From chenkeong.yap at izeno.com Thu Oct 1 03:10:31 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Thu, 1 Oct 2015 15:10:31 +0800
Subject: [keycloak-user] Keycloak Logger
Message-ID:

Hi Guys,

Running into an issue when compiling the source code, can share how to resolve it?

Tests run: 4, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.262 sec <<< FAILURE! - in org.keycloak.subsystem.server.extension.SubsystemParsingTestCase
testSubsystem(org.keycloak.subsystem.server.extension.SubsystemParsingTestCase)  Time elapsed: 0.683 sec  <<< ERROR!
java.lang.Exception: java.lang.ExceptionInInitializerError
    at org.jboss.as.model.test.ModelTestModelControllerService.boot(ModelTestModelControllerService.java:329)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:308)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:271)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ExceptionInInitializerError: null
    at org.keycloak.subsystem.server.extension.KeycloakExtension.initialize(KeycloakExtension.java:69)
    at org.jboss.as.subsystem.test.TestModelControllerService.preBoot(TestModelControllerService.java:134)
    at org.jboss.as.model.test.ModelTestModelControllerService.boot(ModelTestModelControllerService.java:316)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:308)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:271)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: Invalid logger interface org.keycloak.subsystem.server.logging.KeycloakLogger (implementation not found in sun.misc.Launcher$AppClassLoader@42a57993)
    at org.jboss.logging.Logger$1.run(Logger.java:2254)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.logging.Logger.getMessageLogger(Logger.java:2227)
    at org.jboss.logging.Logger.getMessageLogger(Logger.java:2214)
    at org.keycloak.subsystem.server.logging.KeycloakLogger.<clinit>(KeycloakLogger.java:38)
    at org.keycloak.subsystem.server.ex

From sthorger at redhat.com Thu Oct 1 03:34:25 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 1 Oct 2015 09:34:25 +0200
Subject: [keycloak-user] FIPS compliant
In-Reply-To:
References:
Message-ID:

Keycloak is not FIPS compliant. There are basically two parts that would need to be made FIPS compliant:

* SSL - this should be possible at the moment, Google for FIPS and WildFly or EAP to see how to configure it
* OIDC/SAML - we use Bouncycastle for crypto which is not FIPS compliant, but looking at http://www.bouncycastle.org/wiki/display/JA1/Frequently+Asked+Questions they have a FIPS compliant version in place

On 28 September 2015 at 23:27, Bhanu Kiran wrote:

> Team,
>
> Please let us know if Keycloak is FIPS compliant or how we can implement
> FIPS in keycloak ?
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Oct 1 03:36:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 1 Oct 2015 09:36:22 +0200
Subject: [keycloak-user] Login by mobile number.
In-Reply-To:
References:
Message-ID:

You would need to create a custom authenticator for it. Take a look at http://keycloak.github.io/docs/userguide/html/auth_spi.html

On 30 September 2015 at 15:34, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:

> Hi all,
>
> I have an application that is secured by Keycloak.
I am able to login > using username/email and password. I also want to implement login via phone > number. Could anybody help me how to store the phone number for a user and > also how to use it to login the user. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/00cbd96f/attachment.html From sthorger at redhat.com Thu Oct 1 03:43:05 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 1 Oct 2015 09:43:05 +0200 Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak In-Reply-To: References: Message-ID: When you logged in via Facebook did the consent screen from Facebook display your email address? Facebook users can prevent applications from seeing the email both in account settings, but also selectively remove this from the consent screen. On 30 September 2015 at 14:57, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote: > Hi, > > I am using keycloak 1.5.0 and want to use login via facebook. So i created > a facebook app and provided all the details in the keycloak facebook > identity provider settings. When i login from facebook, the user is created > if not existing in keycloak and is authenticated. > > But the created user details are all null and in the server log, the > response from facebook contains only the name and id but not the email but > the default scope of my application is email. Also, when trying to store > the returned details using mappers is not happening. > > Could anyone please help me on how to return more details from facebook > and also store those details using mappers. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/b49b4470/attachment.html From anunay.sinha at arvindinternet.com Thu Oct 1 03:45:26 2015 From: anunay.sinha at arvindinternet.com (Anunay Sinha) Date: Thu, 1 Oct 2015 13:15:26 +0530 Subject: [keycloak-user] Login by mobile number. In-Reply-To: References: Message-ID: Hi Stian, I have question about login through mobile devices in general, where I would like to login via mobile number, get an OTP on my number and use it to register/login into the system, For the number I can follow your instructions but am looking to provide for OTP as well (I am exploring this). It will be nice to have it out of the box :) Is such a option there in the Keycloak's roadmap ? If so what is the rough timeline? On Thu, Oct 1, 2015 at 1:06 PM, Stian Thorgersen wrote: > You would need to create a custom authenticator for it. Take a look at > http://keycloak.github.io/docs/userguide/html/auth_spi.html > > On 30 September 2015 at 15:34, Revanth Ayalasomayajula < > revanth at arvindinternet.com> wrote: > >> Hi all, >> >> I have an application that is secured by Keycloak. I am able to login >> using username/email and password. I also want to implement login via phone >> number. Could anybody help me how to store the phone number for a user and >> also how to use it to login the user. 
>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- - Anunay -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/16ec2e47/attachment-0001.html From sthorger at redhat.com Thu Oct 1 03:45:36 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 1 Oct 2015 09:45:36 +0200 Subject: [keycloak-user] Multi-tenant REST api In-Reply-To: References: Message-ID: We'll need more info than that. Is there any errors in the log? My best bet is that your KeycloakConfigResolver is not returning a valid KeycloakDeployment. On 27 September 2015 at 04:32, Vito Vessia wrote: > Hi all, > I have to create some multi-tenant rest apis secured by keycloak, > following the multi-tenant example provided by the keycloak documentation. > So, in the same way the example shows, I have some rest api like: > > /rest/api1/name/{id} > > and I wold like to let these api to be multi tenant using urls like this > one: > > /tenant1/rest/api1/name/{id} or /tenant2/rest/api1/name/{id} > > I am using Jersey as Jax-RS implementation and the AS is Wildfly 9. > My KeycloakConfigResolver derived implementation seems to work well, > because it receives the requests from KC and returns the > correct KeycloakDeployment instance, but the rest service is never called. > If I temporary disable the resolver and I define a fixed realm, everything > is ok calling the url without the tenant name part. > Please. do you have some idea? > Where do I can get a complete example? 
> > --Vito > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/8939665d/attachment.html From revanth at arvindinternet.com Thu Oct 1 03:46:25 2015 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Thu, 1 Oct 2015 13:16:25 +0530 Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak In-Reply-To: References: Message-ID: Hi, Thanks for the quick reply. It did show the email address and the public profile in the consent screen. On Thu, Oct 1, 2015 at 1:13 PM, Stian Thorgersen wrote: > When you logged in via Facebook did the consent screen from Facebook > display your email address? Facebook users can prevent applications from > seeing the email both in account settings, but also selectively remove this > from the consent screen. > > On 30 September 2015 at 14:57, Revanth Ayalasomayajula < > revanth at arvindinternet.com> wrote: > >> Hi, >> >> I am using keycloak 1.5.0 and want to use login via facebook. So i >> created a facebook app and provided all the details in the keycloak >> facebook identity provider settings. When i login from facebook, the user >> is created if not existing in keycloak and is authenticated. >> >> But the created user details are all null and in the server log, the >> response from facebook contains only the name and id but not the email but >> the default scope of my application is email. Also, when trying to store >> the returned details using mappers is not happening. >> >> Could anyone please help me on how to return more details from facebook >> and also store those details using mappers. 
>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/eb31050b/attachment.html From sthorger at redhat.com Thu Oct 1 03:52:41 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 1 Oct 2015 09:52:41 +0200 Subject: [keycloak-user] Login by mobile number. In-Reply-To: References: Message-ID: Using SMS as a two factor auth mechanism is on the road-map, but not in the near future. The idea is basically that the server creates a unique code, sends it in SMS, and the user would then copy it back to the login screen. Issue with it is that we first need to allow users to select what two factor auth mechanism they want to use. They could have a hardware OTP token for example, but as they don't have it with them they could use the SMS code as a backup. We also have tons of other things ahead of it in the queue. I'm a bit curious about your use-case. You basically want a user to login with mobile number + password, and also use a code sent over SMS as a two factor auth? Or do you have something different in mind? On 1 October 2015 at 09:45, Anunay Sinha wrote: > Hi Stian, > I have question about login through mobile devices in general, > where I would like to login via mobile number, get an OTP on my number and > use it to register/login into the system, > > For the number I can follow your instructions but am looking to provide > for OTP as well (I am exploring this). It will be nice to have it out of > the box :) > > Is such a option there in the Keycloak's roadmap ? > If so what is the rough timeline? > > On Thu, Oct 1, 2015 at 1:06 PM, Stian Thorgersen > wrote: > >> You would need to create a custom authenticator for it. 
Take a look at >> http://keycloak.github.io/docs/userguide/html/auth_spi.html >> >> On 30 September 2015 at 15:34, Revanth Ayalasomayajula < >> revanth at arvindinternet.com> wrote: >> >>> Hi all, >>> >>> I have an application that is secured by Keycloak. I am able to login >>> using username/email and password. I also want to implement login via phone >>> number. Could anybody help me how to store the phone number for a user and >>> also how to use it to login the user. >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > - Anunay > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/d4256b46/attachment.html From sthorger at redhat.com Thu Oct 1 03:57:10 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 1 Oct 2015 09:57:10 +0200 Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak In-Reply-To: References: Message-ID: Strange - I double checked it here and works fine for me. If you've got a chance to remotely debug KC then put a breakpoint in FacebookIdentityProvider.doGetFederatedIdentity as that's what retrieves the users profile. On 1 October 2015 at 09:46, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote: > Hi, > > Thanks for the quick reply. It did show the email address and the public > profile in the consent screen. > > On Thu, Oct 1, 2015 at 1:13 PM, Stian Thorgersen > wrote: > >> When you logged in via Facebook did the consent screen from Facebook >> display your email address? 
Facebook users can prevent applications from >> seeing the email both in account settings, but also selectively remove this >> from the consent screen. >> >> On 30 September 2015 at 14:57, Revanth Ayalasomayajula < >> revanth at arvindinternet.com> wrote: >> >>> Hi, >>> >>> I am using keycloak 1.5.0 and want to use login via facebook. So i >>> created a facebook app and provided all the details in the keycloak >>> facebook identity provider settings. When i login from facebook, the user >>> is created if not existing in keycloak and is authenticated. >>> >>> But the created user details are all null and in the server log, the >>> response from facebook contains only the name and id but not the email but >>> the default scope of my application is email. Also, when trying to store >>> the returned details using mappers is not happening. >>> >>> Could anyone please help me on how to return more details from facebook >>> and also store those details using mappers. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/ee8ded40/attachment.html From sthorger at redhat.com Thu Oct 1 03:57:23 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 1 Oct 2015 09:57:23 +0200 Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak In-Reply-To: References: Message-ID: Or you can use wireshark or something to look at requests made On 1 October 2015 at 09:57, Stian Thorgersen wrote: > Strange - I double checked it here and works fine for me. If you've got a > chance to remotely debug KC then put a breakpoint > in FacebookIdentityProvider.doGetFederatedIdentity as that's what retrieves > the users profile. 
> > On 1 October 2015 at 09:46, Revanth Ayalasomayajula < > revanth at arvindinternet.com> wrote: > >> Hi, >> >> Thanks for the quick reply. It did show the email address and the public >> profile in the consent screen. >> >> On Thu, Oct 1, 2015 at 1:13 PM, Stian Thorgersen >> wrote: >> >>> When you logged in via Facebook did the consent screen from Facebook >>> display your email address? Facebook users can prevent applications from >>> seeing the email both in account settings, but also selectively remove this >>> from the consent screen. >>> >>> On 30 September 2015 at 14:57, Revanth Ayalasomayajula < >>> revanth at arvindinternet.com> wrote: >>> >>>> Hi, >>>> >>>> I am using keycloak 1.5.0 and want to use login via facebook. So i >>>> created a facebook app and provided all the details in the keycloak >>>> facebook identity provider settings. When i login from facebook, the user >>>> is created if not existing in keycloak and is authenticated. >>>> >>>> But the created user details are all null and in the server log, the >>>> response from facebook contains only the name and id but not the email but >>>> the default scope of my application is email. Also, when trying to store >>>> the returned details using mappers is not happening. >>>> >>>> Could anyone please help me on how to return more details from facebook >>>> and also store those details using mappers. >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/10ca2ffc/attachment-0001.html From anunay.sinha at arvindinternet.com Thu Oct 1 03:57:58 2015 From: anunay.sinha at arvindinternet.com (Anunay Sinha) Date: Thu, 1 Oct 2015 13:27:58 +0530 Subject: [keycloak-user] Login by mobile number. 
In-Reply-To:
References:
Message-ID:

User can register through a mobile number. He will be sent an OTP on his mobile number (for verification and first-time login). Once verified and he logs in for the first time he can set his password.

Similar workflow will be used if he wants to recover his password. He will get an OTP on his mobile that will allow him to log in and he can reset his password thereafter.

2 Factor Authentication is not something we are looking at yet, though it will be good to have.

On Thu, Oct 1, 2015 at 1:22 PM, Stian Thorgersen wrote:

> Using SMS as a two factor auth mechanism is on the road-map, but not in
> the near future. The idea is basically that the server creates a unique
> code, sends it in SMS, and the user would then copy it back to the login
> screen. Issue with it is that we first need to allow users to select what
> two factor auth mechanism they want to use. They could have a hardware OTP
> token for example, but as they don't have it with them they could use the
> SMS code as a backup. We also have tons of other things ahead of it in the
> queue.
>
> I'm a bit curious about your use-case. You basically want a user to login
> with mobile number + password, and also use a code sent over SMS as a two
> factor auth? Or do you have something different in mind?
>
> On 1 October 2015 at 09:45, Anunay Sinha wrote:
>
>> Hi Stian,
>> I have question about login through mobile devices in general,
>> where I would like to login via mobile number, get an OTP on my number
>> and use it to register/login into the system,
>>
>> For the number I can follow your instructions but am looking to provide
>> for OTP as well (I am exploring this). It will be nice to have it out of
>> the box :)
>>
>> Is such a option there in the Keycloak's roadmap ?
>> If so what is the rough timeline?
>>
>> On Thu, Oct 1, 2015 at 1:06 PM, Stian Thorgersen wrote:
>>
>>> You would need to create a custom authenticator for it.
Take a look at >>> http://keycloak.github.io/docs/userguide/html/auth_spi.html >>> >>> On 30 September 2015 at 15:34, Revanth Ayalasomayajula < >>> revanth at arvindinternet.com> wrote: >>> >>>> Hi all, >>>> >>>> I have an application that is secured by Keycloak. I am able to login >>>> using username/email and password. I also want to implement login via phone >>>> number. Could anybody help me how to store the phone number for a user and >>>> also how to use it to login the user. >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> -- >> - Anunay >> > > -- - Anunay -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/8f457d94/attachment.html From revanth at arvindinternet.com Thu Oct 1 03:58:09 2015 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Thu, 1 Oct 2015 13:28:09 +0530 Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak In-Reply-To: References: Message-ID: Hi, In the server log, this is the json that i see. User Profile JSON Data for provider facebook: {"name":"Revanth Ayalasomayajula","id":"897360963633861"} On Thu, Oct 1, 2015 at 1:16 PM, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote: > Hi, > > Thanks for the quick reply. It did show the email address and the public > profile in the consent screen. > > On Thu, Oct 1, 2015 at 1:13 PM, Stian Thorgersen > wrote: > >> When you logged in via Facebook did the consent screen from Facebook >> display your email address? 
Facebook users can prevent applications from >> seeing the email both in account settings, but also selectively remove this >> from the consent screen. >> >> On 30 September 2015 at 14:57, Revanth Ayalasomayajula < >> revanth at arvindinternet.com> wrote: >> >>> Hi, >>> >>> I am using keycloak 1.5.0 and want to use login via facebook. So i >>> created a facebook app and provided all the details in the keycloak >>> facebook identity provider settings. When i login from facebook, the user >>> is created if not existing in keycloak and is authenticated. >>> >>> But the created user details are all null and in the server log, the >>> response from facebook contains only the name and id but not the email but >>> the default scope of my application is email. Also, when trying to store >>> the returned details using mappers is not happening. >>> >>> Could anyone please help me on how to return more details from facebook >>> and also store those details using mappers. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/7987c93d/attachment.html From traviskds at gmail.com Thu Oct 1 04:06:16 2015 From: traviskds at gmail.com (Travis De Silva) Date: Thu, 01 Oct 2015 08:06:16 +0000 Subject: [keycloak-user] Login by mobile number. In-Reply-To: References: Message-ID: +1 for this feature. This use case is getting quite popular these days. Apart from the banks that follow this procedure, you also get companies like Google that do this as an extra step to prevent someone who has stolen your username/password from using it to access your content. A would like to suggest a few additional features around this requirement for it to be more valuable. 1. 
Option in KeyCloak to set if the SMS should be sent for all login attempts or only when logging in from a new device like who you get with Google 2. A set of actions that could trigger the SMS - For example let's say I have a banking web app and if the user logs in and does a funds transfer above a certain limit, I should be able to from my app trigger an SMS auth. Not sure if this is part of OAuth2 or OIDC but I have encountered quite a few applications following this flow to prevent identify theft. On Thu, 1 Oct 2015 at 17:52 Stian Thorgersen wrote: > Using SMS as a two factor auth mechanism is on the road-map, but not in > the near future. The idea is basically that the server creates a unique > code, sends it in SMS, and the user would then copy it back to the login > screen. Issue with it is that we first need to allow users to select what > two factor auth mechanism they want to use. They could have a hardware OTP > token for example, but as they don't have it with them they could use the > SMS code as a backup. We also have tons of other things ahead of it in the > queue. > > I'm a bit curious about your use-case. You basically want a user to login > with mobile number + password, and also use a code sent over SMS as a two > factor auth? Or do you have something different in mind? > > > > > > On 1 October 2015 at 09:45, Anunay Sinha > wrote: > >> Hi Stian, >> I have question about login through mobile devices in general, >> where I would like to login via mobile number, get an OTP on my number >> and use it to register/login into the system, >> >> For the number I can follow your instructions but am looking to provide >> for OTP as well (I am exploring this). It will be nice to have it out of >> the box :) >> >> Is such a option there in the Keycloak's roadmap ? >> If so what is the rough timeline? >> >> On Thu, Oct 1, 2015 at 1:06 PM, Stian Thorgersen >> wrote: >> >>> You would need to create a custom authenticator for it. 
Take a look at >>> http://keycloak.github.io/docs/userguide/html/auth_spi.html >>> >>> On 30 September 2015 at 15:34, Revanth Ayalasomayajula < >>> revanth at arvindinternet.com> wrote: >>> >>>> Hi all, >>>> >>>> I have an application that is secured by Keycloak. I am able to login >>>> using username/email and password. I also want to implement login via phone >>>> number. Could anybody help me how to store the phone number for a user and >>>> also how to use it to login the user. >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> -- >> - Anunay >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/c1e1884a/attachment-0001.html From traviskds at gmail.com Thu Oct 1 04:12:32 2015 From: traviskds at gmail.com (Travis De Silva) Date: Thu, 01 Oct 2015 08:12:32 +0000 Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak In-Reply-To: References: Message-ID: I have the same issue. I raised this on the keycloak forum a few weeks back but did not get a reply. Please refer to this post as it gives some possible reasons. http://lists.jboss.org/pipermail/keycloak-user/2015-August/002939.html On Thu, 1 Oct 2015 at 17:58 Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote: > Hi, > > In the server log, this is the json that i see. 
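Stian's sketch earlier in this thread (the server creates a unique code, sends it by SMS, the user copies it back), Anunay's registration and password-reset flow, and Travis's step-up case for a large funds transfer all need the same server-side piece: issuing a code and checking it once. What follows is an added example written for this thread, not Keycloak code and not part of the Authenticator SPI linked above. It shows the checks a practitioner would want around such a code: a short lifetime, a small guess budget, a per-number send limit, single use, a constant-time comparison, and binding the code to a purpose so a code issued for login cannot be replayed for a reset or a transfer (that last point goes beyond what the thread spells out). `SmsOtpService`, the `send_sms` callback, the server key, and the phone number are all assumptions of the example; hooking it into a custom authenticator is left to the SPI documentation.

```python
"""
Server-side one-time SMS code logic of the kind described in this thread: the server
generates a short random code, hands it to an SMS gateway, and later checks what the
user typed back. Constructed example for the discussion, not Keycloak code.
Assumptions: the server secret is a key kept out of the database, and send_sms is the
caller's gateway adapter (here a plain callback so the example runs offline).
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300       # a code is dead after five minutes, used or not
MAX_VERIFY_ATTEMPTS = 3      # 3 guesses at a 6-digit code, then the code is discarded
MAX_ISSUE_PER_WINDOW = 3     # cap on codes sent per number per window (cost, SMS bombing)
ISSUE_WINDOW_SECONDS = 600


@dataclass
class PendingCode:
    digest: bytes            # keyed hash of the code, never the code itself
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS


class SmsOtpService:
    def __init__(self, server_secret: bytes, send_sms, clock=time.time):
        self._secret = server_secret
        self._send_sms = send_sms   # assumed gateway adapter: callable(phone, code)
        self._clock = clock         # injectable so expiry can be exercised without sleeping
        self._pending = {}          # (phone, purpose) -> PendingCode
        self._issued = {}           # phone -> timestamps of codes sent

    def _digest(self, phone: str, purpose: str, code: str) -> bytes:
        # HMAC over phone|purpose|code: a leaked table of digests cannot be brute-forced
        # offline without the server key, and a code issued for "login" does not verify
        # as "reset" or "transfer".
        msg = f"{phone}|{purpose}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, phone: str, purpose: str) -> bool:
        """Generate and send a fresh code; returns False when the number is rate-limited."""
        now = self._clock()
        recent = [t for t in self._issued.get(phone, []) if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUE_PER_WINDOW:
            return False
        self._issued[phone] = recent + [now]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Re-issuing replaces any earlier code for the same phone and purpose.
        self._pending[(phone, purpose)] = PendingCode(
            digest=self._digest(phone, purpose, code),
            expires_at=now + CODE_TTL_SECONDS,
        )
        self._send_sms(phone, code)
        return True

    def verify(self, phone: str, purpose: str, code: str) -> bool:
        """Single-use check: True exactly once, for the right code, within its lifetime."""
        key = (phone, purpose)
        pending = self._pending.get(key)
        if pending is None:
            return False
        if self._clock() >= pending.expires_at:
            del self._pending[key]
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(pending.digest, self._digest(phone, purpose, code))
        if ok or pending.attempts_left <= 0:
            del self._pending[key]   # consumed on success, discarded when guesses run out
        return ok


if __name__ == "__main__":
    outbox = []   # stands in for the SMS gateway in this constructed run
    svc = SmsOtpService(b"replace-with-a-real-32-byte-key",
                        lambda phone, code: outbox.append(code))
    phone = "+6590000000"   # constructed number
    svc.issue(phone, "registration")
    code = outbox[-1]
    print("wrong purpose accepted:", svc.verify(phone, "reset", code))
    print("right code accepted:", svc.verify(phone, "registration", code))
    print("replay accepted:", svc.verify(phone, "registration", code))
```

Two caveats go with this design. A code received over SMS proves possession of the number at that moment, not the person's identity, so SIM-swap and phishing of the code are the attacks to plan for; for password recovery in particular, treat it as one signal rather than the only one. The keyed hash also matters for the storage side: with only a million possible codes, an unkeyed hash of the pending code is no protection at all if the table leaks.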
> > User Profile JSON Data for provider facebook: {"name":"Revanth > Ayalasomayajula","id":"897360963633861"} > > On Thu, Oct 1, 2015 at 1:16 PM, Revanth Ayalasomayajula < > revanth at arvindinternet.com> wrote: > >> Hi, >> >> Thanks for the quick reply. It did show the email address and the public >> profile in the consent screen. >> >> On Thu, Oct 1, 2015 at 1:13 PM, Stian Thorgersen >> wrote: >> >>> When you logged in via Facebook did the consent screen from Facebook >>> display your email address? Facebook users can prevent applications from >>> seeing the email both in account settings, but also selectively remove this >>> from the consent screen. >>> >>> On 30 September 2015 at 14:57, Revanth Ayalasomayajula < >>> revanth at arvindinternet.com> wrote: >>> >>>> Hi, >>>> >>>> I am using keycloak 1.5.0 and want to use login via facebook. So i >>>> created a facebook app and provided all the details in the keycloak >>>> facebook identity provider settings. When i login from facebook, the user >>>> is created if not existing in keycloak and is authenticated. >>>> >>>> But the created user details are all null and in the server log, the >>>> response from facebook contains only the name and id but not the email but >>>> the default scope of my application is email. Also, when trying to store >>>> the returned details using mappers is not happening. >>>> >>>> Could anyone please help me on how to return more details from facebook >>>> and also store those details using mappers. >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151001/53e8521e/attachment.html From mstrukel at redhat.com Thu Oct 1 05:09:57 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Thu, 1 Oct 2015 11:09:57 +0200 Subject: [keycloak-user] Keycloak Logger In-Reply-To: References: Message-ID: Latest master builds fine. As a matter of fact I have never seen the error you get. Are you building the latest master or something else? What does your build command look like? On Thu, Oct 1, 2015 at 9:10 AM, Chen Keong Yap wrote: > Hi Guys, > > Running into an issue when compiling the source code, can share how to > resolve it? > > Tests run: 4, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.262 sec > <<< FAILURE! - in > org.keycloak.subsystem.server.extension.SubsystemParsingTestCase > testSubsystem(org.keycloak.subsystem.server.extension.SubsystemParsingTestCase) > Time elapsed: 0.683 sec <<< ERROR! > java.lang.Exception: java.lang.ExceptionInInitializerError > at > org.jboss.as.model.test.ModelTestModelControllerService.boot(ModelTestModelControllerService.java:329) > at > org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:308) > at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:271) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.lang.ExceptionInInitializerError: null > at > org.keycloak.subsystem.server.extension.KeycloakExtension.initialize(KeycloakExtension.java:69) > at > org.jboss.as.subsystem.test.TestModelControllerService.preBoot(TestModelControllerService.java:134) > at > org.jboss.as.model.test.ModelTestModelControllerService.boot(ModelTestModelControllerService.java:316) > at > org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:308) > at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:271) > at java.lang.Thread.run(Thread.java:745) > Caused by: 
From chenkeong.yap at izeno.com Thu Oct 1 05:11:24 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Thu, 1 Oct 2015 17:11:24 +0800
Subject: [keycloak-user] Keycloak Logger

Hi Marko,

I was compiling the Keycloak 1.5 Final source code using the command --> mvn install -Pdistribution
--
Best regards, CK Yap
Technology Consultant
iZeno Pte Ltd
From mstrukel at redhat.com Thu Oct 1 05:39:41 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 1 Oct 2015 11:39:41 +0200
Subject: [keycloak-user] Keycloak Logger

The release procedure itself is such that if the build failed during release, the release could not be completed, therefore tag 1.5.0.Final is guaranteed to build.

Try this:

    git checkout 1.5.0.Final
    mvn clean install -Pdistribution

Also consider using -DskipTests if you don't mind about tests failing, and are only interested in producing the distribution without waiting for tests.
From sthorger at redhat.com Thu Oct 1 05:47:06 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 1 Oct 2015 11:47:06 +0200
Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak

Just tested this out some more. I've had an app registered in Facebook for a long time which I use for testing, with this it works fine and I get name and email. Now I tried to create a new app and I don't get anything. Please create a JIRA for this

On 1 October 2015 at 10:12, Travis De Silva wrote:

> I have the same issue. I raised this on the keycloak forum a few weeks back but did not get a reply. Please refer to this post as it gives some possible reasons.
>
> http://lists.jboss.org/pipermail/keycloak-user/2015-August/002939.html
From sthorger at redhat.com Thu Oct 1 05:53:46 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 1 Oct 2015 11:53:46 +0200
Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak

https://issues.jboss.org/browse/KEYCLOAK-1894

Adding fix from Travis. Thanks :)
From a.lamers at first8.nl Thu Oct 1 10:17:50 2015
From: a.lamers at first8.nl (Arjan Lamers)
Date: Thu, 1 Oct 2015 17:17:50 +0300
Subject: [keycloak-user] retrieving custom user attributes

Hi,

Well, as far as I can see, the unmarshalled AccessToken does not contain any custom attributes. I would expect something like a Map where you can access additional attributes. Just to be clear: the custom attribute I configured does appear in the JWT token, I am simply searching for an easy way to access them from Java. There is an 'otherClaims' in the JsonWebToken, should they appear there? (They don't).

Kind regards,
Arjan Lamers

> What do you want for an interface? KeycloakSecurityContext has the unmarshalled IDToken and AccessToken.
>
> KeycloakPrincipal.getKeycloakSecurityContext().getToken()
>
> On 9/30/2015 11:12 AM, Arjan Lamers wrote:
>> Hi,
>>
>> I am trying to find an easy way to access custom attributes as defined for a client. For a Keycloak client, I've defined a new Mapper for a /user attribute/ to store some additional authorisation data. This then is managed by some user domain that uses the keycloak-admin-client to write that property.
>>
>> The problem arises when I want to access that property in a JEE application. The way I do it right now is to use the KeycloakPrincipal found in the javax.ejb.SessionContext. From there, I get the JWT token as a String, deserialize the JSON and access the custom attribute from there. This feels like a very roundabout way to get to the token but somehow I am not able to find an easier way. Is it a missing feature or is it simply too close to the weekend for me ;)?
From getbhanu30 at gmail.com Thu Oct 1 11:53:13 2015
From: getbhanu30 at gmail.com (Bhanu Kiran)
Date: Thu, 1 Oct 2015 10:53:13 -0500
Subject: [keycloak-user] Customization in template ftl file or other file

Hello Team,

1. Need to add new functionality like (forgot User Id) to the keycloak template page. If this link is clicked it should call an action and then navigate to a new ftl file.

The URLs like loginUrl, registration, forgot password are generated in the URL bean and this doesn't have functionality to add new links which can be mapped from the ftl file to an action class.

Let us know how to proceed with this requirement?

Thanks,
Bhanu

From tair.sabirgaliev at bee.kz Fri Oct 2 04:49:02 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Fri, 2 Oct 2015 14:49:02 +0600
Subject: [keycloak-user] Redirect to keycloak only for certain content-types

Hi,

Is it possible to setup login redirection only for certain content types? I want to redirect only when the browser asks for text/html. For other types either 40x or Authorization challenge.

--
Tair Sabirgaliev
Bee Software, LLP

From maciej.szewczykowski at pjmedia.co.uk Fri Oct 2 06:16:25 2015
From: maciej.szewczykowski at pjmedia.co.uk (Maciej Szewczykowski)
Date: Fri, 2 Oct 2015 10:16:25 +0000
Subject: [keycloak-user] Custom theme - modifying HTML files

Hi,

I'd like to create a custom admin theme which would contain some additional controls (buttons) which, when clicked, would redirect the user to some external address. Creating a theme itself is rather easy and well documented.
The problem is that I can't seem to be able to modify the HTML page of my choice - in my case it is the role-mappings.html page where the additional button should be placed. Modification of the page simply doesn't seem to take any effect (although page caching is switched off). I'm using demo v. 1.4.0

Would be very grateful for any tips on how to achieve this.

Best Regards,
Maciej Szewczykowski
Java Developer
PJ Media Limited
From giriraj.sharma27 at gmail.com Fri Oct 2 10:54:00 2015
From: giriraj.sharma27 at gmail.com (Giriraj Sharma)
Date: Fri, 2 Oct 2015 20:24:00 +0530
Subject: [keycloak-user] Redirect to keycloak only for certain content-types

Hi,

One possible way is to put nginx as a reverse proxy in between the browser and the Keycloak server instance. You can dig around using the *$content_type* embedded variable of the nginx *ngx_http_core_module* or maybe the *nginx_rewrite* module, and a simple tweak (maybe an if statement in the nginx server/location block config) will help you in achieving the required. Based on the value of the content-type header, you can proxy-pass the requests to a different upstream server via nginx.

Cheers,

--
Giriraj Sharma
about.me/girirajsharma
Department of Computer Science, National Institute of Technology Hamirpur

From tair.sabirgaliev at bee.kz Fri Oct 2 12:24:38 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Fri, 2 Oct 2015 22:24:38 +0600
Subject: [keycloak-user] Redirect to keycloak only for certain content-types
Hi,

Yes, it can be done with nginx, but I still hope this could be accomplished natively :)

The general idea is this:

a) if the browser asks for "text/html" => act as confidential/public client, that is, start the keycloak login protocol
b) if the browser asks for "application/json" => act as bearer-only client, and in case of authorization error, respond with proper 40x status

This would let me build an "isomorphic" JavaScript application (http://isomorphic.net)

With keycloak-1.5.0 I see that there is no difference whether I accept text/html or application/json:

    tair$ curl -v -H 'Accept: text/html' http://localhost:9080/hello-world/rest/something
    *   Trying ::1...
    * connect to ::1 port 9080 failed: Connection refused
    *   Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 9080 (#0)
    > GET /hello-world/rest/something HTTP/1.1
    > Host: localhost:9080
    > User-Agent: curl/7.43.0
    > Accept: text/html
    >
    < HTTP/1.1 302 Found
    < Expires: 0
    < Cache-Control: no-cache, no-store, must-revalidate
    < X-Powered-By: Undertow/1
    < Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
    < Server: WildFly/9
    < Pragma: no-cache
    < Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
    < Date: Fri, 02 Oct 2015 15:53:32 GMT
    < Connection: keep-alive
    < Content-Length: 0
    <
    * Connection #0 to host localhost left intact

    tair$ curl -v -H 'Accept: application/json' http://localhost:9080/hello-world/rest/something
    *   Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 9080 (#0)
    > GET /hello-world/rest/something HTTP/1.1
    > Host: localhost:9080
    > User-Agent: curl/7.43.0
    > Accept: application/json
    >
    < HTTP/1.1 302 Found
    < Expires: 0
    < Cache-Control: no-cache, no-store, must-revalidate
    < X-Powered-By: Undertow/1
    < Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
    < Server: WildFly/9
    < Pragma: no-cache
    < Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
    < Date: Fri, 02 Oct 2015 15:53:41 GMT
    < Connection: keep-alive
    < Content-Length: 0
    <
    * Connection #0 to host localhost left intact

Any workarounds there?

--
Tair Sabirgaliev
Bee Software, LLP
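The two cases Tair describes (and the header-based routing Giriraj suggests doing in nginx) can be expressed as a servlet filter in front of the REST paths; this is an added example, not code from the thread or from Keycloak. It assumes the servlet API on the classpath, the realm name "demo" taken from the Location URL in the curl output, and that the filter is ordered ahead of the adapter's login redirect for those paths, which is deployment-specific.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Content-negotiated authentication front door (added example, not Keycloak code).
// Case a: an unauthenticated request whose Accept header explicitly prefers text/html
//         is passed on so the Keycloak adapter can start the login redirect.
// Case b: anything else without a token (application/json, curl's default */*, no
//         Accept at all) gets a 401 bearer challenge instead of a 302 to the login page.
public class AcceptAwareAuthFilter implements Filter {

    public enum Decision { LOGIN_REDIRECT, BEARER_CHALLENGE }

    // Realm used in the WWW-Authenticate challenge; "demo" as in the curl output above.
    private static final String REALM = "demo";

    // Best match of one media type against an Accept header (RFC 7231 section 5.3.2):
    // the most specific matching entry wins, and its q value is the client's preference.
    static final class Match {
        int specificity = -1;   // 2 = type/subtype, 1 = type/*, 0 = */*, -1 = no match
        double q = 0.0;
    }

    static Match match(String accept, String type, String subtype) {
        Match best = new Match();
        for (String entry : accept.split(",")) {
            String[] parts = entry.trim().split(";");
            String[] mt = parts[0].trim().toLowerCase(Locale.ROOT).split("/", 2);
            if (mt.length != 2) continue;
            int specificity;
            if (mt[0].equals(type) && mt[1].equals(subtype)) specificity = 2;
            else if (mt[0].equals(type) && mt[1].equals("*")) specificity = 1;
            else if (mt[0].equals("*") && mt[1].equals("*")) specificity = 0;
            else continue;
            double q = 1.0;   // q defaults to 1 when absent
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim().toLowerCase(Locale.ROOT);
                if (p.startsWith("q=")) {
                    try { q = Double.parseDouble(p.substring(2)); }
                    catch (NumberFormatException e) { q = 0.0; }
                }
            }
            if (specificity > best.specificity) { best.specificity = specificity; best.q = q; }
        }
        return best;
    }

    // Redirect to login only when the client names text/html itself (not via a wildcard)
    // and does not rank application/json higher.
    static Decision decide(String accept) {
        if (accept == null) return Decision.BEARER_CHALLENGE;
        Match html = match(accept, "text", "html");
        Match json = match(accept, "application", "json");
        boolean wantsHtml = html.specificity == 2 && html.q > 0 && html.q >= json.q;
        return wantsHtml ? Decision.LOGIN_REDIRECT : Decision.BEARER_CHALLENGE;
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        boolean authenticated = request.getUserPrincipal() != null;
        boolean carriesBearer = request.getHeader("Authorization") != null;
        if (authenticated || carriesBearer
                || decide(request.getHeader("Accept")) == Decision.LOGIN_REDIRECT) {
            chain.doFilter(req, res);   // adapter does the login redirect or validates the token
            return;
        }
        // API client without a token: challenge it rather than bouncing it to the login page.
        response.setHeader("WWW-Authenticate", "Bearer realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // Stand-alone check of the decision logic, using the two Accept headers from the curl
    // runs plus a typical browser header and curl's default.
    public static void main(String[] args) {
        System.out.println("text/html        -> " + decide("text/html"));
        System.out.println("application/json -> " + decide("application/json"));
        System.out.println("browser          -> "
                + decide("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"));
        System.out.println("*/*              -> " + decide("*/*"));
    }
}
```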
From getbhanu30 at gmail.com Fri Oct 2 13:09:15 2015
From: getbhanu30 at gmail.com (Bhanu Kiran)
Date: Fri, 2 Oct 2015 12:09:15 -0500
Subject: [keycloak-user] Customization in template ftl file or other file

Team,

Please reply. How to proceed with this requirement?

Thanks,
Bhanu

From traviskds at gmail.com Sat Oct 3 02:50:43 2015
From: traviskds at gmail.com (Travis De Silva)
Date: Sat, 03 Oct 2015 06:50:43 +0000
Subject: [keycloak-user] Role Name query parameter on user list admin rest api

Hi,

I am using the below admin rest api to get a list of users by realm

http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/index.html#GET

In the query parameters, you don't get a parameter for the role name.
My use case is to get a list of users by a role. In some of the past forum posts this was discussed but it was more around writing a SQL query and I prefer to use the admin rest api.

Has anyone else had this requirement and how did they go about solving this, or should I raise a Jira request.

Cheers
Travis

From tdudgeon.ml at gmail.com Sat Oct 3 06:55:11 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Sat, 3 Oct 2015 11:55:11 +0100
Subject: [keycloak-user] export of realm json
Message-ID: <560FB40F.4050600@gmail.com>

keycloak provides a way to import the definition of a realm as json, but I can't see any way in the UI to export the definition in the first place.
Am I missing something obvious?

Tim

From giriraj.sharma27 at gmail.com Sat Oct 3 08:39:07 2015
From: giriraj.sharma27 at gmail.com (Giriraj Sharma)
Date: Sat, 3 Oct 2015 18:09:07 +0530
Subject: [keycloak-user] export of realm json
In-Reply-To: <560FB40F.4050600@gmail.com>
References: <560FB40F.4050600@gmail.com>

Hi Tim,

Please have a look at the keycloak docs [1]. I am not sure if it can be achieved via the admin console too but I don't think so.

To export into a single JSON file you can use:

    bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=

Here's an example of importing:

    bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= -Dkeycloak.migration.strategy=OVERWRITE_EXISTING

[1] http://keycloak.github.io/docs/userguide/html/export-import.html
--
Giriraj Sharma
about.me/girirajsharma
Department of Computer Science, National Institute of Technology Hamirpur

From khirschmann at huebinet.de Sat Oct 3 14:17:04 2015
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Sat, 3 Oct 2015 20:17:04 +0200
Subject: [keycloak-user] angularjs example for 1.4
Message-ID: <00cd01d0fe07$b4ab5d60$1e021820$@huebinet.de>

Hello,

I am trying to use the example provided here https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app to connect from an angularjs client to a REST Endpoint. Both frontend and backend are protected by keycloak.

My problem is that the example provided by the link above uses angularjs 1.2 and doesn't work with newer versions. (see http://stackoverflow.com/questions/28212837/keycloak-unknown-provider-error)

Has anyone on the mailing list been able to adapt the example to angular 1.4? What steps are necessary?

Kind Regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
From satyajit.das at spire2grow.com Sun Oct 4 05:04:46 2015
From: satyajit.das at spire2grow.com (Satyajit Das)
Date: Sun, 4 Oct 2015 14:34:46 +0530
Subject: [keycloak-user] Findings about keycloak--Important

Hi Team,

1) I have keycloak (1.4.0 final) set up on Windows OS.

2) I have 2 services that I have secured using keycloak. The services are registered in keycloak and the respective keycloak.json is placed in the resource folder.

3) When the services are deployed on Ubuntu OS the authentication works as expected by sharing the token id, but when the services are deployed on a CentOS machine the authentication fails.

The error is: Invalid token: Token is inactive.

I tried the same setup and the same war files of the services on different instances of CentOS; we are facing the same issue, but the issue is not replicated on different Ubuntu instances.

Please let me know your thoughts.

Regards,
Satya.

From tdudgeon.ml at gmail.com Sun Oct 4 05:27:30 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Sun, 4 Oct 2015 10:27:30 +0100
Subject: [keycloak-user] export of realm json
References: <560FB40F.4050600@gmail.com>
Message-ID: <5610F102.8090203@gmail.com>

Thanks. That looks like what I need.
Tim
> > To export into single JSON file you can use: > > > bin/standalone.sh -Dkeycloak.migration.action=export > -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= > > Here's an example of importing: > > bin/standalone.sh -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > [1]http://keycloak.github.io/docs/userguide/html/export-import.html > > On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon > wrote: > > keycloak provides a way to import the definition of a realm as > json, but > I can't see any way in the UI to export the definition in the > first place. > Am I missing something obvious? > Tim > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Giriraj Sharma > about.me/girirajsharma > > > > Giriraj Sharma, > Department of Computer Science > National Institute of Technology Hamirpur > Himachal Pradesh, India 177005 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151004/e0f440d2/attachment.html From bburke at redhat.com Sun Oct 4 16:51:00 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 4 Oct 2015 16:51:00 -0400 Subject: [keycloak-user] Findings about keycloak--Important In-Reply-To: References: Message-ID: <56119134.9050503@redhat.com> You have given us very little information. All I can think of is that the different clocks of every machine are out of sync, giving what little symptoms you've given us. On 10/4/2015 5:04 AM, Satyajit Das wrote: > Hi Team, > > 1) I have the keycloak(1.4.0 final) set up in windows OS. > > 2) I have 2 services that I have secured using keycloak. The services > are registered in keycloak and the respective keycloak.json is placed in > resource folder. 
> > 3) When the services are deployed in Ubuntu OS the authentication > works as expected, by sharing the tokenid, > > but when the services are deployed in a centos machine the authentication > fails. > > The error is Invalid token: Token is inactive. > > I tried the same setup and the same war files of services on different > instances of centos; we are facing the same issue, but the issue is not > replicated on different ubuntu instances. > > Please let me know your thoughts. > > Regards, > Satya. > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Sun Oct 4 16:57:20 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 4 Oct 2015 16:57:20 -0400 Subject: [keycloak-user] export of realm json In-Reply-To: <5610F102.8090203@gmail.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> Message-ID: <561192B0.5080706@redhat.com> For security reasons we did not want to have a remote option to export. On 10/4/2015 5:27 AM, Tim Dudgeon wrote: > Thanks. That looks like what I need. > Tim > > On 03/10/2015 13:39, Giriraj Sharma wrote: >> Hi Tim, >> >> >> Please have a look at the keycloak docs >> [1]. >> I am not sure if it can be achieved via admin console too but I don't >> think so. 
>> >> To export into single JSON file you can use: >> >> >> bin/standalone.sh -Dkeycloak.migration.action=export >> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= >> >> Here's an example of importing: >> >> bin/standalone.sh -Dkeycloak.migration.action=import >> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= >> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING >> [1]http://keycloak.github.io/docs/userguide/html/export-import.html >> >> On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon > > wrote: >> >> keycloak provides a way to import the definition of a realm as >> json, but >> I can't see any way in the UI to export the definition in the >> first place. >> Am I missing something obvious? >> Tim >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> -- >> Giriraj Sharma >> about.me/girirajsharma >> >> >> >> Giriraj Sharma, >> Department of Computer Science >> National Institute of Technology Hamirpur >> Himachal Pradesh, India 177005 > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From thomas.raehalme at aitiofinland.com Sun Oct 4 17:37:03 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Mon, 5 Oct 2015 00:37:03 +0300 Subject: [keycloak-user] export of realm json In-Reply-To: <561192B0.5080706@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> Message-ID: On Oct 4, 2015 23:57, "Bill Burke" wrote: > > For security reasons we did not want to have a remote option to export. You can still access all the same information via the admin application, no? So I wonder if it really improves security... 
From an admin's point of view it would be much easier if it were possible to export realms. Best regards, Thomas > On 10/4/2015 5:27 AM, Tim Dudgeon wrote: > > Thanks. That looks like what I need. > > Tim > > > > On 03/10/2015 13:39, Giriraj Sharma wrote: > >> Hi Tim, > >> > >> > >> Please have a look at the keycloak docs > >> [1]. > >> I am not sure if it can be achieved via admin console too but I don't > >> think so. > >> > >> To export into single JSON file you can use: > >> > >> > >> bin/standalone.sh -Dkeycloak.migration.action=export > >> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= > >> > >> Here's an example of importing: > >> > >> bin/standalone.sh -Dkeycloak.migration.action=import > >> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file= > >> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > >> [1]http://keycloak.github.io/docs/userguide/html/export-import.html > >> > >> On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon >> > wrote: > >> > >> keycloak provides a way to import the definition of a realm as > >> json, but > >> I can't see any way in the UI to export the definition in the > >> first place. > >> Am I missing something obvious? 
> >> Tim > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > >> > >> -- > >> Giriraj Sharma > >> about.me/girirajsharma > >> > >> > >> > >> Giriraj Sharma, > >> Department of Computer Science > >> National Institute of Technology Hamirpur > >> Himachal Pradesh, India 177005 > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/1fb93fc0/attachment.html From bburke at redhat.com Sun Oct 4 19:47:20 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 4 Oct 2015 19:47:20 -0400 Subject: [keycloak-user] export of realm json In-Reply-To: References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> Message-ID: <5611BA88.4060809@redhat.com> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: > > On Oct 4, 2015 23:57, "Bill Burke" > wrote: > > > > For security reasons we did not want to have a remote option to export. > > You can still access all the same information via the admin application, > no? So I wonder if it really improves security... > You can't view user credentials from admin console. Nor can you view realm's private keys or secrets. 
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From tair.sabirgaliev at bee.kz Sun Oct 4 22:43:09 2015 From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev) Date: Mon, 5 Oct 2015 08:43:09 +0600 Subject: [keycloak-user] angularjs example for 1.4 In-Reply-To: References: Message-ID: Here is what we did for angular 1.4 :

"use strict";

var module = angular.module('hello.world', ['ngRoute', 'ngResource']);

var auth = {};

var logout = function () {
    console.log('*** LOGOUT');
    auth.loggedIn = false;
    auth.authz = null;
    window.location = auth.logoutUrl;
};

// Manual bootstrap (no ng-app in the page), so the 'Auth' factory is
// registered before the injector is created. ready() takes a plain
// function; the array-annotated form originally posted only works when
// jQuery supplies ready().
angular.element(document).ready(function () {
    var keycloakAuth = new Keycloak('js/keycloak.json');
    auth.loggedIn = false;

    keycloakAuth.init({ onLoad: 'login-required' }).success(function () {
        auth.loggedIn = true;
        auth.authz = keycloakAuth;
        auth.logoutUrl = keycloakAuth.authServerUrl + "/realms/demo/tokens/logout?redirect_uri=http://localhost:9080/hello-world/";
        module.factory('Auth', function () {
            return auth;
        });
        angular.bootstrap(document, ["hello.world"]);
    }).error(function () {
        window.location.reload();
    });
});

module.factory('authInterceptor', ["$q", "Auth", function ($q, Auth) {
    return {
        // Refresh the token if it expires within 5 s, then attach it as a Bearer header.
        'request': function (config) {
            var deferred = $q.defer();
            if (Auth.authz && Auth.authz.token) {
                Auth.authz.updateToken(5).success(function () {
                    config.headers = config.headers || {};
                    config.headers.Authorization = 'Bearer ' + Auth.authz.token;
                    deferred.resolve(config);
                }).error(function () {
                    deferred.reject('Failed to refresh token');
                });
            } else {
                // No token (should not happen after login-required), but never
                // leave the promise pending: the request would hang forever.
                deferred.resolve(config);
            }
            return deferred.promise;
        },
        'requestError': function (rejection) {
            return $q.reject(rejection);
        },
        'response': function (response) {
            return response;
        },
        'responseError': function (response) {
            if (response.status == 401) {
                console.log('session timeout?');
                logout();
            } else if (response.status == 403) {
                alert("Forbidden");
            } else if (response.status == 404) {
                alert("Not found");
            } else if (response.status) {
                console.log(response.status);
                if (response.data && response.data.errorMessage) {
                    alert(response.data.errorMessage);
                } else {
                    alert("An unexpected server error has occurred");
                }
            } else if (response === 'Failed to refresh token') {
                // The rejection from the request interceptor arrives here as a plain string.
                logout();
            }
            return $q.reject(response);
        }
    };
}]);

module.config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push('authInterceptor');
}]);

-- Tair Sabirgaliev Bee Software, LLP On October 5, 2015 at 02:57:31, keycloak-user-request at lists.jboss.org wrote: > Date: Sat, 3 Oct 2015 20:17:04 +0200 > From: "Kevin Hirschmann" > Subject: [keycloak-user] angularjs example for 1.4 > To: "'keycloak-user'" > Message-ID: <00cd01d0fe07$b4ab5d60$1e021820$@huebinet.de> > Content-Type: text/plain; charset="iso-8859-1" > > Hello, > > I am trying to use the example provided here > > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app > > to connect from an angularjs client to a REST Endpoint. Both frontend and > backend are protected by keycloak. > > My problem is that the example provided by the link above uses angularjs > 1.2 and doesn't work with newer versions. 
> > (see > http://stackoverflow.com/questions/28212837/keycloak-unknown-provider-error) > > Has anyone on the mailing list been able to adapt the example to angular > 1.4? What steps are necessary? > > Kind Regards > > Kevin Hirschmann > > HUEBINET Informationsmanagement GmbH & Co. KG > > E-mail correspondence with HUEBINET Informationsmanagement GmbH & Co. KG, > Koblenz serves information purposes only. Legally binding declarations > cannot be exchanged via this medium, since manipulation of e-mails by third > parties cannot be ruled out. > > Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is > only intended to provide information of a general kind, and shall not be > used for any statement with binding contents in respect to legal relations. > It is not totally possible to prevent a third party from manipulating emails > and email contents. > From tair.sabirgaliev at bee.kz Sun Oct 4 22:50:53 2015 From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev) Date: Mon, 5 Oct 2015 08:50:53 +0600 Subject: [keycloak-user] angularjs example for 1.4 In-Reply-To: References: Message-ID: Hi, Kevin I replied to batch mail, so this one went out of context. -- Tair Sabirgaliev Bee Software, LLP On October 5, 2015 at 08:43:11, Tair Sabirgaliev (tair.sabirgaliev at bee.kz) wrote: Here is what we did for angular 1.4 :

"use strict";

var module = angular.module('hello.world', ['ngRoute', 'ngResource']);

var auth = {};

var logout = function () {
    console.log('*** LOGOUT');
    auth.loggedIn = false;
    auth.authz = null;
    window.location = auth.logoutUrl;
};

// Manual bootstrap (no ng-app in the page), so the 'Auth' factory is
// registered before the injector is created. ready() takes a plain
// function; the array-annotated form originally posted only works when
// jQuery supplies ready().
angular.element(document).ready(function () {
    var keycloakAuth = new Keycloak('js/keycloak.json');
    auth.loggedIn = false;

    keycloakAuth.init({ onLoad: 'login-required' }).success(function () {
        auth.loggedIn = true;
        auth.authz = keycloakAuth;
        auth.logoutUrl = keycloakAuth.authServerUrl + "/realms/demo/tokens/logout?redirect_uri=http://localhost:9080/hello-world/";
        module.factory('Auth', function () {
            return auth;
        });
        angular.bootstrap(document, ["hello.world"]);
    }).error(function () {
        window.location.reload();
    });
});

module.factory('authInterceptor', ["$q", "Auth", function ($q, Auth) {
    return {
        // Refresh the token if it expires within 5 s, then attach it as a Bearer header.
        'request': function (config) {
            var deferred = $q.defer();
            if (Auth.authz && Auth.authz.token) {
                Auth.authz.updateToken(5).success(function () {
                    config.headers = config.headers || {};
                    config.headers.Authorization = 'Bearer ' + Auth.authz.token;
                    deferred.resolve(config);
                }).error(function () {
                    deferred.reject('Failed to refresh token');
                });
            } else {
                // No token (should not happen after login-required), but never
                // leave the promise pending: the request would hang forever.
                deferred.resolve(config);
            }
            return deferred.promise;
        },
        'requestError': function (rejection) {
            return $q.reject(rejection);
        },
        'response': function (response) {
            return response;
        },
        'responseError': function (response) {
            if (response.status == 401) {
                console.log('session timeout?');
                logout();
            } else if (response.status == 403) {
                alert("Forbidden");
            } else if (response.status == 404) {
                alert("Not found");
            } else if (response.status) {
                console.log(response.status);
                if (response.data && response.data.errorMessage) {
                    alert(response.data.errorMessage);
                } else {
                    alert("An unexpected server error has occurred");
                }
            } else if (response === 'Failed to refresh token') {
                // The rejection from the request interceptor arrives here as a plain string.
                logout();
            }
            return $q.reject(response);
        }
    };
}]);

module.config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push('authInterceptor');
}]);

-- Tair Sabirgaliev Bee Software, LLP On October 5, 2015 at 02:57:31, keycloak-user-request at lists.jboss.org wrote: > Date: Sat, 3 Oct 2015 20:17:04 +0200 > From: "Kevin Hirschmann" > Subject: [keycloak-user] angularjs example for 1.4 > To: "'keycloak-user'" > Message-ID: <00cd01d0fe07$b4ab5d60$1e021820$@huebinet.de> > Content-Type: text/plain; charset="iso-8859-1" > > Hello, > > I am trying to use the example provided here > > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app > > to connect from an angularjs client to a REST Endpoint. Both frontend and > backend are protected by keycloak. > > My problem is that the example provided by the link above uses angularjs > 1.2 and doesn't work with newer versions. > > (see > http://stackoverflow.com/questions/28212837/keycloak-unknown-provider-error) > > Has anyone on the mailing list been able to adapt the example to angular > 1.4? What steps are necessary? > > Kind Regards > > Kevin Hirschmann > > HUEBINET Informationsmanagement GmbH & Co. KG > > E-mail correspondence with HUEBINET Informationsmanagement GmbH & Co. KG, > Koblenz serves information purposes only. Legally binding declarations > cannot be exchanged via this medium, since manipulation of e-mails by third > parties cannot be ruled out. > > Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is > only intended to provide information of a general kind, and shall not be > used for any statement with binding contents in respect to legal relations. 
> It is not totally possible to prevent a third party from manipulating emails > and email contents. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/f344025e/attachment-0001.html From ornot2008 at yahoo.com Mon Oct 5 00:19:04 2015 From: ornot2008 at yahoo.com (Mai Zi) Date: Mon, 5 Oct 2015 04:19:04 +0000 (UTC) Subject: [keycloak-user] No user data in the access-token Message-ID: <1113328523.419743.1444018744406.JavaMail.yahoo@mail.yahoo.com> Hi, there We add a user (with name and email) via the endpoint: /admin/realms/demo/users and then we want to get the name and the email from the accesstoken, KeycloakSecurityContext session = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); AccessToken token=session.getToken(); but nothing there. Can anyone help on this? T.I.A Mai -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/e8f25fba/attachment.html From thomas.raehalme at aitiofinland.com Mon Oct 5 00:30:03 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Mon, 5 Oct 2015 07:30:03 +0300 Subject: [keycloak-user] export of realm json In-Reply-To: <5611BA88.4060809@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> Message-ID: On Oct 5, 2015 2:47 AM, "Bill Burke" wrote: > > > > On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >> >> >> On Oct 4, 2015 23:57, "Bill Burke" > > wrote: >> > >> > For security reasons we did not want to have a remote option to export. >> >> You can still access all the same information via the admin application, >> no? So I wonder if it really improves security... >> > > You can't view user credentials from admin console. Nor can you view realm's private keys or secrets. 
Ah, that's true, it's only the public key for the realm. You're right, I'm sorry for the confusion. Best regards, Thomas > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/a640c578/attachment.html From mposolda at redhat.com Mon Oct 5 02:52:23 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 5 Oct 2015 08:52:23 +0200 Subject: [keycloak-user] Findings about keycloak--Important In-Reply-To: References: Message-ID: <56121E27.1040202@redhat.com> Hi, this looks like bad time set either on your centos machine or on windows OS machine with Keycloak. Can't it be that? I suggest to doublecheck the time settings on all your servers and sync it to be the correct and same on all your servers. Marek On 04/10/15 11:04, Satyajit Das wrote: > Hi Team, > > 1) I have the keycloak(1.4.0 final) set up in windows OS. > > 2) I have 2 services that i have secured using keycloak. The services > are registered in keycloak and the respective keycloak.json is placed > in resource folder. > > 3) When the services are are deployed in Ubuntu OS the authentication > works as expected. by sharing the tokenid > > but then the services are deployed in centos machine the > authentication fails. > > The error is Invalid token: Token is inactive. > > I tried the same setup and the same war files of services on different > instances of centos , we are facing the same issue but the issue is > not replicated on ubuntu different instances. > > Please let me know your thoughts. > > Regards, > Satya. > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/0047a36a/attachment.html From mposolda at redhat.com Mon Oct 5 04:05:49 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 5 Oct 2015 10:05:49 +0200 Subject: [keycloak-user] No user data in the access-token In-Reply-To: <1113328523.419743.1444018744406.JavaMail.yahoo@mail.yahoo.com> References: <1113328523.419743.1444018744406.JavaMail.yahoo@mail.yahoo.com> Message-ID: <56122F5D.20407@redhat.com> Hi, you added a user and then you authenticated with this user to keycloak application? The "nothing here" means that whole variable "session" is null or just that name and email are missing in the token? If it's the first case, then I suspect that you didn't authenticate user with the Keycloak at all. Make sure to mark all the security-constraints URLs into web.xml (check the examples for details). If just the name and email is missing in the token, then doublecheck if your user has the values you gave to him (you can do it in admin console). Other possibility is that your client doesn't have protocol mappers, but I don't think error is here as name and email protocol mappers are added by default. Marek On 05/10/15 06:19, Mai Zi wrote: > Hi, there > > We add a user ( with name and email ) via the endpoint : > /admin/realms/demo/users > > > and then we want to get the name and the email from the accesstoken, > > > KeycloakSecurityContext session = (KeycloakSecurityContext) > request.getAttribute(KeycloakSecurityContext.class.getName()); > AccessToken token=session.getToken(); > > > > but nothing there. > > > > > Can anyone help on this? > > > T.I.A > > Mai > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
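Two of the threads above come down to what the access token actually carries: Bill's and Marek's replies to Satyajit put "Token is inactive" down to out-of-sync clocks, and Marek's reply to Mai turns on whether name and email are in the token at all. The Python below is an added example (mine, not Keycloak code, and not a substitute for the adapter's signature check) that decodes a token's payload without verifying it, applies a time-claim test modelled on the adapter's exp/nbf check with an optional clock-skew tolerance, and lists which standard profile claims are missing. The realm URL, the user id and the unsigned sample token are constructed; the claim names are the OIDC/Keycloak defaults.

```python
import base64
import json

# Profile claims Keycloak's default protocol mappers put into the access
# token; the "No user data in the access-token" thread is about these.
PROFILE_CLAIMS = ("preferred_username", "name", "given_name", "family_name", "email")


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT checking its signature.

    Signature verification stays with the adapter (realm RSA public key);
    this is an inspection aid, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def is_active(claims: dict, now: int, skew: int = 0) -> bool:
    """Time-claim check modelled on the adapter's "Token is inactive" test.

    now  - the verifying service's clock, epoch seconds
    skew - seconds of issuer/verifier clock drift to tolerate (0 = strict)
    """
    exp = claims.get("exp")
    nbf = claims.get("nbf", 0)
    if exp is not None and now > exp + skew:
        return False  # expired, or the verifier's clock runs ahead of Keycloak
    if now + skew < nbf:
        return False  # not yet valid, or the verifier's clock runs behind
    return True


def missing_profile_claims(claims: dict) -> list:
    """Standard profile claims the token should carry but does not."""
    return [name for name in PROFILE_CLAIMS if not claims.get(name)]


def diagnose(token: str, now: int, skew: int = 0) -> dict:
    claims = decode_claims(token)
    return {
        "active": is_active(claims, now, skew),
        "seconds_until_expiry": claims["exp"] - now,
        "missing_profile_claims": missing_profile_claims(claims),
    }


def make_unsigned_token(claims: dict) -> str:
    """Compact JWT with alg=none and an empty signature: CONSTRUCTED test
    input only. Real Keycloak tokens are RS256-signed; an adapter must
    reject this one."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed sample: a five-minute token minted by the Keycloak host at ISSUED_AT.
# 'name' and 'email' are deliberately absent, as when the user was created
# through /admin/realms/demo/users without them.
ISSUED_AT = 1444000000
SAMPLE_CLAIMS = {
    "iss": "http://keycloak.example:8080/auth/realms/demo",  # assumed realm URL
    "sub": "7f2c0c3e-0000-4000-8000-000000000001",           # constructed user id
    "iat": ISSUED_AT,
    "nbf": 0,
    "exp": ISSUED_AT + 300,
    "preferred_username": "mai",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    # Ubuntu host whose clock agrees with Keycloak: token is good for ~5 minutes.
    print(diagnose(SAMPLE_TOKEN, now=ISSUED_AT + 10))
    # CentOS host running six minutes fast: the same token is "inactive" on arrival.
    print(diagnose(SAMPLE_TOKEN, now=ISSUED_AT + 370))
    # A one-minute tolerance does not paper over a six-minute clock error:
    # fix the clock (ntp/chrony on every host), not the check.
    print(diagnose(SAMPLE_TOKEN, now=ISSUED_AT + 370, skew=60))
```

A non-empty missing_profile_claims list with an active token points at the user record or the client's protocol mappers, as Marek suggests; an inactive token with a large negative seconds_until_expiry on a host that just received it points at the clock.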
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/de59b81f/attachment.html From mposolda at redhat.com Mon Oct 5 04:10:48 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 5 Oct 2015 10:10:48 +0200 Subject: [keycloak-user] Role Name query parameter on user list admin rest api In-Reply-To: References: Message-ID: <56123088.3090405@redhat.com> Hi, feel free to create JIRA. However not sure if/when we add this...:-\ Marek On 03/10/15 08:50, Travis De Silva wrote: > Hi, > > I am using the below admin rest api to get a list of users by realm > > http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/index.html#GET > > In the query parameters, you don't get a parameter for the role name. > > My use case is to get a list of users by a role. In some of the past > forum ports this was discussed but it was more around writing a SQL > query and I prefer to use the admin rest api. > > Has anyone else had this requirement and how did they go about solving > this or should I raise a Jira request. > > Cheers > Travis > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/5b5bbfbb/attachment-0001.html From mhajas at redhat.com Mon Oct 5 06:45:17 2015 From: mhajas at redhat.com (Michal Hajas) Date: Mon, 5 Oct 2015 06:45:17 -0400 (EDT) Subject: [keycloak-user] How to enable grant logging In-Reply-To: References: <1744131951.24492075.1443701298541.JavaMail.zimbra@redhat.com> <1658882558.24504565.1443702237274.JavaMail.zimbra@redhat.com> Message-ID: <803974986.25832581.1444041917221.JavaMail.zimbra@redhat.com> Hi, I would like to ask, which event type, in Login Events Settings form -> Saved Types input, stands for grant access? Michal. 
From thomas.raehalme at aitiofinland.com Mon Oct 5 06:56:27 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Mon, 5 Oct 2015 13:56:27 +0300 Subject: [keycloak-user] export of realm json In-Reply-To: <5611BA88.4060809@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> Message-ID: On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke wrote: > On 10/4/2015 5:37 PM, Thomas Raehalme wrote: > >> >> On Oct 4, 2015 23:57, "Bill Burke" > > wrote: >> > >> > For security reasons we did not want to have a remote option to export. >> >> How about just storing the export as a local file on the server? You'd need access to the server in order to get the file (making the system compromised anyways). The change to current behaviour is that you would be able to trigger the export at will without server restart. Best regards, Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/c5e7df8e/attachment.html From sebastian.rose at aoe.com Mon Oct 5 09:01:42 2015 From: sebastian.rose at aoe.com (Sebastian Rose) Date: Mon, 5 Oct 2015 13:01:42 +0000 Subject: [keycloak-user] retrieving custom user attributes In-Reply-To: References: Message-ID: Hi, for me this works fine. You have to add a Mapping of Kind 'User Attribute' (Mapper Type) within Clients -> -> 'Mappers'. Best Regards, Sebastian Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Arjan Lamers Gesendet: Donnerstag, 1. Oktober 2015 16:18 An: keycloak-user at lists.jboss.org Betreff: Re: [keycloak-user] retrieving custom user attributes Hi, Well, as far as I can see, the unmarshalled AccessToken does not contain any custom attributes. I would expect something like a Map where you can access additional attributes. 
Just to be clear: the custom attribute I configured does appear in the JWT token, I am simply searching for an easy way to access them from Java. There is an 'otherClaims' in the JsonWebToken, should they appear there? (They don't). Kind regards, Arjan Lamers What do you want for an interface? KeycloakSecurityContext has the unmarshalled IDToken and AccessToken. KeycloakPrincipal.getKeycloakSecurityContext().getToken() On 9/30/2015 11:12 AM, Arjan Lamers wrote: > Hi, > > I am trying to find an easy way to access custom attributes as defined > for a client. For a Keycloak client, I've defined a new Mapper for a > /user attribute/ to store some additional authorisation data. This then > is managed by some user domain that uses the keycloak-admin-client to > write that property. > > The problem arises when I want to access that property in a JEE > application. The way I do it right now is to use the KeycloakPrincipal found > in the javax.ejb.SessionContext. From there, I get the JWT token as a > String, deserialize the JSON and access the custom attribute from there. > This feels like a very roundabout way to get to the token but somehow I > am not able to find an easier way. Is it a missing feature or is it > simply too close to the weekend for me ;)? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/6a960d6d/attachment.html From remi.cartier at imetrik.com Mon Oct 5 09:07:25 2015 From: remi.cartier at imetrik.com (Remi Cartier) Date: Mon, 5 Oct 2015 13:07:25 +0000 Subject: [keycloak-user] Search by client roles & search by custom attributes Message-ID: <31E965D3-1EBA-41CB-B6B4-11CF5357E0CC@imetrik.com> Hey there, Question 1: I was wondering if there was an existing mechanism to fetch users that have some specific client roles. My scenario is this one. As a SSO provider, different applications (clients) are created in Keycloak. 
A specific user can have roles for some of those clients. If, in one of my applications, I want to list all the users that "belong" to me (that have roles for my application), how do I do that? I don't want to list all the users and then filter them by some criteria; that would be a very inefficient way to do it. (CPU + Bandwidth) Question 2: In the search REST admin endpoint, is there a mechanism to filter on specific custom attributes? For example, I created a language attribute for a user. I now want to list all my users with custom attribute language=FR, for example; how do I do that? Syntax could be: /search?attribute1=language&value1=FR or /search?attribute_language=FR Thanks for your time and great work. Sorry if those questions have already been asked (if so, please, simply point me to some reference without repeating yourself). Cheers! ________________________________ REMI CARTIER B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) IMETRIK GLOBAL INC. T : +1 514 448-6407 x2009 T : +1 866 276-5382 (toll free) F : +1 514 904-0611 740 Notre Dame St. West, Suite 1575 Montreal, Quebec, Canada H3C 3X6 imetrik.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/c5bb7c73/attachment-0001.html From bburke at redhat.com Mon Oct 5 09:19:39 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 5 Oct 2015 09:19:39 -0400 Subject: [keycloak-user] Search by client roles & search by custom attributes In-Reply-To: <31E965D3-1EBA-41CB-B6B4-11CF5357E0CC@imetrik.com> References: <31E965D3-1EBA-41CB-B6B4-11CF5357E0CC@imetrik.com> Message-ID: <561278EB.1000908@redhat.com> Can only search by name and email right now. We need to make this a priority. On 10/5/2015 9:07 AM, Remi Cartier wrote: > Hey there, > > *Question 1:* > > I was wondering if there was an existing mechanism to fetch users that > have some specific client roles. > > My scenario is this one. 
As a SSO provider, different applications > (clients) are created in Keycloak. > A specific user can have roles for some of those clients. > > If, in one of my applications, I want to list all the users that > "belong" to me (that have roles for my application), how do I do that? > > I don't want to list all the users and then filter them by some > criteria; that would be a very inefficient way to do it. (CPU + Bandwidth) > > *Question 2: * > > In the search REST admin endpoint, is there a mechanism to filter on > specific custom attributes? > > For example, I created a language attribute for a user. I now want to > list all my users with custom attribute language=FR, for example; how do > I do that? > > Syntax could be: > /search?attribute1=language&value1=FR or > /search?attribute_language=FR > > Thanks for your time and great work. > Sorry if those questions have already been asked (if so, please, simply > point me to some reference without repeating yourself). > > Cheers! > > ------------------------------------------------------------------------ > > > REMI CARTIER > > B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) > > *IMETRIK GLOBAL INC.* > *T :* +1 514 448-6407 x2009 > *T :* +1 866 276-5382 (toll free) > *F :* +1 514 904-0611 > > 740 Notre Dame St. West, Suite 1575 > Montreal, Quebec, Canada H3C 3X6 > imetrik.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From sebastian.rose at aoe.com Mon Oct 5 09:22:55 2015 From: sebastian.rose at aoe.com (Sebastian Rose) Date: Mon, 5 Oct 2015 13:22:55 +0000 Subject: [keycloak-user] Direkt Link to forgot password page Message-ID: <8c9b49eaa1cc4d77aac678ef91b0de20@exchange02.srv.hq.aoe.lan> Hi all, part of my requirements are static links to forgot-password/forgot-credentials and register-user. 
As far as I understand the source code and everything I read so far, there is a check for the code/user-session and the client-id. Would it be acceptable to change this behaviour to allow requesting e.g. the forgot password link without visiting the login page first?

Best Regards,
Sebastian

[AOESigLogo]
Sebastian Rose
Developer
AOE GmbH
LuisenForum, Kirchgasse 6
65185 Wiesbaden
Germany
Tel. +49 6122 70 70 7 -234
Fax. +49 6122 70 70 7 -199
e-Mail: sebastian.rose at aoe.com
Web: http://www.aoe.com/

Mandatory disclosures under the German Commercial Code §37a / Stock Corporation Act §35a
VAT ID no.: DE250247455
Commercial register: Wiesbaden B
Commercial register no.: 22567
Registered office: Wiesbaden
Creditreform: 625.0209354
Managing director: Kian Toyouri Gould

This e-mail message contains confidential and/or legally protected information. If you are not the correct addressee or have received this e-mail in error, please inform the sender immediately and destroy this e-mail.

This e-mail message may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail.

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/1ae59630/attachment.html
-------------- next part -------------- A non-text attachment was scrubbed...
Name: image001.jpg Type: image/jpeg Size: 6344 bytes Desc: image001.jpg Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/1ae59630/attachment.jpg

From srossillo at smartling.com Mon Oct 5 11:36:48 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 5 Oct 2015 11:36:48 -0400
Subject: [keycloak-user] export of realm json
In-Reply-To:
References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com>
Message-ID: <0B9CD8CC-A549-4AF4-BCB4-A698F788F7E9@smartling.com>

It would be helpful to be able to export the realm from the admin console, but I understand the security risk and I wouldn't want this enabled in production. I'd say if you do end up adding a remote export option, it should be enabled in keycloak-server.json with the value set to disabled by default.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Oct 5, 2015, at 6:56 AM, Thomas Raehalme wrote:
>
> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke wrote:
> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
> > On Oct 4, 2015 23:57, "Bill Burke" wrote:
> > >
> > > For security reasons we did not want to have a remote option to export.
>
> How about just storing the export as a local file on the server? You'd need access to the server in order to get the file (making the system compromised anyways). The change to current behaviour is that you would be able to trigger the export at will without server restart.
>
> Best regards,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/e6dfa0b6/attachment-0001.html

From remi.cartier at imetrik.com Mon Oct 5 11:59:42 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Mon, 5 Oct 2015 15:59:42 +0000
Subject: [keycloak-user] Hash Algorithm
Message-ID:

Hey guys,

I will have to migrate from a custom in-house user management system to Keycloak. We are using this algorithm to store salted/hashed passwords:

    import java.math.BigInteger;
    import java.security.spec.KeySpec;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;

    public static String hashPassword(String password, String salt) {
        try {
            // PBKDF2 with HMAC-SHA1, 2048 iterations, 160-bit derived key
            KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
            // hex-encode via BigInteger; toString(16) omits leading zero nibbles
            return new BigInteger(1, hash).toString(16);
        } catch (Exception x) {
            throw new IllegalStateException(x);
        }
    }

I was wondering, in order to ease the migration, if I could configure Keycloak to use the same hash algorithm? Or if there were any other ways? Like maybe a federation provider, but then comes the question of when to push things into Keycloak, at password change?

What do you think?

Sincerely.

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/5d27b5be/attachment.html

From tdudgeon.ml at gmail.com Mon Oct 5 12:34:59 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Mon, 5 Oct 2015 17:34:59 +0100
Subject: [keycloak-user] export of realm json
In-Reply-To:
References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com>
Message-ID: <5612A6B3.3010307@gmail.com>

That's a good point. Having to stop/start the server to generate an export is not ideal.

Tim

On 05/10/2015 11:56, Thomas Raehalme wrote:
>
> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke wrote:
>
> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>
> > On Oct 4, 2015 23:57, "Bill Burke" wrote:
> > >
> > > For security reasons we did not want to have a remote
> option to export.
>
> How about just storing the export as a local file on the server? You'd
> need access to the server in order to get the file (making the system
> compromised anyways). The change to current behaviour is that you
> would be able to trigger the export at will without server restart.
>
> Best regards,
> Thomas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/94ceaed9/attachment.html

From bburke at redhat.com Mon Oct 5 13:08:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 5 Oct 2015 13:08:04 -0400
Subject: [keycloak-user] Hash Algorithm
In-Reply-To:
References:
Message-ID: <5612AE74.8080703@redhat.com>

Yeah, for now, federation provider would be the correct approach. But if you're migrating we should provide a facility to plug in hash algorithm. I'll add a jira.
On 10/5/2015 11:59 AM, Remi Cartier wrote: > Hey guys, > > I will have to migrate from a custom in house user management system to > keycloak. > We are using this algorithm to store salted/hashed password : > > public static String hashPassword(String password, String salt) { > try { > KeySpec keySpec = new PBEKeySpec(password.toCharArray(), > salt.getBytes(), 2048, 160); > SecretKeyFactory secretKeyFactory = > SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); > byte[] hash = > secretKeyFactory.generateSecret(keySpec).getEncoded(); > return new BigInteger(1, hash).toString(16); > } catch (Exception x) { > throw new IllegalStateException(x); > } > } > > I was wondering, in order to ease the migration, if I could configure > keycloak to use the same hash algorithm ? > > Or if there was any other ways ? Like maybe a federation provider, but > then comes the question when to push things into keycloak, at password > change ? > > What do you think ? > > Sincerely. > > ------------------------------------------------------------------------ > > > REMI CARTIER > > B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) > > *IMETRIK GLOBAL INC.* > *T :* +1 514 448-6407 x2009 > *T :* +1 866 276-5382 (toll free) > *F :* +1 514 904-0611 > > 740 Notre Dame St. West, Suite 1575 > Montreal, Quebec, Canada H3C 3X6 > imetrik.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From srossillo at smartling.com Mon Oct 5 13:13:13 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Mon, 5 Oct 2015 13:13:13 -0400 Subject: [keycloak-user] Hash Algorithm In-Reply-To: References: Message-ID: <3EE9D383-25DD-4EE8-B6A9-C9A01D62BFC3@smartling.com> I?d recommend using a federation provider. 
Others may have another opinion but here's the approach I like, using a federation provider:

Create the user when Keycloak calls one of these methods on the federation provider and the user exists in the legacy system:

    UserFederationProvider.getUserByUsername()
    UserFederationProvider.getUserByEmail()

This creates the federation link. However, do not set a password for the user yet (you wouldn't know what to set it to yet anyway).

Then, when Keycloak calls:

    UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List input)

query your legacy system to see if the given user and password combination is valid. If so:

1. Update the user (in Keycloak) to have the password supplied in List input
2. Break the federation link (session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)

I'm going to publish a template for migrating users using this approach soon. For now, I hope this is enough to get you going in the right direction if you choose the federation provider approach.

~ Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Oct 5, 2015, at 11:59 AM, Remi Cartier wrote:
>
> Hey guys,
>
> I will have to migrate from a custom in house user management system to keycloak.
> We are using this algorithm to store salted/hashed password :
>
> public static String hashPassword(String password, String salt) {
>     try {
>         KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
>         SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>         byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
>         return new BigInteger(1, hash).toString(16);
>     } catch (Exception x) {
>         throw new IllegalStateException(x);
>     }
> }
>
> I was wondering, in order to ease the migration, if I could configure keycloak to use the same hash algorithm ?
>
> Or if there was any other ways ?
> Like maybe a federation provider, but then comes the question when to push things into keycloak, at password change ?
>
> What do you think ?
>
> Sincerely.
>
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> IMETRIK GLOBAL INC.
> T : +1 514 448-6407 x2009
> T : +1 866 276-5382 (toll free)
> F : +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/70c163c9/attachment-0001.html

From remi.cartier at imetrik.com Mon Oct 5 13:16:13 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Mon, 5 Oct 2015 17:16:13 +0000
Subject: [keycloak-user] Hash Algorithm
In-Reply-To: <3EE9D383-25DD-4EE8-B6A9-C9A01D62BFC3@smartling.com>
References: <3EE9D383-25DD-4EE8-B6A9-C9A01D62BFC3@smartling.com>
Message-ID: <593EEA3E-2678-4619-9ED5-ABDB9BC97EEE@imetrik.com>

Great explanation Scott, thank you for the details. Thanks to Bill too for his reply.

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

On Oct 5, 2015, at 1:13 PM, Scott Rossillo wrote:

I'd recommend using a federation provider.

Others may have another opinion but here's the approach I like, using a federation provider:

Create the user when Keycloak calls one of these methods on the federation provider and the user exists in the legacy system:

    UserFederationProvider.getUserByUsername()
    UserFederationProvider.getUserByEmail()

This creates the federation link.
However, do not set a password for the user yet (you wouldn't know what to set it to yet anyway).

Then, when Keycloak calls:

    UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List input)

query your legacy system to see if the given user and password combination is valid. If so:

1. Update the user (in Keycloak) to have the password supplied in List input
2. Break the federation link (session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)

I'm going to publish a template for migrating users using this approach soon. For now, I hope this is enough to get you going in the right direction if you choose the federation provider approach.

~ Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Oct 5, 2015, at 11:59 AM, Remi Cartier wrote:

Hey guys,

I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :

    public static String hashPassword(String password, String salt) {
        try {
            KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
            return new BigInteger(1, hash).toString(16);
        } catch (Exception x) {
            throw new IllegalStateException(x);
        }
    }

I was wondering, in order to ease the migration, if I could configure keycloak to use the same hash algorithm ?

Or if there was any other ways ? Like maybe a federation provider, but then comes the question when to push things into keycloak, at password change ?

What do you think ?

Sincerely.

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St.
West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/0f8d17b2/attachment-0001.html

From bmcwhirt at redhat.com Mon Oct 5 13:17:23 2015
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Mon, 5 Oct 2015 13:17:23 -0400
Subject: [keycloak-user] Hash Algorithm
In-Reply-To: <5612AE74.8080703@redhat.com>
References: <5612AE74.8080703@redhat.com>
Message-ID:

I think it could be useful that if a Keycloak is using an alternate hash (possibly insecure or sub-optimal), it hashes the cleartext with ALT-HASH, and if successful, re-hashes the cleartext with KEYCLOAK-HASH and stores the new hash in the canonical Keycloak DB. This would allow for rolling migration of accounts as users log in. This way you could effectively rehash the passwords without forcing a global password reset.

After so many days (90, 120, whatever your policy), you could determine who has not logged in successfully, by finding those who don't have a KC-stored password, and force them to reset upon next login or whatnot.

On Mon, Oct 5, 2015 at 1:08 PM, Bill Burke wrote:
> Yeah, for now, federation provider would be the correct approach. But
> if you're migrating we should provide a facility to plug in hash
> algorithm. I'll add a jira.
>
> On 10/5/2015 11:59 AM, Remi Cartier wrote:
> > Hey guys,
> >
> > I will have to migrate from a custom in house user management system to
> > keycloak.
> > We are using this algorithm to store salted/hashed password : > > > > public static String hashPassword(String password, String salt) { > > try { > > KeySpec keySpec = new PBEKeySpec(password.toCharArray(), > > salt.getBytes(), 2048, 160); > > SecretKeyFactory secretKeyFactory = > > SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); > > byte[] hash = > > secretKeyFactory.generateSecret(keySpec).getEncoded(); > > return new BigInteger(1, hash).toString(16); > > } catch (Exception x) { > > throw new IllegalStateException(x); > > } > > } > > > > I was wondering, in order to ease the migration, if I could configure > > keycloak to use the same hash algorithm ? > > > > Or if there was any other ways ? Like maybe a federation provider, but > > then comes the question when to push things into keycloak, at password > > change ? > > > > What do you think ? > > > > Sincerely. > > > > ------------------------------------------------------------------------ > > > > > > REMI CARTIER > > > > B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) > > > > *IMETRIK GLOBAL INC.* > > *T :* +1 514 448-6407 x2009 > > *T :* +1 866 276-5382 (toll free) > > *F :* +1 514 904-0611 > > > > 740 Notre Dame St. West, Suite 1575 > > Montreal, Quebec, Canada H3C 3X6 > > imetrik.com > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
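Scott's federation-provider procedure earlier in the thread (create the user on getUserByUsername/getUserByEmail, verify the legacy credentials in validCredentials, then store the password in Keycloak and break the federation link) and Bob's rolling re-hash idea above are the same control flow. The following is an added example, not code from the thread or from Keycloak: it reproduces Remi's legacy PBKDF2 scheme, verifies a login against it, re-hashes with an assumed stronger scheme on the first success, and reports which accounts still lack a migrated hash once the grace period has passed. The in-memory store, the user records, the parameters of the new scheme and the sample users are all constructed for this example.

```python
"""Rolling password-hash migration: verify against a legacy PBKDF2 hash,
re-hash on the first successful login, and report accounts still unmigrated."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Legacy parameters, taken from the hashPassword() method posted in the thread.
LEGACY_ITERATIONS = 2048
LEGACY_KEY_BYTES = 160 // 8

# Replacement scheme. Assumed for this example; it is NOT Keycloak's own
# stored-hash format (a real provider hands the cleartext to Keycloak and
# the realm's password policy decides how it is hashed).
NEW_ITERATIONS = 27500
NEW_KEY_BYTES = 32

MIGRATION_START = datetime(2015, 10, 5)  # constructed date for the example


def days_later(n: int) -> datetime:
    return MIGRATION_START + timedelta(days=n)


def legacy_hash(password: str, salt: str) -> str:
    """Reproduce the Java code: PBKDF2WithHmacSHA1, 2048 iterations, 160-bit
    key, rendered with new BigInteger(1, hash).toString(16). toString(16)
    drops leading zero nibbles, so the string can be shorter than 40 chars;
    format(..., "x") behaves the same way. Assumes the JVM default charset
    used by salt.getBytes() was UTF-8."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             salt.encode("utf-8"), LEGACY_ITERATIONS, LEGACY_KEY_BYTES)
    return format(int.from_bytes(dk, "big"), "x")


def new_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               NEW_ITERATIONS, NEW_KEY_BYTES)


@dataclass
class UserRecord:
    legacy_salt: Optional[str]
    legacy_hash: Optional[str]
    new_salt: Optional[bytes] = None
    new_hash: Optional[bytes] = None
    migrated_at: Optional[datetime] = None

    @property
    def migrated(self) -> bool:
        return self.new_hash is not None


def build_demo_store() -> Dict[str, UserRecord]:
    """Constructed sample data standing in for the legacy user table."""
    return {
        "alice": UserRecord("a1b2c3", legacy_hash("correct horse battery", "a1b2c3")),
        "bob": UserRecord("d4e5f6", legacy_hash("hunter2", "d4e5f6")),
    }


def authenticate(store: Dict[str, UserRecord], username: str,
                 password: str, now: datetime) -> bool:
    """The validCredentials() step: check the legacy hash, and on the first
    success store a new hash and drop the legacy material (the equivalent of
    setting the password in Keycloak and breaking the federation link)."""
    rec = store.get(username)
    if rec is None:
        legacy_hash(password, "no-such-user")  # keep timing similar for unknown users
        return False
    if rec.migrated:
        return hmac.compare_digest(new_hash(password, rec.new_salt), rec.new_hash)
    if rec.legacy_hash is None:
        return False  # no hash of either kind: the account must go through a reset
    if not hmac.compare_digest(legacy_hash(password, rec.legacy_salt), rec.legacy_hash):
        return False
    rec.new_salt = secrets.token_bytes(16)
    rec.new_hash = new_hash(password, rec.new_salt)
    rec.migrated_at = now
    rec.legacy_salt = rec.legacy_hash = None
    return True


def accounts_to_reset(store: Dict[str, UserRecord], migration_start: datetime,
                      now: datetime, grace_days: int = 90) -> List[str]:
    """After the grace period, users without a migrated hash never logged in
    successfully and should be forced through a password reset."""
    if now - migration_start < timedelta(days=grace_days):
        return []
    return sorted(u for u, r in store.items() if not r.migrated)


if __name__ == "__main__":
    store = build_demo_store()
    print("alice, wrong password:", authenticate(store, "alice", "nope", MIGRATION_START))
    print("alice, right password:", authenticate(store, "alice", "correct horse battery", MIGRATION_START))
    print("alice migrated:", store["alice"].migrated)
    print("force reset after 91 days:", accounts_to_reset(store, MIGRATION_START, days_later(91)))
```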
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/780ae53d/attachment.html

From ssilvert at redhat.com Mon Oct 5 14:02:54 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 05 Oct 2015 14:02:54 -0400
Subject: [keycloak-user] export of realm json
In-Reply-To: <5612A6B3.3010307@gmail.com>
References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com>
Message-ID: <5612BB4E.8000705@redhat.com>

I'm actually starting on the design and implementation of this right now. It's import/export from the admin console. It will also have the ability to import/export partial pieces of a realm such as just users.

Thanks for the comments so far on this thread. They have been very helpful.

We will keep the idea that no secrets should ever be exported from admin console. I'm not sure that having a flag for it in keycloak-server.json helps. To edit keycloak-server.json, you need access to the server, in which case you might as well do the current import/export.

So what do you do after you import a user with no credentials? Some ideas:
* The administrator can reset the password manually.
* The user can do password recovery (if enabled)

Any other ideas?

Stan

On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> That's a good point. Having to stop/start the server to generate an
> export is not ideal.
>
> Tim
>
> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>
>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke wrote:
>>
>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>
>> > On Oct 4, 2015 23:57, "Bill Burke" wrote:
>> > >
>> > > For security reasons we did not want to have a remote
>> option to export.
>>
>> How about just storing the export as a local file on the server?
>> You'd need access to the server in order to get the file (making the
>> system compromised anyways).
The change to current behaviour is that >> you would be able to trigger the export at will without server restart. >> >> Best regards, >> Thomas >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/10da6f2c/attachment.html From thomas.raehalme at codecenter.fi Mon Oct 5 14:09:33 2015 From: thomas.raehalme at codecenter.fi (Thomas Raehalme) Date: Mon, 5 Oct 2015 21:09:33 +0300 Subject: [keycloak-user] export of realm json In-Reply-To: <5612BB4E.8000705@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> Message-ID: On Oct 5, 2015 21:03, "Stan Silvert" wrote: > > I'm actually starting on the design and implementation of this right now. It's import/export from the admin console. It will also have the ability to import/export partial pieces of a realm such as just users. > > Thanks for the comments so far on this thread. They have been very helpful. > > We will keep the idea that no secrets should ever be exported from admin console. I'm not sure that having a flag for it in keycloak-server.json helps. To edit keycloak-server.json, you need access to the server, in which case you might as well do the current import/export. > > So what do you do after you import a user with no credentials? Some ideas: > * The administrator can reset the password manually. > * The user can do password recovery (if enabled) > > An other ideas? 
It'd be helpful if one could use exported realms as a template allowing you to overwrite some properties such as the realm name when importing. I know you can do it manually by editing the file which is why I haven't suggested it earlier. Also allowing you to control with toggles whether to keep or regenerate keys and secrets would be useful. Best regards, Thomas > > Stan > > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: >> >> That's a good point. Having to stop/start the server to generate an export is not ideal. >> >> Tim >> >> On 05/10/2015 11:56, Thomas Raehalme wrote: >>> >>> >>> >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke wrote: >>>> >>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >>>>> >>>>> >>>>> On Oct 4, 2015 23:57, "Bill Burke" >>>> > wrote: >>>>> > >>>>> > For security reasons we did not want to have a remote option to export. >>>>> >>> >>> How about just storing the export as a local file on the server? You'd need access to the server in order to get the file (making the system compromised anyways). The change to current behaviour is that you would be able to trigger the export at will without server restart. >>> >>> Best regards, >>> Thomas >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/0ae0a519/attachment.html

From remi.cartier at imetrik.com Mon Oct 5 14:17:20 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Mon, 5 Oct 2015 18:17:20 +0000
Subject: [keycloak-user] Hash Algorithm
In-Reply-To: <3EE9D383-25DD-4EE8-B6A9-C9A01D62BFC3@smartling.com>
References: <3EE9D383-25DD-4EE8-B6A9-C9A01D62BFC3@smartling.com>
Message-ID: <343375C4-5DEF-4ECF-891F-04FA0E48656A@imetrik.com>

Me again,

I have written some simple FederationProviders for my migration case. I put them on pastebin here:

http://pastebin.com/sqt2Pm3P - JdbcUserFederationProviderFactory
http://pastebin.com/5JJyb7bm - JdbcUserFederationProvider

I tried to follow your recommendations. Does it seem to make sense?

Thank you guys!

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

On Oct 5, 2015, at 1:13 PM, Scott Rossillo wrote:

I'd recommend using a federation provider.

Others may have another opinion but here's the approach I like, using a federation provider:

Create the user when Keycloak calls one of these methods on the federation provider and the user exists in the legacy system:

    UserFederationProvider.getUserByUsername()
    UserFederationProvider.getUserByEmail()

This creates the federation link. However, do not set a password for the user yet (you wouldn't know what to set it to yet anyway).

Then, when Keycloak calls:

    UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List input)

query your legacy system to see if the given user and password combination is valid. If so:

1. Update the user (in Keycloak) to have the password supplied in List input
2.
Break the federation link (session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)

I'm going to publish a template for migrating users using this approach soon. For now, I hope this is enough to get you going in the right direction if you choose the federation provider approach.

~ Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Oct 5, 2015, at 11:59 AM, Remi Cartier wrote:

Hey guys,

I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :

    public static String hashPassword(String password, String salt) {
        try {
            KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
            return new BigInteger(1, hash).toString(16);
        } catch (Exception x) {
            throw new IllegalStateException(x);
        }
    }

I was wondering, in order to ease the migration, if I could configure keycloak to use the same hash algorithm ?

Or if there was any other ways ? Like maybe a federation provider, but then comes the question when to push things into keycloak, at password change ?

What do you think ?

Sincerely.

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/aaa70cbf/attachment-0001.html From bburke at redhat.com Mon Oct 5 14:24:37 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 5 Oct 2015 14:24:37 -0400 Subject: [keycloak-user] export of realm json In-Reply-To: <5612BB4E.8000705@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> Message-ID: <5612C065.4030002@redhat.com> I'm still averse to allowing export from admin console of any credentials or private keys. On 10/5/2015 2:02 PM, Stan Silvert wrote: > I'm actually starting on the design and implementation of this right > now. It's import/export from the admin console. It will also have the > ability to import/export partial pieces of a realm such as just users. > > Thanks for the comments so far on this thread. They have been very helpful. > > We will keep the idea that no secrets should ever be exported from admin > console. I'm not sure that having a flag for it in keycloak-server.json > helps. To edit keycloak-server.json, you need access to the server, in > which case you might as well do the current import/export. > > So what do you do after you import a user with no credentials? Some ideas: > * The administrator can reset the password manually. > * The user can do password recovery (if enabled) > > An other ideas? > > Stan > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: >> That's a good point. Having to stop/start the server to generate an >> export is not ideal. >> >> Tim >> >> On 05/10/2015 11:56, Thomas Raehalme wrote: >>> >>> >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke >> > wrote: >>> >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >>> >>> >>> On Oct 4, 2015 23:57, "Bill Burke" >> >> wrote: >>> > >>> > For security reasons we did not want to have a remote >>> option to export. 
>>> >>> >>> How about just storing the export as a local file on the server? >>> You'd need access to the server in order to get the file (making the >>> system compromised anyways). The change to current behaviour is that >>> you would be able to trigger the export at will without server restart. >>> >>> Best regards, >>> Thomas >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From thomas.raehalme at aitiofinland.com Mon Oct 5 14:26:46 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Mon, 5 Oct 2015 21:26:46 +0300 Subject: [keycloak-user] export of realm json In-Reply-To: <5612C065.4030002@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> <5612C065.4030002@redhat.com> Message-ID: On Oct 5, 2015 21:24, "Bill Burke" wrote: > > I'm still averse to allowing export from admin console of any > credentials or private keys. Even if they are not directly downloadable but require access to the server just like now? > > On 10/5/2015 2:02 PM, Stan Silvert wrote: > > I'm actually starting on the design and implementation of this right > > now. It's import/export from the admin console. It will also have the > > ability to import/export partial pieces of a realm such as just users. > > > > Thanks for the comments so far on this thread. 
They have been very helpful. > > > > We will keep the idea that no secrets should ever be exported from admin > > console. I'm not sure that having a flag for it in keycloak-server.json > > helps. To edit keycloak-server.json, you need access to the server, in > > which case you might as well do the current import/export. > > > > So what do you do after you import a user with no credentials? Some ideas: > > * The administrator can reset the password manually. > > * The user can do password recovery (if enabled) > > > > An other ideas? > > > > Stan > > > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: > >> That's a good point. Having to stop/start the server to generate an > >> export is not ideal. > >> > >> Tim > >> > >> On 05/10/2015 11:56, Thomas Raehalme wrote: > >>> > >>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke >>> > wrote: > >>> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: > >>> > >>> > >>> On Oct 4, 2015 23:57, "Bill Burke" >>> >> wrote: > >>> > > >>> > For security reasons we did not want to have a remote > >>> option to export. > >>> > >>> > >>> How about just storing the export as a local file on the server? > >>> You'd need access to the server in order to get the file (making the > >>> system compromised anyways). The change to current behaviour is that > >>> you would be able to trigger the export at will without server restart. 
> >>> > >>> Best regards, > >>> Thomas > >>> > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/a9d48055/attachment.html From ssilvert at redhat.com Mon Oct 5 14:27:34 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 05 Oct 2015 14:27:34 -0400 Subject: [keycloak-user] export of realm json In-Reply-To: <5612C065.4030002@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> <5612C065.4030002@redhat.com> Message-ID: <5612C116.301@redhat.com> agreed On 10/5/2015 2:24 PM, Bill Burke wrote: > I'm still averse to allowing export from admin console of any > credentials or private keys. > > On 10/5/2015 2:02 PM, Stan Silvert wrote: >> I'm actually starting on the design and implementation of this right >> now. It's import/export from the admin console. It will also have the >> ability to import/export partial pieces of a realm such as just users. >> >> Thanks for the comments so far on this thread. 
They have been very helpful. >> >> We will keep the idea that no secrets should ever be exported from admin >> console. I'm not sure that having a flag for it in keycloak-server.json >> helps. To edit keycloak-server.json, you need access to the server, in >> which case you might as well do the current import/export. >> >> So what do you do after you import a user with no credentials? Some ideas: >> * The administrator can reset the password manually. >> * The user can do password recovery (if enabled) >> >> An other ideas? >> >> Stan >> >> On 10/5/2015 12:34 PM, Tim Dudgeon wrote: >>> That's a good point. Having to stop/start the server to generate an >>> export is not ideal. >>> >>> Tim >>> >>> On 05/10/2015 11:56, Thomas Raehalme wrote: >>>> >>>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke >>> > wrote: >>>> >>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >>>> >>>> >>>> On Oct 4, 2015 23:57, "Bill Burke" >>> >> wrote: >>>> > >>>> > For security reasons we did not want to have a remote >>>> option to export. >>>> >>>> >>>> How about just storing the export as a local file on the server? >>>> You'd need access to the server in order to get the file (making the >>>> system compromised anyways). The change to current behaviour is that >>>> you would be able to trigger the export at will without server restart. 
>>>> >>>> Best regards, >>>> Thomas >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From ssilvert at redhat.com Mon Oct 5 14:33:35 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 05 Oct 2015 14:33:35 -0400 Subject: [keycloak-user] export of realm json In-Reply-To: References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> <5612C065.4030002@redhat.com> Message-ID: <5612C27F.9080809@redhat.com> On 10/5/2015 2:26 PM, Thomas Raehalme wrote: > > > On Oct 5, 2015 21:24, "Bill Burke" > wrote: > > > > I'm still averse to allowing export from admin console of any > > credentials or private keys. > > Even if they are not directly downloadable but require access to the > server just like now? > I think there should be no secrets ever downloadable from admin console. Admin console is, by definition, remote. If you have access to the server then you can use what is there now. It is possible, however, that when we do our CLI implementation we can verify that the user is local and allow full access. That way, you could do full export on a running server. WildFly CLI already has logic to verify a user is local. > > > > > On 10/5/2015 2:02 PM, Stan Silvert wrote: > > > I'm actually starting on the design and implementation of this right > > > now. It's import/export from the admin console. 
It will also > have the > > > ability to import/export partial pieces of a realm such as just users. > > > > > > Thanks for the comments so far on this thread. They have been > very helpful. > > > > > > We will keep the idea that no secrets should ever be exported from > admin > > > console. I'm not sure that having a flag for it in > keycloak-server.json > > > helps. To edit keycloak-server.json, you need access to the > server, in > > > which case you might as well do the current import/export. > > > > > > So what do you do after you import a user with no credentials? > Some ideas: > > > * The administrator can reset the password manually. > > > * The user can do password recovery (if enabled) > > > > > > An other ideas? > > > > > > Stan > > > > > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: > > >> That's a good point. Having to stop/start the server to generate an > > >> export is not ideal. > > >> > > >> Tim > > >> > > >> On 05/10/2015 11:56, Thomas Raehalme wrote: > > >>> > > >>> > > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke > > >>> >> wrote: > > >>> > > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: > > >>> > > >>> > > >>> On Oct 4, 2015 23:57, "Bill Burke" > > >>> > >>> wrote: > > >>> > > > >>> > For security reasons we did not want to have a remote > > >>> option to export. > > >>> > > >>> > > >>> How about just storing the export as a local file on the server? > > >>> You'd need access to the server in order to get the file (making the > > >>> system compromised anyways). The change to current behaviour is that > > >>> you would be able to trigger the export at will without server > restart. 
> > >>> > > >>> Best regards, > > >>> Thomas > > >>> > > >>> > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > >> > > >> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/b912b971/attachment-0001.html From thomas.raehalme at aitiofinland.com Mon Oct 5 14:37:33 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Mon, 5 Oct 2015 21:37:33 +0300 Subject: [keycloak-user] export of realm json In-Reply-To: <5612C27F.9080809@redhat.com> References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> <5612C065.4030002@redhat.com> <5612C27F.9080809@redhat.com> Message-ID: On Oct 5, 2015 21:33, "Stan Silvert" wrote: > > On 10/5/2015 2:26 PM, Thomas Raehalme wrote: >> >> >> On Oct 5, 2015 21:24, "Bill Burke" wrote: >> > >> > I'm still averse to allowing export from admin console of any >> > credentials or private keys. >> >> Even if they are not directly downloadable but require access to the server just like now? > > I think there should be no secrets ever downloadable from admin console. Admin console is, by definition, remote. > > If you have access to the server then you can use what is there now. > > It is possible, however, that when we do our CLI implementation we can verify that the user is local and allow full access. That way, you could do full export on a running server. WildFly CLI already has logic to verify a user is local. I guess that would be equal in terms of functionality, you just start the export from the CLI instead of from the admin console. > > >> >> > >> > On 10/5/2015 2:02 PM, Stan Silvert wrote: >> > > I'm actually starting on the design and implementation of this right >> > > now. It's import/export from the admin console. It will also have the >> > > ability to import/export partial pieces of a realm such as just users. >> > > >> > > Thanks for the comments so far on this thread. They have been very helpful. 
>> > > >> > > We will keep the idea that no secrets should ever be exported from admin >> > > console. I'm not sure that having a flag for it in keycloak-server.json >> > > helps. To edit keycloak-server.json, you need access to the server, in >> > > which case you might as well do the current import/export. >> > > >> > > So what do you do after you import a user with no credentials? Some ideas: >> > > * The administrator can reset the password manually. >> > > * The user can do password recovery (if enabled) >> > > >> > > An other ideas? >> > > >> > > Stan >> > > >> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: >> > >> That's a good point. Having to stop/start the server to generate an >> > >> export is not ideal. >> > >> >> > >> Tim >> > >> >> > >> On 05/10/2015 11:56, Thomas Raehalme wrote: >> > >>> >> > >>> >> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke > > >>> > wrote: >> > >>> >> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >> > >>> >> > >>> >> > >>> On Oct 4, 2015 23:57, "Bill Burke" > > >>> >> wrote: >> > >>> > >> > >>> > For security reasons we did not want to have a remote >> > >>> option to export. >> > >>> >> > >>> >> > >>> How about just storing the export as a local file on the server? >> > >>> You'd need access to the server in order to get the file (making the >> > >>> system compromised anyways). The change to current behaviour is that >> > >>> you would be able to trigger the export at will without server restart. 
>> > >>> >> > >>> Best regards, >> > >>> Thomas >> > >>> >> > >>> >> > >>> _______________________________________________ >> > >>> keycloak-user mailing list >> > >>> keycloak-user at lists.jboss.org >> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> > >> >> > >> >> > >> _______________________________________________ >> > >> keycloak-user mailing list >> > >> keycloak-user at lists.jboss.org >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> > http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
From mposolda at redhat.com Mon Oct 5 15:10:11 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Oct 2015 21:10:11 +0200
Subject: [keycloak-user] export of realm json
In-Reply-To: <5612C27F.9080809@redhat.com>
References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> <5612C065.4030002@redhat.com> <5612C27F.9080809@redhat.com>
Message-ID: <5612CB13.80002@redhat.com>

+1 on not allowing remote export from the admin console with the possibility to download the file. However, I am not seeing a problem with allowing export from the admin console as long as the exported file is downloaded to the server filesystem - either to a specified file or directory. As mentioned by Thomas, the advantage of this is that you can do the export at runtime without needing to restart the server.

However, there is one tricky thing with export at runtime: some user may make modifications while the export is in progress (for example, some user registers himself or changes his stuff in account management). This may result in broken data/inconsistencies. And that's the main reason why the export is currently allowed just at startup, when the server is not yet open for any requests from users. This can likely be handled somehow - for example with a locking servlet filter, which will block any requests to the server while the export is in progress, etc.

Another good thing to add might be a "progress" table. This can be useful when the admin has a very large database with millions of users and the export can take 10 hours or so. So the admin will be able to go to the table and check the progress of the export task (500.000 users already exported, 500.000 users still remaining, expected time to end: 3 hours 30 minutes), etc.
This stuff might be good for other long-running tasks in Keycloak as well (like syncing users from a federation provider when you have millions of users in LDAP, etc.)

Marek

On 05/10/15 20:33, Stan Silvert wrote: > On 10/5/2015 2:26 PM, Thomas Raehalme wrote: >> >> >> On Oct 5, 2015 21:24, "Bill Burke" > > wrote: >> > >> > I'm still averse to allowing export from admin console of any >> > credentials or private keys. >> >> Even if they are not directly downloadable but require access to the >> server just like now? >> > I think there should be no secrets ever downloadable from admin > console. Admin console is, by definition, remote. > > If you have access to the server then you can use what is there now. > > It is possible, however, that when we do our CLI implementation we can > verify that the user is local and allow full access. That way, you > could do full export on a running server. WildFly CLI already has > logic to verify a user is local. > >> >> > >> > On 10/5/2015 2:02 PM, Stan Silvert wrote: >> > > I'm actually starting on the design and implementation of this right >> > > now. It's import/export from the admin console. It will also >> have the >> > > ability to import/export partial pieces of a realm such as just >> users. >> > > >> > > Thanks for the comments so far on this thread. They have been >> very helpful. >> > > >> > > We will keep the idea that no secrets should ever be exported >> from admin >> > > console. I'm not sure that having a flag for it in >> keycloak-server.json >> > > helps. To edit keycloak-server.json, you need access to the >> server, in >> > > which case you might as well do the current import/export. >> > > >> > > So what do you do after you import a user with no credentials? >> Some ideas: >> > > * The administrator can reset the password manually. >> > > * The user can do password recovery (if enabled) >> > > >> > > An other ideas?
>> > > >> > > Stan >> > > >> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: >> > >> That's a good point. Having to stop/start the server to generate an >> > >> export is not ideal. >> > >> >> > >> Tim >> > >> >> > >> On 05/10/2015 11:56, Thomas Raehalme wrote: >> > >>> >> > >>> >> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke > >> > >>> >> wrote: >> > >>> >> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >> > >>> >> > >>> >> > >>> On Oct 4, 2015 23:57, "Bill Burke" > >> > >>> >> >>> wrote: >> > >>> > >> > >>> > For security reasons we did not want to have a remote >> > >>> option to export. >> > >>> >> > >>> >> > >>> How about just storing the export as a local file on the server? >> > >>> You'd need access to the server in order to get the file >> (making the >> > >>> system compromised anyways). The change to current behaviour is >> that >> > >>> you would be able to trigger the export at will without server >> restart. >> > >>> >> > >>> Best regards, >> > >>> Thomas >> > >>> >> > >>> >> > >>> _______________________________________________ >> > >>> keycloak-user mailing list >> > >>> keycloak-user at lists.jboss.org >> >> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> > >> >> > >> >> > >> _______________________________________________ >> > >> keycloak-user mailing list >> > >> keycloak-user at lists.jboss.org >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> > http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> 
keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Oct 5 15:18:00 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Oct 2015 21:18:00 +0200
Subject: [keycloak-user] export of realm json
In-Reply-To: <5612C27F.9080809@redhat.com>
References: <560FB40F.4050600@gmail.com> <5610F102.8090203@gmail.com> <561192B0.5080706@redhat.com> <5611BA88.4060809@redhat.com> <5612A6B3.3010307@gmail.com> <5612BB4E.8000705@redhat.com> <5612C065.4030002@redhat.com> <5612C27F.9080809@redhat.com>
Message-ID: <5612CCE8.4070801@redhat.com>

Btw. Stan, is your work going to be added into 1.6 or is it for the next release?

I am just asking because there is one pending PR, which is likely going to be merged for 1.6 - https://github.com/keycloak/keycloak/pull/1656/files . After merging this, we discussed with Stian some additional minor changes (namely removing the "zip" export/import provider as nobody seems to be using it so far). I should also double-check that import still works after those changes. I am going to look at this likely next week and it's going to be included in 1.6.

I am asking as I don't want to edit the same code as you and break something you're working on ;-)

Marek

On 05/10/15 20:33, Stan Silvert wrote: > On 10/5/2015 2:26 PM, Thomas Raehalme wrote: >> >> >> On Oct 5, 2015 21:24, "Bill Burke" > > wrote: >> > >> > I'm still averse to allowing export from admin console of any >> > credentials or private keys. >> >> Even if they are not directly downloadable but require access to the >> server just like now?
>> > I think there should be no secrets ever downloadable from admin > console. Admin console is, by definition, remote. > > If you have access to the server then you can use what is there now. > > It is possible, however, that when we do our CLI implementation we can > verify that the user is local and allow full access. That way, you > could do full export on a running server. WildFly CLI already has > logic to verify a user is local. > >> >> > >> > On 10/5/2015 2:02 PM, Stan Silvert wrote: >> > > I'm actually starting on the design and implementation of this right >> > > now. It's import/export from the admin console. It will also >> have the >> > > ability to import/export partial pieces of a realm such as just >> users. >> > > >> > > Thanks for the comments so far on this thread. They have been >> very helpful. >> > > >> > > We will keep the idea that no secrets should ever be exported >> from admin >> > > console. I'm not sure that having a flag for it in >> keycloak-server.json >> > > helps. To edit keycloak-server.json, you need access to the >> server, in >> > > which case you might as well do the current import/export. >> > > >> > > So what do you do after you import a user with no credentials? >> Some ideas: >> > > * The administrator can reset the password manually. >> > > * The user can do password recovery (if enabled) >> > > >> > > An other ideas? >> > > >> > > Stan >> > > >> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote: >> > >> That's a good point. Having to stop/start the server to generate an >> > >> export is not ideal. >> > >> >> > >> Tim >> > >> >> > >> On 05/10/2015 11:56, Thomas Raehalme wrote: >> > >>> >> > >>> >> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke > >> > >>> >> wrote: >> > >>> >> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote: >> > >>> >> > >>> >> > >>> On Oct 4, 2015 23:57, "Bill Burke" > >> > >>> >> >>> wrote: >> > >>> > >> > >>> > For security reasons we did not want to have a remote >> > >>> option to export. 
>> > >>> >> > >>> >> > >>> How about just storing the export as a local file on the server? >> > >>> You'd need access to the server in order to get the file >> (making the >> > >>> system compromised anyways). The change to current behaviour is >> that >> > >>> you would be able to trigger the export at will without server >> restart. >> > >>> >> > >>> Best regards, >> > >>> Thomas >> > >>> >> > >>> >> > >>> _______________________________________________ >> > >>> keycloak-user mailing list >> > >>> keycloak-user at lists.jboss.org >> >> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> > >> >> > >> >> > >> _______________________________________________ >> > >> keycloak-user mailing list >> > >> keycloak-user at lists.jboss.org >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> > http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
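Marek's suggestion above of a locking servlet filter, sketched here as an added example (hypothetical code, not Keycloak's own; the class name, the `runExportExclusively` entry point and the 503/Retry-After behaviour are assumptions): ordinary requests hold the read side of a read/write lock while they run, and the export takes the write side, so it waits for in-flight requests to drain and turns new ones away until it has finished.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantReadWriteLock;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical "export gate" (added example, not Keycloak code): a servlet
 * filter that keeps the realm quiescent while an export runs.
 *
 * Every ordinary request holds the READ side of a read/write lock for its
 * whole duration. The export takes the WRITE side, so it (1) waits until all
 * in-flight requests have finished and (2) keeps new requests out until the
 * export has completed. Requests arriving in the meantime get 503 with a
 * Retry-After header instead of piling up in a queue.
 */
public final class ExportGateFilter implements Filter {

    // Fair ordering matters: once the export is queued for the write lock,
    // newly arriving readers must not barge ahead of it, or a busy server
    // would never quiesce.
    private static final ReentrantReadWriteLock GATE = new ReentrantReadWriteLock(true);

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        boolean admitted;
        try {
            // tryLock(0, ...) honours the fairness policy (plain tryLock() does not):
            // it fails at once if the export holds, or is already waiting for, the write lock.
            admitted = GATE.readLock().tryLock(0, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            admitted = false;
        }
        if (!admitted) {
            HttpServletResponse http = (HttpServletResponse) response;
            http.setHeader("Retry-After", "30");
            http.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Export in progress, retry later");
            return;
        }
        try {
            chain.doFilter(request, response);
        } finally {
            GATE.readLock().unlock();
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Runs the export with the realm quiescent. Call this from a thread that does
     * NOT hold the read lock (for example a background task started by the admin
     * request that triggered the export, with that request returning immediately),
     * because ReentrantReadWriteLock cannot upgrade a read lock to a write lock.
     *
     * @return false if in-flight requests did not drain within maxWait; the export
     *         is then not started and the server simply keeps serving.
     */
    public static boolean runExportExclusively(Runnable export, long maxWait, TimeUnit unit)
            throws InterruptedException {
        if (!GATE.writeLock().tryLock(maxWait, unit)) {
            return false;
        }
        try {
            export.run();
        } finally {
            GATE.writeLock().unlock();
        }
        return true;
    }

    /** Useful for a "progress" page: true while an export holds the gate. */
    public static boolean exportInProgress() {
        return GATE.isWriteLocked();
    }
}
```

Writes that never pass through this filter (scheduled federation syncs, other nodes of a cluster) are not covered by the gate, so in a clustered deployment the lock would have to be cluster-wide.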
From srossillo at smartling.com Mon Oct 5 15:21:03 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 5 Oct 2015 15:21:03 -0400
Subject: [keycloak-user] Hash Algorithm
In-Reply-To: <343375C4-5DEF-4ECF-891F-04FA0E48656A@imetrik.com>
References: <3EE9D383-25DD-4EE8-B6A9-C9A01D62BFC3@smartling.com> <343375C4-5DEF-4ECF-891F-04FA0E48656A@imetrik.com>
Message-ID:

Looks good. To answer your question on PasteBin about setting fields: this is going to be implementation specific, but the way to set them on the Keycloak user model is below.

// get the legacy system user (the lookup call is a placeholder); replace the getters below with methods matching your domain
RemoteUser remoteUser = legacySystem.findUser(username);
userModel.setFederationLink(model.getId());
userModel.setEnabled(remoteUser.isEnabled()); // or set to true
userModel.setEmail(username); // assume username is email; if not, get email from data source
userModel.setEmailVerified(remoteUser.isEmailVerified()); // or set to true
userModel.setFirstName(remoteUser.getFirstName());
userModel.setLastName(remoteUser.getLastName());

~ Scott

On Mon, Oct 5, 2015 at 2:17 PM, Remi Cartier wrote:
> Me again,
>
> I have written some simple FederationProvider for my migration case.
> I put them on pastebin here:
>
> http://pastebin.com/sqt2Pm3P - JdbcUserFederationProviderFactory
> http://pastebin.com/5JJyb7bm - JdbcUserFederationProvider
>
> I tried to follow your recommendations.
>
> Does it seem to make sense?
>
> Thank you guys!
>
> ------------------------------
>
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com
>
> On Oct 5, 2015, at 1:13 PM, Scott Rossillo wrote:
>
> I'd recommend using a federation provider.
> Others may have another opinion, but here's the approach I like, using a federation provider:
>
> Create the user when Keycloak calls one of these methods on the federation provider and the user exists in the legacy system:
>
> UserFederationProvider.getUserByUsername()
> UserFederationProvider.getUserByEmail()
>
> This creates the federation link. However, do not set a password for the user yet (you wouldn't know what to set it to yet anyway). Then, when Keycloak calls:
>
> UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List input)
>
> query your legacy system to see if the given user and password combination is valid. If so:
>
> 1. Update the user (in Keycloak) to have the password supplied in List input
> 2. Break the federation link (session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)
>
> I'm going to publish a template for migrating users using this approach soon. For now, I hope this is enough to get you going in the right direction if you choose the federation provider approach.
>
> ~ Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Oct 5, 2015, at 11:59 AM, Remi Cartier wrote:
>
> Hey guys,
>
> I will have to migrate from a custom in-house user management system to keycloak.
> We are using this algorithm to store salted/hashed passwords:
>
> import java.math.BigInteger;
> import java.security.spec.KeySpec;
> import javax.crypto.SecretKeyFactory;
> import javax.crypto.spec.PBEKeySpec;
>
> // PBKDF2-HMAC-SHA1, 2048 iterations, 160-bit derived key.
> // Note: salt.getBytes() uses the platform default charset, and
> // BigInteger.toString(16) drops leading zero nibbles, so the stored
> // hex string is not always 40 characters; anything verifying these
> // hashes must reproduce both behaviours exactly.
> public static String hashPassword(String password, String salt) {
>     try {
>         KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
>         SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>         byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
>         return new BigInteger(1, hash).toString(16);
>     } catch (Exception x) {
>         throw new IllegalStateException(x);
>     }
> }
>
> I was wondering, in order to ease the migration, if I could configure keycloak to use the same hash algorithm?
>
> Or if there were any other ways? Like maybe a federation provider, but then comes the question of when to push things into keycloak, at password change?
>
> What do you think?
>
> Sincerely.
>
> ------------------------------
>
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From remi.cartier at imetrik.com Mon Oct 5 16:38:09 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Mon, 5 Oct 2015 20:38:09 +0000
Subject: [keycloak-user] Crypto
Message-ID: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com>

Hi guys,

I am trying to use some crypto to match hashes from my old db.
The code is:

KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();

I can't make it work as a federation provider. It was complaining about java.lang.ClassNotFoundException: javax.crypto.spec.PBEKeySpec

I added jce.jar to the list of dependencies in my module.xml (I shouldn't have to do that). Then I got: ClassNotFoundException: sun.security.jca.GetInstance

I added rt.jar (which I shouldn't do either) and then I got some fancy exception: java.lang.LinkageError: loader constraint violation

I then tried with bouncy castle: bcprov-jdk15on-152.jar to no avail.

What is wrong?

Here is my module.xml file:

Cheers.

________________________________

REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)

IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611

740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

From traviskds at gmail.com Mon Oct 5 16:49:16 2015
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 05 Oct 2015 20:49:16 +0000
Subject: [keycloak-user] Role Name query parameter on user list admin rest api
In-Reply-To: <56123088.3090405@redhat.com>
References: <56123088.3090405@redhat.com>
Message-ID:

Created a Jira request https://issues.jboss.org/browse/KEYCLOAK-1902

On Mon, 5 Oct 2015 at 19:10 Marek Posolda wrote: > Hi, > > feel free to create JIRA. However not sure if/when we add this...
:-\ > > Marek > > > On 03/10/15 08:50, Travis De Silva wrote:
> Hi,
>
> I am using the below admin rest api to get a list of users by realm
>
> http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/index.html#GET
>
> In the query parameters, you don't get a parameter for the role name.
>
> My use case is to get a list of users by a role. In some of the past forum posts this was discussed, but it was more around writing a SQL query and I prefer to use the admin rest api.
>
> Has anyone else had this requirement and how did they go about solving this, or should I raise a Jira request?
>
> Cheers
> Travis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From traviskds at gmail.com Mon Oct 5 16:51:52 2015
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 05 Oct 2015 20:51:52 +0000
Subject: [keycloak-user] Search by client roles & search by custom attributes
In-Reply-To: <561278EB.1000908@redhat.com>
References: <31E965D3-1EBA-41CB-B6B4-11CF5357E0CC@imetrik.com> <561278EB.1000908@redhat.com>
Message-ID:

I too raised this requirement on the forum a few days back. (Mine was just search by client role, but being able to search by custom attribute will be a bonus for me.) Marek wanted me to raise a Jira, which I just did, and referred to my forum topic link and this one. Please feel free to add further comments against the Jira case https://issues.jboss.org/browse/KEYCLOAK-1902

On Tue, 6 Oct 2015 at 00:19 Bill Burke wrote:
> Can only search by name and email right now. We need to make this a priority.
> > On 10/5/2015 9:07 AM, Remi Cartier wrote: > > Hey there,' > > > > *Question 1:* > > > > I was wondering if there was an existing mechanism to fetch users that > > have some specific client roles. > > > > My scenario is this one. As a SSO provider, different applications > > (clients) are created in Keycloak. > > A specific user can have roles for some of those clients. > > > > If, in one of my application, I want to list all the users that > > ?belongs? to me (that have roles for my application) how do I do that ? > > > > I don?t want to list all the users and they filter them by some > > criteria, that would be a very inefficient way to do it. (CPU + > Bandwidth) > > > > *Question 2: * > > > > In the search REST admin endpoint, is there a mechanism to filter on > > specific custom attributes ? > > > > for example. I created a language attribute for a user. I now want to > > list all my users with custom attribute language=FR for example, how do > > I do that ? > > > > Syntax could be : > > /search?attribute1=language&value1=FR or > > /search?attribute_language=FR > > > > Thank for your time and great work. > > Sorry if those questions have already been asked (if so, please, simply > > point me to some reference without repeating yourself) > > > > Cheers ! > > > > ------------------------------------------------------------------------ > > > > > > REMI CARTIER > > > > B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) > > > > *IMETRIK GLOBAL INC.* > > *T :* +1 514 448-6407 x2009 > > *T :* +1 866 276-5382 (toll free) > > *F :* +1 514 904-0611 > > > > 740 Notre Dame St. 
West, Suite 1575 > > Montreal, Quebec, Canada H3C 3X6 > > imetrik.com > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/26cfedd0/attachment.html From srossillo at smartling.com Mon Oct 5 18:47:03 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Mon, 5 Oct 2015 18:47:03 -0400 Subject: [keycloak-user] Crypto In-Reply-To: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com> References: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com> Message-ID: Try adding a dependency on Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Oct 5, 2015, at 4:38 PM, Remi Cartier wrote: > > Hy guys, > > I am trying to use some crypto to match hashes from my old db. > The code is : > > KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160); > SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); > byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded(); > > I cant make it work as a federation provider. 
> > it was complaining about java.lang.ClassNotFoundException: javax.crypto.spec.PBEKeySpec > > I added jce.jar to the list of dependencies in my module.xml (I shouldn?t have to do that) > > Then I got : > > ClassNotFoundException: sun.security.jca.GetInstance > > I added rt.jar (which I shouldn?t do either) > > and then I got some fancy exception : java.lang.LinkageError: loader constraint violation > > I then tried with bouncy castle : bcprov-jdk15on-152.jar to no avail. > > what is wrong ? > > here is my module.xml file : > > > > > > > > > > > > > > > > > > > > > Cheers. > > > REMI CARTIER > B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) > > IMETRIK GLOBAL INC. > T : +1 514 448-6407 x2009 > T : +1 866 276-5382 (toll free) > F : +1 514 904-0611 > > 740 Notre Dame St. West, Suite 1575 > Montreal, Quebec, Canada H3C 3X6 > imetrik.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/e9c8e78e/attachment-0001.html From srossillo at smartling.com Mon Oct 5 18:48:51 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Mon, 5 Oct 2015 18:48:51 -0400 Subject: [keycloak-user] Crypto In-Reply-To: References: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com> Message-ID: <8C91B64C-2161-40F3-956E-E993649BEE01@smartling.com> Sorry, I sent that too quick. I meant javax.crypto. :) Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Oct 5, 2015, at 6:47 PM, Scott Rossillo wrote: > > Try adding a dependency on > > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > > >> On Oct 5, 2015, at 4:38 PM, Remi Cartier > wrote: >> >> Hy guys, >> >> I am trying to use some crypto to match hashes from my old db. 
>> The code is : >> >> KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160); >> SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); >> byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded(); >> >> I cant make it work as a federation provider. >> >> it was complaining about java.lang.ClassNotFoundException: javax.crypto.spec.PBEKeySpec >> >> I added jce.jar to the list of dependencies in my module.xml (I shouldn?t have to do that) >> >> Then I got : >> >> ClassNotFoundException: sun.security.jca.GetInstance >> >> I added rt.jar (which I shouldn?t do either) >> >> and then I got some fancy exception : java.lang.LinkageError: loader constraint violation >> >> I then tried with bouncy castle : bcprov-jdk15on-152.jar to no avail. >> >> what is wrong ? >> >> here is my module.xml file : >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Cheers. >> >> >> REMI CARTIER >> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner) >> >> IMETRIK GLOBAL INC. >> T : +1 514 448-6407 x2009 >> T : +1 866 276-5382 (toll free) >> F : +1 514 904-0611 >> >> 740 Notre Dame St. West, Suite 1575 >> Montreal, Quebec, Canada H3C 3X6 >> imetrik.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
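Added example, not code from the thread or from Keycloak: the same KDF parameters as Remi's Java snippet (PBKDF2WithHmacSHA1, 2048 iterations, 160-bit key), in Python, showing how a legacy hash would be checked once the module class-loading problem is out of the way. Two points the snippet leaves implicit matter when porting: SunJCE's PBKDF2WithHmacSHA1 encodes the password chars as UTF-8, and `salt.getBytes()` with no charset argument uses the JVM default charset, so a salt that was stored as a string has to be re-encoded with whatever that default was (assumed UTF-8 below). The sample password, salt and the `legacy_salt_bytes` helper are constructed for this example.

```python
# Added example: verify passwords against hashes produced by the Java snippet above
# (PBKDF2WithHmacSHA1, 2048 iterations, 160-bit key). Not Keycloak code.
import hashlib
import hmac
import os

ITERATIONS = 2048   # third argument to PBEKeySpec in the snippet
KEY_BITS = 160      # fourth argument; PBEKeySpec takes the length in bits
DK_LEN = KEY_BITS // 8


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 as SunJCE computes it: password chars UTF-8 encoded,
    salt taken as raw bytes, derived key length given in bytes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DK_LEN)


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time check of a candidate password against a stored legacy hash."""
    candidate = derive(password, salt)
    # compare_digest does not stop at the first differing byte, so response
    # timing cannot tell an attacker how long a matching prefix was.
    return hmac.compare_digest(candidate, stored_hash)


def legacy_salt_bytes(salt: str, jvm_default_charset: str = "UTF-8") -> bytes:
    """The snippet's salt.getBytes() uses the JVM default charset. If the old system
    stored the salt as a string, re-encode it with *that* charset (assumed UTF-8
    here), or hashes made over non-ASCII salts will never match."""
    return salt.encode(jvm_default_charset)


if __name__ == "__main__":
    # Constructed sample data standing in for one row of the old database.
    salt = os.urandom(16)
    stored = derive("correct horse battery staple", salt)
    print(verify("correct horse battery staple", salt, stored))   # True
    print(verify("Correct horse battery staple", salt, stored))   # False
```

With 2048 iterations this is far below current PBKDF2 cost recommendations; a federation provider would typically accept the legacy hash once, then let Keycloak store the password under its own hashing policy.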
From kalinga at leapset.com Mon Oct 5 21:33:59 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Tue, 6 Oct 2015 07:03:59 +0530 (IST)
Subject: [keycloak-user] Implementing central logout
In-Reply-To:
References: <1443534333.637225003@apps.rackspace.com> <1443543618.418112794@apps.rackspace.com> <1443619799.762427469@apps.rackspace.com>
Message-ID: <1444095239.20743881@apps.rackspace.com>

Guys,

Thanks for the tips. Went through the request and the code as well and realized that when retrieving the access code we need to send the state parameters which we didn't send. These are the two parameters I added:

client_session_state={client_session_state}&client_session_host={client_session_host}

After fixing this, we got a demo working. Will play around more.

Thanks again.

Regards,
Kalinga

-----Original Message-----
From: "Sebastian Rose"
Sent: Wednesday, September 30, 2015 9:59pm
To: "Kalinga Dissanayake", "Bob McWhirter", "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Implementing central logout

Yes, we have, everything works fine with the admin url (we do not use the tomcat adapter, but this should not change a thing). There are calls to the configured admin URL with k_logout. Maybe check your admin-url again, or have a look at the wire?

Regards,
Sebastian

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Kalinga Dissanayake
Sent: Wednesday, 30 September 2015 15:30
To: Bob McWhirter; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Implementing central logout

I can't get this to work. Anyone who implemented central logout via keycloak?

Regards,
Kalinga

-----Original Message-----
From: "Kalinga Dissanayake" <kalinga at leapset.com>
Sent: Tuesday, September 29, 2015 9:50pm
To: "Bob McWhirter" <bmcwhirt at redhat.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Implementing central logout

Yes. Is that all I should do? I have done that but I receive no notification.

Regards,
Kalinga

-----Original Message-----
From: "Bob McWhirter" <bmcwhirt at redhat.com>
Sent: Tuesday, September 29, 2015 7:25pm
To: "Kalinga Dissanayake" <kalinga at leapset.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Implementing central logout

All registered admin URLs should be notified, if I recall. Does each client have an admin URL configured in the Keycloak console?

On Tue, Sep 29, 2015 at 9:45 AM, Kalinga Dissanayake <kalinga at leapset.com> wrote:

My scenario is this; I have two clients configured on keycloak and I have two client applications relying on keycloak for SSO and user management. Both of my client applications are using the tomcat adapter. Currently if the user signs out from the first client the second client is not notified. I need this to be fixed, so that when a user signs out from one client, the other client is notified, so the latter can forcefully logout the user. How can I handle this on keycloak?

I tried the Admin Url configuration given on the docs
http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html#admin-url-configuration
but I did not see a way forward.

My current version of keycloak is 1.2.0. But I can upgrade to 1.5.0 if it's required.

Regards,
Kalinga

From hr.stoyanov at peruncs.com Tue Oct 6 00:26:21 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Mon, 5 Oct 2015 21:26:21 -0700
Subject: [keycloak-user] UT010039: Unknown authentication mechanism KEYCLOAK
In-Reply-To:
References:
Message-ID:

Thank you, I wish the docs were clearer, but you helped me solve the problem!

/Hristo Stoyanov

On Sep 28, 2015 7:04 AM, "Marko Strukelj" wrote:
> Keycloak server overlay installation only contains Keycloak server
> support, and accompanying keycloak-standalone.xml only contains server
> configuration.
>
> What you need to secure your web app in the same container is Keycloak
> adapter download for WF9 to get the necessary adapter modules (that's the
> 'client' part that talks to the server).
>
> Then you also need to add:
>
> and
>
> to standalone.xml
>
> On Sep 26, 2015 8:58 AM, "Hristo Stoyanov" wrote:
>
>> Hi all
>> I am getting the below message with KeyCloak 1.5.0/WF9.0.1 overlay
>> installation. My configuration file looks exactly the same as the stock
>> one, e.g:
>>
>> ...
>> ...
>> ...
>> ...
>> auth
>>
>> The module jars are properly put in the WF folders
>>
>> My web.xml also seems right too:
>> =========================================
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>> http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
>> version="3.1">
>>
>> index.jsp
>>
>> 404
>> /
>>
>> ErraiLoginRedirectFilter
>> redirectLocation
>> /index_draft.jsp
>>
>> javax.ws.rs.core.Application
>> /rest/*
>>
>> ErraiUserCookieFilter
>> /index_draft.jsp
>>
>> ErraiLoginRedirectFilter
>> /app-login
>>
>> Login
>> /app-login
>> *
>>
>> KEYCLOAK
>> whatever
>>
>> user
>>
>> admin
>>
>> I can access the KC admin console and configure realms/users/roles no
>> problem in the WF 9.0.1 server. I am out of ideas of what could be
>> causing it. Any hints? Thanks
>>
>> =============================
>> 11:47:54,444 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./draft: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
>>         at java.util.concurrent.FutureTask.run(Unknown Source)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>>         at java.lang.Thread.run(Unknown Source)
>>         at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>         at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:224)
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>         ... 6 more
>> Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>         at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:326)
>>         at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:200)
>>         ... 8 more
>>
>> 11:47:54,471 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "draft.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>     Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>     Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
>> 11:47:54,478 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "draft.war" was rolled back with the following failure message:
>> {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>     Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>     Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
>> 11:47:54,488 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 79) WFLYJPA0011: Stopping Persistence Unit (phase 2 of 2) Service 'draft.war#s4g'
From sthorger at redhat.com Tue Oct 6 01:32:44 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 07:32:44 +0200
Subject: [keycloak-user] Redirect to keycloak only for certain content-types
In-Reply-To:
References:
Message-ID:

I'm afraid it's not possible at the moment. The only option now is to have two different clients and either split your application into two, or you can use the KeycloakConfigResolver to select the client based on the content type yourself. See the multi tenancy example for an idea on how to use it.

On 2 October 2015 at 18:24, Tair Sabirgaliev wrote:
>
> Hi,
>
> Yes, it can be done with nginx, but I still hope this could be
> accomplished natively :)
>
> The general idea is this:
>
> a) if browser asks for "text/html" => act as confidential/public
> client, that is start keycloak login protocol
>
> b) if browser asks for "application/json" => act as bearer only client,
> and in case of authorization error, respond with proper 40x status
>
> This would let me build an "isomorphic" JavaScript application
> (http://isomorphic.net)
>
> With keycloak-1.5.0 I see that there is no difference whether I accept
> text/html or application/json:
>
> tair$ curl -v -H 'Accept: text/html' http://localhost:9080/hello-world/rest/something
> *   Trying ::1...
> * connect to ::1 port 9080 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 9080 (#0)
> > GET /hello-world/rest/something HTTP/1.1
> > Host: localhost:9080
> > User-Agent: curl/7.43.0
> > Accept: text/html
> >
> < HTTP/1.1 302 Found
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
> < Server: WildFly/9
> < Pragma: no-cache
> < Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
> < Date: Fri, 02 Oct 2015 15:53:32 GMT
> < Connection: keep-alive
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
> tair$ curl -v -H 'Accept: application/json' http://localhost:9080/hello-world/rest/something
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 9080 (#0)
> > GET /hello-world/rest/something HTTP/1.1
> > Host: localhost:9080
> > User-Agent: curl/7.43.0
> > Accept: application/json
> >
> < HTTP/1.1 302 Found
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
> < Server: WildFly/9
> < Pragma: no-cache
> < Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
> < Date: Fri, 02 Oct 2015 15:53:41 GMT
> < Connection: keep-alive
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
> Any workarounds there?
>
> --
> Tair Sabirgaliev
> Bee Software, LLP
>
> On October 2, 2015 at 20:54:01, Giriraj Sharma (giriraj.sharma27 at gmail.com) wrote:
> > Hi,
> >
> > One possible way is to put nginx as a reverse proxy in between browser
> > and Keycloak server instance. You can dig around using $content_type
> > embedded variable of nginx ngx_http_core_module or may be nginx_rewrite
> > module and a simple tweak (may be an if statement in nginx server/location
> > block config) will help you in achieving the required. Based on the value
> > of content-type header, you can proxy-pass the requests to a different
> > upstream server via nginx.
> >
> > Cheers,
> >
> > On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:
> > > Hi,
> > >
> > > Is it possible to setup login redirection only for certain content
> > > types? I want to redirect only when the browser asks for text/html.
> > > For other types either 40x or Authorization challenge.
> > >
> > > --
> > > Tair Sabirgaliev
> > > Bee Software, LLP
> >
> > --
> > Giriraj Sharma
> > about.me/girirajsharma
> >
> > Giriraj Sharma,
> > Department of Computer Science
> > National Institute of Technology Hamirpur
> > Himachal Pradesh, India 177005
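Added example, not code from the thread or from the Keycloak adapters: the decision Tair wants, expressed on its own so the edge cases are visible. The authorization endpoint, realm and client_id are copied from the curl output above; the helper names and the treatment of `*/*` are assumptions for this example. The point the curl transcript makes is that the adapter redirects on any Accept value; the split below only sends a browser (an explicit `text/html` preference) to the login page and gives every other caller a 401 with a Bearer challenge, which is what an XHR or API client can act on. Accept headers carry q-values, so a substring check on "text/html" is not enough: a client saying `text/html;q=0.5, application/json` is asking for JSON.

```python
# Added example (not Keycloak adapter code): choose between the browser login
# redirect and a bearer challenge from the request's Accept header.
# Endpoint, realm and client_id come from the curl output in the thread;
# the rest is an assumption made for this example.
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "hello-world-backend"
REALM = "demo"


def parse_accept(header: str) -> list:
    """Parse an Accept header into (media_type, q) pairs, most preferred first.
    An unparseable q value counts as 0, i.e. not acceptable."""
    prefs = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        media = fields[0].lower()
        if not media:
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        prefs.append((media, q))
    prefs.sort(key=lambda mq: mq[1], reverse=True)
    return prefs


def wants_html(accept: str) -> bool:
    """Treat the request as a browser navigation only when text/html is named
    explicitly and not outranked by application/json. A bare '*/*' (curl's
    default and many HTTP client libraries) deliberately does not count: an
    API caller must never be bounced to a login page."""
    prefs = dict(parse_accept(accept or ""))
    html_q = prefs.get("text/html", 0.0)
    json_q = prefs.get("application/json", 0.0)
    return html_q > 0.0 and html_q >= json_q


def unauthenticated_response(accept: str, request_url: str) -> dict:
    """Response to send when the request carries no valid session or bearer token."""
    if wants_html(accept):
        # Browser: start the authorization code flow. `state` is a fresh,
        # unguessable value; the adapter must store it (cookie or session)
        # and compare it on the callback to stop login CSRF.
        state = secrets.token_urlsafe(32)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": request_url,
            "state": state,
        }
        return {
            "status": 302,
            "headers": {
                "Location": f"{AUTH_ENDPOINT}?{urlencode(params)}",
                "Cache-Control": "no-store",
            },
            "state": state,
        }
    # API client: no redirect, just a challenge it can act on.
    return {
        "status": 401,
        "headers": {"WWW-Authenticate": f'Bearer realm="{REALM}"'},
    }
```

In a Keycloak deployment this logic would sit in front of the adapter (a servlet filter, or the KeycloakConfigResolver Stian mentions choosing a bearer-only versus a confidential client), because the adapter itself applies one mode to every request.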
From sthorger at redhat.com Tue Oct 6 01:49:15 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 07:49:15 +0200
Subject: [keycloak-user] Custom theme - modifying HTML files
In-Reply-To:
References:
Message-ID:

Not sure what you mean about page caching is switched off. In the admin console the pages are just static html pages so you can disable caching by setting staticMaxAge to -1 (see http://keycloak.github.io/docs/userguide/html/themes.html). Angular also caches pages so you may need to also do a force refresh (ctrl+f5) or even disable caching altogether (in Chrome you can do this through developer tools).

On 2 October 2015 at 12:16, Maciej Szewczykowski <maciej.szewczykowski at pjmedia.co.uk> wrote:
> Hi,
>
> I'd like to create a custom admin theme which would contain some
> additional controls (buttons) which, when clicked, would redirect user to
> some external address.
>
> Creating a theme itself is rather easy and well documented. The problem is
> that I can't seem to be able to modify the HTML page of my choice; in my
> case it is role-mappings.html page where the additional button should be
> placed. Modification of the page simply doesn't seem to take any effect
> (although page caching is switched off).
>
> I'm using demo v. 1.4.0
>
> Would be very grateful for any tips on how to achieve this.
>
> Best Regards,
>
> Maciej Szewczykowski
> Java Developer
>
> T +44 01628 539 800
> E firstname.lastname at pjmedia.co.uk
>
> PJ Media Limited,
> Plac Wolności 21, 05-825
> Grodzisk Mazowiecki, Warsaw, Poland
>
> PJ MEDIA LIMITED | Registered in England and Wales no.
04946760 | > Registered Office: Network House, Third Avenue, Globe Park, Marlow, > Buckinghamshire, SL7 1EY, United Kingdom | Web site: > http://www.pjmedia.co.uk > > > > > > The contents of this message and any attachments to it are confidential > and may be legally privileged. If you have received this message in error > you should delete it from your system immediately and advise the sender. To > any recipient of this message within PJ Media, unless otherwise stated, you > should consider this message and attachments as PJ Media confidential. > > PJ MEDIA LIMITED, > Registered in England no. 04946760 > Address: Network House, Third Avenue, Globe Park, Marlow, SL7 1EY, United > Kingdom > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151006/621ee7c7/attachment.html From sthorger at redhat.com Tue Oct 6 02:11:03 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 6 Oct 2015 08:11:03 +0200 Subject: [keycloak-user] Login by mobile number. In-Reply-To: References: Message-ID: You should be able to do this yourself using the authenticator spi. It would be a while until we get resources to add a feature around this. On 1 October 2015 at 09:57, Anunay Sinha wrote: > User can register through a mobile number. He will be sent an OTP on his > mobile number (for verification and first time login) > Once verified ?and he logs in for the first time he can set his password. > > Similar workflow will be used if he wants to recover his password. He will > get a OTP on his mobile that will allow him to log in and he can reset his > password thereafter. 
> > 2 Factor Authentication is not something we are looking at yet, though it > will be good to have > > On Thu, Oct 1, 2015 at 1:22 PM, Stian Thorgersen > wrote: > >> Using SMS as a two factor auth mechanism is on the road-map, but not in >> the near future. The idea is basically that the server creates a unique >> code, sends it in SMS, and the user would then copy it back to the login >> screen. Issue with it is that we first need to allow users to select what >> two factor auth mechanism they want to use. They could have a hardware OTP >> token for example, but as they don't have it with them they could use the >> SMS code as a backup. We also have tons of other things ahead of it in the >> queue. >> >> I'm a bit curious about your use-case. You basically want a user to login >> with mobile number + password, and also use a code sent over SMS as a two >> factor auth? Or do you have something different in mind? >> >> >> >> >> >> On 1 October 2015 at 09:45, Anunay Sinha > > wrote: >> >>> Hi Stian, >>> I have question about login through mobile devices in general, >>> where I would like to login via mobile number, get an OTP on my number >>> and use it to register/login into the system, >>> >>> For the number I can follow your instructions but am looking to provide >>> for OTP as well (I am exploring this). It will be nice to have it out of >>> the box :) >>> >>> Is such a option there in the Keycloak's roadmap ? >>> If so what is the rough timeline? >>> >>> On Thu, Oct 1, 2015 at 1:06 PM, Stian Thorgersen >>> wrote: >>> >>>> You would need to create a custom authenticator for it. Take a look at >>>> http://keycloak.github.io/docs/userguide/html/auth_spi.html >>>> >>>> On 30 September 2015 at 15:34, Revanth Ayalasomayajula < >>>> revanth at arvindinternet.com> wrote: >>>> >>>>> Hi all, >>>>> >>>>> I have an application that is secured by Keycloak. I am able to login >>>>> using username/email and password. I also want to implement login via phone >>>>> number. 
Could anybody help me how to store the phone number for a user and >>>>> also how to use it to login the user. >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> -- >>> - Anunay >>> >> >> > > > -- > - Anunay > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151006/fe6ce711/attachment-0001.html From sthorger at redhat.com Tue Oct 6 02:13:43 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 6 Oct 2015 08:13:43 +0200 Subject: [keycloak-user] Login by mobile number. In-Reply-To: References: Message-ID: We have plans to add step up authentication. Basically the idea is that a user can authenticate with a set of week credentials (username/password), but when the application requires stronger authentication it would redirect back to Keycloak which would then ask for additional authentication (otp, sms, etc.). This is not something that's on our immediate road-map though. On 1 October 2015 at 10:06, Travis De Silva wrote: > +1 for this feature. > > This use case is getting quite popular these days. Apart from the banks > that follow this procedure, you also get companies like Google that do this > as an extra step to prevent someone who has stolen your username/password > from using it to access your content. > > A would like to suggest a few additional features around this requirement > for it to be more valuable. > > 1. Option in KeyCloak to set if the SMS should be sent for all login > attempts or only when logging in from a new device like who you get with > Google > > 2. 
A set of actions that could trigger the SMS - For example let's say I > have a banking web app and if the user logs in and does a funds transfer > above a certain limit, I should be able to from my app trigger an SMS auth. > Not sure if this is part of OAuth2 or OIDC but I have encountered quite a > few applications following this flow to prevent identify theft. > > > > On Thu, 1 Oct 2015 at 17:52 Stian Thorgersen wrote: > >> Using SMS as a two factor auth mechanism is on the road-map, but not in >> the near future. The idea is basically that the server creates a unique >> code, sends it in SMS, and the user would then copy it back to the login >> screen. Issue with it is that we first need to allow users to select what >> two factor auth mechanism they want to use. They could have a hardware OTP >> token for example, but as they don't have it with them they could use the >> SMS code as a backup. We also have tons of other things ahead of it in the >> queue. >> >> I'm a bit curious about your use-case. You basically want a user to login >> with mobile number + password, and also use a code sent over SMS as a two >> factor auth? Or do you have something different in mind? >> >> >> >> >> >> On 1 October 2015 at 09:45, Anunay Sinha > > wrote: >> >>> Hi Stian, >>> I have question about login through mobile devices in general, >>> where I would like to login via mobile number, get an OTP on my number >>> and use it to register/login into the system, >>> >>> For the number I can follow your instructions but am looking to provide >>> for OTP as well (I am exploring this). It will be nice to have it out of >>> the box :) >>> >>> Is such a option there in the Keycloak's roadmap ? >>> If so what is the rough timeline? >>> >>> On Thu, Oct 1, 2015 at 1:06 PM, Stian Thorgersen >>> wrote: >>> >>>> You would need to create a custom authenticator for it. 
Take a look at >>>> http://keycloak.github.io/docs/userguide/html/auth_spi.html >>>> >>>> On 30 September 2015 at 15:34, Revanth Ayalasomayajula < >>>> revanth at arvindinternet.com> wrote: >>>> >>>>> Hi all, >>>>> >>>>> I have an application that is secured by Keycloak. I am able to login >>>>> using username/email and password. I also want to implement login via phone >>>>> number. Could anybody help me how to store the phone number for a user and >>>>> also how to use it to login the user. >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> -- >>> - Anunay >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151006/330968a8/attachment.html From thomas.raehalme at aitiofinland.com Tue Oct 6 02:22:06 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Tue, 6 Oct 2015 09:22:06 +0300 Subject: [keycloak-user] Login by mobile number. In-Reply-To: References: Message-ID: +1 this would be great! On Oct 6, 2015 9:14 AM, "Stian Thorgersen" wrote: > We have plans to add step up authentication. Basically the idea is that a > user can authenticate with a set of week credentials (username/password), > but when the application requires stronger authentication it would redirect > back to Keycloak which would then ask for additional authentication (otp, > sms, etc.). This is not something that's on our immediate road-map though. 
> On 1 October 2015 at 10:06, Travis De Silva wrote:
>
>> +1 for this feature.
>>
>> This use case is getting quite popular these days. Apart from the banks that follow this procedure, you also get companies like Google that do this as an extra step to prevent someone who has stolen your username/password from using it to access your content.
>>
>> I would like to suggest a few additional features around this requirement for it to be more valuable.
>>
>> 1. Option in KeyCloak to set if the SMS should be sent for all login attempts or only when logging in from a new device, like what you get with Google
>>
>> 2. A set of actions that could trigger the SMS - for example, let's say I have a banking web app, and if the user logs in and does a funds transfer above a certain limit, I should be able to trigger an SMS auth from my app. Not sure if this is part of OAuth2 or OIDC, but I have encountered quite a few applications following this flow to prevent identity theft.

From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 10:14:20 +0200
Subject: [keycloak-user] Support for Implicit Flow

Yes and yes, but I can't give you exact dates at the moment.

On 30 September 2015 at 12:32, Raghuram Prabhala wrote:

> Hi Keycloak Dev team,
>
> When can we expect support for Implicit flow and OpenID Connect certification for keycloak?
>
> Thanks,
> Raghu

From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 10:19:15 +0200
Subject: [keycloak-user] Support for Implicit Flow

Correction with regards to OpenID Connect certification: we will probably not be able to have the official certification, but we are planning to self-certify and publish the results. Having the official certification currently requires being an OpenID Foundation member. The cost is based on the size of the company, and for us it would be $15,000! We don't have budget for that.

From: lkubik at redhat.com (Lukas Kubik)
Date: Tue, 6 Oct 2015 04:59:21 -0400 (EDT)
Subject: [keycloak-user] Custom theme - modifying HTML files

Hi Maciej,

for some reason Angular holds the imported HTML files in the cache even when you reload them without cache (ctrl+f5). Just go to the URL of the HTML file that you have changed and reload it without cache (ctrl+f5).
Then go to the page where the HTML file is imported and reload it without cache. Then you should see the changed file.

For example, if you want to change the navbar HTML file, then you would go to:
http://localhost:8080/auth/resources/1.5.0.final-snapshot/admin/keycloak/partials/menu.html

Do a reload with ctrl+f5 and then go back to the admin console and do the reload without cache. This worked for me. The URL could also be different; just adjust it to your Keycloak version.

Regards,
Lukas

----- Original Message -----
From: "Maciej Szewczykowski"
To: keycloak-user at lists.jboss.org
Sent: Friday, October 2, 2015 12:16:25 PM
Subject: [keycloak-user] Custom theme - modifying HTML files

Hi,

I'd like to create a custom admin theme which would contain some additional controls (buttons) which, when clicked, would redirect the user to some external address. Creating a theme itself is rather easy and well documented. The problem is that I can't seem to be able to modify the HTML page of my choice; in my case it is the role-mappings.html page where the additional button should be placed. Modification of the page simply doesn't seem to take any effect (although page caching is switched off). I'm using demo v. 1.4.0.

Would be very grateful for any tips on how to achieve this.

Best Regards,
Maciej Szewczykowski
Java Developer, PJ Media Limited

From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 6 Oct 2015 11:12:06 +0200
Subject: [keycloak-user] URL/Link for registration page

Hi,
is it possible to have a unique URL, resp. link, for the registration page on a website? The JS Adapter (http://keycloak.github.io/docs/userguide/html/ch08.html#d4e1098) has only login and logout actions.

Right now there is only the login page as entry point for clients.

It's quite common to have separate links for Login and Register on a website, because going directly to the registration page makes the registration process easier.

Other scenario is promoting registration via e-mail like "Register for free. Click on this link ..."
It would be great to have a bookmarkable URL for such a use case.

Thanks,

Libor

Libor Krzyžanek
jboss.org Development Team

From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 12:09:38 +0200
Subject: [keycloak-user] URL/Link for registration page

Just swap the last 'auth' to 'registrations' in the link and you'll get the registration page instead of the login page.

On 6 October 2015 at 11:12, Libor Krzyzanek wrote:

> Hi,
> is it possible to have a unique URL, resp. link, for the registration page on a website?
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 6 Oct 2015 15:45:25 +0530
Subject: [keycloak-user] Social Account Linking support in Keycloak.

Hi,

I have an application secured using Keycloak 1.5. I have a situation wherein a user is registered using a social login (say Facebook). Now if I log in the user using another social login (say Google+) using the same email address as the former social login (FB), it says that the user is already registered and gives an error. Is there any way to link two accounts that use the same email address but from two different social accounts, or is there a way in which Keycloak recognizes the email address and then logs in the respective user?

Thanks.

From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 12:18:36 +0200
Subject: [keycloak-user] Social Account Linking support in Keycloak.

The only way to link accounts at the moment is through the account management console. We're going to look at improving this flow soon.

From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 6 Oct 2015 15:51:06 +0530
Subject: [keycloak-user] Social Account Linking support in Keycloak.

Is there any REST API that we can use to achieve this?

Thanks.

On Tue, Oct 6, 2015 at 3:48 PM, Stian Thorgersen wrote:

> The only way to link accounts at the moment is through the account management console.
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 6 Oct 2015 12:28:46 +0200
Subject: [keycloak-user] URL/Link for registration page

Yep, works. Thanks for the tip. We can handle it in the JS implementation.

Wouldn't it be useful to have extra methods in the Keycloak JS adapter for it, like you have for login: login(options), createLoginUrl(options) methods? It would be super convenient then.

Thanks,

Libor Krzyžanek
jboss.org Development Team

> On Oct 6, 2015, at 12:09 PM, Stian Thorgersen wrote:
>
> Just swap the last 'auth' to 'registrations' in the link and you'll get the registration page instead of the login page.
>
> On 6 October 2015 at 11:12, Libor Krzyzanek wrote:
>
>> Hi,
>> is it possible to have a unique URL, resp. link, for the registration page on a website?

From: galeido at galeido.com (Pekka Leppänen)
Date: Tue, 06 Oct 2015 10:28:53 +0000
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0

Hi,

I have an issue migrating the MongoDB database related to the upgrade of Keycloak version 1.2.0 to 1.5.0.

Here is the direct link to the error message itself:
http://pastebin.ubuntu.com/12634233/

Any ideas what could cause this error scenario, or is it just a bug in the migration process?

--
Best regards,
Pekka Leppänen

--
email: galeido at galeido.com
--

From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 12:35:54 +0200
Subject: [keycloak-user] Interested in joining the Keycloak team?

Are you interested in joining the Keycloak team? We're looking for a new member of the team.
For more details go to http://jobs.redhat.com/jobs/descriptions/senior-software-engineer-brno-jihomoravsky-kraj-czech-republic-job-1-5879315

From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 12:37:59 +0200
Subject: [keycloak-user] URL/Link for registration page

True, would be nice to add to keycloak.js - do you want to create a jira and maybe even a PR?

On 6 October 2015 at 12:28, Libor Krzyzanek wrote:

> Yep, works. Thanks for the tip. We can handle it in the JS implementation.
>
> Wouldn't it be useful to have extra methods in the Keycloak JS adapter for it, like you have for login: login(options), createLoginUrl(options) methods? It would be super convenient then.

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Oct 2015 12:46:23 +0200
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0

Hi,

what's your mongo DB version?

Marek

From: galeido at galeido.com (Pekka Leppänen)
Date: Tue, 06 Oct 2015 10:52:34 +0000
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0

Hi Marek,

Currently running 3.0.3. Previous version of Keycloak (1.2.0) works perfectly with this.
--
Best regards,
Pekka Leppänen

--
email: galeido at galeido.com
--

On 06.10.15 13:46, Marek Posolda wrote:

> Hi,
>
> what's your mongo DB version?
>
> Marek

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Oct 2015 12:58:54 +0200
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0

Another question: are you seeing admin clients in the master realm for all your realms in the admin console? For example, assuming you have 2 realms, "master" and "foo": when you go to master and check clients, are you seeing both the "master-realm" and "foo-realm" clients in the list?

Feel free to create a JIRA (ideally with info about the mongo version and about your realms, and whether those admin clients in the master realm are available).

Thanks,
Marek

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Oct 2015 13:00:47 +0200
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0

Ah, ok. We already have a jira opened for proper mongo 3 support. Actually testing with 2.X only... I hope to get into this for this release, but not sure at 100%.

Marek

On 06/10/15 12:52, Pekka Leppänen wrote:

> Hi Marek,
>
> Currently running 3.0.3. Previous version of Keycloak (1.2.0) works perfectly with this.

From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 06 Oct 2015 07:04:46 -0400
Subject: [keycloak-user] export of realm json

On 10/5/2015 3:18 PM, Marek Posolda wrote:

> Btw. Stan, is your work going to be added into 1.6 or is it for the next release? I am just asking because there is one pending PR, which is likely going to be merged for 1.6 - https://github.com/keycloak/keycloak/pull/1656/files . After merging this, we discussed with Stian some additional minor changes (namely removing the "zip" export/import provider as nobody seems to be using it so far). I should also doublecheck that import still works after those changes.
>
> I am going to look at this likely next week and it's going to be included in 1.6. I am asking as I don't want to edit the same code as you and break something you're working on ;-)

It definitely won't make it for 1.6. I'm just getting started, figuring out the requirements, and figuring out how it will all work.

> Marek
>
> On 05/10/15 20:33, Stan Silvert wrote:
>> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>> On Oct 5, 2015 21:24, "Bill Burke" wrote:
>>>> I'm still averse to allowing export from admin console of any credentials or private keys.
>>> Even if they are not directly downloadable but require access to the server just like now?
>>
>> I think there should be no secrets ever downloadable from admin console. Admin console is, by definition, remote.
>>
>> If you have access to the server then you can use what is there now.
>>
>> It is possible, however, that when we do our CLI implementation we can verify that the user is local and allow full access. That way, you could do full export on a running server. WildFly CLI already has logic to verify a user is local.
>>
>>>> On 10/5/2015 2:02 PM, Stan Silvert wrote:
>>>>> I'm actually starting on the design and implementation of this right now. It's import/export from the admin console. It will also have the ability to import/export partial pieces of a realm such as just users.
>>>>>
>>>>> Thanks for the comments so far on this thread. They have been very helpful.
>>>>>
>>>>> We will keep the idea that no secrets should ever be exported from admin console. I'm not sure that having a flag for it in keycloak-server.json helps. To edit keycloak-server.json, you need access to the server, in which case you might as well do the current import/export.
>>>>>
>>>>> So what do you do after you import a user with no credentials? Some ideas:
>>>>> * The administrator can reset the password manually.
>>>>> * The user can do password recovery (if enabled)
>>>>>
>>>>> Any other ideas?
>>>>>
>>>>> Stan
>>>>>
>>>>> On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>>>>>> That's a good point. Having to stop/start the server to generate an export is not ideal.
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>>>>>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke wrote:
>>>>>>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>>>>>>> On Oct 4, 2015 23:57, "Bill Burke" wrote:
>>>>>>>>>> For security reasons we did not want to have a remote option to export.
>>>>>>>>>
>>>>>>>>> How about just storing the export as a local file on the server? You'd need access to the server in order to get the file (making the system compromised anyways). The change to current behaviour is that you would be able to trigger the export at will without server restart.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Thomas
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Oct 2015 13:09:43 +0200
Subject: [keycloak-user] export of realm json

On 06/10/15 13:04, Stan Silvert wrote:

> It definitely won't make it for 1.6. I'm just getting started, figuring out the requirements, and figuring out how it will all work.

ah, ok. Thanks.
No conflicts expected then :-)

Marek

>
>> Marek
>>
>> On 05/10/15 20:33, Stan Silvert wrote:
>>> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>>>
>>>> On Oct 5, 2015 21:24, "Bill Burke" wrote:
>>>> >
>>>> > I'm still averse to allowing export from admin console of any
>>>> > credentials or private keys.
>>>>
>>>> Even if they are not directly downloadable but require access to
>>>> the server just like now?
>>>>
>>> I think there should be no secrets ever downloadable from admin
>>> console. Admin console is, by definition, remote.
>>>
>>> If you have access to the server then you can use what is there now.
>>>
>>> It is possible, however, that when we do our CLI implementation we
>>> can verify that the user is local and allow full access. That way,
>>> you could do full export on a running server. WildFly CLI already
>>> has logic to verify a user is local.
>>>
>>>> >
>>>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>>>> > > I'm actually starting on the design and implementation of this right
>>>> > > now. It's import/export from the admin console. It will also have the
>>>> > > ability to import/export partial pieces of a realm such as just users.
>>>> > >
>>>> > > Thanks for the comments so far on this thread. They have been very helpful.
>>>> > >
>>>> > > We will keep the idea that no secrets should ever be exported from admin
>>>> > > console. I'm not sure that having a flag for it in keycloak-server.json
>>>> > > helps. To edit keycloak-server.json, you need access to the server, in
>>>> > > which case you might as well do the current import/export.
>>>> > >
>>>> > > So what do you do after you import a user with no credentials? Some ideas:
>>>> > > * The administrator can reset the password manually.
>>>> > > * The user can do password recovery (if enabled)
>>>> > >
>>>> > > Any other ideas?
>>>> > >
>>>> > > Stan
>>>> > >
>>>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>>>> > >> That's a good point.
>>>> > >> Having to stop/start the server to generate an export is not ideal.
>>>> > >>
>>>> > >> Tim
From galeido at galeido.com  Tue Oct  6 07:25:21 2015
From: galeido at galeido.com (Pekka Leppänen)
Date: Tue, 06 Oct 2015 11:25:21 +0000
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0
Message-ID: <1444130721147-d2e7bb39-6d3df5c1-263dbd91@galeido.com>

Hi,

Here is a link to the client screenshot: http://postimg.org/image/9brwy7iax/

--
Best regards,
Pekka Leppänen
--
email: galeido at galeido.com
--

On 06.10.15 13:58, Marek Posolda wrote:
> Another question: Are you seeing admin clients in master realm for all your realms in admin console? For example, assuming you have 2 realms "master" and "foo". When you go to master and you check clients, are you seeing both "master-realm" and "foo-realm" clients in the list?
>
> Feel free to create a JIRA (ideally with info about mongo version and about your realms and if those admin clients in master realm are available)
>
> Thanks,
> Marek
>
> On 06/10/15 12:46, Marek Posolda wrote:
> > Hi,
> >
> > what's your mongo DB version?
> >
> > Marek
> >
> > On 06/10/15 12:28, Pekka Leppänen wrote:
> >> Hi,
> >>
> >> I have an issue migrating the MongoDB database related to the upgrade of Keycloak version 1.2.0 to 1.5.0.
> >>
> >> Here is the direct link to the error message itself:
> >> http://pastebin.ubuntu.com/12634233/
> >>
> >> Any ideas what could cause this error scenario or is it just a bug in the migration process?
> >>
> >> --
> >> Best regards,
> >> Pekka Leppänen
> >> --
> >> email: galeido at galeido.com
> >> --

From lkrzyzan at redhat.com  Tue Oct  6 07:32:57 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 6 Oct 2015 13:32:57 +0200
Subject: [keycloak-user] URL/Link for registration page
References: <6ADE5034-B38A-4D8C-B8EE-DAB1971D71D5@redhat.com>
Message-ID: <2C951D73-1E0B-4ABF-9CE0-22A747210D59@redhat.com>

I'm checking the keycloak.js source code and it seems that createLoginUrl already supports it. Just pass in the options 'options.action == 'register'' and it should create a registration page URL.

See https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L144

From the keycloak.js API point of view I would say there could be a new method 'createRegistrationUrl' which will be just a shortcut for calling createLoginUrl with options.action='register'.

WDYT?

Libor Krzyžanek
jboss.org Development Team

> On Oct 6, 2015, at 12:37 PM, Stian Thorgersen wrote:
>
> True would be nice to add to keycloak.js - do you want to create a jira and maybe even a PR?
>
> On 6 October 2015 at 12:28, Libor Krzyzanek wrote:
> Yep works. Thanks for the tip. We can handle it in the JS implementation.
>
> Wouldn't it be useful to have extra methods in the Keycloak JS adapter for it like you have for login - login(options), createLoginUrl(options) methods.
> It would be super convenient then.
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
>> On Oct 6, 2015, at 12:09 PM, Stian Thorgersen wrote:
>>
>> Just swap the last 'auth' to 'registrations' in the link and you'll get the registration page instead of the login page
>>
>> On 6 October 2015 at 11:12, Libor Krzyzanek wrote:
>> Hi,
>> is it possible to have a unique URL resp. link for the registration page on a website?
>> The JS Adapter (http://keycloak.github.io/docs/userguide/html/ch08.html#d4e1098) has only login and logout actions.
>>
>> Right now there is only the login page as entry point for clients.
>>
>> It's quite common to have separate links for Login and Register on a website because going directly to the registration page makes the registration process easier.
>>
>> The other scenario is promoting registration via e-mail like "Register for free. Click on this link ..."
>> It would be great to have a bookmarkable URL for such a use case.
>>
>> Thanks,
>>
>> Libor
>>
>> Libor Krzyžanek
>> jboss.org Development Team

From sthorger at redhat.com  Tue Oct  6 07:38:51 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Oct 2015 13:38:51 +0200
Subject: [keycloak-user] URL/Link for registration page
In-Reply-To: <2C951D73-1E0B-4ABF-9CE0-22A747210D59@redhat.com>
References: <6ADE5034-B38A-4D8C-B8EE-DAB1971D71D5@redhat.com> <2C951D73-1E0B-4ABF-9CE0-22A747210D59@redhat.com>

+1 We should also add register() so it's consistent with login and account management

From remi.cartier at imetrik.com  Tue Oct  6 08:48:00 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Tue, 6 Oct 2015 12:48:00 +0000
Subject: [keycloak-user] Crypto
In-Reply-To: <8C91B64C-2161-40F3-956E-E993649BEE01@smartling.com>
References: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com> <8C91B64C-2161-40F3-956E-E993649BEE01@smartling.com>

Thank you Scott for the tip, now I have:

    org.jboss.modules.ModuleNotFoundException: javax.crypto:main

It doesn't seem to recognize it as a "builtin" module; I will try to look in the code / mailing list archive to see what I can find.

At least I have a lead.

Cheers!

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

On Oct 5, 2015, at 6:48 PM, Scott Rossillo wrote:

Sorry, I sent that too quick. I meant javax.crypto. :)

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Oct 5, 2015, at 6:47 PM, Scott Rossillo wrote:

Try adding a dependency on

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Oct 5, 2015, at 4:38 PM, Remi Cartier wrote:

Hi guys,

I am trying to use some crypto to match hashes from my old db.
The code is:

    KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
    SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();

I can't make it work as a federation provider.

It was complaining about java.lang.ClassNotFoundException: javax.crypto.spec.PBEKeySpec

I added jce.jar to the list of dependencies in my module.xml (I shouldn't have to do that)

Then I got:

    ClassNotFoundException: sun.security.jca.GetInstance

I added rt.jar (which I shouldn't do either)

and then I got some fancy exception: java.lang.LinkageError: loader constraint violation

I then tried with bouncy castle: bcprov-jdk15on-152.jar to no avail.

What is wrong?

Here is my module.xml file:

Cheers.

From bburke at redhat.com  Tue Oct  6 09:01:25 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 6 Oct 2015 09:01:25 -0400
Subject: [keycloak-user] Crypto
In-Reply-To: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com>
References: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com>
Message-ID: <5613C625.7020309@redhat.com>

dependencies refer to other modules. You also need to include the javax.* package dependencies. These aren't actually on by default.

I don't think you need to add jce.jar. Just "javax.api".
On 10/5/2015 4:38 PM, Remi Cartier wrote:
> here is my module.xml file :
>
> xmlns="urn:jboss:module:1.1" name="com.imetrik.saas.server.services.insuranceWebUIBackend.dao.federation">
>
> Cheers.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From remi.cartier at imetrik.com  Tue Oct  6 09:07:02 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Tue, 6 Oct 2015 13:07:02 +0000
Subject: [keycloak-user] Crypto
In-Reply-To: <5613C625.7020309@redhat.com>
References: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com> <5613C625.7020309@redhat.com>

Bill, you're the best, it did the trick!

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com
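The PBKDF2 call from this thread, carried through into a complete verifier as an added example (not the poster's code and not part of Keycloak): a helper a user federation provider could call when checking a password against a hash from the legacy database, with the same PBKDF2WithHmacSHA1 / 2048 iterations / 160-bit parameters and a constant-time comparison. The class name, the Base64 storage of salt and hash, and the sample row are assumptions; the class runs inside a provider module once its module.xml declares the javax.api dependency Bill mentions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not the poster's or Keycloak's code): verify a password against a
 * legacy PBKDF2WithHmacSHA1 hash using the parameters from the thread
 * (2048 iterations, 160-bit derived key). Assumption: the old database stores
 * salt and hash as Base64 strings; adjust the decoding if yours stores hex.
 */
public final class LegacyPbkdf2Verifier {
    static final String ALGORITHM = "PBKDF2WithHmacSHA1";
    static final int ITERATIONS = 2048;      // as in the thread
    static final int KEY_LENGTH_BITS = 160;  // as in the thread (SHA-1 output size)

    private LegacyPbkdf2Verifier() {}

    /** Derives the hash exactly as the legacy system did. */
    public static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        try {
            // javax.crypto must be visible to the provider module (javax.api dependency).
            SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
            return factory.generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password
        }
    }

    /**
     * Returns true only if the derived hash matches the stored one.
     * MessageDigest.isEqual compares in constant time, so a wrong guess
     * does not reveal how many leading bytes matched.
     */
    public static boolean verify(char[] password, String saltBase64, String storedHashBase64) {
        byte[] salt = Base64.getDecoder().decode(saltBase64);
        byte[] expected = Base64.getDecoder().decode(storedHashBase64);
        byte[] actual = derive(password, salt);
        try {
            return MessageDigest.isEqual(expected, actual);
        } finally {
            Arrays.fill(actual, (byte) 0); // do not leave the derived key in memory
        }
    }

    public static void main(String[] args) {
        // Constructed sample row: in practice salt and hash come from the legacy DB.
        // The salt bytes are taken with an explicit charset; salt.getBytes() without
        // one (as in the thread) depends on the JVM's default encoding.
        byte[] salt = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        String saltBase64 = Base64.getEncoder().encodeToString(salt);
        String storedHash = Base64.getEncoder().encodeToString(
                derive("correct horse".toCharArray(), salt));

        System.out.println("right password: "
                + verify("correct horse".toCharArray(), saltBase64, storedHash));
        System.out.println("wrong password: "
                + verify("battery staple".toCharArray(), saltBase64, storedHash));
    }
}
```

The salt charset and the stored encoding are the two places where a migrated verifier silently stops matching the old hashes, so check both against a known row before switching users over.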
From bburke at redhat.com  Tue Oct  6 09:08:33 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 6 Oct 2015 09:08:33 -0400
Subject: [keycloak-user] Crypto
References: <82D08E2F-83A5-4CE0-AB7C-DC8C54211B70@imetrik.com> <5613C625.7020309@redhat.com>
Message-ID: <5613C7D1.8030100@redhat.com>

BTW, I thought this was weird that you had to include javax.api, but I learned that it is used if you want to use a newer (or older) version of xerces (which is included in the JDK).

On 10/6/2015 9:07 AM, Remi Cartier wrote:
> Bill, you're the best, it did the trick!
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From lkrzyzan at redhat.com  Tue Oct  6 09:30:00 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 6 Oct 2015 15:30:00 +0200
Subject: [keycloak-user] URL/Link for registration page
References: <6ADE5034-B38A-4D8C-B8EE-DAB1971D71D5@redhat.com> <2C951D73-1E0B-4ABF-9CE0-22A747210D59@redhat.com>
Message-ID: <52AA7FE8-E112-41AB-B885-84CA74D590B8@redhat.com>

Yep sounds good.

https://issues.jboss.org/browse/KEYCLOAK-1904

I could prepare a PR this week.
The showcase of using the new API could be in https://github.com/keycloak/keycloak/tree/master/examples/js-console .

Libor Krzyžanek
jboss.org Development Team
From mposolda at redhat.com  Tue Oct  6 13:28:55 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Oct 2015 19:28:55 +0200
Subject: [keycloak-user] Issue to migrate MongoDB database from Keycloak version 1.2.0 to 1.5.0
In-Reply-To: <1444130721147-d2e7bb39-6d3df5c1-263dbd91@galeido.com>
References: <1444130721147-d2e7bb39-6d3df5c1-263dbd91@galeido.com>
Message-ID: <561404D7.1000208@redhat.com>

Thanks, the initial line with just " -realm" in the client list is not correct, looks like a bug.

As I said, the migration likely doesn't work with Mongo 3. A JIRA for this is already opened and I hope to fix it for this release.

Marek
From sthorger at redhat.com  Wed Oct  7 02:37:03 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Oct 2015 08:37:03 +0200
Subject: [keycloak-user] URL/Link for registration page
In-Reply-To: <52AA7FE8-E112-41AB-B885-84CA74D590B8@redhat.com>
References: <6ADE5034-B38A-4D8C-B8EE-DAB1971D71D5@redhat.com> <2C951D73-1E0B-4ABF-9CE0-22A747210D59@redhat.com> <52AA7FE8-E112-41AB-B885-84CA74D590B8@redhat.com>

+1 Do you want to add to js-console as well?

From sebastian.rose at aoe.com  Wed Oct  7 03:06:04 2015
From: sebastian.rose at aoe.com (Sebastian Rose)
Date: Wed, 7 Oct 2015 07:06:04 +0000
Subject: [keycloak-user] Direkt Link to forgot password page
In-Reply-To: <8c9b49eaa1cc4d77aac678ef91b0de20@exchange02.srv.hq.aoe.lan>
References: <8c9b49eaa1cc4d77aac678ef91b0de20@exchange02.srv.hq.aoe.lan>

Hi again,

as the direct registration link has been discussed and approved (thread: URL/Link for registration page), I want to propose the same solution for the forgot-password link (this is the second half of my requirements).

I guess that I would have to add some code to org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint for reset-credentials/reset-password, and it then would be possible to do the extension to keycloak.js the same way as discussed in the thread about URL/Link for registration page.

WDYT?

Best Regards,
Sebastian

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Sebastian Rose
Sent: Monday, 5 October 2015 15:23
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Direkt Link to forgot password page

Hi all,

part of my requirements are static links to forgot-password/forgot-credentials and register-user.

As far as I understand the source code and everything I have read so far, there is a check for the code/user-session and the client-id.

Would it be acceptable to change this behaviour to allow requesting e.g.
the forgot password link without visiting the login page first?

Best Regards,
Sebastian

Sebastian Rose
Developer
AOE GmbH
LuisenForum, Kirchgasse 6
65185 Wiesbaden
Germany
Tel. +49 6122 70 70 7 -234
Fax. +49 6122 70 70 7 -199
e-Mail: sebastian.rose at aoe.com
Web: http://www.aoe.com/

Mandatory disclosures under Commercial Code §37a / Stock Corporation Act §35a
VAT ID No.: DE250247455
Commercial register: Wiesbaden B
Commercial register no.: 22567
Registered office: Wiesbaden
Creditreform: 625.0209354
Managing Director: Kian Toyouri Gould

This e-mail message may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail.

From lkrzyzan at redhat.com Wed Oct 7 03:25:07 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Wed, 7 Oct 2015 09:25:07 +0200
Subject: [keycloak-user] URL/Link for registration page

Yep, I'll add 'register' buttons to js-console as well.

Libor Krzyžanek
jboss.org Development Team

> On Oct 7, 2015, at 8:37 AM, Stian Thorgersen wrote:
>
> +1 Do you want to add to js-console as well?
>
> On 6 October 2015 at 15:30, Libor Krzyzanek wrote:
> Yep, sounds good.
>
> https://issues.jboss.org/browse/KEYCLOAK-1904
>
> I could prepare a PR this week.
> The showcase of using the new API could be in https://github.com/keycloak/keycloak/tree/master/examples/js-console.

From tair.sabirgaliev at bee.kz Wed Oct 7 09:30:13 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Wed, 7 Oct 2015 19:30:13 +0600
Subject: [keycloak-user] Redirect to keycloak only for certain content-types

Is KeycloakConfigResolver coming in 1.6?

--
Tair Sabirgaliev
Bee Software, LLP

On October 6, 2015 at 11:32:44, Stian Thorgersen (sthorger at redhat.com) wrote:

I'm afraid it's not possible at the moment.
The only option now is to have two different clients and either split your application into two, or you can use the KeycloakConfigResolver to select the client based on the content type yourself. See the multi-tenancy example for an idea on how to use it.

On 2 October 2015 at 18:24, Tair Sabirgaliev wrote:

Hi,

Yes, it can be done with nginx, but I still hope this could be accomplished natively :)

The general idea is this:

a) if the browser asks for "text/html" => act as a confidential/public client, that is, start the keycloak login protocol

b) if the browser asks for "application/json" => act as a bearer-only client, and in case of an authorization error, respond with a proper 40x status

This would let me build an "isomorphic" JavaScript application (http://isomorphic.net)

With keycloak-1.5.0 I see that there is no difference whether I accept text/html or application/json:

tair$ curl -v -H 'Accept: text/html' http://localhost:9080/hello-world/rest/something
*   Trying ::1...
* connect to ::1 port 9080 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9080 (#0)
> GET /hello-world/rest/something HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.43.0
> Accept: text/html
>
< HTTP/1.1 302 Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
< Server: WildFly/9
< Pragma: no-cache
< Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
< Date: Fri, 02 Oct 2015 15:53:32 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact

tair$ curl -v -H 'Accept: application/json' http://localhost:9080/hello-world/rest/something
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9080 (#0)
> GET /hello-world/rest/something HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.43.0
> Accept: application/json
>
< HTTP/1.1 302 Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
< Server: WildFly/9
< Pragma: no-cache
< Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
< Date: Fri, 02 Oct 2015 15:53:41 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact

Any workarounds there?

--
Tair Sabirgaliev
Bee Software, LLP

On October 2, 2015 at 20:54:01, Giriraj Sharma (giriraj.sharma27 at gmail.com) wrote:
> Hi,
>
> One possible way is to put nginx as a reverse proxy between the browser and the Keycloak server instance. You can dig around using the $content_type embedded variable of the nginx ngx_http_core_module, or maybe the nginx_rewrite module, and a simple tweak (maybe an if statement in the nginx server/location block config) will help you achieve what is required. Based on the value of the content-type header, you can proxy-pass the requests to a different upstream server via nginx.
>
> Cheers,
>
> On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:
> >
> > Hi,
> >
> > Is it possible to set up login redirection only for certain content types?
> > I want to redirect only when the browser asks for text/html. For other types
> > either 40x or Authorization challenge.
> >
> > --
> > Tair Sabirgaliev
> > Bee Software, LLP
>
> --
> Giriraj Sharma
> about.me/girirajsharma
>
> Giriraj Sharma,
> Department of Computer Science
> National Institute of Technology Hamirpur
> Himachal Pradesh, India 177005

From valerij.timofeev at gmail.com Wed Oct 7 12:37:57 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Wed, 7 Oct 2015 18:37:57 +0200
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?

Hi,

in order to import users having encrypted passwords from existing user storage I'm implementing a user federation provider based on the keycloak example keycloak-examples-1.5.0.Final/providers/federation-provider.
Additionally I considered hints provided by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18.

The above example works properly when retrieving users from a properties file. The next step in the implementation would be access to the database where the user data is stored.

My question: What would be the best practice for accessing a database from a custom keycloak provider?

Something like this?

    // KeycloakSession
    session.getProvider(JpaConnectionProvider.class, "myTS")
           .getEntityManager()
           .createQuery("SELECT... ?

keycloak-server.json:

    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/KeycloakDS",
            "databaseSchema": "update"
        },
        "myTS": {
            "dataSource": "java:jboss/datasources/myTsDS"
        }
    }

Thank you,
Valerij Timofeev
Software Engineer
Trusted Shops GmbH

From lopez.m.gonzalo at gmail.com Wed Oct 7 13:54:00 2015
From: lopez.m.gonzalo at gmail.com (Gonzalo López)
Date: Wed, 7 Oct 2015 14:54:00 -0300
Subject: [keycloak-user] Role to claim mapping

I finally made it work. The problem I was having was that the provider was not taking the information from the access token because the provider I created in Keycloak B was not a "Keycloak OpenID Connect" provider, just OpenID Connect, so it didn't try to get the info from the access token because it doesn't have to be a JWT token.

Thank you

2015-09-30 12:48 GMT-03:00 Bill Burke:
>
> On 9/30/2015 11:45 AM, Bill Burke wrote:
> > Or, you can use the Attribute Importer. You can reference the
> > testrole via "realm_access.roles.testrole" or
> > "resource_access..roles.testrole".
>
> Actually, this won't work. You have to map testrole to a role in
> Keycloak B.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
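Bill's point in the thread above (a claim path such as "realm_access.roles.testrole" does not address anything, and testrole from Keycloak A's access token has to be mapped onto a role defined in Keycloak B) is easier to see in code. The block below is an added illustration, not Keycloak's code and not something posted on the list: it verifies the brokered access token's signature before reading any claim, resolves the dotted claim paths the thread mentions (realm_access.roles and resource_access.<client>.roles), and maps the external roles it finds onto local role names. The demo secret, the issuer URL, the payload, the client id app-a and every role name are constructed for the example; it signs with HS256 only to stay self-contained, whereas a Keycloak realm signs access tokens with RS256 and a broker would check the issuing realm's public key instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real realm uses an RS256 key pair, not a shared secret.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "http://keycloak-a.example/auth/realms/demo"

# Constructed sample access-token payload shaped like the one Keycloak A would issue.
DEMO_PAYLOAD = {
    "iss": DEMO_ISSUER,
    "sub": "f1a2b3c4-user-1",
    "azp": "app-a",
    "realm_access": {"roles": ["testrole", "offline_access"]},
    "resource_access": {"app-a": {"roles": ["testrole", "viewer"]}},
}

# (claim path in the token, role name in Keycloak A, role to grant in Keycloak B)
ROLE_MAPPINGS = [
    ("realm_access.roles", "testrole", "testrole-b"),
    ("resource_access.app-a.roles", "viewer", "app-a-viewer"),
    ("resource_access.app-a.roles", "admin", "app-a-admin"),
]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; stands in for the token Keycloak A would issue."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes, expected_iss: str = DEMO_ISSUER) -> dict:
    """Return the payload only after the signature and issuer check out.
    Rejects alg=none or any algorithm other than the one the broker expects."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer: {payload.get('iss')!r}")
    return payload


def claim_path(payload: dict, path: str):
    """Resolve a dotted claim path such as 'realm_access.roles'.
    Returns None when a segment is missing or when the path tries to step
    into a list (which is why 'realm_access.roles.testrole' resolves to nothing)."""
    node = payload
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def map_roles(payload: dict, mappings) -> set:
    """Grant each local role whose external role is present at its claim path."""
    granted = set()
    for path, external_role, local_role in mappings:
        roles = claim_path(payload, path)
        if isinstance(roles, list) and external_role in roles:
            granted.add(local_role)
    return granted


def broker_roles(token: str, secret: bytes, mappings=ROLE_MAPPINGS) -> set:
    """Verify the token, then map its roles; never read claims from an unverified token."""
    return map_roles(verify_and_decode(token, secret), mappings)


if __name__ == "__main__":
    tok = make_demo_token(DEMO_PAYLOAD, DEMO_SECRET)
    print(sorted(broker_roles(tok, DEMO_SECRET)))
```

The mapping table is the piece that a generic OpenID Connect broker lacks: it only learns roles if it parses the access token as a JWT and is told which claim path and which external role name correspond to which local role, and it must verify the token before trusting either.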
From remi.cartier at imetrik.com Wed Oct 7 14:06:59 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Wed, 7 Oct 2015 18:06:59 +0000
Subject: [keycloak-user] Service Setup

Quick question.

What would be the best way to set up a keycloak instance to run as a service?
I have set up the server as a standalone instance right now, but it needs a screen to run.
I have no wildfly instance running anywhere else in my stack.

Thanks for your time!

REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

From mposolda at redhat.com Wed Oct 7 14:59:26 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Oct 2015 20:59:26 +0200
Subject: [keycloak-user] Service Setup

Are you using Linux or another OS? I think that generally the service setup is specific to the OS. Here are some instructions for Wildfly on Linux I found during quick googling: http://developer-should-know.tumblr.com/post/112230363742/how-to-install-wildfly-as-a-service-on-linux . Maybe there are more proper ones somewhere else (maybe Wildfly docs).

Anyway, I don't think that service setup is Keycloak-specific stuff. You can find any instructions for a "generic" Wildfly server for your OS and just use them for the Wildfly instance with Keycloak.

Marek

On 07/10/15 20:06, Remi Cartier wrote:
> Quick question.
>
> What would be the best way to set up a keycloak instance to run as a service?
> I have set up the server as a standalone instance right now, but it needs a screen to run.
> I have no wildfly instance running anywhere else in my stack.
>
> Thanks for your time!

From remi.cartier at imetrik.com Wed Oct 7 15:01:40 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Wed, 7 Oct 2015 19:01:40 +0000
Subject: [keycloak-user] Service Setup

Marek,

I am running the service on a Linux box.
I was wondering if there was a setup with the standalone configuration, but it seems I need to go the wildfly way.

Thank you.

On Oct 7, 2015, at 2:59 PM, Marek Posolda wrote:
> Are you using Linux or another OS? I think that generally the service setup is specific to the OS.
>
> Anyway, I don't think that service setup is Keycloak-specific stuff. You can find any instructions for a "generic" Wildfly server for your OS and just use them for the Wildfly instance with Keycloak.

From thomas.raehalme at aitiofinland.com Wed Oct 7 15:32:41 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Wed, 7 Oct 2015 22:32:41 +0300
Subject: [keycloak-user] Service Setup

Hi!

The standalone distribution has init scripts for RedHat/CentOS and Debian under bin/init.d. I have successfully used the script for RedHat without any problems. Just copy or link the file under /etc/init.d and use chkconfig to enable it.

Best regards,
Thomas

On Wed, Oct 7, 2015 at 10:01 PM, Remi Cartier wrote:
> Marek,
>
> I am running the service on a Linux box.
> I was wondering if there was a setup with the standalone configuration, but it seems I need to go the wildfly way.
>
> Thank you.

--
Thomas Raehalme
CTO, Chief Technology Officer
Mobile +358 40 545 0605

Aitio Finland Oy
Väinönkatu 26 A
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.aitiofinland.com

Codecenter is now Aitio - we don't just code!

From remi.cartier at imetrik.com Wed Oct 7 15:33:33 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Wed, 7 Oct 2015 19:33:33 +0000
Subject: [keycloak-user] Service Setup

Ah! I do prefer that option, will try and validate.

Thank you!

On Oct 7, 2015, at 3:32 PM, Thomas Raehalme wrote:
> Hi!
>
> The standalone distribution has init scripts for RedHat/CentOS and Debian under bin/init.d. I have successfully used the script for RedHat without any problems. Just copy or link the file under /etc/init.d and use chkconfig to enable it.
>
> Best regards,
> Thomas

From remi.cartier at imetrik.com Wed Oct 7 15:51:04 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Wed, 7 Oct 2015 19:51:04 +0000
Subject: [keycloak-user] /protocol/openid-connect/userinfo

Hey guys,

I created a token with /protocol/openid-connect/token and got a JWT token back.
Now I am trying to get the username of the logged-in user from the token via /userinfo. I get the 403 error code.
When I was doing that request with the admin user, it worked.
I am wondering if I have to set some roles for every user that wants to be able to get back their info via /userinfo.

    // Calls the realm's OIDC userinfo endpoint with the bearer token and looks up
    // the local user from the returned claims. Needs the Apache HttpClient,
    // commons-io IOUtils and Keycloak JsonSerialization/UserInfo imports.
    public User getUserFromToken(String iToken) {
        HttpClient httpClient = buildHttpClient();
        HttpGet httpGet = new HttpGet(getKeycloakServerURL() + "/realms/" + getKeycloakRealm()
                + "/protocol/openid-connect/userinfo");
        httpGet.addHeader("Authorization", "Bearer " + iToken);
        try {
            HttpResponse httpResponse = httpClient.execute(httpGet);
            if (httpResponse.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
                throw new IllegalStateException(httpGet.toString() + " returned "
                        + httpResponse.getStatusLine().toString());
            }
            String json = IOUtils.toString(httpResponse.getEntity().getContent());
            UserInfo userInfo = JsonSerialization.readValue(json, UserInfo.class);
            // getName() is the "name" claim (display name); the login name is getPreferredUsername()
            return getUser(userInfo.getName(), getKeycloakRealm());
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    java.lang.IllegalStateException: GET http://m4ib-idm:8080/auth/realms/imetrik/protocol/openid-connect/userinfo HTTP/1.1 returned HTTP/1.1 403 Forbidden

Anything I am missing?

Cheers!

From robin1233 at gmail.com Wed Oct 7 17:09:09 2015
From: robin1233 at gmail.com (robinfernandes .)
Date: Wed, 7 Oct 2015 17:09:09 -0400
Subject: [keycloak-user] Unable to access admin API (Get Identity Provider Instance)

Hi All,

I was trying to call this API GET /admin/realms/{realm}/identity-provider/instances/{alias} and all I see in the error message is "Bearer".
Can someone point me to what credentials I need to use to get the token in order to be able to access this API? Also any tests written for this API would help.

Am I missing something very obvious?

Thanks,
Robin

From sthorger at redhat.com Wed Oct 7 23:53:46 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Oct 2015 05:53:46 +0200
Subject: [keycloak-user] Redirect to keycloak only for certain content-types

It's been there for a long time, take a look at the multi-tenancy example

On 7 October 2015 at 15:30, Tair Sabirgaliev wrote:
> Is KeycloakConfigResolver coming in 1.6?
>
> --
> Tair Sabirgaliev
> Bee Software, LLP
>
> On October 6, 2015 at 11:32:44, Stian Thorgersen (sthorger at redhat.com) wrote:
>
> I'm afraid it's not possible at the moment. The only option now is to have two different clients and either split your application into two, or you can use the KeycloakConfigResolver to select the client based on the content type yourself. See the multi-tenancy example for an idea on how to use it.
>
> On 2 October 2015 at 18:24, Tair Sabirgaliev wrote:
>
>> Hi,
>>
>> Yes, it can be done with nginx, but I still hope this could be accomplished natively :)
>>
>> The general idea is this:
>>
>> a) if the browser asks for "text/html" => act as a confidential/public client, that is, start the keycloak login protocol
>>
>> b) if the browser asks for "application/json" => act as a bearer-only client, and in case of an authorization error, respond with a proper 40x status
>>
>> This would let me build an "isomorphic" JavaScript application (http://isomorphic.net)
>>
>> With keycloak-1.5.0 I see that there is no difference whether I accept text/html or application/json.
>>
>> Any workarounds there?
>>
>> --
>> Tair Sabirgaliev
>> Bee Software, LLP

From sthorger at redhat.com Wed Oct 7 23:57:56 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Oct 2015 05:57:56 +0200
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?

Do you want to permanently import the users into the Keycloak database?

On 7 October 2015 at 18:37, Valerij Timofeev wrote:
> Hi,
>
> in order to import users having encrypted passwords from existing user storage I'm implementing a user federation provider based on the keycloak example keycloak-examples-1.5.0.Final/providers/federation-provider.
> Additionally I considered hints provided by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18.
> The above example works properly when retrieving users from a properties file.
> The next step in the implementation would be access to the database where the user data is stored.
>
> My question: What would be the best practice for accessing a database from a custom keycloak provider?
>
> Something like this?
>
> // KeycloakSession
> session.getProvider(JpaConnectionProvider.class, "myTS")
> .getEntityManager()
> .createQuery("SELECT... ?
>
> keycloak-server.json:
> "connectionsJpa": {
>   "default": {
>     "dataSource": "java:jboss/datasources/KeycloakDS",
>     "databaseSchema": "update"
>   },
>   "myTS": {
>     "dataSource": "java:jboss/datasources/myTsDS"
>   }
> }
>
> Thank you,
>
> Valerij Timofeev
> Software Engineer
> Trusted Shops GmbH
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Oct 8 01:19:21 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Oct 2015 07:19:21 +0200
Subject: [keycloak-user] Unable to access admin API (Get Identity Provider Instance)
In-Reply-To:
References:
Message-ID:

You need a token to invoke the admin endpoints. Take a look at the "admin-access-app" example in the demo (uses HttpClient) or the "admin-client" example (uses our admin java client library).

On 7 October 2015 at 23:09, robinfernandes . wrote:

> Hi All,
>
> I was trying to call this API *GET /admin/realms/{realm}/identity-provider/instances/{alias} *and all I see in the error message is "Bearer".
>
> Can someone point me to what credentials I need to use to get the token in order to be able to access this API? Also any tests written for this API would also help.
> Am I missing something very obvious?
>
> Thanks,
> Robin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
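The flow Stian points at, as an added example that is not code from the thread and not the admin-access-app or admin-client example: obtain a bearer token from the realm's token endpoint, then call the identity-provider admin endpoint with it. It uses only the JDK (Java 11 java.net.http) so it does not depend on any adapter version; the server URL, realm names, client id (a public client that allows the password grant) and the user are assumptions. The part worth reading is the status handling: the bare "Bearer" challenge Robin saw is a 401, meaning no usable token reached the server at all, while a 403 means the token was accepted but the user behind it lacks the realm-management role for that endpoint (view-identity-providers or manage-identity-providers).

```java
// Added example, not code from the keycloak-user thread or the Keycloak examples.
// Assumed: server URL, realm names, a public client "admin-cli" permitting the
// password grant, and an admin user. Requires Java 11+ (java.net.http).
import java.io.Console;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdminApiCall {

    // Minimal extraction of the access token from the JSON token response.
    private static final Pattern ACCESS_TOKEN =
            Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
    // An alias is interpolated into a URL path, so only accept plain identifiers.
    private static final Pattern SAFE_ALIAS = Pattern.compile("[A-Za-z0-9._-]+");

    private final HttpClient http = HttpClient.newHttpClient();
    private final String serverUrl; // e.g. https://sso.example.test/auth (assumed)

    public AdminApiCall(String serverUrl) {
        this.serverUrl = serverUrl;
    }

    /** Resource Owner Password grant against the realm token endpoint; returns the access token. */
    public String obtainToken(String realm, String clientId, String username, String password)
            throws IOException, InterruptedException {
        String form = "grant_type=password"
                + "&client_id=" + enc(clientId)
                + "&username=" + enc(username)
                + "&password=" + enc(password);
        HttpRequest req = HttpRequest.newBuilder()
                .uri(URI.create(serverUrl + "/realms/" + realm + "/protocol/openid-connect/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Report the status only; never log the request or response bodies here.
            throw new IllegalStateException("token endpoint returned HTTP " + resp.statusCode());
        }
        Matcher m = ACCESS_TOKEN.matcher(resp.body());
        if (!m.find()) {
            throw new IllegalStateException("token response carried no access_token");
        }
        return m.group(1);
    }

    /** GET /admin/realms/{realm}/identity-provider/instances/{alias}, telling 401 and 403 apart. */
    public String getIdentityProvider(String token, String realm, String alias)
            throws IOException, InterruptedException {
        if (!SAFE_ALIAS.matcher(alias).matches()) {
            throw new IllegalArgumentException("alias must be a plain identifier");
        }
        HttpRequest req = HttpRequest.newBuilder()
                .uri(URI.create(serverUrl + "/admin/realms/" + realm
                        + "/identity-provider/instances/" + alias))
                .header("Authorization", "Bearer " + token)
                .header("Accept", "application/json")
                .GET()
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        switch (resp.statusCode()) {
            case 200:
                return resp.body();
            case 401:
                // The "Bearer" challenge from the thread: no usable token was presented.
                throw new IllegalStateException("401: missing, expired or malformed bearer token");
            case 403:
                // Token accepted, but its user lacks the realm-management role for this endpoint.
                throw new IllegalStateException("403: token valid but not authorized for this endpoint");
            default:
                throw new IllegalStateException("unexpected HTTP " + resp.statusCode());
        }
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        AdminApiCall api = new AdminApiCall("https://sso.example.test/auth"); // assumed
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal; the password is read interactively");
        }
        String password = new String(console.readPassword("admin password: "));
        String token = api.obtainToken("master", "admin-cli", "admin", password);
        System.out.println(api.getIdentityProvider(token, "demo", "google")); // assumed realm/alias
    }
}
```

The token is a bearer credential: anything that holds it can call every admin endpoint the user is allowed to, so the example keeps it in memory only, sends it over HTTPS, and leaves it out of every error message. The password grant is used because it is what the thread's era examples used; for unattended scripts a confidential client with a service account is the more contained choice.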
From valerij.timofeev at gmail.com Thu Oct 8 04:17:39 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Thu, 8 Oct 2015 10:17:39 +0200
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?
In-Reply-To:
References:
Message-ID:

Exactly.

Plain text passwords are unknown, so the "custom user federation provider" approach, suggested by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18, seems to be feasible:
- User federation provider searches for the user in the legacy user storage on the 1st login.
- If the user is found and the password legacy hash matches the value in the legacy user storage, user credential is updated in the Keycloak storage and federation link is removed then (see code snippet below).

My question is, what would be the best way to access legacy database from within a Keycloak custom provider?
JPA datasource for the legacy database is available on the same application server, where the Keycloak server runs (EAP 6.4.3).
@Override
public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
    for (UserCredentialModel cred : input) {
        if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
            return this.updateCredential(realm, user, cred);
        } else {
            return false; // invalid cred type
        }
    }
    return false;
}

private boolean updateCredential(RealmModel realm, UserModel user, UserCredentialModel cred) {
    // legacy hash for this username (the example provider reads it from a properties file)
    String password = properties.getProperty(user.getUsername());
    if (password == null)
        return false;
    String encodedPassword = Digest.createPassword(cred.getValue());
    // String.equals is not constant-time; MessageDigest.isEqual(byte[], byte[]) avoids timing differences
    boolean isPasswordOK = password.equals(encodedPassword);
    if (isPasswordOK) {
        // save password
        session.userStorage().getUserById(user.getId(), realm).updateCredential(cred);
        // break the federation link
        session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);
    }
    return isPasswordOK;
}

2015-10-08 5:57 GMT+02:00 Stian Thorgersen :

> Do you want to permanently import the users into the Keycloak database?
>
> On 7 October 2015 at 18:37, Valerij Timofeev wrote:
>
>> Hi,
>>
>> in order to import users having encrypted passwords from existing user storage I'm implementing user federation provider based on the keycloak example *keycloak-examples-1.5.0.Final/providers/federation-provider*.
>> Additionally I considered hints provided by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18
>> Above example works properly when retrieving users from a properties file. The next step in the implementation would be access to the database where users data is stored.
>>
>> *My question: *What would be the best practice for accessing database from a custom keycloak provider?
>>
>> Something like this?
>>
>> // KeycloakSession
>> session.getProvider(JpaConnectionProvider.class, "myTS")
>> .getEntityManager()
>> .createQuery("SELECT... ?
>> >> >> >> >> >> >> >> >> *keycloak-server.json:"connectionsJpa": { "default": { >> "dataSource": "java:jboss/datasources/KeycloakDS", >> "databaseSchema": "update" },* >> >> >> >> *"myTS": { "dataSource": >> "java:jboss/datasources/myTsDS" } }*Thank you, >> >> Valerij Timofeev >> Software Engineer >> Trusted Shops GmbH >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/a57691fc/attachment-0001.html From chenkeong.yap at izeno.com Thu Oct 8 04:29:57 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Thu, 8 Oct 2015 16:29:57 +0800 Subject: [keycloak-user] Keycloak 1.5 Compilation Error in windows Message-ID: Hi Guys, I was compiling the source codes using mvn clean install -Pdistribution but getting the following errors. Can advise? [INFO] Feature Pack Builds ................................ SUCCESS [ 0.014 s] [INFO] Keycloak Feature Pack: Server ...................... FAILURE [ 0.553 s] [INFO] Keycloak Server Distribution ....................... SKIPPED [INFO] Keycloak Server Overlay Distribution ............... SKIPPED [INFO] Keycloak Examples Distribution ..................... SKIPPED [INFO] Keycloak Docs Distribution ......................... SKIPPED [INFO] Keycloak Demo Distribution ......................... SKIPPED [INFO] Proxy Distro ....................................... SKIPPED [INFO] Keycloak EAP 6 Server Modules ...................... SKIPPED [INFO] Keycloak Server Overlay EAP 6 Distribution ......... SKIPPED [INFO] Keycloak Server Overlay EAP 6 ...................... SKIPPED [INFO] Keycloak Server Overlay Parent ..................... SKIPPED [INFO] Keycloak Source Distribution ....................... 
SKIPPED [INFO] Keycloak Feature Pack: Adapter ..................... SKIPPED [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 02:12 min [INFO] Finished at: 2015-10-08T16:21:56+08:00 [INFO] Final Memory: 310M/900M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build (feature-pack-build) on project keycloak-server-feature-pack: Execution featur e-pack-build of goal org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build failed: java.lang.RuntimeException: java.lang.RuntimeException: Failed to create feature pack from org.wildfly:wildfly-feature-pack:9.0.1.Final: error in opening zip file -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvn -rf :keycloak-server-feature-pack -- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/461c1ead/attachment.html From sthorger at redhat.com Thu Oct 8 06:04:09 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Oct 2015 12:04:09 +0200 Subject: [keycloak-user] Keycloak 1.5 Compilation Error in windows In-Reply-To: References: Message-ID: Looks like maybe the zip for org.wildfly:wildfly-feature-pack:9.0.1.Final in your Maven repo is corrupt? 
On 8 October 2015 at 10:29, Chen Keong Yap wrote: > Hi Guys, > > I was compiling the source codes using mvn clean install -Pdistribution > but getting the following errors. Can advise? > > [INFO] Feature Pack Builds ................................ SUCCESS [ > 0.014 s] > [INFO] Keycloak Feature Pack: Server ...................... FAILURE [ > 0.553 s] > [INFO] Keycloak Server Distribution ....................... SKIPPED > [INFO] Keycloak Server Overlay Distribution ............... SKIPPED > [INFO] Keycloak Examples Distribution ..................... SKIPPED > [INFO] Keycloak Docs Distribution ......................... SKIPPED > [INFO] Keycloak Demo Distribution ......................... SKIPPED > [INFO] Proxy Distro ....................................... SKIPPED > [INFO] Keycloak EAP 6 Server Modules ...................... SKIPPED > [INFO] Keycloak Server Overlay EAP 6 Distribution ......... SKIPPED > [INFO] Keycloak Server Overlay EAP 6 ...................... SKIPPED > [INFO] Keycloak Server Overlay Parent ..................... SKIPPED > [INFO] Keycloak Source Distribution ....................... SKIPPED > [INFO] Keycloak Feature Pack: Adapter ..................... 
SKIPPED > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 02:12 min > [INFO] Finished at: 2015-10-08T16:21:56+08:00 > [INFO] Final Memory: 310M/900M > [INFO] > ------------------------------------------------------------------------ > [ERROR] Failed to execute goal > org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build > (feature-pack-build) on project keycloak-server-feature-pack: Execution > featur > e-pack-build of goal > org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build > failed: java.lang.RuntimeException: java.lang.RuntimeException: Failed to > create feature > pack from org.wildfly:wildfly-feature-pack:9.0.1.Final: error in opening > zip file -> [Help 1] > [ERROR] > [ERROR] To see the full stack trace of the errors, re-run Maven with the > -e switch. > [ERROR] Re-run Maven using the -X switch to enable full debug logging. > [ERROR] > [ERROR] For more information about the errors and possible solutions, > please read the following articles: > [ERROR] [Help 1] > http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException > [ERROR] > [ERROR] After correcting the problems, you can resume the build with the > command > [ERROR] mvn -rf :keycloak-server-feature-pack > > -- > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/474291e0/attachment.html From chenkeong.yap at izeno.com Thu Oct 8 06:09:47 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Thu, 8 Oct 2015 18:09:47 +0800 Subject: [keycloak-user] Keycloak 1.5 Compilation Error in windows In-Reply-To: References: Message-ID: Hi stian, please advise how to rectify the issue. The zip for other projects are working but only org.wildfly:wildfly-feature-pack:9.0.1.Final is failing. On Thu, Oct 8, 2015 at 6:04 PM, Stian Thorgersen wrote: > Looks like maybe the zip for org.wildfly:wildfly-feature-pack:9.0.1.Final > in your Maven repo is corrupt? > > On 8 October 2015 at 10:29, Chen Keong Yap > wrote: > >> Hi Guys, >> >> I was compiling the source codes using mvn clean install -Pdistribution >> but getting the following errors. Can advise? >> >> [INFO] Feature Pack Builds ................................ SUCCESS [ >> 0.014 s] >> [INFO] Keycloak Feature Pack: Server ...................... FAILURE [ >> 0.553 s] >> [INFO] Keycloak Server Distribution ....................... SKIPPED >> [INFO] Keycloak Server Overlay Distribution ............... SKIPPED >> [INFO] Keycloak Examples Distribution ..................... SKIPPED >> [INFO] Keycloak Docs Distribution ......................... SKIPPED >> [INFO] Keycloak Demo Distribution ......................... SKIPPED >> [INFO] Proxy Distro ....................................... SKIPPED >> [INFO] Keycloak EAP 6 Server Modules ...................... SKIPPED >> [INFO] Keycloak Server Overlay EAP 6 Distribution ......... SKIPPED >> [INFO] Keycloak Server Overlay EAP 6 ...................... SKIPPED >> [INFO] Keycloak Server Overlay Parent ..................... SKIPPED >> [INFO] Keycloak Source Distribution ....................... SKIPPED >> [INFO] Keycloak Feature Pack: Adapter ..................... 
SKIPPED >> [INFO] >> ------------------------------------------------------------------------ >> [INFO] BUILD FAILURE >> [INFO] >> ------------------------------------------------------------------------ >> [INFO] Total time: 02:12 min >> [INFO] Finished at: 2015-10-08T16:21:56+08:00 >> [INFO] Final Memory: 310M/900M >> [INFO] >> ------------------------------------------------------------------------ >> [ERROR] Failed to execute goal >> org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build >> (feature-pack-build) on project keycloak-server-feature-pack: Execution >> featur >> e-pack-build of goal >> org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build >> failed: java.lang.RuntimeException: java.lang.RuntimeException: Failed to >> create feature >> pack from org.wildfly:wildfly-feature-pack:9.0.1.Final: error in opening >> zip file -> [Help 1] >> [ERROR] >> [ERROR] To see the full stack trace of the errors, re-run Maven with the >> -e switch. >> [ERROR] Re-run Maven using the -X switch to enable full debug logging. >> [ERROR] >> [ERROR] For more information about the errors and possible solutions, >> please read the following articles: >> [ERROR] [Help 1] >> http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException >> [ERROR] >> [ERROR] After correcting the problems, you can resume the build with the >> command >> [ERROR] mvn -rf :keycloak-server-feature-pack >> >> -- >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/1a59c18f/attachment.html From sthorger at redhat.com Thu Oct 8 08:13:41 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Oct 2015 14:13:41 +0200 Subject: [keycloak-user] Keycloak 1.5 Compilation Error in windows In-Reply-To: References: Message-ID: Try deleting "org\wildfly\wildfly-feature-pack" from your Maven repo (should be in C:\Documents and Settings\{your-username}\.m2\repository) On 8 October 2015 at 12:09, Chen Keong Yap wrote: > Hi stian, > > please advise how to rectify the issue. The zip for other projects are > working but only org.wildfly:wildfly-feature-pack:9.0.1.Final is failing. > > > On Thu, Oct 8, 2015 at 6:04 PM, Stian Thorgersen > wrote: > >> Looks like maybe the zip for org.wildfly:wildfly-feature-pack:9.0.1.Final >> in your Maven repo is corrupt? >> >> On 8 October 2015 at 10:29, Chen Keong Yap >> wrote: >> >>> Hi Guys, >>> >>> I was compiling the source codes using mvn clean install -Pdistribution >>> but getting the following errors. Can advise? >>> >>> [INFO] Feature Pack Builds ................................ SUCCESS [ >>> 0.014 s] >>> [INFO] Keycloak Feature Pack: Server ...................... FAILURE [ >>> 0.553 s] >>> [INFO] Keycloak Server Distribution ....................... SKIPPED >>> [INFO] Keycloak Server Overlay Distribution ............... SKIPPED >>> [INFO] Keycloak Examples Distribution ..................... SKIPPED >>> [INFO] Keycloak Docs Distribution ......................... SKIPPED >>> [INFO] Keycloak Demo Distribution ......................... SKIPPED >>> [INFO] Proxy Distro ....................................... SKIPPED >>> [INFO] Keycloak EAP 6 Server Modules ...................... SKIPPED >>> [INFO] Keycloak Server Overlay EAP 6 Distribution ......... SKIPPED >>> [INFO] Keycloak Server Overlay EAP 6 ...................... SKIPPED >>> [INFO] Keycloak Server Overlay Parent ..................... 
SKIPPED >>> [INFO] Keycloak Source Distribution ....................... SKIPPED >>> [INFO] Keycloak Feature Pack: Adapter ..................... SKIPPED >>> [INFO] >>> ------------------------------------------------------------------------ >>> [INFO] BUILD FAILURE >>> [INFO] >>> ------------------------------------------------------------------------ >>> [INFO] Total time: 02:12 min >>> [INFO] Finished at: 2015-10-08T16:21:56+08:00 >>> [INFO] Final Memory: 310M/900M >>> [INFO] >>> ------------------------------------------------------------------------ >>> [ERROR] Failed to execute goal >>> org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build >>> (feature-pack-build) on project keycloak-server-feature-pack: Execution >>> featur >>> e-pack-build of goal >>> org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build >>> failed: java.lang.RuntimeException: java.lang.RuntimeException: Failed to >>> create feature >>> pack from org.wildfly:wildfly-feature-pack:9.0.1.Final: error in >>> opening zip file -> [Help 1] >>> [ERROR] >>> [ERROR] To see the full stack trace of the errors, re-run Maven with the >>> -e switch. >>> [ERROR] Re-run Maven using the -X switch to enable full debug logging. >>> [ERROR] >>> [ERROR] For more information about the errors and possible solutions, >>> please read the following articles: >>> [ERROR] [Help 1] >>> http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException >>> [ERROR] >>> [ERROR] After correcting the problems, you can resume the build with the >>> command >>> [ERROR] mvn -rf :keycloak-server-feature-pack >>> >>> -- >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -------------- next part -------------- An HTML attachment was scrubbed... 
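Before deleting a directory from the local repository as Stian suggests, it helps to confirm which artifact is actually damaged. This is an added example, not code from the thread or from Maven: it resolves coordinates to the path under the local repository, compares the file's SHA-1 with the .sha1 sidecar Maven writes beside each download, and then tries to open the file as a zip, which is the step that produced "error in opening zip file" in the build log. The coordinates default to the feature pack from the thread; the repository location is the Maven default and is an assumption for the machine it runs on.

```java
// Added example, not from the keycloak-user thread or from Maven itself.
// Assumes the default local repository at ~/.m2/repository and Maven's
// ".sha1" sidecar convention. Requires Java 11+.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;

public class ArtifactCheck {

    public enum Verdict { OK, MISSING, NO_SIDECAR, HASH_MISMATCH, NOT_A_ZIP }

    /** Map groupId:artifactId:version[:extension] to its file under the local repository. */
    public static Path artifactPath(Path repo, String coordinates) {
        String[] c = coordinates.split(":");
        if (c.length < 3) {
            throw new IllegalArgumentException("expected groupId:artifactId:version[:extension]");
        }
        String ext = c.length > 3 ? c[3] : "jar";
        Path dir = repo.resolve(c[0].replace('.', '/')).resolve(c[1]).resolve(c[2]);
        return dir.resolve(c[1] + "-" + c[2] + "." + ext);
    }

    /** Integrity check: sidecar digest must match, and the file must open as a zip. */
    public static Verdict check(Path artifact) throws IOException {
        if (!Files.isRegularFile(artifact)) {
            return Verdict.MISSING;
        }
        Path sidecar = artifact.resolveSibling(artifact.getFileName() + ".sha1");
        if (!Files.isRegularFile(sidecar)) {
            return Verdict.NO_SIDECAR;
        }
        // Some sidecars read "<hex>  <filename>"; keep only the digest.
        String expected = Files.readString(sidecar).trim().split("\\s+")[0].toLowerCase();
        if (!expected.equals(sha1Hex(artifact))) {
            return Verdict.HASH_MISMATCH;
        }
        // Opening the file reads the central directory; a truncated or
        // partial download fails here with "error in opening zip file".
        try (ZipFile zf = new ZipFile(artifact.toFile())) {
            zf.size();
        } catch (ZipException e) {
            return Verdict.NOT_A_ZIP;
        }
        return Verdict.OK;
    }

    static String sha1Hex(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        Path repo = Paths.get(System.getProperty("user.home"), ".m2", "repository"); // assumed default
        String coords = args.length > 0 ? args[0] : "org.wildfly:wildfly-feature-pack:9.0.1.Final:zip";
        Path artifact = artifactPath(repo, coords);
        System.out.println(artifact + " -> " + check(artifact));
    }
}
```

The sidecar was fetched from the same remote as the artifact, so a match only shows the download is intact, not that the artifact is trustworthy; what it does give is a concrete reason to delete and re-download (HASH_MISMATCH or NOT_A_ZIP) instead of clearing a directory on suspicion, and an OK verdict points the search elsewhere, for example at a proxy repository serving a different file.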
From remi.cartier at imetrik.com Thu Oct 8 10:53:02 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Thu, 8 Oct 2015 14:53:02 +0000
Subject: [keycloak-user] /protocol/openid-connect/userinfo
In-Reply-To:
References:
Message-ID: <8525F127-8966-468D-9421-E7D67C9F6DC9@imetrik.com>

ok guys, nothing wrong here. I was using the UserInfo name field to match with the UserRepresentation username field and it wasn't working. I am not using "preferred_username" and everything works as expected. Using UserInfo to retrieve a UserRepresentation containing all the informations.

thank you for your "silence". It made me think I was probably doing something wrong !

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems)
P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

On Oct 7, 2015, at 3:51 PM, Remi Cartier wrote:

Hey guys,

I created a token with /protocol/openid-connect/token and got a JWT token back. Now I am trying to get the username of the logged user from the token via /userinfo. I get the 403 error code. When I was doing that request with the admin user, it worked.
I am wondering if I have to set some roles to every user that want to be able to get back their info via /userinfo

public User getUserFromToken(String iToken) {
    HttpClient httpClient = buildHttpClient();
    HttpGet httpGet = new HttpGet(getKeycloakServerURL() + "/realms/" + getKeycloakRealm() + "/protocol/openid-connect/userinfo");
    httpGet.addHeader("Authorization", "Bearer " + iToken);
    try {
        HttpResponse httpResponse = httpClient.execute(httpGet);
        if (httpResponse.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
            throw new IllegalStateException(httpGet.toString() + " returned " + httpResponse.getStatusLine().toString());
        }
        String json = IOUtils.toString(httpResponse.getEntity().getContent());
        UserInfo userInfo = JsonSerialization.readValue(json, UserInfo.class);
        return getUser(userInfo.getName(), getKeycloakRealm());
    } catch (IOException e) {
        throw new IllegalStateException(e);
    }
}

java.lang.IllegalStateException: GET http://m4ib-idm:8080/auth/realms/imetrik/protocol/openid-connect/userinfo HTTP/1.1 returned HTTP/1.1 403 Forbidden

anything I am missing ?

cheers !

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems)
P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/dfec4d49/attachment-0001.html

From christian_hebert at hotmail.com Thu Oct 8 13:36:19 2015
From: christian_hebert at hotmail.com (Christian Hebert)
Date: Thu, 8 Oct 2015 13:36:19 -0400
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?
In-Reply-To: References: , , Message-ID: Hi ! I'm new to keycloak and i'm trying to do a custom user federation provider also. Unfortunately, i can't find to the article you are refering (keycloak-user Digest, Vol 22, Issue 18). Is there any way you could send me this article ? Thanks in advance, Christian Date: Thu, 8 Oct 2015 10:17:39 +0200 From: valerij.timofeev at gmail.com To: stian at redhat.com CC: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Best practice for database access in a keycloak custom provider? Exactly. Plain text passwords are unknown, so the "custom user federation provider" approach, suggested by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18, seems to be feasible:- User federation provider searches for the user in the legacy user storage on the 1st login. - If the user is found and the password legacy hash matches the value in the legacy user storage, user credential is updated in the Keycloak storage and federation link is removed then (see code snippet below). My question is, what would be the best way to access legacy database from within a Keycloak custom provider? JPA datasource for the legacy database is available on the same application server, where the Keycloak server runs (EAP 6.4.3). 
@Override public boolean validCredentials(RealmModel realm, UserModel user, List input) { for (UserCredentialModel cred : input) { if (cred.getType().equals(UserCredentialModel.PASSWORD)) { return this.updateCredential(realm, user, cred); } else { return false; // invalid cred type } } return false; } private boolean updateCredential(RealmModel realm, UserModel user, UserCredentialModel cred) { String password = properties.getProperty(user.getUsername()); if (password == null) return false; String encodedPassword = Digest.createPassword(cred.getValue()); boolean isPasswordOK = password.equals(encodedPassword); if (isPasswordOK) { // save password session.userStorage().getUserById(user.getId(), realm).updateCredential(cred); // break the federation link session.userStorage().getUserById(user.getId(), realm).setFederationLink(null); } return isPasswordOK; } 2015-10-08 5:57 GMT+02:00 Stian Thorgersen : Do you want to permanently import the users into the Keycloak database? On 7 October 2015 at 18:37, Valerij Timofeev wrote: Hi, in order to import users having encrypted passwords from existing user storage I'm implementing user federation provider based on the keycloak example keycloak-examples-1.5.0.Final/providers/federation-provider. Additionally I considered hints provided by Scott Rossillo in the keycloak-user Digest, Vol 22, Issue 18 Above example works properly when retrieving users from a properties file. The next step in the implementation would be access to the database where users data is stored. My question: What would be the best practice for accessing database from a custom keycloak provider? Something like this? // KeycloakSession session.getProvider(JpaConnectionProvider.class, "myTS") .getEntityManager() .createQuery("SELECT... ? 
keycloak-server.json: "connectionsJpa": { "default": { "dataSource": "java:jboss/datasources/KeycloakDS", "databaseSchema": "update" }, "myTS": { "dataSource": "java:jboss/datasources/myTsDS" } } Thank you, Valerij Timofeev Software Engineer Trusted Shops GmbH _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151008/ef2eddc8/attachment-0001.html From sthorger at redhat.com Thu Oct 8 13:49:42 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Oct 2015 19:49:42 +0200 Subject: [keycloak-user] Best practice for database access in a keycloak custom provider? In-Reply-To: References: Message-ID: For the database in a user federation provider you can use JpaConnectionProvider, but then you have to modify our persistence.xml. Alternatively you can create your own EntityManagerFactory within your UserFederationProviderFactory. Downside to that is that you won't share the connection (and 1pc transaction). We could improve on this in the future as it's a bit clunky. The other alternative is that we plan to introduce a password hashing spi. With that you can provide the implementation that can hash passwords according to how you have them saved in your current database. Then you can import the users directly into Keycloak and forget about the user federation provider. To import the users you can either export them from your db to a json file (currently you need a full realm file, but we are looking at doing partial import/export now and with that you'll be able to import a json file with users only into an existing realm). 
Alternatively you can use the rest admin api to import them.

On 8 October 2015 at 10:17, Valerij Timofeev wrote:

> Exactly.
>
> Plain text passwords are unknown, so the "custom user federation provider"
> approach, suggested by Scott Rossillo in the keycloak-user Digest, Vol 22,
> Issue 18, seems to be feasible:
> - User federation provider searches for the user in the legacy user storage
>   on the 1st login.
> - If the user is found and the password legacy hash matches the value in the
>   legacy user storage, user credential is updated in the Keycloak storage and
>   federation link is removed then (see code snippet below).
>
> My question is, what would be the best way to access legacy database from
> within a Keycloak custom provider?
> JPA datasource for the legacy database is available on the same application
> server, where the Keycloak server runs (EAP 6.4.3).
>
>     @Override
>     public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input)
>     {
>         for (UserCredentialModel cred : input)
>         {
>             if (cred.getType().equals(UserCredentialModel.PASSWORD))
>             {
>                 return this.updateCredential(realm, user, cred);
>             }
>             else
>             {
>                 return false; // invalid cred type
>             }
>         }
>         return false;
>     }
>
>     private boolean updateCredential(RealmModel realm, UserModel user, UserCredentialModel cred)
>     {
>         // legacy store: username -> legacy password hash
>         String password = properties.getProperty(user.getUsername());
>         if (password == null)
>             return false;
>
>         String encodedPassword = Digest.createPassword(cred.getValue());
>         boolean isPasswordOK = password.equals(encodedPassword);
>         if (isPasswordOK)
>         {
>             // save password
>             session.userStorage().getUserById(user.getId(), realm).updateCredential(cred);
>             // break the federation link
>             session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);
>         }
>         return isPasswordOK;
>     }
>
> 2015-10-08 5:57 GMT+02:00 Stian Thorgersen:
>
>> Do you want to permanently import the users into the Keycloak database?
>>
>> On 7 October 2015 at 18:37, Valerij Timofeev wrote:
>>
>>> Hi,
>>>
>>> in order to import users having encrypted passwords from existing user
>>> storage I'm implementing user federation provider based on the keycloak
>>> example keycloak-examples-1.5.0.Final/providers/federation-provider.
>>> Additionally I considered hints provided by Scott Rossillo in the
>>> keycloak-user Digest, Vol 22, Issue 18.
>>> Above example works properly when retrieving users from a properties
>>> file. The next step in the implementation would be access to the database
>>> where users data is stored.
>>>
>>> My question: What would be the best practice for accessing database
>>> from a custom keycloak provider?
>>>
>>> Something like this?
>>>
>>>     // KeycloakSession
>>>     session.getProvider(JpaConnectionProvider.class, "myTS")
>>>         .getEntityManager()
>>>         .createQuery("SELECT... ?
>>>
>>> keycloak-server.json:
>>>
>>>     "connectionsJpa": {
>>>         "default": {
>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>             "databaseSchema": "update"
>>>         },
>>>         "myTS": {
>>>             "dataSource": "java:jboss/datasources/myTsDS"
>>>         }
>>>     }
>>>
>>> Thank you,
>>>
>>> Valerij Timofeev
>>> Software Engineer
>>> Trusted Shops GmbH
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From srossillo at smartling.com Thu Oct 8 14:56:55 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 8 Oct 2015 14:56:55 -0400
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?
In-Reply-To:
References:
Message-ID: <6B7F4262-E2EE-4211-A021-02A761AC2BE0@smartling.com>

One plus of the federation provider approach is that it requires zero downtime. Users start migrating on login rather than shutting down the legacy system, importing users, and bringing things back up.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Oct 8, 2015, at 1:49 PM, Stian Thorgersen wrote:
>
> For the database in a user federation provider you can use JpaConnectionProvider,
> but then you have to modify our persistence.xml. Alternatively you can create
> your own EntityManagerFactory within your UserFederationProviderFactory.
> Downside to that is that you won't share the connection (and 1pc transaction).
> We could improve on this in the future as it's a bit clunky.
>
> The other alternative is that we plan to introduce a password hashing spi.
> With that you can provide the implementation that can hash passwords
> according to how you have them saved in your current database. Then you can
> import the users directly into Keycloak and forget about the user federation
> provider. To import the users you can either export them from your db to a
> json file (currently you need a full realm file, but we are looking at doing
> partial import/export now and with that you'll be able to import a json file
> with users only into an existing realm). Alternatively you can use the rest
> admin api to import them.

From sthorger at redhat.com Fri Oct 9 01:15:04 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 9 Oct 2015 07:15:04 +0200
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?
In-Reply-To: <6B7F4262-E2EE-4211-A021-02A761AC2BE0@smartling.com>
References: <6B7F4262-E2EE-4211-A021-02A761AC2BE0@smartling.com>
Message-ID:

One issue with the federation provider is that at least for the time being you can't deprovision the old store, so you end up with having users in the Keycloak database as well as your old database. In the long run that'll be more to maintain. It would be great if we provided a way to deprovision a federation provider. It would give you an option of either migrate all users or remove users. Would require either being able to read password hashes (and also a password hash spi), or if that's not possible users would not be able to login until they have recovered their password over email or an admin has recovered their password for them.
On 8 October 2015 at 20:56, Scott Rossillo wrote:

> One plus of the federation provider approach is that it requires zero
> downtime. Users start migrating on login rather than shutting down the
> legacy system, importing users, and bringing things back up.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
From chenkeong.yap at izeno.com Fri Oct 9 01:40:47 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Fri, 9 Oct 2015 13:40:47 +0800
Subject: [keycloak-user] Keycloak 1.5 Compilation Error in windows
In-Reply-To:
References:
Message-ID:

Thanks Stian, it is working now.

On Thu, Oct 8, 2015 at 8:13 PM, Stian Thorgersen wrote:

> Try deleting "org\wildfly\wildfly-feature-pack" from your Maven repo
> (should be in C:\Documents and Settings\{your-username}\.m2\repository)
>
> On 8 October 2015 at 12:09, Chen Keong Yap wrote:
>
>> Hi stian,
>>
>> please advise how to rectify the issue. The zip for other projects are
>> working but only org.wildfly:wildfly-feature-pack:9.0.1.Final is failing.
>>
>> On Thu, Oct 8, 2015 at 6:04 PM, Stian Thorgersen wrote:
>>
>>> Looks like maybe the zip for org.wildfly:wildfly-feature-pack:9.0.1.Final
>>> in your Maven repo is corrupt?
>>>
>>> On 8 October 2015 at 10:29, Chen Keong Yap wrote:
>>>
>>>> Hi Guys,
>>>>
>>>> I was compiling the source codes using mvn clean install -Pdistribution
>>>> but getting the following errors. Can advise?
>>>>
>>>> [INFO] Feature Pack Builds ................................ SUCCESS [  0.014 s]
>>>> [INFO] Keycloak Feature Pack: Server ...................... FAILURE [  0.553 s]
>>>> [INFO] Keycloak Server Distribution ....................... SKIPPED
>>>> [INFO] Keycloak Server Overlay Distribution ............... SKIPPED
>>>> [INFO] Keycloak Examples Distribution ..................... SKIPPED
>>>> [INFO] Keycloak Docs Distribution ......................... SKIPPED
>>>> [INFO] Keycloak Demo Distribution ......................... SKIPPED
>>>> [INFO] Proxy Distro ....................................... SKIPPED
>>>> [INFO] Keycloak EAP 6 Server Modules ...................... SKIPPED
>>>> [INFO] Keycloak Server Overlay EAP 6 Distribution ......... SKIPPED
>>>> [INFO] Keycloak Server Overlay EAP 6 ...................... SKIPPED
>>>> [INFO] Keycloak Server Overlay Parent ..................... SKIPPED
>>>> [INFO] Keycloak Source Distribution ....................... SKIPPED
>>>> [INFO] Keycloak Feature Pack: Adapter ..................... SKIPPED
>>>> [INFO] ------------------------------------------------------------------------
>>>> [INFO] BUILD FAILURE
>>>> [INFO] ------------------------------------------------------------------------
>>>> [INFO] Total time: 02:12 min
>>>> [INFO] Finished at: 2015-10-08T16:21:56+08:00
>>>> [INFO] Final Memory: 310M/900M
>>>> [INFO] ------------------------------------------------------------------------
>>>> [ERROR] Failed to execute goal org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build (feature-pack-build) on project keycloak-server-feature-pack: Execution feature-pack-build of goal org.wildfly.build:wildfly-feature-pack-build-maven-plugin:1.0.0.Final:build failed: java.lang.RuntimeException: java.lang.RuntimeException: Failed to create feature pack from org.wildfly:wildfly-feature-pack:9.0.1.Final: error in opening zip file -> [Help 1]
>>>> [ERROR]
>>>> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
>>>> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
>>>> [ERROR]
>>>> [ERROR] For more information about the errors and possible solutions, please read the following articles:
>>>> [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException
>>>> [ERROR]
>>>> [ERROR] After correcting the problems, you can resume the build with the command
>>>> [ERROR]   mvn -rf :keycloak-server-feature-pack
>>>>
>>>> --

From valerij.timofeev at gmail.com Fri Oct 9 08:44:39 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Fri, 9 Oct 2015 14:44:39 +0200
Subject: [keycloak-user] Best practice for database access in a keycloak custom provider?
In-Reply-To:
References: <6B7F4262-E2EE-4211-A021-02A761AC2BE0@smartling.com>
Message-ID:

Thank you all for your explanations!

We cannot afford downtime for user migration, so the federation provider approach seems to be the most suitable for us. After migration of our web application(s), Keycloak should become the master storage for user data, so every change on a user's data would establish a link to the federation provider, which is removed on successful login. After some operation time (e.g. 1 year) we are going to import the rest of the (inactive) users into the Keycloak storage, remove existing federation links (where login was not successful) and then remove the federation provider.

Back to the topic: after all I suppose that retrieval of legacy user data via a restful web service would be the most simple solution to access external databases from within the Keycloak custom provider context, isn't it?
I succeeded to build and run the federation provider with a call to a dummy restful web service first.

One small obstacle: how can I find out on which host Keycloak is running? KeycloakSession seems not to provide such information. This should help to avoid staging issues (which web service should be requested in which environment). Alternatively I could derive the web service host name from the realm name. Maybe it is anyway not a bad idea to give different realm names in different deployment stages for preventing cross linking issues between them.

2015-10-09 7:15 GMT+02:00 Stian Thorgersen:

> One issue with the federation provider is that at least for the time being
> you can't deprovision the old store, so you end up with having users in the
> Keycloak database as well as your old database. In the long run that'll be
> more to maintain. It would be great if we provided a way to deprovision a
> federation provider. It would give you an option of either migrate all
> users or remove users. Would require either being able to read password
> hashes (and also a password hash spi), or if that's not possible users
> would not be able to login until they have recovered their password over
> email or an admin has recovered their password for them.
>
> On 8 October 2015 at 20:56, Scott Rossillo wrote:
>
>> One plus of the federation provider approach is that it requires zero
>> downtime. Users start migrating on login rather than shutting down the
>> legacy system, importing users, and bringing things back up.
>>
>> Scott Rossillo
>> Smartling | Senior Software Engineer
>> srossillo at smartling.com

From a.lamers at first8.nl Fri Oct 9 08:59:47 2015
From: a.lamers at first8.nl (Arjan Lamers)
Date: Fri, 9 Oct 2015 14:59:47 +0200
Subject: [keycloak-user] retrieving custom user attributes
In-Reply-To:
References:
Message-ID: <0C6265DE-03E5-4612-A888-41D22569975A@first8.nl>

Hi,

Thanks for your feedback. I've been doing some more testing and now I am unable to reproduce it: otherClaims is being filled in now. Must have been some missing checkmark in the Mapper.

Thanks,
Arjan Lamers

> On 05-10-2015, at 15:01, Sebastian Rose wrote:
>
> Hi,
>
> for me this works fine. You have to add a Mapping of Kind 'User Attribute' (Mapper Type) within Clients -> -> 'Mappers'.
>
> Best Regards,
> Sebastian
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Arjan Lamers
> Sent: Thursday, 1 October 2015 16:18
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] retrieving custom user attributes
>
> Hi,
>
> Well, as far as I can see, the unmarshalled AccessToken does not contain any custom attributes. I would expect something like a Map where you can access additional attributes.
> Just to be clear: the custom attribute I configured does appear in the JWT token, I am simply searching for an easy way to access them from Java.
> There is an 'otherClaims' in the JsonWebToken, should they appear there? (They don't).
>
> Kind regards,
> Arjan Lamers
>
> What do you want for an interface? KeycloakSecurityContext has the
> unmarshalled IDToken and AccessToken.
>
> KeycloakPrincipal.getKeycloakSecurityContext().getToken()
>
> On 9/30/2015 11:12 AM, Arjan Lamers wrote:
>> Hi,
>>
>> I am trying to find an easy way to access custom attributes as defined
>> for a client. For a Keycloak client, I've defined a new Mapper for a
>> /user attribute/ to store some additional authorisation data. This then
>> is managed by some user domain that uses the keycloak-admin-client to
>> write that property.
>>
>> The problem arises when I want to access that property in a JEE
>> application. The way I do it right now is to use the KeycloakPrincipal found
>> in the javax.ejb.SessionContext. From there, I get the JWT token as a
>> String, deserialize the JSON and access the custom attribute from there.
>> This feels like a very roundabout way to get to the token but somehow I
>> am not able to find an easier way. Is it a missing feature or is it
>> simply too close to the weekend for me ;)?
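Reading a mapped user attribute the way this thread arrives at, through the adapter's KeycloakPrincipal rather than by re-parsing the JWT string, as an added example written for this page; it is not code from the thread or from Keycloak. The imports are Keycloak's real adapter and representation classes (org.keycloak.KeycloakPrincipal, org.keycloak.KeycloakSecurityContext, org.keycloak.representations.AccessToken); the claim name "department" and the DepartmentGate servlet are constructed for the example. The token reached this way has already been signature-checked by the adapter, so the remaining check a caller owes is on the claim's JSON type, which getOtherClaims() returns as Object.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Added example: read a custom claim from the verified access token via KeycloakPrincipal. */
public final class CustomClaims {

    private CustomClaims() {}

    /** The Keycloak security context behind a servlet or EJB principal, if there is one. */
    public static Optional<KeycloakSecurityContext> securityContext(Principal principal) {
        if (principal instanceof KeycloakPrincipal) {
            return Optional.ofNullable(((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext());
        }
        return Optional.empty();
    }

    /** A string-valued claim from the access token, or empty if absent or not a string. */
    public static Optional<String> stringClaim(Principal principal, String claimName) {
        return securityContext(principal)
                .map(KeycloakSecurityContext::getToken)      // the unmarshalled AccessToken
                .map(AccessToken::getOtherClaims)            // claims outside the standard fields
                .map((Map<String, Object> claims) -> claims.get(claimName))
                .filter(String.class::isInstance)            // a mapper can also emit arrays/objects
                .map(String.class::cast);
    }

    /** Constructed caller: a servlet that requires the "department" attribute to be mapped. */
    public static final class DepartmentGate extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // getUserPrincipal() is set by the Keycloak adapter once authentication has passed;
            // from an EJB the same Principal comes from SessionContext.getCallerPrincipal().
            Optional<String> department = stringClaim(req.getUserPrincipal(), "department");
            if (!department.isPresent()) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no department claim in token");
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("department: " + department.get());
        }
    }
}
```

The claim only reaches getOtherClaims() if the client's User Attribute mapper is configured to add it to the access token; when the attribute shows up in the raw JWT but not here, that mapper setting is the first thing to check, which matches the "missing checkmark" in the reply above.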
From remi.cartier at imetrik.com Fri Oct 9 12:35:22 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Fri, 9 Oct 2015 16:35:22 +0000
Subject: [keycloak-user] ERROR: value too long for type character varying(255)
Message-ID: <6C62AE85-53BD-4A76-8352-D94992688190@imetrik.com>

Hi guys,

it seems the size of an attribute is limited to 255 characters.
That is quite small considering one might want to store JSON into attributes.

Would simply changing the hibernate config file to use TEXT vs VARYING(255) be enough?

Any reason for that artificial limitation?

Cheers!

REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

From ornot2008 at yahoo.com Fri Oct 9 21:17:57 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sat, 10 Oct 2015 01:17:57 +0000 (UTC)
Subject: [keycloak-user] Help on admin console
References: <361456651.1609688.1444439877693.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <361456651.1609688.1444439877693.JavaMail.yahoo@mail.yahoo.com>

Hi, There,

Is there a doc to introduce the admin console? Even though there are some tips which can be shown on the UI, it is not helpful enough for me, a newbie, to know what I should do for each item.

T.I.A.

Mai
From ornot2008 at yahoo.com Sat Oct 10 09:22:22 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sat, 10 Oct 2015 13:22:22 +0000 (UTC)
Subject: [keycloak-user] How to deploy the "customer-app-js" app in a tomcat ?
References: <123396476.1825457.1444483342484.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <123396476.1825457.1444483342484.JavaMail.yahoo@mail.yahoo.com>

Hi, There,

I am trying to understand the public client app and manage to deploy the "customer-app-js" into a tomcat server and keep the keycloak 1.5 demo server as is. Is there anyone kind enough to tell me what I should modify on the original "customer-app-js" to make it work?

Thanks a million.

Mai

From hr.stoyanov at peruncs.com Sun Oct 11 04:11:20 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Sun, 11 Oct 2015 01:11:20 -0700
Subject: [keycloak-user] [1.5.0] KC Issue with filters
Message-ID:

Hi all,
has anyone seen a situation where this KC declaration in a WEB.XML (the XML tags were stripped from the archived message; only the element values remain):

    Login
    /app-login
    *

will suppress any filters with the same url-pattern, and under what circumstances could this happen:

    ErraiLoginRedirectFilter
    /app-login

You can see the full details of my issue in this thread:
https://developer.jboss.org/message/941862#941862
From tdudgeon.ml at gmail.com Sun Oct 11 07:15:20 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Sun, 11 Oct 2015 12:15:20 +0100
Subject: [keycloak-user] gateway hangs forever on bad requests
Message-ID: <561A44C8.2000408@gmail.com>

I've noticed that requests to the apiman gateway for an invalid organisation or service etc. hang forever.
e.g. a request to
https://localhost:8443/apiman-gateway/OrganisationThatDoesntExist/serviceThatDoesntExist/1.0

Shouldn't this return a 404 error (or some other error) immediately?

Tim

From tdudgeon.ml at gmail.com Sun Oct 11 07:18:05 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Sun, 11 Oct 2015 12:18:05 +0100
Subject: [keycloak-user] gateway hangs forever on bad requests
In-Reply-To: <561A44C8.2000408@gmail.com>
References: <561A44C8.2000408@gmail.com>
Message-ID: <561A456D.4080605@gmail.com>

Sorry - this was sent to the wrong mailing list. Ignore

On 11/10/2015 12:15, Tim Dudgeon wrote:
> I've noticed that requests to the apiman gateway for an invalid
> organisation or service etc. hang forever.
> e.g. a request to
> https://localhost:8443/apiman-gateway/OrganisationThatDoesntExist/serviceThatDoesntExist/1.0
>
> Shouldn't this return a 404 error (or some other error) immediately?
>
> Tim

From akanksha8618 at gmail.com Sun Oct 11 21:51:59 2015
From: akanksha8618 at gmail.com (Akanksha Mishra)
Date: Sun, 11 Oct 2015 21:51:59 -0400
Subject: [keycloak-user] Connecting to ADFS via SAML2.0
Message-ID:

Hi,

I am trying to add Microsoft ADFS as an external identity provider but I am not able to import the metadata files on both Keycloak and ADFS side. The fields remain unfilled when I try to import ADFS metadata file on Keycloak. Also, I get a format validation error while I try to import Keycloak metadata file on ADFS. Please suggest.
Regards,
Akanksha

From sthorger at redhat.com Mon Oct 12 02:23:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 12 Oct 2015 08:23:13 +0200
Subject: [keycloak-user] Help on admin console
In-Reply-To: <361456651.1609688.1444439877693.JavaMail.yahoo@mail.yahoo.com>
References: <361456651.1609688.1444439877693.JavaMail.yahoo@mail.yahoo.com>

We don't have any separate documentation, but we have integrated help in the admin console itself; look for the small "?" icons.

On 10 October 2015 at 03:17, Mai Zi wrote:
> Hi, There,
>
> Is there a doc to introduce the admin console? Even though there are some tips
> which can be shown on the UI, it is not helpful enough for me, a newbie, to
> know what I should do for each item.
>
> T.I.A.
>
> Mai

From sthorger at redhat.com Mon Oct 12 02:27:57 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 12 Oct 2015 08:27:57 +0200
Subject: [keycloak-user] ERROR: value too long for type character varying(255)
In-Reply-To: <6C62AE85-53BD-4A76-8352-D94992688190@imetrik.com>
References: <6C62AE85-53BD-4A76-8352-D94992688190@imetrik.com>

255 is the "default" length, no other good explanation why it's that short. Create a JIRA and we can increase it. Text is not supported by all databases we support so we can't use that, but we can at least increase the size.

We use Liquibase to create the db schema, not Hibernate.
On 9 October 2015 at 18:35, Remi Cartier wrote:
> Hi guys,
>
> it seems the size of an attribute is limited to 255 characters.
> That is quite small considering one might want to store JSON into
> attributes.
>
> Would simply changing the hibernate config file to use TEXT vs VARYING(255)
> be enough?
>
> any reason for that artificial limitation?
>
> Cheers!
>
> ------------------------------
>
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com

From bburke at redhat.com Mon Oct 12 09:08:22 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 12 Oct 2015 09:08:22 -0400
Subject: [keycloak-user] [1.5.0] KC Issue with filters
Message-ID: <561BB0C6.604@redhat.com>

Servlet Filters will *NEVER* execute until authentication and authorization is complete. The Keycloak adapter acts as a built-in servlet security mechanism, and built-in servlet security mechanisms (BASIC, FORM, etc.) need to pass authz before any Filters are executed.
On 10/11/2015 4:11 AM, Hristo Stoyanov wrote:
> Hi all,
> has anyone seen a situation where this KC declaration in a WEB.XML:
>
>     Login
>     /app-login
>     *
>
> will suppress any filters with the same url-pattern and under what
> circumstances could this happen:
>
>     ErraiLoginRedirectFilter
>     /app-login
>
> You can see the full details of my issue in this thread:
> https://developer.jboss.org/message/941862#941862

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From tdudgeon.ml at gmail.com Mon Oct 12 13:20:09 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Mon, 12 Oct 2015 18:20:09 +0100
Subject: [keycloak-user] what does "unauthorized_client" mean?
Message-ID: <561BEBC9.4020500@gmail.com>

I'm having problems generating an access token.

$ curl -X POST http://192.168.59.103:8080/auth/realms/Customer1/protocol/openid-connect/token -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user2' -d 'password=user2' -d 'grant_type=password' -d 'client_id=app1'
{"error":"unauthorized_client"}

From what I can see everything is set up correctly and looks the same as another realm/client/user that does work:
- realm exists and works
- user exists and can log in to console
- client has been created in realm

But I'm getting "unauthorized_client" error.
What should I look at?

Tim

From fadiabdeen at gmail.com Mon Oct 12 13:51:23 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Mon, 12 Oct 2015 13:51:23 -0400
Subject: [keycloak-user] what does "unauthorized_client" mean?
In-Reply-To: <561BEBC9.4020500@gmail.com>
References: <561BEBC9.4020500@gmail.com>

make sure the Direct Grant API is enabled on the client and the realm

On Mon, Oct 12, 2015 at 1:20 PM, Tim Dudgeon wrote:
> I'm having problems generating an access token.
>
> $ curl -X POST
> http://192.168.59.103:8080/auth/realms/Customer1/protocol/openid-connect/token
> -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user2'
> -d 'password=user2' -d 'grant_type=password' -d 'client_id=app1'
> {"error":"unauthorized_client"}
>
> From what I can see everything is set up correctly and looks the same
> as another realm/client/user that does work:
> - realm exists and works
> - user exists and can log in to console
> - client has been created in realm
>
> But I'm getting "unauthorized_client" error.
> What should I look at?
>
> Tim

From tdudgeon.ml at gmail.com Mon Oct 12 16:04:31 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Mon, 12 Oct 2015 21:04:31 +0100
Subject: [keycloak-user] what does "unauthorized_client" mean?
References: <561BEBC9.4020500@gmail.com>
Message-ID: <561C124F.4050109@gmail.com>

That is enabled on both realm and client.

On 12/10/2015 18:51, Fadi Abdin wrote:
> make sure the Direct Grant API is enabled on the client and the realm
From sthorger at redhat.com Tue Oct 13 02:16:25 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Oct 2015 08:16:25 +0200
Subject: [keycloak-user] what does "unauthorized_client" mean?
In-Reply-To: <561C124F.4050109@gmail.com>
References: <561BEBC9.4020500@gmail.com> <561C124F.4050109@gmail.com>

Is it a confidential client? If so you must include the clientSecret as well

On 12 October 2015 at 22:04, Tim Dudgeon wrote:
> That is enabled on both realm and client.
From tdudgeon.ml at gmail.com Tue Oct 13 05:34:51 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Tue, 13 Oct 2015 10:34:51 +0100
Subject: [keycloak-user] what does "unauthorized_client" mean?
References: <561BEBC9.4020500@gmail.com> <561C124F.4050109@gmail.com>
Message-ID: <561CD03B.1060802@gmail.com>

Yes, thank you. That was it.

Tim

On 13/10/2015 07:16, Stian Thorgersen wrote:
> Is it a confidential client? If so you must include the clientSecret
> as well
From kunal at plivo.com Tue Oct 13 06:43:02 2015
From: kunal at plivo.com (Kunal K)
Date: Tue, 13 Oct 2015 16:13:02 +0530
Subject: [keycloak-user] Keycloak to set up Teams and Organizations

Hi all,

I am setting up an SSO server and I'm evaluating both CAS and Keycloak. One of my main requirements is letting users have multiple teams and be a part of multiple organizations. I'm trying to wrap my head around how to do this in Keycloak. Something on the lines of what Github does - https://github.com/blog/674-introducing-organizations As an evaluation process, I've already created a POC using CAS.

I would really appreciate any pointers on how to do this with Keycloak.

Best,

Kunal

-- 
*KUNAL KERKAR *| PRODUCT ENGINEER
Plivo, Inc.
340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo , @tsudot

From subhrajyotim at gmail.com Tue Oct 13 06:58:52 2015
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Tue, 13 Oct 2015 16:28:52 +0530
Subject: [keycloak-user] Keycloak to set up Teams and Organizations

I think you can investigate composite-roles for the same.
http://keycloak.github.io/docs/userguide/html/roles.html#d4e2207

The composite-roles can be client-specific roles representing your organizations, and keycloak roles can be the actual "business roles" under these composite roles.

HTH.
Subhro.

On Tue, Oct 13, 2015 at 4:13 PM, Kunal K wrote:
> Hi all,
>
> I am setting up an SSO server and I'm evaluating both CAS and Keycloak.
> One of my main requirements is letting users have multiple teams and be a
> part of multiple organizations. I'm trying to wrap my head around how to
> do this in Keycloak. Something on the lines of what Github does -
> https://github.com/blog/674-introducing-organizations As an evaluation
> process, I've already created a POC using CAS.
>
> I would really appreciate any pointers on how to do this with Keycloak.
>
> Best,
>
> Kunal
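Added example for the "unauthorized_client" thread above (this is not code from the thread or from Keycloak): the same password grant Tim's curl command sends, built so that a confidential client's client_secret is included, plus a helper that turns the JSON error body into the two checks the thread converged on. Host, realm, client id, credentials and the secret are placeholders.

```python
"""Resource Owner Password grant against a Keycloak realm, with the
confidential-client secret that the thread's curl call was missing."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Standard OAuth 2.0 (RFC 6749) error code for rejected resource-owner credentials.
REJECTED_CREDENTIALS = "invalid_grant"


def token_endpoint(base_url, realm):
    """Keycloak token endpoint for a realm, e.g.
    http://host:8080/auth/realms/Customer1/protocol/openid-connect/token"""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id, username, password, client_secret=None):
    """Form fields for grant_type=password. A public client sends only
    client_id; a confidential client must also send its client_secret."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return form


def explain_token_error(body, sent_secret):
    """Turn the error body of a failed token request (JSON string or dict)
    into the checks from the thread. sent_secret says whether client_secret
    was part of the form."""
    if isinstance(body, dict):
        err = body
    else:
        try:
            err = json.loads(body)
        except (TypeError, ValueError):
            return "non-JSON error body"
    error = err.get("error", "")
    if error == "unauthorized_client":
        # Fadi's check ("Direct Grant API" in the thread) and Stian's check.
        hints = ["enable Direct Access Grants on the client and the realm"]
        if not sent_secret:
            hints.append("if the client is confidential, add client_secret to the request")
        return "; ".join(hints)
    if error == REJECTED_CREDENTIALS:
        return "username or password rejected"
    return f"{error}: {err.get('error_description', 'no description')}"


def request_token(base_url, realm, form, timeout=10):
    """POST the form to the token endpoint. Returns (http status, parsed JSON):
    on success the JSON carries access_token and refresh_token, on failure an
    error object that explain_token_error can interpret."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        token_endpoint(base_url, realm), data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        raw = e.read().decode()
        try:
            return e.code, json.loads(raw)
        except ValueError:
            return e.code, {"error": "unparseable", "error_description": raw}


if __name__ == "__main__":
    # Placeholder values mirroring the thread; the secret is made up.
    form = password_grant_form("app1", "user2", "user2", client_secret="REPLACE-ME")
    status, body = request_token("http://192.168.59.103:8080/auth", "Customer1", form)
    if status == 200:
        print("got access token")
    else:
        print(status, explain_token_error(body, "client_secret" in form))
```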
From sthorger at redhat.com Tue Oct 13 07:09:28 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Oct 2015 13:09:28 +0200
Subject: [keycloak-user] Keycloak to set up Teams and Organizations

We are also planning on introducing groups soon. Users will be able to belong to one or more groups and a group can have roles and/or attributes associated with it.

On 13 October 2015 at 12:58, Subhrajyoti Moitra wrote:
> I think you can investigate composite-roles for the same.
> http://keycloak.github.io/docs/userguide/html/roles.html#d4e2207
>
> The composite-roles can be client-specific roles representing your
> organizations, and keycloak roles can be the actual "business roles" under
> these composite roles.
>
> HTH.
> Subhro.
From sthorger at redhat.com Tue Oct 13 09:00:37 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Oct 2015 15:00:37 +0200
Subject: [keycloak-user] Keycloak 1.5.1 Released

We've just released Keycloak 1.5.1. This release contains a moderate impact security fix and we recommend everyone that is currently using 1.5.0 to upgrade as soon as possible. The security issue does not affect older releases.

From remi.cartier at imetrik.com Tue Oct 13 09:06:06 2015
From: remi.cartier at imetrik.com (Remi Cartier)
Date: Tue, 13 Oct 2015 13:06:06 +0000
Subject: [keycloak-user] ERROR: value too long for type character varying(255)
References: <6C62AE85-53BD-4A76-8352-D94992688190@imetrik.com>
Message-ID: <123B9250-88D0-4258-8203-27A742F0C019@imetrik.com>

Stian, thank you for your response.

255 might be sufficient for most people; I don't see the need for a JIRA for that. However, if there was an indication on how to change that limit, the file to modify / add, etc. in some documentation, that would be great.

Regards.

________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com

On Oct 12, 2015, at 2:27 AM, Stian Thorgersen wrote:
> 255 is the "default" length, no other good explanation why it's that short.
> Create a JIRA and we can increase it. Text is not supported by all databases
> we support so we can't use that, but we can at least increase the size.
>
> We use Liquibase to create the db schema, not Hibernate.

From subhrajyotim at gmail.com Tue Oct 13 09:11:14 2015
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Tue, 13 Oct 2015 18:41:14 +0530
Subject: [keycloak-user] Keycloak to set up Teams and Organizations

Thanks Stian for the update. Any more details about this group feature, if you can please share?
We are using composite roles currently to manage "business groups". Since the group definitions are fixed and mutually exclusive, we are able to manage it with composite roles.
Regards,
Subhro.

On Tue, Oct 13, 2015 at 4:39 PM, Stian Thorgersen wrote:
> We are also planning on introducing groups soon. Users will be able to
> belong to one or more groups and a group can have roles and/or attributes
> associated with it.
From bburke at redhat.com Tue Oct 13 12:18:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 13 Oct 2015 12:18:04 -0400
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
Message-ID: <561D2EBC.50509@redhat.com>

You just want something like github groups? List your requirements.

I am starting on Groups next week after 1.6 goes out.

On 10/13/2015 9:11 AM, Subhrajyoti Moitra wrote:
> Thanks Stian for the update. Any more details about this group feature,
> if you can please share?
> We are using composite roles currently to manage "business groups".
> Since the group definitions are fixed and mutually exclusive, we are
> able to manage it with composite roles.
>
> Regards,
> Subhro.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thomas.raehalme at aitiofinland.com Tue Oct 13 12:59:27 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 13 Oct 2015 19:59:27 +0300
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
In-Reply-To: <561D2EBC.50509@redhat.com>
References: <561D2EBC.50509@redhat.com>

Hi!

Would be great if you could include access control so that you can administer people in group A but not in group B.

I understand that this request partially overlaps with multi-tenancy but sometimes you want to have a single instance with separated administrators. You could have, for example, a SaaS application where creating separate instances doesn't make sense.

Thanks!

Best regards,
Thomas

On Oct 13, 2015 18:18, "Bill Burke" wrote:
> You just want something like github groups? List your requirements.
>
> I am starting on Groups next week after 1.6 goes out.
From sthorger at redhat.com Tue Oct 13 13:22:48 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Oct 2015 19:22:48 +0200
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
References: <561D2EBC.50509@redhat.com>

The plan is to introduce more fine grained control over permissions within Keycloak in the future, but that's a separate issue to introducing group support. We will most likely leverage group support once we do improve this though.

On 13 October 2015 at 18:59, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
> Hi!
>
> Would be great if you could include access control so that you can
> administer people in group A but not in group B.
>
> I understand that this request partially overlaps with multi-tenancy but
> sometimes you want to have a single instance with separated administrators.
> You could have, for example, a SaaS application where creating separate
> instances doesn't make sense.
>
> Thanks!
>
> Best regards,
> Thomas
From John.Schneider at carrier.utc.com  Tue Oct 13 13:37:53 2015
From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC)
Date: Tue, 13 Oct 2015 17:37:53 +0000
Subject: [keycloak-user] Keycloak to set up Teams and Organizations (Bill Burke)

Hi Bill,

For the most part, I liked how PicketLink IDM relationships were structured. If I recall correctly, it was something like this:

Users could be assigned to 0...n Groups
Groups could have subgroups
Roles could be assigned to 0...n Groups
Roles could be assigned to 0..n Users

So, we could manage security within a hierarchical group structure but also add additional roles on per-user basis when needed. If it could all also optionally be done with composite roles, all the better.

Some relevant documentation:
https://docs.jboss.org/picketlink/2/latest/reference/html-single/#chap-Identity_Management_-_Basic_Identity_Model
https://docs.jboss.org/picketlink/2/latest/reference/html-single/#sect-Managing_Relationships
https://docs.jboss.org/picketlink/2/latest/reference/html-single/#Realms_and_Tiers

John

-----Original Message-----
From: Bill Burke
Subject: Re: [keycloak-user] Keycloak to set up Teams and Organizations
To: keycloak-user at lists.jboss.org
Message-ID: <561D2EBC.50509 at redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

You just want something like github groups? List your requirements.

I am starting on Groups next week after 1.6 goes out.

From bburke at redhat.com  Tue Oct 13 14:06:18 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 13 Oct 2015 14:06:18 -0400
Subject: [keycloak-user] Keycloak to set up Teams and Organizations (Bill Burke)
Message-ID: <561D481A.6080009@redhat.com>

Yeah, that's pretty much how we're gonna do it.
On 10/13/2015 1:37 PM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
> Hi Bill,
>
> For the most part, I liked how PicketLink IDM relationships were structured. If I recall correctly, it was something like this:
> Users could be assigned to 0...n Groups
> Groups could have subgroups
> Roles could be assigned to 0...n Groups
> Roles could be assigned to 0..n Users
>
> So, we could manage security within a hierarchical group structure but also add additional roles on per-user basis when needed. If it could all also optionally be done with composite roles, all the better.
>
> Some relevant documentation:
> https://docs.jboss.org/picketlink/2/latest/reference/html-single/#chap-Identity_Management_-_Basic_Identity_Model
> https://docs.jboss.org/picketlink/2/latest/reference/html-single/#sect-Managing_Relationships
> https://docs.jboss.org/picketlink/2/latest/reference/html-single/#Realms_and_Tiers
>
> John
>
> -----Original Message-----
> From: Bill Burke
> Subject: Re: [keycloak-user] Keycloak to set up Teams and Organizations
> To: keycloak-user at lists.jboss.org
> Message-ID: <561D2EBC.50509 at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> You just want something like github groups? List your requirements.
>
> I am starting on Groups next week after 1.6 goes out.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From davidillsley at gmail.com  Tue Oct 13 14:15:17 2015
From: davidillsley at gmail.com (David Illsley)
Date: Tue, 13 Oct 2015 19:15:17 +0100
Subject: [keycloak-user] KEYCLOAK-1735 - possible to recategorise it as an urgent bug not enhancement?

Hi all,

KEYCLOAK-1735 describes that users with the 'manage-users' role can self-assign 'manage-realm', and gain substantial extra privileges. This behaviour came as a substantial surprise to me when I discovered it, and I suspect there are users out there who have vulnerabilities due to this unexpected behaviour.
KEYCLOAK-1735 is currently marked as an enhancement, and while I can see that it might be substantial work to change this behaviour, I think it should be a priority to make the behaviour clear to users - probably through documentation, and possibly through renaming the role so that its expansive powers are clear.

Is this a possibility? What's the best way to get this to happen?

Thanks,
David

From srossillo at smartling.com  Tue Oct 13 14:34:13 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 13 Oct 2015 14:34:13 -0400
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <55D313B2.80104@kroehling.de>
References: <55894807.9030507@kroehling.de> <1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com> <5589774E.9080004@kroehling.de> <47189901.24304127.1435072467145.JavaMail.zimbra@redhat.com> <55D3058A.3010400@kroehling.de> <496860226.12871624.1439895175998.JavaMail.zimbra@redhat.com> <55D313B2.80104@kroehling.de>

Will the option to create an offline token be client specific? For example, client A should follow realm-wide expirations but client B should be able to issue offline refresh tokens.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 18, 2015, at 7:14 AM, Juraci Paixão Kröhling wrote:
>
> Sounds good, thanks!
>
> - Juca.
>
> On 08/18/2015 12:52 PM, Stian Thorgersen wrote:
>> We still aim to get this included in 1.5, which is scheduled for early September. It may slip to 1.6 which is scheduled for early October.
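Editor's added example for David's KEYCLOAK-1735 message above and for the composite-roles suggestion earlier in the Teams and Organizations thread; it is not code from the list or from Keycloak. It expands composite roles into each user's effective roles and flags every account whose effective roles include manage-users, since the report says such an account can self-assign manage-realm and so must be reviewed as a realm administrator. The role model and user assignments are constructed, and their dictionary shapes are assumptions, not the admin REST API's representations.

```python
"""Audit helper added for this thread; it is not Keycloak code.

Assumed shapes (not the admin REST API representations):
  composites: role name -> list of role names the composite contains
  users:      user name -> list of directly assigned role names
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set

MANAGE_USERS = "manage-users"   # realm-management role discussed in KEYCLOAK-1735
MANAGE_REALM = "manage-realm"   # role the report says a manage-users holder can self-assign

# Constructed sample role model: a composite lists the roles it contains,
# a plain role maps to an empty list.
COMPOSITE_ROLES: Dict[str, List[str]] = {
    "org-acme": ["acme-member"],                  # composite standing in for an organization
    "org-acme-admin": ["org-acme", "acme-billing"],
    "acme-member": [],
    "acme-billing": [],
    "helpdesk": [MANAGE_USERS],                   # delegated user administration
    "realm-admin": [MANAGE_REALM, MANAGE_USERS],
    MANAGE_USERS: [],
    MANAGE_REALM: [],
}

# Constructed sample direct assignments (what the admin console shows per user).
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["org-acme-admin"],
    "bob": ["org-acme"],
    "carol": ["helpdesk"],
    "dave": ["realm-admin"],
}


def expand_roles(direct: Iterable[str], composites: Dict[str, List[str]]) -> Set[str]:
    """Return every role reachable from the direct assignments through composites.

    The visited set terminates the walk even when composites reference each
    other in a cycle; names without a composite entry are kept as plain roles.
    """
    effective: Set[str] = set()
    stack = list(direct)
    while stack:
        role = stack.pop()
        if role in effective:
            continue
        effective.add(role)
        stack.extend(composites.get(role, []))
    return effective


def grant_path(direct: Iterable[str], composites: Dict[str, List[str]],
               target: str) -> List[str]:
    """Return the shortest composite chain from a direct assignment to target, or [].

    Breadth-first search with parent pointers, so an auditor can see *why*
    a user ends up holding a privileged role.
    """
    parent: Dict[str, Optional[str]] = {}
    queue: deque = deque()
    for role in direct:
        if role not in parent:
            parent[role] = None
            queue.append(role)
    while queue:
        role = queue.popleft()
        if role == target:
            path: List[str] = []
            cur: Optional[str] = role
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for child in composites.get(role, []):
            if child not in parent:
                parent[child] = role
                queue.append(child)
    return []


def escalation_candidates(users: Dict[str, List[str]],
                          composites: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each user who can end up holding manage-realm to the reason.

    "direct" means manage-realm is already effective; "via manage-users" means
    only manage-users is effective, which KEYCLOAK-1735 says is enough to
    self-assign manage-realm, so the account is reviewed as a realm admin.
    """
    findings: Dict[str, str] = {}
    for user, direct in users.items():
        effective = expand_roles(direct, composites)
        if MANAGE_REALM in effective:
            findings[user] = "direct"
        elif MANAGE_USERS in effective:
            findings[user] = "via manage-users"
    return findings


if __name__ == "__main__":
    for user, reason in sorted(escalation_candidates(USER_ROLES, COMPOSITE_ROLES).items()):
        chain = grant_path(USER_ROLES[user], COMPOSITE_ROLES, MANAGE_USERS)
        print(f"{user}: effective realm admin ({reason}); manage-users via {' -> '.join(chain)}")
```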
From harish_k_s007 at yahoo.com  Tue Oct 13 22:36:42 2015
From: harish_k_s007 at yahoo.com (Harish Kumar)
Date: Wed, 14 Oct 2015 02:36:42 +0000 (UTC)
Subject: [keycloak-user] Exception while running kaycloak 1.5.0 third party example
References: <1254376011.43253.1444790202873.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1254376011.43253.1444790202873.JavaMail.yahoo@mail.yahoo.com>

I was trying out examples from keycloak 1.5.0, specifically i was trying third-party example. Same example worked fine while i took distribution (keycloak-appliance-dist-all-1.1.0.Final)
I did following steps.

1. Installed keycloak 1.5.0
2. Set third-party client with valid redirect URL as /oauth-client/*
3. Keycloak Json mentioned below (towards end of that email)
4. Initially when i deployed then i got error (No class definition error :Lorg/keycloak/servlet/ServletOAuthClient)
   then added files from keycloak-wf9-adapter-dist-1.5.0.Final.zip.
5. After that application could deploy but when i type http://localhost:8080/oauth-client/ and click on "pull data"
   then getting error. I would appreciate if you could pls let me know how this error can be fixed ?
   Any module missing ?
javax.servlet.ServletException: java.lang.NoClassDefFoundError: org/keycloak/adapters/ServerRequest$HttpFailure
    org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:848)
    org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:777)
    org.apache.jsp.redirect_jsp._jspService(redirect_jsp.java:63)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)

Keycloak json
{
  "realm": "demo",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPt1q5aq8xZGUZVHAwj7xW6vJ20qk/awf6kK6NqQ2CvblWoSYyZOeLF+NpGue3Wn5r4ImKVUST89wPMrO83Y5st31Zpe4kZKoe8kvUj7tI6eeRrUsEsUWwpZ6I5yR5uVgj+8hJ9TaZQNAgB8zK0FvAxmu5bO+mq7c6eDEsYbcuMt3X+VZrkD36toaWM+gXPqziVkiNxp8DdS2TB8EN2J+MBGQRkbG6t6zdVMF0XrWpoT2UeMeFQ05I5lk1mlVupa6TJCpeH7sZBL2pgR+6TRDhViShur5PZUepHayS45PjPYPMsejfGZInRjHl/aqGcRK8YkXPjVDqPSp0xIa/QXYwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "third-party",
  "credentials": {
    "secret": "7269abc3-4de8-4be7-b881-8c3fcacf4ef4"
  }
}

From sthorger at redhat.com  Wed Oct 14 00:46:54 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Oct 2015 06:46:54 +0200
Subject: [keycloak-user] Refresh token - should it expire?
References: <55894807.9030507@kroehling.de> <1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com> <5589774E.9080004@kroehling.de> <47189901.24304127.1435072467145.JavaMail.zimbra@redhat.com> <55D3058A.3010400@kroehling.de> <496860226.12871624.1439895175998.JavaMail.zimbra@redhat.com> <55D313B2.80104@kroehling.de>

Yes, clients and users have to have permissions to use offline tokens. Further the client has to explicitly request offline tokens using a scope query param.

On 13 October 2015 at 20:34, Scott Rossillo wrote:

> Will the option to create an offline token be client specific? For
> example, client A should follow realm-wide expirations but client B should
> be able to issue offline refresh tokens.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
From mstrukel at redhat.com  Wed Oct 14 05:01:31 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 14 Oct 2015 11:01:31 +0200
Subject: [keycloak-user] Exception while running kaycloak 1.5.0 third party example
In-Reply-To: <1254376011.43253.1444790202873.JavaMail.yahoo@mail.yahoo.com>
References: <1254376011.43253.1444790202873.JavaMail.yahoo@mail.yahoo.com> <1254376011.43253.1444790202873.JavaMail.yahoo@mail.yahoo.com>

The exception seems to indicate that your adapter was not properly installed. Make sure that you can see the following file underneath your Wildfly 9 home directory (where you deploy your third party app):

modules/system/layers/base/org/keycloak/keycloak-adapter-core/main/keycloak-adapter-core-1.5.0.Final.jar

It should be there as a result of properly unpacking keycloak-wf9-adapter-dist-1.5.0.Final.zip into your Wildfly 9.

I suppose your mentioning keycloak-appliance-dist-all-1.1.0.Final is a reference to a version that used to work for you some time ago, and not what you're using now.

On Wed, Oct 14, 2015 at 4:36 AM, Harish Kumar wrote:

> I was trying out examples from keycloak 1.5.0, specifically i was trying
> third-party example. Same example worked fine while i took distribution
> (keycloak-appliance-dist-all-1.1.0.Final)
> I did following steps.
>
> 1. Installed keycloak 1.5.0
> 2. Set third-party client with valid redirect URL as /oauth-client/*
> 3. Keycloak Json mentioned below (towards end of that email)
> 4. Initially when i deployed then i got error (No class definition error
> :Lorg/keycloak/servlet/ServletOAuthClient)
> then added files from keycloak-wf9-adapter-dist-1.5.0.Final.zip.
> 5. After that application could deploy but when i type
> http://localhost:8080/oauth-client/ and click on "pull data"
> then getting error. I would appreciate if you could pls let me know
> how this error can be fixed ?
> Any module missing ?
>
> javax.servlet.ServletException: java.lang.NoClassDefFoundError:
> org/keycloak/adapters/ServerRequest$HttpFailure
>
> org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:848)
> org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:777)
> org.apache.jsp.redirect_jsp._jspService(redirect_jsp.java:63)
> org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>
>
> *Keycloak json*
> {
> "realm": "demo",
> "realm-public-key":
> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPt1q5aq8xZGUZVHAwj7xW6vJ20qk/awf6kK6NqQ2CvblWoSYyZOeLF+NpGue3Wn5r4ImKVUST89wPMrO83Y5st31Zpe4kZKoe8kvUj7tI6eeRrUsEsUWwpZ6I5yR5uVgj+8hJ9TaZQNAgB8zK0FvAxmu5bO+mq7c6eDEsYbcuMt3X+VZrkD36toaWM+gXPqziVkiNxp8DdS2TB8EN2J+MBGQRkbG6t6zdVMF0XrWpoT2UeMeFQ05I5lk1mlVupa6TJCpeH7sZBL2pgR+6TRDhViShur5PZUepHayS45PjPYPMsejfGZInRjHl/aqGcRK8YkXPjVDqPSp0xIa/QXYwIDAQAB",
> "auth-server-url": "http://localhost:8080/auth",
> "ssl-required": "external",
> "resource": "third-party",
> "credentials": {
> "secret": "7269abc3-4de8-4be7-b881-8c3fcacf4ef4"
> }
> }
From chenkeong.yap at izeno.com  Wed Oct 14 06:30:15 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Wed, 14 Oct 2015 18:30:15 +0800
Subject: [keycloak-user] spring security adapter

hi guys,

do you have any documentation or sample program for configuring keycloak to use with spring security?

Regards,
CK Yap

From tdudgeon.ml at gmail.com  Wed Oct 14 07:29:53 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 14 Oct 2015 12:29:53 +0100
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
In-Reply-To: <561D2EBC.50509@redhat.com>
References: <561D2EBC.50509@redhat.com>
Message-ID: <561E3CB1.1090100@gmail.com>

The scope of this is presumably groups within an individual realm?
Is there any possibility for "global" groups and roles that can span multiple realms?

Tim

On 13/10/2015 17:18, Bill Burke wrote:
> You just want something like github groups? List your requirements.
>
> I am starting on Groups next week after 1.6 goes out.
From mposolda at redhat.com  Wed Oct 14 08:31:43 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Oct 2015 14:31:43 +0200
Subject: [keycloak-user] spring security adapter
Message-ID: <561E4B2F.9030702@redhat.com>

Hi,

we have documentation here:
http://keycloak.github.io/docs/userguide/html/ch08.html#spring-boot-adapter
http://keycloak.github.io/docs/userguide/html/ch08.html#spring-security-adapter

Marek

On 14/10/15 12:30, chenkeong.yap at izeno.com wrote:
> hi guys,
>
> do you have any documentation or sample program for configuring keycloak to use with spring security?
>
> Regards,
> CK Yap

From bburke at redhat.com  Wed Oct 14 10:34:05 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 14 Oct 2015 10:34:05 -0400
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
In-Reply-To: <561E3CB1.1090100@gmail.com>
References: <561D2EBC.50509@redhat.com> <561E3CB1.1090100@gmail.com>
Message-ID: <561E67DD.1060701@redhat.com>

No, we are not creating "global" groups and roles. Use case please? We're trying to keep realms isolated from one another.

On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
> The scope of this is presumably groups within an individual realm?
> Is there any possibility for "global" groups and roles that can span
> multiple realms?
>
> Tim
>
> On 13/10/2015 17:18, Bill Burke wrote:
>> You just want something like github groups? List your requirements.
>>
>> I am starting on Groups next week after 1.6 goes out.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From carmen.checa at masergy.com  Wed Oct 14 10:42:57 2015
From: carmen.checa at masergy.com (carmen)
Date: Wed, 14 Oct 2015 09:42:57 -0500
Subject: [keycloak-user] Issue with XPathFactory
Message-ID: <30B10C22-9EBE-4E33-B52F-619096E2C8D8@masergy.com>

Hi all,

I am writing a federation provider that accesses Oracle using MyBatis. I get the following error when MyBatis is trying to read its xml configuration:

### Cause: java.lang.RuntimeException: XPathFactory#newInstance() failed to create an XPathFactory for the default object model: http://java.sun.com/jaxp/xpath/dom with the XPathFactoryConfigurationException: javax.xml.xpath.XPathFactoryConfigurationException: No XPathFactory implementation found for the object model: http://java.sun.com/jaxp/xpath/dom
    at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:26)
    at org.apache.ibatis.session.SqlSessionFactoryBuilder.build(SqlSessionFactoryBuilder.java:54)

The federation provider jar is a big fat jar that includes all its dependencies.

Any ideas?
Thank you
Maria

From tdudgeon.ml at gmail.com  Wed Oct 14 10:53:18 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 14 Oct 2015 15:53:18 +0100
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
In-Reply-To: <561E67DD.1060701@redhat.com>
References: <561D2EBC.50509@redhat.com> <561E3CB1.1090100@gmail.com> <561E67DD.1060701@redhat.com>
Message-ID: <561E6C5E.7030402@gmail.com>

The use case for me is to use multiple realms for authentication (e.g. one realm for each organisation) that can access a single application using a common set of roles.
It's sort of discussed from a different perspective on the apiman list here:
http://lists.jboss.org/pipermail/apiman-user/2015-October/000361.html

Tim

On 14/10/2015 15:34, Bill Burke wrote:
> No, we are not creating "global" groups and roles. Use case please?
> We're trying to keep realms isolated from one another.
>
> On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
>> The scope of this is presumably groups within an individual realm?
>> Is there any possibility for "global" groups and roles that can span
>> multiple realms?
>>
>> Tim
>>
>> On 13/10/2015 17:18, Bill Burke wrote:
>>> You just want something like github groups? List your requirements.
>>>
>>> I am starting on Groups next week after 1.6 goes out.
From sebastian.olscher at traveltainment.de  Wed Oct 14 11:09:55 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Wed, 14 Oct 2015 15:09:55 +0000
Subject: [keycloak-user] Different password policies for the same client
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC2942528CAEC@EX-TT-AC-02.traveltainment.int>

Hi guys,

is there any way to configure different password policies for different kind of users in one realm?

We're dealing with the following use case:
Two different types of users: one represents human users, who are able to login via a login page. The second represents other applications which do a system to system communication without login via a login page.

For human users we want to specify the policy that they have to change their password at least all 90 days. User which were used for other applications (machine to machine communication) were not able to change their password. So we want to define this policy is only for human users.

I can't find a possibility to distinguish between user types, so our idea was to use two separated realms.
I can add user from type A to Realm 1 and user from type B to Realm 2 and with that, I'm able to configure different password policies for both groups. But at the end if both user types have access to the same client, I have to configure the same client with all its roles in both realms identically to add roles of this client to users within this realm.

What would be your recommendation to fulfil the requirement described in the use case?

Thanks for your help,
Sebastian

From bburke at redhat.com  Wed Oct 14 11:30:45 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 14 Oct 2015 11:30:45 -0400
Subject: [keycloak-user] Issue with XPathFactory
In-Reply-To: <30B10C22-9EBE-4E33-B52F-619096E2C8D8@masergy.com>
References: <30B10C22-9EBE-4E33-B52F-619096E2C8D8@masergy.com>
Message-ID: <561E7525.4070607@redhat.com>

include javax.api in your module.xml dependencies.

On 10/14/2015 10:42 AM, carmen wrote:
> Hi all,
>
> I am writing a federation provider that accesses Oracle using MyBatis.
> I get the following error when MyBatis is trying to read its xml
> configuration:
>
>
> ### Cause: java.lang.RuntimeException: XPathFactory#newInstance() failed
> to create an XPathFactory for the default object model:
> http://java.sun.com/jaxp/xpath/dom with the
> XPathFactoryConfigurationException:
> javax.xml.xpath.XPathFactoryConfigurationException: No XPathFactory
> implementation found for the object model:
> http://java.sun.com/jaxp/xpath/dom
> at
> org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:26)
> at
> org.apache.ibatis.session.SqlSessionFactoryBuilder.build(SqlSessionFactoryBuilder.java:54)
>
>
> The federation provider jar is a big fat jar that includes all its
> dependencies.
>
> Any ideas?
>
> Thank you
> Maria

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com  Wed Oct 14 11:35:38 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 14 Oct 2015 11:35:38 -0400
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
In-Reply-To: <561E6C5E.7030402@gmail.com>
References: <561D2EBC.50509@redhat.com> <561E3CB1.1090100@gmail.com> <561E67DD.1060701@redhat.com> <561E6C5E.7030402@gmail.com>
Message-ID: <561E764A.4030706@redhat.com>

That's just not how keycloak was designed. Realms contain users, applications/clients, roles, groups etc. Realms were meant to be completely isolated from one another.

On 10/14/2015 10:53 AM, Tim Dudgeon wrote:
> The use case for me is to use multiple realms for authentication (e.g.
> one realm for each organisation) that can access a single application
> using a common set of roles.
> It's sort of discussed from a different perspective on the apiman list here:
> http://lists.jboss.org/pipermail/apiman-user/2015-October/000361.html
>
> Tim
>
> On 14/10/2015 15:34, Bill Burke wrote:
>> No, we are not creating "global" groups and roles. Use case please?
>> We're trying to keep realms isolated from one another.
>>
>> On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
>>> The scope of this is presumably groups within an individual realm?
>>> Is there any possibility for "global" groups and roles that can span
>>> multiple realms?
>>>
>>> Tim
>>>
>>> On 13/10/2015 17:18, Bill Burke wrote:
>>>> You just want something like github groups? List your requirements.
>>>>
>>>> I am starting on Groups next week after 1.6 goes out.
>>>>> We are using composite roles currently to manage "business groups". >>>>> Since the group definitions are fixed and mutually exclusive, we are >>>>> able to manage it with composite roles. >>>>> >>>>> Regards, >>>>> Subhro. >>>>> >>>>> On Tue, Oct 13, 2015 at 4:39 PM, Stian Thorgersen >>>> > wrote: >>>>> >>>>> We are also planning on introducing groups soon. Users will be able >>>>> to belong to one or more groups and a group can have roles and/or >>>>> attributes associated with it. >>>>> >>>>> On 13 October 2015 at 12:58, Subhrajyoti Moitra >>>>> > wrote: >>>>> >>>>> I think u can investigate composite-roles for the same. >>>>> http://keycloak.github.io/docs/userguide/html/roles.html#d4e2207 >>>>> >>>>> The composite-roles can be client specific roles re-presenting >>>>> your organizations, and keycloak roles can be the actual >>>>> "business roles" under these composite roles. >>>>> >>>>> HTH. >>>>> Subhro. >>>>> >>>>> On Tue, Oct 13, 2015 at 4:13 PM, Kunal K >>>> > wrote: >>>>> >>>>> Hi all, >>>>> >>>>> I am setting up an SSO server and i'm evaluating both CAS >>>>> and Keycloak. One of my main requirements is letting users >>>>> have multiple teams and be a part of multiple organizations. >>>>> I'm trying to wrap my head around how to do this in >>>>> Keycloak. Something on the lines of what Github does - >>>>> https://github.com/blog/674-introducing-organizations As an >>>>> evaluation process, I've already created a POC using CAS. >>>>> >>>>> I would really appreciate any pointers on how to do this >>>>> with Keycloak. >>>>> >>>>> Best, >>>>> >>>>> Kunal >>>>> >>>>> >>>>> -- >>>>> *KUNAL KERKAR *| PRODUCT ENGINEER >>>>> Plivo, Inc. 
340 Pine St, San Francisco - 94104, USA >>>>> Web: www.plivo.com | Twitter: @plivo >>>>> , @tsudot >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Wed Oct 14 11:39:09 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 14 Oct 2015 11:39:09 -0400 Subject: [keycloak-user] Different password policies for the same client In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC2942528CAEC@EX-TT-AC-02.traveltainment.int> References: <5C3DDBFAC4DBF04084678703EC0AC2942528CAEC@EX-TT-AC-02.traveltainment.int> Message-ID: <561E771D.5000501@redhat.com> Our realms are isolated from one another so I wouldn't recommend having 2 realms if at all possible. We don't have per client password policies. We do have "service accounts" now. A service account belongs to a client. Client can use this to interact with admin console or other services. 
On 10/14/2015 11:09 AM, Sebastian Olscher wrote:
> Hi guys,
>
> is there any way to configure different password policies for different
> kind of users in one realm?
>
> We're dealing with the following use case: Two different types of users:
> one represents human users, who are able to login via a login page. The
> second represents other applications which do a system to system
> communication without login via a login page. For human users we want
> to specify the policy that they have to change their password at least
> every 90 days. Users which were used for other applications (machine to
> machine communication) were not able to change their password. So we
> want to define this policy only for human users.
>
> I can't find a possibility to distinguish between user types, so our
> idea was to use two separated realms. I can add user from type A to
> Realm 1 and user from type B to Realm 2 and with that, I'm able to
> configure different password policies for both groups. But at the end if
> both user types have access to the same client, I have to configure the
> same client with all its roles in both realms identically to add roles
> of this client to users within this realm.
>
> What would be your recommendation to fulfil the requirement described in
> the use case?
>
> Thanks for your help,
>
> Sebastian

--
Bill Burke

From carmen.checa at masergy.com Wed Oct 14 12:20:40 2015
From: carmen.checa at masergy.com (carmen)
Date: Wed, 14 Oct 2015 11:20:40 -0500
Subject: [keycloak-user] Issue with XPathFactory - Additional information
In-Reply-To: <30B10C22-9EBE-4E33-B52F-619096E2C8D8@masergy.com>
Message-ID: <75191D0F-7EB6-4C78-97BE-C74A6B614D96@masergy.com>

Hi, after setting jaxp debug to true, I see the following error:

    JAXP: using thread context class loader (ModuleClassLoader for Module "deployment.keycloak-server.war:main" from Service Module Loader) for search
    11:03:40,517 ERROR [stderr] (default task-2) JAXP: Looking up system property 'javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom'
    11:03:40,517 ERROR [stderr] (default task-2) JAXP: The value is '__redirected.__XPathFactory'
    11:03:40,517 ERROR [stderr] (default task-2) JAXP: createInstance(__redirected.__XPathFactory)
    11:03:40,518 ERROR [stderr] (default task-2) JAXP: loaded __redirected.__XPathFactory from jar:file:/Users/Carmen/software/keycloak-demo-1.5.0.Final/keycloak/jboss-modules.jar!/__redirected/__XPathFactory.class
    11:03:40,518 ERROR [stderr] (default task-2) JAXP: could not instantiate __redirected.__XPathFactory
    11:03:40,519 ERROR [stderr] (default task-2) java.lang.ClassCastException: __redirected.__XPathFactory cannot be cast to javax.xml.xpath.XPathFactory
    11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder.createInstance(XPathFactoryFinder.java:306)
    11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder._newFactory(XPathFactoryFinder.java:184)
    11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder.newFactory(XPathFactoryFinder.java:157)

The dependencies in module.xml for my federation provider are as follows:

Thanks again,
Maria

> On Oct 14, 2015, at 9:42 AM, carmen wrote:
>
> Hi all,
>
> I am writing a federation provider that accesses Oracle using MyBatis.
> I get the following error when MyBatis is trying to read its xml configuration:
>
> ### Cause: java.lang.RuntimeException: XPathFactory#newInstance() failed to create an XPathFactory for the default object model: http://java.sun.com/jaxp/xpath/dom with the XPathFactoryConfigurationException: javax.xml.xpath.XPathFactoryConfigurationException: No XPathFactory implementation found for the object model: http://java.sun.com/jaxp/xpath/dom
> at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:26)
> at org.apache.ibatis.session.SqlSessionFactoryBuilder.build(SqlSessionFactoryBuilder.java:54)
>
> The federation provider jar is a big fat jar that includes all its dependencies.
>
> Any ideas?
>
> Thank you
> Maria

From fadiabdeen at gmail.com Wed Oct 14 13:48:55 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Wed, 14 Oct 2015 13:48:55 -0400
Subject: [keycloak-user] logging

Does anyone know if there is a way to enable extra logging in the keycloak log file?

Thanks,
Fadi

From sthorger at redhat.com Wed Oct 14 14:11:10 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Oct 2015 20:11:10 +0200
Subject: [keycloak-user] logging

You can configure logging in standalone/configuration/standalone.xml.
Search for "logging" and add for example:

On 14 October 2015 at 19:48, Fadi Abdin wrote:
> Does anyone know if there is a way to enable extra logging in the keycloak
> log file ?
> Thanks,
> Fadi

From rafael.coutinho at gmail.com Wed Oct 14 14:27:34 2015
From: rafael.coutinho at gmail.com (Rafael Coutinho)
Date: Wed, 14 Oct 2015 15:27:34 -0300
Subject: [keycloak-user] Cluster configuration does not work

Hi,

I have an environment with an AngularJS app client, which authenticates the user and keeps its data, and a server app that receives some requests for Webservices resources. For some webservices I need, on the server side, to translate the token into the user information. For that I use the url: auth/realms/MYREAL/protocol/openid-connect/userinfo with the Authorization token.

The problem is that the server is behind a load balancer and accesses keycloak thru port 8080, while AngularJS accesses the same server thru port 80. Keycloak complains that the Token was issued from a different url than I'm querying on the server side, forcing me to use the same hostname and port on the server and on the client. Is that correct? How will I deploy on a distributed environment?

ps. I'm using my own HTTP client to make that request to userinfo.
ps2. I have added "auth-server-url-for-backend-requests" however I don't see any difference.

Rafael Coutinho
Software Engineer
Professional profile: www.linkedin.com/in/rafaelcoutinho
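The issuer check Rafael is hitting can be reproduced offline by decoding the token's iss claim and comparing it with the realm URL the backend actually calls, which makes the port 80 vs. 8080 difference explicit. This is an added example, not code from the thread or from Keycloak; the realm URL layout (<auth-server-url>/realms/<realm>, as in the userinfo URL quoted above), the host name and the unsigned sample token are constructed assumptions.

```python
"""Diagnose a Keycloak issuer mismatch between a bearer token and the
backend URL used to call the userinfo endpoint.

Added example (not from the mailing-list thread or from Keycloak).
Assumptions: the realm URL is the token's "iss" claim of the form
<auth-server-url>/realms/<realm>, and the userinfo URL is
<realm-url>/protocol/openid-connect/userinfo. Nothing here verifies a
signature: the claims are decoded only to explain a mismatch, never to
accept a token.
"""
import base64
import json
from typing import Optional
from urllib.parse import urlsplit

USERINFO_SUFFIX = "/protocol/openid-connect/userinfo"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT checking the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def realm_url_from_userinfo(userinfo_url: str) -> str:
    """Strip the protocol path so the remainder is comparable to the iss claim."""
    if not userinfo_url.endswith(USERINFO_SUFFIX):
        raise ValueError("not a Keycloak userinfo URL: " + userinfo_url)
    return userinfo_url[: -len(USERINFO_SUFFIX)]


def explain_issuer_mismatch(token: str, userinfo_url: str) -> Optional[str]:
    """None when the token issuer equals the realm URL being called,
    otherwise a readable note naming the URL component(s) that differ."""
    iss = unverified_claims(token).get("iss")
    if iss is None:
        return "token has no iss claim"
    expected = realm_url_from_userinfo(userinfo_url)
    if iss == expected:
        return None
    a, b = urlsplit(iss), urlsplit(expected)
    diffs = [f"{name}: token={getattr(a, name)!r} backend={getattr(b, name)!r}"
             for name in ("scheme", "hostname", "port", "path")
             if getattr(a, name) != getattr(b, name)]
    if not diffs:  # e.g. only letter case differs; urlsplit normalises that
        diffs.append(f"string form differs: token={iss!r} backend={expected!r}")
    return "issuer mismatch; " + "; ".join(diffs)


def make_unsigned_token(claims: dict) -> str:
    """Constructed, UNSIGNED demo token (alg none, empty signature segment)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample: the browser app obtained its token through the load
# balancer on port 80, so that public URL is what the issuer claim carries.
FRONTEND_TOKEN = make_unsigned_token({
    "iss": "http://sso.example.org/auth/realms/MYREAL",
    "sub": "constructed-user-id",
    "azp": "angular-app",
})
# The backend bypasses the balancer and talks to port 8080 directly.
BACKEND_USERINFO = "http://sso.example.org:8080/auth/realms/MYREAL" + USERINFO_SUFFIX
# The same request made through the public URL the token was issued from.
FRONTEND_USERINFO = "http://sso.example.org/auth/realms/MYREAL" + USERINFO_SUFFIX

if __name__ == "__main__":
    print(explain_issuer_mismatch(FRONTEND_TOKEN, BACKEND_USERINFO))
    print(explain_issuer_mismatch(FRONTEND_TOKEN, FRONTEND_USERINFO))
```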
From harish_k_s007 at yahoo.com Wed Oct 14 15:36:55 2015
From: harish_k_s007 at yahoo.com (Harish Kumar)
Date: Wed, 14 Oct 2015 19:36:55 +0000 (UTC)
Subject: [keycloak-user] Exception while running keycloak 1.5.0 third party example
Message-ID: <1305714868.348572.1444851415318.JavaMail.yahoo@mail.yahoo.com>

Thanks Marko for response. I checked keycloak-adapter-core-1.5.0.final.jar is present at (/modules/system/layers/base/org/keycloak-adapter-core).

Few things i observed, not sure if they are related, just mentioning:
#1. After 1.1 release, httpcomponents (modules/org/apache) has changed jars from 4.2.
#2. No start() method for ServletOAuthClient (it was there in Bootstrap.java in 1.1)

Pls let me know if i am missing anything?

Thanks,
Harish

On Wednesday, October 14, 2015 2:01 AM, Marko Strukelj wrote:

The exception seems to indicate that your adapter was not properly installed. Make sure that you can see the following file underneath your Wildfly 9 home directory (where you deploy your third party app):

modules/system/layers/base/org/keycloak/keycloak-adapter-core/main/keycloak-adapter-core-1.5.0.Final.jar

It should be there as a result of properly unpacking keycloak-wf9-adapter-dist-1.5.0.Final.zip into your Wildfly 9. I suppose your mentioning keycloak-appliance-dist-all-1.1.0.Final is a reference to a version that used to work for you some time ago, and not what you're using now.

On Wed, Oct 14, 2015 at 4:36 AM, Harish Kumar wrote:

I was trying out examples from keycloak 1.5.0, specifically i was trying the third-party example. Same example worked fine while i took distribution (keycloak-appliance-dist-all-1.1.0.Final). I did following steps.
1. Installed keycloak 1.5.0
2. Set third-party client with valid redirect URL as /oauth-client/*
3. Keycloak Json mentioned below (towards end of that email)
4. Initially when i deployed then i got error (No class definition error: Lorg/keycloak/servlet/ServletOAuthClient), then added files from keycloak-wf9-adapter-dist-1.5.0.Final.zip.
5. After that application could deploy but when i type http://localhost:8080/oauth-client/ and click on "pull data" then getting error.

I would appreciate if you could pls let me know how this error can be fixed? Any module missing?

    javax.servlet.ServletException: java.lang.NoClassDefFoundError: org/keycloak/adapters/ServerRequest$HttpFailure
        org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:848)
        org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:777)
        org.apache.jsp.redirect_jsp._jspService(redirect_jsp.java:63)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)

Keycloak json:

    {
      "realm": "demo",
      "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPt1q5aq8xZGUZVHAwj7xW6vJ20qk/awf6kK6NqQ2CvblWoSYyZOeLF+NpGue3Wn5r4ImKVUST89wPMrO83Y5st31Zpe4kZKoe8kvUj7tI6eeRrUsEsUWwpZ6I5yR5uVgj+8hJ9TaZQNAgB8zK0FvAxmu5bO+mq7c6eDEsYbcuMt3X+VZrkD36toaWM+gXPqziVkiNxp8DdS2TB8EN2J+MBGQRkbG6t6zdVMF0XrWpoT2UeMeFQ05I5lk1mlVupa6TJCpeH7sZBL2pgR+6TRDhViShur5PZUepHayS45PjPYPMsejfGZInRjHl/aqGcRK8YkXPjVDqPSp0xIa/QXYwIDAQAB",
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "third-party",
      "credentials": {
        "secret": "7269abc3-4de8-4be7-b881-8c3fcacf4ef4"
      }
    }

From nicolas.grange at retrievercommunications.com Wed Oct 14 19:06:01 2015
From: nicolas.grange at retrievercommunications.com (Nic Grange)
Date: Wed, 14 Oct 2015 23:06:01 +0000
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
Message-ID: <69F757F4-8C8A-4756-A966-C3284668DEA9@retrievercommunications.com>

From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.

Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.

The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. a Group Admin role allows a user permission to administer only data created/owned by users in that group).

Cheers,
Nic

> Date: Wed, 14 Oct 2015 11:35:38 -0400
> From: Bill Burke
> Subject: Re: [keycloak-user] Keycloak to set up Teams and Organizations
> To: keycloak-user at lists.jboss.org
> Message-ID: <561E764A.4030706 at redhat.com>
>
> That's just not how keycloak was designed.
>
> Realms contain users, applications/clients, roles, groups etc. Realms
> were meant to be completely isolated from one another.
>
> On 10/14/2015 10:53 AM, Tim Dudgeon wrote:
>> The use case for me is to use multiple realms for authentication (e.g.
>> one realm for each organisation) that can access a single application
>> using a common set of roles.
>> It's sort of discussed from a different perspective on the apiman list here:
>> http://lists.jboss.org/pipermail/apiman-user/2015-October/000361.html
>>
>> Tim
>>
>> On 14/10/2015 15:34, Bill Burke wrote:
>>> No, we are not creating "global" groups and roles. use case please?
>>> We're trying to keep realms isolated from one another.
>>>
>>> On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
>>>> The scope of this is presumably groups within an individual realm?
>>>> Is there any possibility for "global" groups and roles that can span
>>>> multiple realms?
>>>>
>>>> Tim
>>>>
>>>> On 13/10/2015 17:18, Bill Burke wrote:
>>>>> You just want something like github groups? List your requirements.

From bburke at redhat.com Wed Oct 14 19:23:46 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 14 Oct 2015 19:23:46 -0400
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
In-Reply-To: <69F757F4-8C8A-4756-A966-C3284668DEA9@retrievercommunications.com>
Message-ID: <561EE402.7090608@redhat.com>

On 10/14/2015 7:06 PM, Nic Grange wrote:
> From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.

Exactly.

> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.
>
> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. a Group Admin role allows a user permission to administer only data created/owned by users in that group).

I like that idea. A better alternative might be that each group has a "user-admin" role. If a user has the "user-admin" role of the group, it can administer users in that group and assign roles defined in that group. One thing to really think about is, what about sub-groups. Can an admin of the parent group administer sub groups?

--
Bill Burke

From nicolas.grange at retrievercommunications.com Wed Oct 14 19:52:59 2015
From: nicolas.grange at retrievercommunications.com (Nic Grange)
Date: Wed, 14 Oct 2015 23:52:59 +0000
Subject: [keycloak-user] Keycloak to set up Teams and Organizations
Message-ID: <07A8AA2F-77DC-4675-A3B7-9974EC4E3CC1@retrievercommunications.com>

Thanks for the quick response.

> Can an admin of the parent group administer sub groups?

Yes, I think so. It should be hierarchical. If you don't want them to have that privilege then make them only admin of the sub-group.

I like the idea of each group having a "user-admin" role.

Say you have an application that allows users to create/modify/share documents. I see Groups as useful for tagging the document with the Group Id (additionally to the User Id) so that if another user logs in from the same group and the original user has chosen to allow this document to be shared within their group, the application can securely retrieve all the documents that are shared within their group.

Hope this makes sense,
Nic

> Date: Wed, 14 Oct 2015 19:23:46 -0400
> From: Bill Burke
> Subject: Re: [keycloak-user] Keycloak to set up Teams and Organizations
> To: keycloak-user at lists.jboss.org
> Message-ID: <561EE402.7090608 at redhat.com>
>
> On 10/14/2015 7:06 PM, Nic Grange wrote:
>> From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.
>
> Exactly.
>
>> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.
>>
>> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. a Group Admin role allows a user permission to administer only data created/owned by users in that group).
>
> I like that idea. A better alternative might be that each group has a
> "user-admin" role. If a user has the "user-admin" role of the group, it
> can administer users in that group and assign roles defined in that
> group. One thing to really think about is, what about sub-groups. Can
> an admin of the parent group administer sub groups?
>
> --
> Bill Burke

From revanth at arvindinternet.com Thu Oct 15 03:06:05 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Thu, 15 Oct 2015 12:36:05 +0530
Subject: [keycloak-user] Creating a WAR file.

Hi,

I am using Keycloak 1.5.0 and have used Keycloak's source code and extended some of its classes to make a few adjustments as per my requirements. I want to know how i can generate a war file of this code and deploy it onto my container.

Thanks.

From valerij.timofeev at gmail.com Thu Oct 15 05:41:39 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Thu, 15 Oct 2015 11:41:39 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?

Hi all,

we are interested to know if it is possible to authenticate users of a pure LDAP client against Keycloak?

Why?
We are planning to migrate legacy user storage to Keycloak and we'd like to avoid a dead end if for example some product (e.g. SaaS) does not support user authentication against Keycloak, but does against a standard LDAP server.

If it is impossible, has anybody succeeded to implement the reverted direction of user federation synchronization (all users' data from Keycloak should be copied to a fresh LDAP server installation)?

Answers to these questions may be decisive for the Keycloak usage in our organization.

Thank you in advance

Valerij Timofeev
Software Engineer
Trusted Shops GmbH

From mposolda at redhat.com Thu Oct 15 06:42:38 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Oct 2015 12:42:38 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
Message-ID: <561F831E.9080208@redhat.com>

In that case, I would likely use Keycloak with the LDAP federation provider, which will point to some LDAP server in your environment. The KC federation provider needs to be declared with editMode "WRITABLE", so all users created through Keycloak will be synced to the LDAP server as well, including their password. Then the legacy product compatible just with LDAP will authenticate users against this LDAP server.

Marek

On 15/10/15 11:41, Valerij Timofeev wrote:
> Hi all,
>
> we are interested to know if it is possible to authenticate users of
> pure LDAP client against Keycloak?
>
> Why? We are planning to migrate legacy user storage to Keycloak and
> we'd like to avoid dead end if for example some product (e.g. SaaS)
> does not support user authentication against Keycloak, but does
> against standard LDAP server.
>
> If it is impossible, has anybody succeeded to implement reverted
> direction of user federation synchronization (all users data from
> Keycloak should be copied to a fresh LDAP server installation)?
>
> Answers to these questions may be decisive for the Keycloak usage in
> our organization.
>
> Thank you in advance
>
> Valerij Timofeev
> Software Engineer
> Trusted Shops GmbH

From valerij.timofeev at gmail.com Thu Oct 15 07:56:02 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Thu, 15 Oct 2015 13:56:02 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
In-Reply-To: <561F831E.9080208@redhat.com>

The scenario where users are created in Keycloak and then synchronized to LDAP is clear. It is well documented.
But what about the scenario where the LDAP server setup occurs months after the Keycloak setup?
Would it be possible to synchronize existing Keycloak users including their password to LDAP, for example on successful login?

2015-10-15 12:42 GMT+02:00 Marek Posolda:
> In that case, I would likely use Keycloak with LDAP federation provider,
> which will point to some LDAP server in your environment. KC Federation
> provider needs to be declared with editMode "WRITABLE", so all users
> created through Keycloak will be synced to LDAP server as well including
> their password. Then the legacy product compatible just with LDAP will
> authenticate users against this LDAP server.
>
> Marek
>
> On 15/10/15 11:41, Valerij Timofeev wrote:
>> Hi all,
>>
>> we are interested to know if it is possible to authenticate users of pure
>> LDAP client against Keycloak?
>>
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd
>> like to avoid dead end if for example some product (e.g. SaaS) does not
>> support user authentication against Keycloak, but does against standard
>> LDAP server.
>>
>> If it is impossible, has anybody succeeded to implement reverted direction
>> of user federation synchronization (all users data from Keycloak should be
>> copied to a fresh LDAP server installation)?
>>
>> Answers to these questions may be decisive for the Keycloak usage in our
>> organization.
>>
>> Thank you in advance
>>
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH

From sebastian.rose at aoe.com Thu Oct 15 08:14:41 2015
From: sebastian.rose at aoe.com (Sebastian Rose)
Date: Thu, 15 Oct 2015 12:14:41 +0000
Subject: [keycloak-user] Sending Forgot-Password Mail via Admin API/Reverse Proxy

Hi all,

we have keycloak configured to live behind a reverse proxy and the external domain is used in emails (e.g. forgot-passwd) -> fine.

For security reasons I want to use the internal url for the master-realm (externally not reachable). When I send a reset-password mail via the admin interface, the mail contains the wrong URL. Is there anything I can do about it via configuration?

Best regards,
Sebastian

Sebastian Rose
Developer
AOE GmbH
LuisenForum, Kirchgasse 6
65185 Wiesbaden
Germany
Tel. +49 6122 70 70 7 -234 Fax.
+49 6122 70 70 7 -199
e-Mail: sebastian.rose at aoe.com
Web: http://www.aoe.com/

From azenk at umn.edu Thu Oct 15 09:22:12 2015
From: azenk at umn.edu (Andrew Zenk)
Date: Thu, 15 Oct 2015 08:22:12 -0500
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
In-Reply-To: <561F831E.9080208@redhat.com>

I have a similar use case. The current approach assumes that the LDAP server will be available at all times. If the LDAP server goes offline, and a user is created, they won't be synced (as far as I'm aware). I'm assuming this is primarily due to the issues around transferring the password information from keycloak to an LDAP server in a useful and consistent way. I think adding either an LDAP server, or at the very least a much better API for accessing user data would be a huge win for keycloak.

We've hacked around this problem by implementing a custom apache ds partition that uses the keycloak libraries to talk to our database. This is made more difficult by the way these libraries are structured. For example, at least as of 1.2.0, there is no way to query the database for a list of members of a particular role. This means that I have to build this mapping myself, then cache it so that I don't have to wait many seconds for every role lookup. Also, it's not an interface that is meant for public consumption, so it may change without warning, etc.

The solution we have works, but certain operations are slow, and it may cause maintenance issues. I'm going to explore using the REST API instead, though it may not expose enough information.

Another potential issue is the IDs assigned to users/roles. Keycloak currently doesn't assign IDs that would be easily mapped onto the ID space that many systems would expect (32 bit int, or similar). I think this could be worked around, but it is another challenge for any universally useful LDAP directory backed by keycloak.

On Thu, Oct 15, 2015 at 6:56 AM, Valerij Timofeev <valerij.timofeev at gmail.com> wrote:
> The scenario where users are created in Keycloak and then synchronized to
> LDAP is clear. It is good documented.
> But what about scenario, if LDAP server setup should occur months later
> after Keycloak setup?
> Would it be possible to synchronize existing Keycloak users including
> their password to LDAP for example on successful login?
>
> 2015-10-15 12:42 GMT+02:00 Marek Posolda:
>
>> In that case, I would likely use Keycloak with LDAP federation provider,
>> which will point to some LDAP server in your environment. KC Federation
>> provider needs to be declared with editMode "WRITABLE", so all users
>> created through Keycloak will be synced to LDAP server as well including
>> their password. Then the legacy product compatible just with LDAP will
>> authenticate users against this LDAP server.
>>
>> Marek
>>
>> On 15/10/15 11:41, Valerij Timofeev wrote:
>>
>> Hi all,
>>
>> we are interested to know if it is possible to authenticate users of pure
>> LDAP client against Keycloak?
>>
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd
>> like to avoid dead end if for example some product (e.g. SaaS) does not
>> support user authentication against Keycloak, but does against standard
>> LDAP server.
>>
>> If it is impossible, has anybody succeeded to implement reverted
>> direction of user federation synchronization (all users data from Keycloak
>> should be copied to a fresh LDAP server installation)?
>>
>> Answers to these questions may be decisive for the Keycloak usage in our
>> organization.
>>
>> Thank you in advance
>>
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH

--
Andrew Zenk, EIT
Polar Geospatial Center
University of Minnesota
Office: (612) 625-0872
Cell: (612) 414-9617

From sthorger at redhat.com Thu Oct 15 10:58:07 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Oct 2015 16:58:07 +0200
Subject: [keycloak-user] Creating a WAR file.

We do not support deploying Keycloak as a WAR. Follow the instructions on https://github.com/keycloak/keycloak to build the distribution, which will give you the standalone server, or the overlay that can be added to an existing WildFly server.
On 15 October 2015 at 09:06, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:

> Hi,
>
> I am using Keycloak 1.5.0 and have used Keycloak's source code and extended some of its classes to make a few adjustments as per my requirements. I want to know how I can generate a war file of this code and deploy it onto my container.
>
> Thanks.

From harish_k_s007 at yahoo.com Thu Oct 15 16:56:02 2015
From: harish_k_s007 at yahoo.com (Harish Kumar)
Date: Thu, 15 Oct 2015 20:56:02 +0000 (UTC)
Subject: [keycloak-user] Exception while running kaycloak 1.5.0 third party example
In-Reply-To: <1305714868.348572.1444851415318.JavaMail.yahoo@mail.yahoo.com>
References: <1305714868.348572.1444851415318.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1766477144.851532.1444942562699.JavaMail.yahoo@mail.yahoo.com>

I made sure the adapter is installed correctly. Now I do not see the error for Class not found.
Now getting the following error. Mentioning keycloak.json below.
Would appreciate if you could please let me know how it can be fixed?

13:44:47,283 WARN  [org.keycloak.events] (default task-115) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=third-party, userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials

Exception

13:44:47,284 ERROR [io.undertow.request] (default task-114) UT005023: Exception handling request to /oauth-client/pull_data.jsp: org.apache.jasper.JasperException: java.lang.RuntimeException: org.keycloak.adapters.ServerRequest$HttpFailure
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: org.keycloak.adapters.ServerRequest$HttpFailure
    at org.keycloak.example.oauth.ProductDatabaseClient.getTokenResponse(ProductDatabaseClient.java:87)
    at org.apache.jsp.pull_005fdata_jsp._jspService(pull_005fdata_jsp.java:65)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
    ... 31 more
Caused by: org.keycloak.adapters.ServerRequest$HttpFailure
    at org.keycloak.adapters.ServerRequest.error(ServerRequest.java:211)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:94)
    at org.keycloak.servlet.ServletOAuthClient.resolveBearerToken(ServletOAuthClient.java:41)
    at org.keycloak.servlet.ServletOAuthClient.getBearerToken(ServletOAuthClient.java:146)
    at org.keycloak.example.oauth.ProductDatabaseClient.getTokenResponse(ProductDatabaseClient.java:70)
    ... 35 more

Keycloak.json

{
  "realm": "master",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsqzFVCG8nltfcTBL70E5wk2Lh+yu0s5pUvl7rheFBeCb4mSEBwFqLAOIRN3iHVC+A7F8PSp4ZlpqQIBiFXfFiUUSaLfVPVoRapKfi0Wl4+MScFcW2VL4uiIZWR0wIlg0HCZ8EOrHLA6myKi5pc/jhEf7i1FgG+QiTvemQSv9TvLF1xXAXoiNvQbbGzH0t2Pmau9woyHwbiepLp+8pxxIxYupJtBFU+cTc65Rs2wJOmd9snCQQbhTOxeoJLT9J/JkOQcrJUVEracGRx7ebj2pjmUrKx2sAqFH4sCyinODPfFh2OUWUaTSoIN16X2QRyJPbltChjwiu4U2ajD56L5teQIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "third-party",
  "credentials": {
    "secret": "49f899fa-6208-4eb6-b4fe-e4a8c9b02332"
  }
}

On Wednesday, October 14, 2015 12:36 PM, Harish Kumar wrote:

Thanks Marko for the response. I checked that keycloak-adapter-core-1.5.0.final.jar is present at (/modules/system/layers/base/org/keycloak-adapter-core).

A few things I observed, not sure if they are related, just mentioning:
#1. After the 1.1 release, httpcomponents (modules/org/apache) has changed jars from 4.2.
#2. No start() method for ServletOAuthClient (it was there in Bootstrap.java in 1.1)

Please let me know if I am missing anything?

Thanks,
Harish

On Wednesday, October 14, 2015 2:01 AM, Marko Strukelj wrote:

The exception seems to indicate that your adapter was not properly installed.

Make sure that you can see the following file underneath your Wildfly 9 home directory (where you deploy your third party app):

modules/system/layers/base/org/keycloak/keycloak-adapter-core/main/keycloak-adapter-core-1.5.0.Final.jar

It should be there as a result of properly unpacking keycloak-wf9-adapter-dist-1.5.0.Final.zip into your Wildfly 9.
I suppose your mentioning keycloak-appliance-dist-all-1.1.0.Final is a reference to a version that used to work for you some time ago, and not what you're using now.

On Wed, Oct 14, 2015 at 4:36 AM, Harish Kumar wrote:

I was trying out examples from keycloak 1.5.0, specifically I was trying the third-party example. The same example worked fine when I took the distribution (keycloak-appliance-dist-all-1.1.0.Final).
I did the following steps.

1. Installed keycloak 1.5.0
2. Set third-party client with valid redirect URL as /oauth-client/*
3. Keycloak Json mentioned below (towards end of that email)
4. Initially when I deployed I got an error (No class definition error: Lorg/keycloak/servlet/ServletOAuthClient), then added files from keycloak-wf9-adapter-dist-1.5.0.Final.zip.
5. After that the application could deploy, but when I type http://localhost:8080/oauth-client/ and click on "pull data" then I get the error.

I would appreciate if you could please let me know how this error can be fixed? Any module missing?

javax.servlet.ServletException: java.lang.NoClassDefFoundError: org/keycloak/adapters/ServerRequest$HttpFailure
    org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:848)
    org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:777)
    org.apache.jsp.redirect_jsp._jspService(redirect_jsp.java:63)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)

Keycloak json

{
  "realm": "demo",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPt1q5aq8xZGUZVHAwj7xW6vJ20qk/awf6kK6NqQ2CvblWoSYyZOeLF+NpGue3Wn5r4ImKVUST89wPMrO83Y5st31Zpe4kZKoe8kvUj7tI6eeRrUsEsUWwpZ6I5yR5uVgj+8hJ9TaZQNAgB8zK0FvAxmu5bO+mq7c6eDEsYbcuMt3X+VZrkD36toaWM+gXPqziVkiNxp8DdS2TB8EN2J+MBGQRkbG6t6zdVMF0XrWpoT2UeMeFQ05I5lk1mlVupa6TJCpeH7sZBL2pgR+6TRDhViShur5PZUepHayS45PjPYPMsejfGZInRjHl/aqGcRK8YkXPjVDqPSp0xIa/QXYwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "third-party",
  "credentials": {
    "secret": "7269abc3-4de8-4be7-b881-8c3fcacf4ef4"
  }
}
From carmen.checa at masergy.com Thu Oct 15 17:40:59 2015
From: carmen.checa at masergy.com (carmen)
Date: Thu, 15 Oct 2015 16:40:59 -0500
Subject: [keycloak-user] Issue with XPathFactory

Hi Bill,

I already had

11:03:40,517 ERROR [stderr] (default task-2) JAXP: The value is '__redirected.__XPathFactory'
11:03:40,517 ERROR [stderr] (default task-2) JAXP: createInstance(__redirected.__XPathFactory)
11:03:40,518 ERROR [stderr] (default task-2) JAXP: loaded __redirected.__XPathFactory from jar:file:/Users/Carmen/software/keycloak-demo-1.5.0.Final/keycloak/jboss-modules.jar!/__redirected/__XPathFactory.class
11:03:40,518 ERROR [stderr] (default task-2) JAXP: could not instantiate __redirected.__XPathFactory
11:03:40,519 ERROR [stderr] (default task-2) java.lang.ClassCastException: __redirected.__XPathFactory cannot be cast to javax.xml.xpath.XPathFactory
11:03:40,519 ERROR [stderr] (default task-2)     at javax.xml.xpath.XPathFactoryFinder.createInstance(XPathFactoryFinder.java:306)
11:03:40,519 ERROR [stderr] (default task-2)     at javax.xml.xpath.XPathFactoryFinder._newFactory(XPathFactoryFinder.java:184)
11:03:40,519 ERROR [stderr] (default task-2)     at javax.xml.xpath.XPathFactoryFinder.newFactory(XPathFactoryFinder.java:157)

So it looked like there was a class loader issue and the ClassCast was not working. I did not know how to fix that, so I went ahead and changed the property javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom back to the default, to override looking for __redirected.__XPathFactory.

The default implementation is a com.sun... class that lives in rt.jar, and when I tried that I was getting a ClassNotFound, so I went ahead, added Xalan to my module and changed the property to use the Xalan class: org.apache.path.jaxp.XPathFactoryImpl

That worked.

I had that same issue with another class that was also overridden with a __redirected class (DocumentBuilderFactory), and once I set the default value to the default implementation, the implementation cannot be loaded because it is in rt.jar. I went around that by adding Crimson to my module.

So it looks like even though there is a dependency defined on java.api, those jars (at least for xml) do not contain implementations, just the interfaces, and the actual providers are in rt.jar and I get an error trying to load them.

So I really do not like what I have done. There's got to be a way to be able to use the implementations in rt.jar, right?

Thanks
Maria

From carmen.checa at masergy.com Thu Oct 15 17:44:39 2015
From: carmen.checa at masergy.com (carmen)
Date: Thu, 15 Oct 2015 16:44:39 -0500
Subject: [keycloak-user] User Federation Provider and roles

Hi all,

I am writing a user federation provider so we can authenticate users stored in a database. Our roles are also stored there. Is there an interface to provide roles to the realm and trap updates so changes to roles in Keycloak effect changes in the DB?

Thanks
Maria

From bburke at redhat.com Thu Oct 15 19:03:12 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 15 Oct 2015 19:03:12 -0400
Subject: [keycloak-user] Exception while running kaycloak 1.5.0 third party example
In-Reply-To: <1766477144.851532.1444942562699.JavaMail.yahoo@mail.yahoo.com>
References: <1305714868.348572.1444851415318.JavaMail.yahoo@mail.yahoo.com> <1766477144.851532.1444942562699.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <562030B0.8070008@redhat.com>

On 10/15/2015 4:56 PM, Harish Kumar wrote:
> I made sure adapter is installed correctly. Now do not see error for
> Class not found.
> Now getting following error. Mentioning keycloak.json below.
> Would appreciate if you could pls let me know how it can be fixed ?
>
>
> 13:44:47,283 WARN [org.keycloak.events] (default task-115)
> type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=third-party,
> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials
>

Read the error message. "invalid_client_credentials". Does your keycloak.json file have the correct client secret?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Thu Oct 15 19:10:58 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 15 Oct 2015 19:10:58 -0400
Subject: [keycloak-user] User Federation Provider and roles
Message-ID: <56203282.6030508@redhat.com>

For role mappings, you have to proxy UserModel, then you can catch whenever the admin console changes role mappings. For roles themselves, there's nothing you can do except maybe check the external db when fetching role mappings.

On 10/15/2015 5:44 PM, carmen wrote:
> Hi all,
>
> I am writing a user federation provider so we can authenticate users stored in a database.
> Our roles are also stored there.
> Is there an interface to provide roles to the realm and trap updates so changes to roles in keycloak effect changes in the DB?
>
> Thanks
> Maria

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From harish_k_s007 at yahoo.com Thu Oct 15 19:41:42 2015
From: harish_k_s007 at yahoo.com (Harish Kumar)
Date: Thu, 15 Oct 2015 23:41:42 +0000 (UTC)
Subject: [keycloak-user] Exception while running kaycloak 1.5.0 third party example
In-Reply-To: <562030B0.8070008@redhat.com>
References: <562030B0.8070008@redhat.com>
Message-ID: <1754695373.945879.1444952502137.JavaMail.yahoo@mail.yahoo.com>

Yes, it has the correct secret.
The same example has run without any issue on 1.1 (keycloak-appliance-dist-all-1.1.0.Final). Only since I moved to 1.5 am I seeing the issue. Are any additional settings/steps required for creation of the client in 1.5?

On Thursday, October 15, 2015 4:04 PM, Bill Burke wrote:

Read the error message. "invalid_client_credentials". Does your keycloak.json file have the correct client secret?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Fri Oct 16 00:04:27 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Fri, 16 Oct 2015 12:04:27 +0800
Subject: [keycloak-user] spring security adapter
In-Reply-To: <561E4B2F.9030702@redhat.com>
References: <561E4B2F.9030702@redhat.com>

Thanks Marek.

Hi,

It seems like Spring isn't picking up the security rules. Can you please advise? I've attached the application security xml files for verification.
On Wed, Oct 14, 2015 at 8:31 PM, Marek Posolda wrote:

> Hi,
>
> we have documentation here:
> http://keycloak.github.io/docs/userguide/html/ch08.html#spring-boot-adapter
> http://keycloak.github.io/docs/userguide/html/ch08.html#spring-security-adapter
>
> Marek
>
> On 14/10/15 12:30, chenkeong.yap at izeno.com wrote:
>
>> hi guys,
>>
>> do you have any documentation or sample program for configuring keycloak to use with spring security?
>>
>> Regards,
>> CK Yap

(Attachments scrubbed by the archive: applicationContext-security.xml, text/xml, 56472 bytes; applicationContext-security-web.xml, text/xml, 27272 bytes)

From satyajit.das at spire2grow.com Fri Oct 16 02:50:44 2015
From: satyajit.das at spire2grow.com (Satyajit Das)
Date: Fri, 16 Oct 2015 12:20:44 +0530
Subject: [keycloak-user] Regarding Reset Password

Hi Team,

Kindly answer my query below.

I can see the admin API has 2 services for reset password.

Do we have an API where the user can enter a new password and it should be permanent instead of temporary?

Regards,
Satya

From mposolda at redhat.com Fri Oct 16 02:59:19 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Oct 2015 08:59:19 +0200
Subject: [keycloak-user] [keycloak-dev] Exception while running kaycloak 1.5.0 third party example
In-Reply-To: <1766477144.851532.1444942562699.JavaMail.yahoo@mail.yahoo.com>
References: <1305714868.348572.1444851415318.JavaMail.yahoo@mail.yahoo.com> <1766477144.851532.1444942562699.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5620A047.4060401@redhat.com>

According to the error, I suppose it is invalid client credentials, so likely an invalid client secret. If you go to the admin console and click the "thirdparty" client, then the tab "Credentials", you will see the actual secret of the thirdparty client from the Keycloak database. You need to copy this secret into keycloak.json.

Marek

On 15/10/15 22:56, Harish Kumar wrote:
> I made sure adapter is installed correctly. Now do not see error for
> Class not found.
> Now getting following error. Mentioning keycloak.json below.
> Would appreciate if you could pls let me know how it can be fixed ?
>
>
> 13:44:47,283 WARN [org.keycloak.events] (default task-115)
> type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=third-party,
> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials
From mposolda at redhat.com Fri Oct 16 03:05:51 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Oct 2015 09:05:51 +0200
Subject: [keycloak-user] Regarding Reset Password
Message-ID: <5620A1CF.5000006@redhat.com>

The API already allows setting a credential as permanent instead of temporary. There is a boolean flag "temporary" on CredentialRepresentation. You can see the admin console on/off switch for temporary password too. So try to switch it off and see how the REST request sent from the admin console looks (you can use tools like Firebug to see the REST requests sent by the browser).

Marek

On 16/10/15 08:50, Satyajit Das wrote:
> Hi Team,
> Kindly answer my query below.
>
> I can see the admin API has 2 services for reset password.
>
> Do we have an API where the user can enter a new password and it should
> be permanent instead of temporary?
>
> Regards,
> Satya

From chenkeong.yap at izeno.com Fri Oct 16 05:47:59 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Fri, 16 Oct 2015 17:47:59 +0800
Subject: [keycloak-user] Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'

Hi,

I am unable to secure a war file using the JBoss subsystem. Can you please advise?
error :

Message: Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1199)
at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:457)
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:144)
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:106)
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
... 3 more

snippet of standalone.xml

auth
demo
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy3CI+Un3CTFC/yoMzXNb7+Zm2gExw7khOduINB6wVIZpx+BT60DtXqcr0jZgxsO06ITL1/whVwHBx8G0KNG+t3McoYjXtEgkU5q0F+UA97M863Sg/762dC/2os7KiD/WVreXxA4wuueil/PPGj8YS0EUacx28yOhbhIIbva/jEWCtgKS3r/H6OtxZNM0lE0taimKlNT7NfLTBm/XH6IsdF75QD2WKTdzMHrd92zBg7lzHvp+/tZ7JwGhlR/+9N8O2qnPZWKVub7Wgum30trV8slFhWsneraosG2mnmeJLuIkNtev2gYvuNc5i8uZuKUnrdz2CUWEbViEReWm3uWRwIDAQAB
http://localhost:8080/auth
true
EXTERNAL
http://localhost:8080/jasperserver-pro/

From sthorger at redhat.com Fri Oct 16 05:58:51 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 16 Oct 2015 11:58:51 +0200
Subject: [keycloak-user] Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
In-Reply-To:
References:
Message-ID:

You're using the old config format. Please refer to
http://keycloak.github.io/docs/userguide/html/ch08.html#jboss-adapter

On 16 October 2015 at 11:47, Chen Keong Yap wrote:
> Hi,
>
> I am unable to secure a war file using the JBoss subsystem. Can you please advise?
>
> error :
>
> Message: Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
> at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1199)
> at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:457)
> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:144)
> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:106)
> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
> ... 3 more
>
> snippet of standalone.xml
>
> auth
> demo
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy3CI+Un3CTFC/yoMzXNb7+Zm2gExw7khOduINB6wVIZpx+BT60DtXqcr0jZgxsO06ITL1/whVwHBx8G0KNG+t3McoYjXtEgkU5q0F+UA97M863Sg/762dC/2os7KiD/WVreXxA4wuueil/PPGj8YS0EUacx28yOhbhIIbva/jEWCtgKS3r/H6OtxZNM0lE0taimKlNT7NfLTBm/XH6IsdF75QD2WKTdzMHrd92zBg7lzHvp+/tZ7JwGhlR/+9N8O2qnPZWKVub7Wgum30trV8slFhWsneraosG2mnmeJLuIkNtev2gYvuNc5i8uZuKUnrdz2CUWEbViEReWm3uWRwIDAQAB
> http://localhost:8080/auth
> true
> EXTERNAL
> http://localhost:8080/jasperserver-pro/
From chenkeong.yap at izeno.com Fri Oct 16 06:28:56 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Fri, 16 Oct 2015 18:28:56 +0800
Subject: [keycloak-user] Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
In-Reply-To:
References:
Message-ID:

Hi Stian,

I am referring to the documentation here:
http://keycloak.github.io/docs/userguide/pdf/keycloak-reference-guide-en-US.pdf

Can I know which part is the old config?

Regards,
CK Yap

> On 16 Oct 2015, at 5:58 PM, Stian Thorgersen wrote:
>
> You're using the old config format. Please refer to http://keycloak.github.io/docs/userguide/html/ch08.html#jboss-adapter
>
>> On 16 October 2015 at 11:47, Chen Keong Yap wrote:
>> Hi,
>>
>> I am unable to secure a war file using the JBoss subsystem. Can you please advise?
>>
>> error :
>>
>> Message: Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
>> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
>> at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1199)
>> at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:457)
>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:144)
>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:106)
>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
>> ... 3 more
>>
>> snippet of standalone.xml
>>
>> auth
>> demo
>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy3CI+Un3CTFC/yoMzXNb7+Zm2gExw7khOduINB6wVIZpx+BT60DtXqcr0jZgxsO06ITL1/whVwHBx8G0KNG+t3McoYjXtEgkU5q0F+UA97M863Sg/762dC/2os7KiD/WVreXxA4wuueil/PPGj8YS0EUacx28yOhbhIIbva/jEWCtgKS3r/H6OtxZNM0lE0taimKlNT7NfLTBm/XH6IsdF75QD2WKTdzMHrd92zBg7lzHvp+/tZ7JwGhlR/+9N8O2qnPZWKVub7Wgum30trV8slFhWsneraosG2mnmeJLuIkNtev2gYvuNc5i8uZuKUnrdz2CUWEbViEReWm3uWRwIDAQAB
>> http://localhost:8080/auth
>> true
>> EXTERNAL
>> http://localhost:8080/jasperserver-pro/

From valerij.timofeev at gmail.com Fri Oct 16 07:57:36 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Fri, 16 Oct 2015 13:57:36 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
In-Reply-To:
References: <561F831E.9080208@redhat.com>
Message-ID:

Thank you, Andrew.

Your approach is an interesting option I did not consider yet. Would this URL be a good starting point to estimate the complexity of your approach?
https://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+How+to+write+a+simple+custom+partition+for+ApacheDS

We don't need LDAP just at the moment. But I have to demonstrate to decision makers in our organization that Keycloak is not a dead-end user management solution.

Have you considered the normal LDAP user federation option in combination with setting up ApacheDS to use the PBKDF2 algorithm for compatibility during migration?
https://issues.apache.org/jira/browse/DIRSERVER-1898

2015-10-15 15:22 GMT+02:00 Andrew Zenk :
> I have a similar use case.
> The current approach assumes that the LDAP server will be available at all times. If the LDAP server goes offline, and a user is created, they won't be synced (as far as I'm aware). I'm assuming this is primarily due to the issues around transferring the password information from keycloak to an LDAP server in a useful and consistent way. I think adding either an LDAP server, or at the very least a much better API for accessing user data, would be a huge win for keycloak.
>
> We've hacked around this problem by implementing a custom apache ds partition that uses the keycloak libraries to talk to our database. This is made more difficult by the way these libraries are structured. For example, at least as of 1.2.0, there is no way to query the database for a list of members of a particular role. This means that I have to build this mapping myself, then cache it so that I don't have to wait many seconds for every role lookup. Also, it's not an interface that is meant for public consumption, so it may change without warning, etc. The solution we have works, but certain operations are slow, and it may cause maintenance issues. I'm going to explore using the REST API instead, though it may not expose enough information.
>
> Another potential issue is the IDs assigned to users/roles. Keycloak currently doesn't assign IDs that would be easily mapped onto the ID space that many systems would expect (32 bit int, or similar). I think this could be worked around, but it is another challenge for any universally useful LDAP directory backed by keycloak.
>
> On Thu, Oct 15, 2015 at 6:56 AM, Valerij Timofeev < valerij.timofeev at gmail.com> wrote:
>
>> The scenario where users are created in Keycloak and then synchronized to LDAP is clear. It is well documented.
>> But what about the scenario where the LDAP server setup should occur months after the Keycloak setup?
>> Would it be possible to synchronize existing Keycloak users including their password to LDAP, for example on successful login?
>>
>> 2015-10-15 12:42 GMT+02:00 Marek Posolda :
>>
>>> In that case, I would likely use Keycloak with LDAP federation provider, which will point to some LDAP server in your environment. KC Federation provider needs to be declared with editMode "WRITABLE", so all users created through Keycloak will be synced to LDAP server as well including their password. Then the legacy product compatible just with LDAP will authenticate users against this LDAP server.
>>>
>>> Marek
>>>
>>> On 15/10/15 11:41, Valerij Timofeev wrote:
>>>
>>> Hi all,
>>>
>>> we are interested to know if it is possible to authenticate users of a pure LDAP client against Keycloak?
>>>
>>> Why? We are planning to migrate legacy user storage to Keycloak and we'd like to avoid a dead end if for example some product (e.g. SaaS) does not support user authentication against Keycloak, but does against a standard LDAP server.
>>>
>>> If it is impossible, has anybody succeeded to implement the reverted direction of user federation synchronization (all user data from Keycloak should be copied to a fresh LDAP server installation)?
>>>
>>> Answers to these questions may be decisive for the Keycloak usage in our organization.
>>>
>>> Thank you in advance
>>>
>>> Valerij Timofeev
>>> Software Engineer
>>> Trusted Shops GmbH
>
> --
> Andrew Zenk, EIT
> Polar Geospatial Center
> University of Minnesota
> Office: (612) 625-0872
> Cell: (612) 414-9617

From sascha.skorupa at traveltainment.de Fri Oct 16 08:00:25 2015
From: sascha.skorupa at traveltainment.de (Sascha Skorupa)
Date: Fri, 16 Oct 2015 12:00:25 +0000
Subject: [keycloak-user] MultiTenancy / MultiRealms
Message-ID:

Hi,

we want to authenticate users from different realms in one client/application. We looked at the multitenancy example, but there the realms are distinguished by the requested URL. In our case the users send tokens to the application from different issuers.

Is there any recommendation how to handle this?

Cheers,
sascha

From sthorger at redhat.com Fri Oct 16 08:21:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 16 Oct 2015 14:21:22 +0200
Subject: [keycloak-user] Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
In-Reply-To:
References:
Message-ID:

Sorry, I misread the snippet you sent. Have you added the extensions? And also installed the server overlay + adapter overlay?
On 16 October 2015 at 12:28, wrote:
> Hi Stian,
>
> I am referring to the documentation here
> http://keycloak.github.io/docs/userguide/pdf/keycloak-reference-guide-en-US.pdf
>
> Can I know which part is the old config?
>
> Regards,
> CK Yap
>
> On 16 Oct 2015, at 5:58 PM, Stian Thorgersen wrote:
>
> You're using the old config format. Please refer to
> http://keycloak.github.io/docs/userguide/html/ch08.html#jboss-adapter
>
> On 16 October 2015 at 11:47, Chen Keong Yap wrote:
>
>> Hi,
>>
>> I am unable to secure a war file using the JBoss subsystem. Can you please advise?
>>
>> error :
>>
>> Message: Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
>> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
>> at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1199)
>> at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:457)
>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:144)
>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:106)
>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
>> ... 3 more
>>
>> snippet of standalone.xml
>>
>> auth
>> demo
>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy3CI+Un3CTFC/yoMzXNb7+Zm2gExw7khOduINB6wVIZpx+BT60DtXqcr0jZgxsO06ITL1/whVwHBx8G0KNG+t3McoYjXtEgkU5q0F+UA97M863Sg/762dC/2os7KiD/WVreXxA4wuueil/PPGj8YS0EUacx28yOhbhIIbva/jEWCtgKS3r/H6OtxZNM0lE0taimKlNT7NfLTBm/XH6IsdF75QD2WKTdzMHrd92zBg7lzHvp+/tZ7JwGhlR/+9N8O2qnPZWKVub7Wgum30trV8slFhWsneraosG2mnmeJLuIkNtev2gYvuNc5i8uZuKUnrdz2CUWEbViEReWm3uWRwIDAQAB
>> http://localhost:8080/auth
>> true
>> EXTERNAL
>> http://localhost:8080/jasperserver-pro/

From emorny at gmail.com Fri Oct 16 08:30:14 2015
From: emorny at gmail.com (Edem Morny)
Date: Fri, 16 Oct 2015 12:30:14 +0000
Subject: [keycloak-user] Unable to Add Role Mappings Via REST API in 1.5.1
Message-ID: <1444998614.3644.5.camel@localhost.localdomain>

Hi,

I'm having issues migrating my application from keycloak 1.2.1.Final to 1.5.1.Final. I already had working code that enables us to create users and assign role mappings to those users via the REST API. However, while testing the application for migrating to 1.5.1, I get a 404 when the application attempts to add role mappings to users via the REST API. The REST invocation to create the user actually works; it's the subsequent invocation to add role-mappings that fails with the 404.

Do you have any idea what has changed?
From valerij.timofeev at gmail.com Fri Oct 16 08:31:57 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Fri, 16 Oct 2015 14:31:57 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
In-Reply-To: <561F831E.9080208@redhat.com>
References: <561F831E.9080208@redhat.com>
Message-ID:

I suppose that implementing an LDAP server in Keycloak is not an option for RH because there is already FreeIPA ;-)
But unfortunately 389-DS does not support the PBKDF2 algorithm and as far as I know there are no plans for that:
https://fedorahosted.org/freeipa/ticket/4182

Are there any plans to make hash algorithms in Keycloak pluggable, in order for example to ensure compatibility with FreeIPA and thus ease the migration path?
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes - search for *passwordStorageScheme*

Instead of "exposing the whole LDAP server" would it be feasible for Keycloak to implement SASL for use in LDAP servers instead?

Should I better ask these questions on the Keycloak developers list?

Valerij

2015-10-15 12:42 GMT+02:00 Marek Posolda :
> In that case, I would likely use Keycloak with LDAP federation provider, which will point to some LDAP server in your environment. KC Federation provider needs to be declared with editMode "WRITABLE", so all users created through Keycloak will be synced to LDAP server as well including their password. Then the legacy product compatible just with LDAP will authenticate users against this LDAP server.
>
> Marek
>
> On 15/10/15 11:41, Valerij Timofeev wrote:
>
> Hi all,
>
> we are interested to know if it is possible to authenticate users of a pure LDAP client against Keycloak?
>
> Why? We are planning to migrate legacy user storage to Keycloak and we'd like to avoid a dead end if for example some product (e.g. SaaS) does not support user authentication against Keycloak, but does against a standard LDAP server.
>
> If it is impossible, has anybody succeeded to implement the reverted direction of user federation synchronization (all user data from Keycloak should be copied to a fresh LDAP server installation)?
>
> Answers to these questions may be decisive for the Keycloak usage in our organization.
>
> Thank you in advance
>
> Valerij Timofeev
> Software Engineer
> Trusted Shops GmbH

From mposolda at redhat.com Fri Oct 16 09:09:01 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Oct 2015 15:09:01 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
In-Reply-To:
References: <561F831E.9080208@redhat.com>
Message-ID: <5620F6ED.7090204@redhat.com>

On 16/10/15 14:31, Valerij Timofeev wrote:
> I suppose that implementing an LDAP server in Keycloak is not an option for RH because there is already FreeIPA ;-)
> But unfortunately 389-DS does not support the PBKDF2 algorithm and as far as I know there are no plans for that:
> https://fedorahosted.org/freeipa/ticket/4182
> Are there any plans to make hash algorithms in Keycloak pluggable, in order for example to ensure compatibility with FreeIPA and thus ease the migration path?
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes - search for *passwordStorageScheme*

Yes, it is planned to be pluggable. I think the JIRA is already created AFAIK.

> Instead of "exposing the whole LDAP server" would it be feasible for Keycloak to implement SASL for use in LDAP servers instead?

Maybe, but that will address just authentication to LDAP, right? Not full user provisioning from LDAP, which is what Andrew mentioned. Btw. we have the JAAS DirectAccessGrantsLoginModule, which allows a login module triggered anywhere to authenticate against Keycloak with usage of the Direct Grant API. Some docs are here:
http://keycloak.github.io/docs/userguide/html/ch08.html#jaas-adapter

The Elytron project ( https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary ) may already provide a SASL authentication mechanism for auth against JAAS. So it might already be possible to use SASL to authenticate against Keycloak. But I am not really sure. You can try to investigate...

Marek

> Should I better ask these questions on the Keycloak developers list?
>
> Valerij
>
> 2015-10-15 12:42 GMT+02:00 Marek Posolda :
>
>     In that case, I would likely use Keycloak with LDAP federation provider, which will point to some LDAP server in your environment. KC Federation provider needs to be declared with editMode "WRITABLE", so all users created through Keycloak will be synced to LDAP server as well including their password. Then the legacy product compatible just with LDAP will authenticate users against this LDAP server.
>
>     Marek
>
>     On 15/10/15 11:41, Valerij Timofeev wrote:
>> Hi all,
>>
>> we are interested to know if it is possible to authenticate users of a pure LDAP client against Keycloak?
>>
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd like to avoid a dead end if for example some product (e.g. SaaS) does not support user authentication against Keycloak, but does against a standard LDAP server.
>>
>> If it is impossible, has anybody succeeded to implement the reverted direction of user federation synchronization (all user data from Keycloak should be copied to a fresh LDAP server installation)?
>>
>> Answers to these questions may be decisive for the Keycloak usage in our organization.
>>
>> Thank you in advance
>>
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH

From valerij.timofeev at gmail.com Fri Oct 16 09:47:40 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Fri, 16 Oct 2015 15:47:40 +0200
Subject: [keycloak-user] Can Keycloak simulate LDAP server?
In-Reply-To: <5620F6ED.7090204@redhat.com>
References: <561F831E.9080208@redhat.com> <5620F6ED.7090204@redhat.com>
Message-ID:

Thank you, Marek.
I've found the ticket you probably mean: "Pluggable password hashing algorithm"
https://issues.jboss.org/browse/KEYCLOAK-1900

I think that I now have, together with JAAS/SASL, enough options to convince my bosses to adopt Keycloak.

Valerij

2015-10-16 15:09 GMT+02:00 Marek Posolda :
> On 16/10/15 14:31, Valerij Timofeev wrote:
>
> I suppose that implementing an LDAP server in Keycloak is not an option for RH because there is already FreeIPA ;-)
> But unfortunately 389-DS does not support the PBKDF2 algorithm and as far as I know there are no plans for that:
> https://fedorahosted.org/freeipa/ticket/4182
> Are there any plans to make hash algorithms in Keycloak pluggable, in order for example to ensure compatibility with FreeIPA and thus ease the migration path?
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes - search for *passwordStorageScheme*
>
> Yes, it is planned to be pluggable. I think the JIRA is already created AFAIK.
>
> Instead of "exposing the whole LDAP server" would it be feasible for Keycloak to implement SASL for use in LDAP servers instead?
>
> Maybe, but that will address just authentication to LDAP, right? Not full user provisioning from LDAP, which is what Andrew mentioned. Btw. we have the JAAS DirectAccessGrantsLoginModule, which allows a login module triggered anywhere to authenticate against Keycloak with usage of the Direct Grant API. Some docs are here:
> http://keycloak.github.io/docs/userguide/html/ch08.html#jaas-adapter
>
> The Elytron project ( https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary ) may already provide a SASL authentication mechanism for auth against JAAS. So it might already be possible to use SASL to authenticate against Keycloak. But I am not really sure. You can try to investigate...
>
> Marek
>
> Should I better ask these questions on the Keycloak developers list?
>
> Valerij
>
> 2015-10-15 12:42 GMT+02:00 Marek Posolda :
>
>> In that case, I would likely use Keycloak with LDAP federation provider, which will point to some LDAP server in your environment. KC Federation provider needs to be declared with editMode "WRITABLE", so all users created through Keycloak will be synced to LDAP server as well including their password. Then the legacy product compatible just with LDAP will authenticate users against this LDAP server.
>>
>> Marek
>>
>> On 15/10/15 11:41, Valerij Timofeev wrote:
>>
>> Hi all,
>>
>> we are interested to know if it is possible to authenticate users of a pure LDAP client against Keycloak?
>>
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd like to avoid a dead end if for example some product (e.g. SaaS) does not support user authentication against Keycloak, but does against a standard LDAP server.
>>
>> If it is impossible, has anybody succeeded to implement the reverted direction of user federation synchronization (all user data from Keycloak should be copied to a fresh LDAP server installation)?
>>
>> Answers to these questions may be decisive for the Keycloak usage in our organization.
>>
>> Thank you in advance
>>
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH
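The migration concern running through this thread (Keycloak keeps PBKDF2 hashes, the directory the users move to may not support that scheme, and Valerij's idea of syncing each user on a successful login) is easier to reason about with a small model. This is an added example, not Keycloak, ApacheDS or 389-DS code; that Keycloak's "pbkdf2" credential is PBKDF2WithHmacSHA1 over a random 16-byte salt with a 512-bit derived key is an assumption about its provider, and the record format below is constructed for the example.

```python
"""Password-hash portability for a Keycloak-to-LDAP migration (constructed example)."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hash function behind each credential algorithm name used in this example.
HASH_FOR_ALGORITHM = {"pbkdf2": "sha1", "pbkdf2-sha256": "sha256"}
DERIVED_KEY_BYTES = 64  # 512 bits; assumption about Keycloak's pbkdf2 provider
SALT_BYTES = 16         # assumption about Keycloak's pbkdf2 provider


class CompatibilityError(Exception):
    """The target store supports none of the algorithms this model can produce."""


@dataclass(frozen=True)
class StoredCredential:
    algorithm: str   # key of HASH_FOR_ALGORITHM
    iterations: int
    salt: bytes
    key: bytes


def derive(password: str, algorithm: str, iterations: int, salt: bytes) -> bytes:
    """PBKDF2 with the HMAC hash that the algorithm name selects."""
    return hashlib.pbkdf2_hmac(HASH_FOR_ALGORITHM[algorithm],
                               password.encode("utf-8"), salt, iterations,
                               dklen=DERIVED_KEY_BYTES)


def create_credential(password: str, algorithm: str = "pbkdf2",
                      iterations: int = 20000, salt: bytes = None) -> StoredCredential:
    """Hash a password the way the source store does; the salt is random unless given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return StoredCredential(algorithm, iterations, salt,
                            derive(password, algorithm, iterations, salt))


def verify(password: str, cred: StoredCredential) -> bool:
    """Recompute the key with the stored parameters and compare in constant time."""
    candidate = derive(password, cred.algorithm, cred.iterations, cred.salt)
    return hmac.compare_digest(candidate, cred.key)


def export_record(cred: StoredCredential) -> dict:
    """Everything a target store needs to verify the same password without the plaintext.

    Algorithm, iteration count, salt and key must all travel together; a target that
    lacks any one of them, or the algorithm itself, cannot reuse the hash.
    """
    return {"algorithm": cred.algorithm, "iterations": cred.iterations,
            "salt": base64.b64encode(cred.salt).decode("ascii"),
            "key": base64.b64encode(cred.key).decode("ascii")}


def import_record(record: dict) -> StoredCredential:
    return StoredCredential(record["algorithm"], int(record["iterations"]),
                            base64.b64decode(record["salt"]),
                            base64.b64decode(record["key"]))


def migrate_on_login(password: str, cred: StoredCredential,
                     target_algorithms: set) -> StoredCredential:
    """Move one user's credential to the target store during a successful login.

    The hash alone cannot be converted to another scheme; only a verified login
    proves the plaintext. If the target supports the source algorithm the record
    is copied unchanged, otherwise the plaintext is re-hashed under an algorithm
    the target does support, with a fresh salt.
    """
    if not verify(password, cred):
        raise ValueError("login failed; nothing is migrated")
    if cred.algorithm in target_algorithms:
        return cred
    for algorithm in HASH_FOR_ALGORITHM:
        if algorithm in target_algorithms:
            return create_credential(password, algorithm, cred.iterations)
    raise CompatibilityError(
        "target supports only %s" % sorted(target_algorithms))
```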
From valerij.timofeev at gmail.com Fri Oct 16 11:59:16 2015
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Fri, 16 Oct 2015 17:59:16 +0200
Subject: [keycloak-user] Password-free login using email link
Message-ID:

Hi all,

we have a couple of use-cases where login is password-free and is based on an email link with a login key, for example:
* consumer is allowed to review merchant or product without registration
* customer receives confirmation email on review submission
* consumer logs in on a client application without password using a link in the confirmation email, but is not authorized to update review comment
* if consumer logs in using username/email and password (e.g. after registration), "update review comment" functionality becomes available

We have to support such use-cases, if we decide to adopt Keycloak.

I searched through Keycloak JIRA tickets, but found only the similar feature request "Invitation email":
https://issues.jboss.org/browse/KEYCLOAK-439

Should I submit another feature request for our use case?

My vision:
* implement optional email-link authenticator ( http://keycloak.github.io/docs/userguide/html/auth_spi.html#auth_spi_walkthrough )
* client application creates new user via Admin REST API and sets credential type to "email_link" and value to login key. Then it sends an email including the login link
* I suppose that it is difficult or even impossible to transmit query parameters via the OpenID Connect flow, so the link could point to an unprotected page storing username and login key in a cookie
* email-link authenticator checks presence of the email-link cookie and if found tries to authenticate the user using the username and key values provided in the cookie
* if no cookie is set or login fails, user is redirected to the login form

Challenge: how to limit roles bound to the user session if login type "email_link" is used, maybe via a configuration parameter for this authenticator? The rest of the assigned roles should not appear in the user session.

Thank you in advance
Valerij Timofeev
Software Engineer
Trusted Shops GmbH

P.S. "Password-free" logins seem to become a trend: Yahoo Mail gets a redesign, goes "password-free"
http://www.siliconbeat.com/2015/10/15/yahoo/

From bburke at redhat.com Fri Oct 16 12:45:12 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 16 Oct 2015 12:45:12 -0400
Subject: [keycloak-user] Password-free login using email link
In-Reply-To:
References:
Message-ID: <56212998.1010800@redhat.com>

You can implement this with our authentication SPI.

On 10/16/2015 11:59 AM, Valerij Timofeev wrote:
> Hi all,
>
> we have a couple of use-cases where login is password-free and is based on an email link with a login key, for example:
> * consumer is allowed to review merchant or product without registration
> * customer receives confirmation email on review submission
> * consumer logs in on a client application without password using a link in the confirmation email, but is not authorized to update review comment
> * if consumer logs in using username/email and password (e.g. after registration), "update review comment" functionality becomes available
>
> We have to support such use-cases, if we decide to adopt Keycloak.
>
> I searched through Keycloak JIRA tickets, but found only the similar feature request "Invitation email":
> https://issues.jboss.org/browse/KEYCLOAK-439
>
> Should I submit another feature request for our use case?
>
> My vision:
> * implement optional email-link authenticator
> (http://keycloak.github.io/docs/userguide/html/auth_spi.html#auth_spi_walkthrough)
> * client application creates new user via Admin REST API and sets credential type to "email_link" and value to login key. Then it sends an email including the login link
> * I suppose that it is difficult or even impossible to transmit query parameters via the OpenID Connect flow, so the link could point to an unprotected page storing username and login key in a cookie
> * email-link authenticator checks presence of the email-link cookie and if found tries to authenticate the user using the username and key values provided in the cookie
> * if no cookie is set or login fails, user is redirected to the login form
>
> Challenge: how to limit roles bound to the user session if login type "email_link" is used, maybe via a configuration parameter for this authenticator? The rest of the assigned roles should not appear in the user session.
>
> Thank you in advance
> Valerij Timofeev
> Software Engineer
> Trusted Shops GmbH
>
> P.S. "Password-free" logins seem to become a trend: Yahoo Mail gets a redesign, goes "password-free"
> http://www.siliconbeat.com/2015/10/15/yahoo/

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From carmen.checa at masergy.com Fri Oct 16 12:49:04 2015
From: carmen.checa at masergy.com (carmen)
Date: Fri, 16 Oct 2015 11:49:04 -0500
Subject: [keycloak-user] Issue with XPathFactory
References:
Message-ID: <8CADC41B-2140-49D7-9AFE-5796B74C3E5D@masergy.com>

> Hi Bill,
>
> I already had
>
> 11:03:40,517 ERROR [stderr] (default task-2) JAXP: Looking up system property 'javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom'
> 11:03:40,517 ERROR [stderr] (default task-2) JAXP: The value is '__redirected.__XPathFactory'
> 11:03:40,517 ERROR [stderr] (default task-2) JAXP: createInstance(__redirected.__XPathFactory)
> 11:03:40,518 ERROR [stderr] (default task-2) JAXP: loaded __redirected.__XPathFactory from jar:file:/Users/Carmen/software/keycloak-demo-1.5.0.Final/keycloak/jboss-modules.jar!/__redirected/__XPathFactory.class
> 11:03:40,518 ERROR [stderr] (default task-2) JAXP: could not instantiate __redirected.__XPathFactory
> 11:03:40,519 ERROR [stderr] (default task-2) java.lang.ClassCastException: __redirected.__XPathFactory cannot be cast to javax.xml.xpath.XPathFactory
> 11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder.createInstance(XPathFactoryFinder.java:306)
> 11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder._newFactory(XPathFactoryFinder.java:184)
> 11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder.newFactory(XPathFactoryFinder.java:157)
>
> So it looked like there was a class loader issue and the ClassCast was not working.
> I did not know how to fix that, so I went ahead and I changed the property javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom back to the default, to override looking for __redirected.__XPathFactory
> The default implementation is a com.sun... class that lives in rt.jar and when I tried that I was getting a ClassNotFound, so I went ahead, added Xalan to my module and changed the property to use the Xalan class: org.apache.path.jaxp.XPathFactoryImpl
> That worked.
>
> I had that same issue with another class that was also overridden with a __redirected class (DocumentBuilderFactory), and once I set the default value to the default implementation, the implementation cannot be loaded because it is in rt.jar. I went around that by adding crimson to my module.
>
> So it looks like even though there is a dependency defined of java.api, those jars (at least for xml) do not contain implementations, just the interfaces, and the actual providers are in rt.jar and I get an error trying to load them.
>
> I really do not like what I have done. There's got to be a way to be able to use the implementations in rt.jar, right?
>
> Thanks
> Maria

From mstrukel at redhat.com Fri Oct 16 14:28:53 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 16 Oct 2015 20:28:53 +0200
Subject: [keycloak-user] Issue with XPathFactory
In-Reply-To: <8CADC41B-2140-49D7-9AFE-5796B74C3E5D@masergy.com>
References: <8CADC41B-2140-49D7-9AFE-5796B74C3E5D@masergy.com>

This looks like your problem primarily involves Wildfly's modular classloading and how to package MyBatis classes into a module. You said that the federation provider jar is a big fat jar that includes all its dependencies. Herein lies your problem. Your jar apparently contains javax.xml classes, which it shouldn't.
When you define a jboss module for your provider you specify resources and dependencies in your module.xml. You have to pull in javax.xml as Bill has specified:

But you also have to make sure that none of the same classes that you pull in are present in your big fat provider jar. I bet if you do:

jar tf your-provider.jar

you'll see javax.xml classes listed. You have to remove them.

When you pull in the javax.api module dependency you are using the rt.jar implementation - only slightly bytecode-manipulated when it's loaded.

On Fri, Oct 16, 2015 at 6:49 PM, carmen wrote:
> Hi Bill,
>
> I already had
> 11:03:40,517 ERROR [stderr] (default task-2) JAXP: Looking up system property 'javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom'
> 11:03:40,517 ERROR [stderr] (default task-2) JAXP: The value is '__redirected.__XPathFactory'
> 11:03:40,517 ERROR [stderr] (default task-2) JAXP: createInstance(__redirected.__XPathFactory)
> 11:03:40,518 ERROR [stderr] (default task-2) JAXP: loaded __redirected.__XPathFactory from jar:file:/Users/Carmen/software/keycloak-demo-1.5.0.Final/keycloak/jboss-modules.jar!/__redirected/__XPathFactory.class
> 11:03:40,518 ERROR [stderr] (default task-2) JAXP: could not instantiate __redirected.__XPathFactory
> 11:03:40,519 ERROR [stderr] (default task-2) java.lang.ClassCastException: __redirected.__XPathFactory cannot be cast to javax.xml.xpath.XPathFactory
> 11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder.createInstance(XPathFactoryFinder.java:306)
> 11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder._newFactory(XPathFactoryFinder.java:184)
> 11:03:40,519 ERROR [stderr] (default task-2) at javax.xml.xpath.XPathFactoryFinder.newFactory(XPathFactoryFinder.java:157)
>
>
> So it looked like there was a class loader issue and the ClassCast was
> not working.
> I did not know how to fix that, so I went ahead and I changed the property
> javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom back to
> the default, to override looking for __redirected.__XPathFactory
> The default implementation is a com.sun... class that lives in rt.jar and
> when I tried that I was getting a ClassNotFound, so I went ahead, added
> Xalan to my module and changed the property to use the Xalan class:
> org.apache.path.jaxp.XPathFactoryImpl
> That worked.
>
> I had that same issue with another class that was also overridden with a
> __redirected class (DocumentBuilderFactory), and once I set the default
> value to the default implementation, the implementation cannot be loaded
> because it is in rt.jar. I went around that by adding crimson to my module.
>
> So it looks like even though there is a dependency defined of java.api,
> those jars (at least for xml) do not contain implementations, just the
> interfaces, and the actual providers are in rt.jar and I get an error
> trying to load them.
>
> I really do not like what I have done. There's got to be a way to be able
> to use the implementations in rt.jar, right?
>
> Thanks
> Maria

From traviskds at gmail.com Sun Oct 18 19:27:18 2015
From: traviskds at gmail.com (Travis De Silva)
Date: Sun, 18 Oct 2015 23:27:18 +0000
Subject: [keycloak-user] Jackson2 Support for AdminClient

Hi,

Some previous posts discuss the error you get when you use the Admin Client in Jackson2 environments.

The current solution seems to be

1. Revert to Jackson 1 by specifying it in the jboss deployment xml
2. Use the Admin REST API directly.

Option 1 is possible if your application does not depend on any jackson2 feature (which is not the case for me and I suspect many others as well).

So we end up using the Admin REST API directly, which is a shame as the AdminClient looks a more elegant option that we can use out of the box.

There also seems to be a Jira issue present for this: https://issues.jboss.org/browse/KEYCLOAK-815

Any idea if this will get resolved anytime in the near future?

Cheers
Travis

From kflynn at cghtech.com Sun Oct 18 22:53:01 2015
From: kflynn at cghtech.com (Flynn, Kenneth)
Date: Mon, 19 Oct 2015 02:53:01 +0000
Subject: [keycloak-user] Problem with Keycloak WF 9 adapter and Wildfly 10 CR2
Message-ID: <453173DC34C009468C1B6FFEBFB931DA4B388279@MSEXCHANGE.cghtech.com>

Hello all,

It looks like Wildfly 10 changes a method interface in undertow and the keycloak is still linking against the old method.
Going across a redirect, I get this exception:

java.lang.NoSuchMethodError: io.undertow.server.Connectors.ungetRequestBytes(Lio/undertow/server/HttpServerExchange;[Lorg/xnio/Pooled;)V
    org.keycloak.adapters.undertow.SavedRequest.tryRestoreRequest(SavedRequest.java:112)
    org.keycloak.adapters.undertow.ServletSessionTokenStore.restoreRequest(ServletSessionTokenStore.java:119)
    org.keycloak.adapters.undertow.ServletSessionTokenStore.isCached(ServletSessionTokenStore.java:67)
    org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:85)
    org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114)
    org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94)

Looking at this commit:
https://github.com/undertow-io/undertow/commit/b62c3f1efadeb86d94ed6577f59a8705e0ba8cb5#diff-5f4196395618b4f5f665d36a4f3773cd
the parameters changed type (from Pooled to PooledByteBuffer).

This is called from here:
https://github.com/keycloak/keycloak/blob/master/integration/undertow/src/main/java/org/keycloak/adapters/undertow/SavedRequest.java

I'm guessing the call on 112 needs to make the new object type?

Should I file a bug in the JIRA?

Thanks,
Kenn
From sthorger at redhat.com Mon Oct 19 03:02:15 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Oct 2015 09:02:15 +0200
Subject: [keycloak-user] Jackson2 Support for AdminClient

We can try to include it in 1.7

On 19 October 2015 at 01:27, Travis De Silva wrote:
> Hi,
>
> Some previous posts discuss the error you get when you use the Admin
> Client in Jackson2 environments.
>
> The current solution seems to be
>
> 1. Revert to Jackson 1 by specifying it in the jboss deployment xml
>
> 2. Use the Admin REST API directly.
>
> Option 1 is possible if your application does not depend on any jackson2
> feature (which is not the case for me and I suspect many others as well)
>
> So we end up using the Admin REST API directly which is a shame as the
> AdminClient looks a more elegant option that we can use out of the box.
>
> There also seems to be a Jira issue present for this
> https://issues.jboss.org/browse/KEYCLOAK-815
>
> Any idea if this will get resolved anytime in the near future.
>
> Cheers
> Travis

From traviskds at gmail.com Mon Oct 19 03:30:18 2015
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 19 Oct 2015 07:30:18 +0000
Subject: [keycloak-user] Jackson2 Support for AdminClient

Great. Hope it gets into 1.7

On Mon, 19 Oct 2015 at 18:02 Stian Thorgersen wrote:
> We can try to include it in 1.7
>
> On 19 October 2015 at 01:27, Travis De Silva wrote:
>
>> Hi,
>>
>> Some previous posts discuss the error you get when you use the
>> Admin Client in Jackson2 environments.
>>
>> The current solution seems to be
>>
>> 1. Revert to Jackson 1 by specifying it in the jboss deployment xml
>>
>> 2. Use the Admin REST API directly.
>>
>> Option 1 is possible if your application does not depend on any jackson2
>> feature (which is not the case for me and I suspect many others as well)
>>
>> So we end up using the Admin REST API directly which is a shame as the
>> AdminClient looks a more elegant option that we can use out of the box.
>>
>> There also seems to be a Jira issue present for this
>> https://issues.jboss.org/browse/KEYCLOAK-815
>>
>> Any idea if this will get resolved anytime in the near future.
>>
>> Cheers
>> Travis

From mstrukel at redhat.com Mon Oct 19 04:38:28 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 19 Oct 2015 10:38:28 +0200
Subject: [keycloak-user] Problem with Keycloak WF 9 adapter and Wildfly 10 CR2
In-Reply-To: <453173DC34C009468C1B6FFEBFB931DA4B388279@MSEXCHANGE.cghtech.com>
References: <453173DC34C009468C1B6FFEBFB931DA4B388279@MSEXCHANGE.cghtech.com>

I've been trying with Wildfly 10.0.0.CR2 recently, and didn't come across this problem you describe. Please file a JIRA, and describe how to reproduce the issue.
On Mon, Oct 19, 2015 at 4:53 AM, Flynn, Kenneth wrote:
> Hello all,
>
> It looks like Wildfly 10 changes a method interface in undertow and the
> keycloak is still linking against the old method. Going across a redirect,
> I get this exception:
>
> java.lang.NoSuchMethodError:
> io.undertow.server.Connectors.ungetRequestBytes(Lio/undertow/server/HttpServerExchange;[Lorg/xnio/Pooled;)V
> org.keycloak.adapters.undertow.SavedRequest.tryRestoreRequest(SavedRequest.java:112)
> org.keycloak.adapters.undertow.ServletSessionTokenStore.restoreRequest(ServletSessionTokenStore.java:119)
> org.keycloak.adapters.undertow.ServletSessionTokenStore.isCached(ServletSessionTokenStore.java:67)
> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:85)
> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114)
> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94)
>
> Looking at this commit:
>
> https://github.com/undertow-io/undertow/commit/b62c3f1efadeb86d94ed6577f59a8705e0ba8cb5#diff-5f4196395618b4f5f665d36a4f3773cd
>
> the parameters changed type (from Pooled to PooledByteBuffer).
>
> This is called from here:
>
> https://github.com/keycloak/keycloak/blob/master/integration/undertow/src/main/java/org/keycloak/adapters/undertow/SavedRequest.java
>
> I'm guessing the call on 112 needs to make the new object type?
>
> Should I file a bug in the JIRA?
>
> Thanks,
> Kenn
From revanth at arvindinternet.com Tue Oct 20 06:15:52 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 20 Oct 2015 15:45:52 +0530
Subject: [keycloak-user] Rest api for login

Hi,

I am using Keycloak 1.5.0 to secure my application. I want to perform login using a rest api. I was able to see that there are two parameters that are sent in the call and wanted to know how I will be able to achieve this functionality using a rest api.

Thanks.

From sthorger at redhat.com Tue Oct 20 07:41:11 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Oct 2015 13:41:11 +0200
Subject: [keycloak-user] Rest api for login

Keycloak comes with two protocols, OpenID Connect and SAML 2. If you want a rest based api you want to use OpenID Connect. What application are you securing? Why not just use one of our adapters?

On 20 October 2015 at 12:15, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
> Hi,
>
> I am using Keycloak 1.5.0 to secure my application. I want to perform login
> using a rest api. I was able to see that there are two parameters that are
> sent in the call and wanted to know how I will be able to achieve this
> functionality using a rest api.
>
> Thanks.

From revanth at arvindinternet.com Tue Oct 20 09:12:06 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 20 Oct 2015 18:42:06 +0530
Subject: [keycloak-user] Rest api for login

Hi,

I want to secure a UI application which is a confidential application that will talk to 1 or more backend (bearer) applications and fetch data from these applications and display that information, and the product team doesn't want to use the Keycloak Login UI. So now I want to provide login from that page using the rest API. I also want to maintain a session for the UI application and then use the direct grant api to get a token and fetch data from the other applications. Also, what do you mean by your adapters?

On Tue, Oct 20, 2015 at 5:11 PM, Stian Thorgersen wrote:
> Keycloak comes with two protocols OpenID Connect and SAML 2. If you want a
> rest based api you want to use OpenID Connect. What application are you
> securing? Why not just use one of our adapters?
>
> On 20 October 2015 at 12:15, Revanth Ayalasomayajula <
> revanth at arvindinternet.com> wrote:
>
>> Hi,
>>
>> I am using Keycloak 1.5.0 to secure my application. I want to perform
>> login using a rest api. I was able to see that there are two parameters that
>> are sent in the call and wanted to know how I will be able to achieve this
>> functionality using a rest api.
>>
>> Thanks.
From bburke at redhat.com Tue Oct 20 09:17:17 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 20 Oct 2015 09:17:17 -0400
Subject: [keycloak-user] Rest api for login
Message-ID: <56263EDD.2090804@redhat.com>

Our UI is completely templatable so you can add your own styles and structures to any page (including the admin console). You lose a lot of functionality not using our UI. The most important one being SSO. You also lose forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, etc... Our client adapters have seamless integration with servlet security.

On 10/20/2015 9:12 AM, Revanth Ayalasomayajula wrote:
> Hi,
>
> I want to secure a UI application which is a confidential application
> that will talk to 1 or more backend(bearer) applications and fetch data
> from these applications and display that information and the product
> team doesn't want to use the Keycloak Login UI. So now I want to provide
> login from that page using rest API. I also want to maintain a session
> for the UI application and then use direct grant api to get token and
> fetch data from the other applications. Also, what do you mean by your
> adapters?
>
> On Tue, Oct 20, 2015 at 5:11 PM, Stian Thorgersen wrote:
>
> Keycloak comes with two protocols OpenID Connect and SAML 2. If you
> want a rest based api you want to use OpenID Connect. What
> application are you securing? Why not just use one of our adapters?
>
> On 20 October 2015 at 12:15, Revanth Ayalasomayajula wrote:
>
> Hi,
>
> I am using Keycloak 1.5.0 to secure my application. I want to
> perform login using a rest api. I was able to see that there are
> two parameters that are sent in the call and wanted to know how
> I will be able to achieve this functionality using a rest api.
>
> Thanks.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Tue Oct 20 09:32:24 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Oct 2015 15:32:24 +0200
Subject: [keycloak-user] Unable to Add Role Mappings Via REST API in 1.5.1
In-Reply-To: <1444998614.3644.5.camel@localhost.localdomain>
References: <1444998614.3644.5.camel@localhost.localdomain>
Message-ID: <56264268.4090201@redhat.com>

I suggest taking a look at the latest Rest API docs http://keycloak.github.io/docs/rest-api/overview-index.html . It might also help to add role mappings in the admin console and see which REST request the admin console invoked and what the format is now (use a tool like Firebug in FF or similar).

Maybe in 1.2.1 we didn't reference users in the REST endpoint by id, but by username. So that might be the change, I can't recall TBH.

Marek

On 16/10/15 14:30, Edem Morny wrote:
> Hi,
>
> I'm having issues migrating my application from keycloak 1.2.1.Final
> to 1.5.1.Final.
>
> I already had working code that enables us to create users and assign
> role mappings to those users via the REST api. However, while testing
> the application for migrating to 1.5.1, I get a 404 when application
> attempts to add rolemappings to users via the REST api. The REST
> invocation to create the user actually works, it's the subsequent
> invocation to add role-mappings that fails with the 404.
>
> Do you have any idea what has changed?
From mposolda at redhat.com Tue Oct 20 10:24:21 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Oct 2015 16:24:21 +0200
Subject: [keycloak-user] Cluster configuration does not work
Message-ID: <56264E95.7040803@redhat.com>

On 14/10/15 20:27, Rafael Coutinho wrote:
> Hi,
>
> I have an environment with an AngularJS app client, which
> authenticates the user and keeps its data, and a server app that receives
> some requests for Webservices resources.
> For some webservices I need, on the server side, to translate the
> token into the user information. For that I use the url:
>
> auth/realms/MYREAL/protocol/openid-connect/userinfo
>
> with the Authorization token.
>
> The problem is that the server is behind a load balancer and accesses
> keycloak thru port 8080. While AngularJS accesses the same server thru
> port 80.
>
> Keycloak complains that the Token was issued from a different url than
> I'm querying on the server side. Forcing me to use the same hostname
> and port on the server and on the client.
>
> Is that correct? How will I deploy on a distributed environment?

We don't handle this scenario ideally. Feel free to create a JIRA for it.

Currently the "iss" (issuer) field on the accessToken is filled from the URL of the request to the auth-server, which in your case is something like yourHost:80 . Then the UserInfo endpoint always compares this value with the uriInfo from the current request, so it doesn't work when requests to the auth-server are sent via yourHost:8080 .

IMO it will be nice if the accessToken can have more values for the "iss" field. Then we can have a protocolMapper, which will be able to add any configured values to the "iss" field in the accessToken in addition to the "iss" from the current request. The adapter/endpoint will reject only if the uriInfo doesn't match any of the "iss" values.

As of now, I suggest invoking the UserInfo endpoint directly from your AngularJS instead of from your webservice. The user info then needs to be sent to the webservices.

Marek

>
> ps. I'm using my own HTTP client to make that request to userinfo.
> ps2. I have added "auth-server-url-for-backend-requests" however I
> don't see any difference.
>
> Rafael Coutinho
> Software Engineer
> Professional profile: www.linkedin.com/in/rafaelcoutinho

From sthorger at redhat.com Tue Oct 20 10:53:39 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Oct 2015 16:53:39 +0200
Subject: [keycloak-user] Keycloak 1.6.0.Final Released

We're pleased to announce the release of Keycloak 1.6.0.Final.

- *SAML SP* - in the past we only had client libraries for OpenID Connect, now we also have client libraries for SAML
- *Offline Tokens* - if your applications need long term access outside of the user's session you should take a look at the new offline tokens support we've added
- *Client Registration* - we introduced a new rest api that can be used to automate the registration of clients, this includes a java client library.
This feature will be further polished in a future release, including documentation and examples
- *Import Clients in Admin Console* - it's now possible to import clients through the admin console using the Keycloak JSON client representation or OpenID Connect descriptions
- *Added Root URL to Clients* - we've added a root url to clients. For clients that have a root url defined you can use relative urls for redirect uris and other urls
- *Internationalization support in Admin Console* - we've added support for internationalization of the Admin Console. Around half the pages now support translation and the rest will be added in the next release

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

From jayblanc at gmail.com Tue Oct 20 11:33:19 2015
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Tue, 20 Oct 2015 15:33:19 +0000
Subject: [keycloak-user] Integration in a federation of identity providers like Shibboleth

Hi all,

I'm trying to integrate keycloak in a federation of identities (Shibboleth) using the SAMLv2 Identity Provider. The problem is that the federation counts something like 100 Identity Providers and I'm afraid of the L&F of the GUI as for now, adding 3 of them is creating a button for each. Is there a limit or something that creates a drop down menu? (like this list https://discovery.renater.fr/renater)

The goal for me is to create a kind of parser for this idps list: http://federation.renater.fr/renater/idps-renater-metadata.xml in order to parse this list and keep my IDPs in keycloak up to date.

Another question is: does each client in keycloak have to be declared as a Service Provider, or only the keycloak server?

If you have any feedback for Shibboleth federation integration using keycloak I'll be very glad to share them.

Thanks a lot,
Best Regards,
Jérôme.

From mstrukel at redhat.com Tue Oct 20 11:38:00 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 20 Oct 2015 17:38:00 +0200
Subject: [keycloak-user] Unable to Add Role Mappings Via REST API in 1.5.1
In-Reply-To: <56264268.4090201@redhat.com>
References: <1444998614.3644.5.camel@localhost.localdomain> <56264268.4090201@redhat.com>

The proper link to REST API docs is:
http://keycloak.github.io/docs/rest-api/index.html

On Tue, Oct 20, 2015 at 3:32 PM, Marek Posolda wrote:
> I suggest to take a look at latest Rest API docs
> http://keycloak.github.io/docs/rest-api/overview-index.html . It might
> also help to add role mappings in admin console and see which REST request
> admin console invoked and what the format is now (use tool like Firebug in
> FF or similar).
>
> Maybe in 1.2.1 we didn't reference users in REST endpoint by id, but by
> username. So that might be the change, I can't recall TBH.
>
> Marek
>
>
> On 16/10/15 14:30, Edem Morny wrote:
>
> Hi,
>
> I'm having issues migrating my application from keycloak 1.2.1.Final to
> 1.5.1.Final.
>
> I already had working code that enables us to create users and assign role
> mappings to those users via the REST api. However, while testing the
> application for migrating to 1.5.1, I get a 404 when application attempts
> to add rolemappings to users via the REST api. The REST invocation to
> create the user actually works, it's the subsequent invocation to add
> role-mappings that fails with the 404.
>
> Do you have any idea what has changed?
From mposolda at redhat.com Tue Oct 20 11:42:36 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Oct 2015 17:42:36 +0200
Subject: [keycloak-user] Unable to Add Role Mappings Via REST API in 1.5.1
References: <1444998614.3644.5.camel@localhost.localdomain> <56264268.4090201@redhat.com>
Message-ID: <562660EC.3070605@redhat.com>

Thanks for correcting, Marko. So it looks like we need to update the link on the Keycloak page itself too: http://keycloak.jboss.org/docs . Clicking on either of the "Admin REST API" and "Javadocs" links leads to a 404 now.

Marek

On 20/10/15 17:38, Marko Strukelj wrote:
> The proper link to REST API docs is:
> http://keycloak.github.io/docs/rest-api/index.html
>
>
> On Tue, Oct 20, 2015 at 3:32 PM, Marek Posolda wrote:
>
> I suggest to take a look at latest Rest API docs
> http://keycloak.github.io/docs/rest-api/overview-index.html . It
> might also help to add role mappings in admin console and see
> which REST request admin console invoked and what the format is
> now (use tool like Firebug in FF or similar).
>
> Maybe in 1.2.1 we didn't reference users in REST endpoint by id,
> but by username. So that might be the change, I can't recall TBH.
>
> Marek
>
>
> On 16/10/15 14:30, Edem Morny wrote:
>> Hi,
>>
>> I'm having issues migrating my application from keycloak
>> 1.2.1.Final to 1.5.1.Final.
>>
>> I already had working code that enables us to create users and
>> assign role mappings to those users via the REST api. However,
>> while testing the application for migrating to 1.5.1, I get a
>> 404 when application attempts to add rolemappings to users via
>> the REST api. The REST invocation to create the user actually
>> works, it's the subsequent invocation to add role-mappings that
>> fails with the 404.
>>
>> Do you have any idea what has changed?

From thomas.raehalme at aitiofinland.com Tue Oct 20 12:32:09 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 20 Oct 2015 19:32:09 +0300
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

Thank you for the release! The new features sound really useful.

One question regarding client registration: Can you see any problems if the number of clients grows, for example to thousands or tens of thousands?

Best regards,
Thomas

On Oct 20, 2015 17:53, "Stian Thorgersen" wrote:
> We're pleased to announce the release of Keycloak 1.6.0.Final.
>
> - *SAML SP* - in the past we only had client libraries for OpenID Connect, now we also have client libraries for SAML
> - *Offline Tokens* - if your applications need long term access outside of the user's session you should take a look at the new offline tokens support we've added
> - *Client Registration* - we introduced a new REST API that can be used to automate the registration of clients; this includes a Java client library. This feature will be further polished in a future release, including documentation and examples
> - *Import Clients in Admin Console* - it's now possible to import clients through the admin console using the Keycloak JSON client representation or OpenID Connect descriptions
> - *Added Root URL to Clients* - we've added a root URL to clients. For clients that have a root URL defined you can use relative URLs for redirect URIs and other URLs
> - *Internationalization support in Admin Console* - we've added support for internationalization of the Admin Console. Around half the pages now support translation and the rest will be added in the next release
>
> For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

From juraci at kroehling.de Tue Oct 20 12:39:32 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Tue, 20 Oct 2015 18:39:32 +0200
Subject: [keycloak-user] Keycloak 1.6.0.Final Released
Message-ID: <56266E44.7030408@kroehling.de>

Awesome news! Congrats to the team!

- Juca.
On 10/20/2015 04:53 PM, Stian Thorgersen wrote:
> We're pleased to announce the release of Keycloak 1.6.0.Final.
> [...]

From sthorger at redhat.com Tue Oct 20 13:20:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Oct 2015 19:20:13 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

Thousands should be no problem at all. Tens of thousands should be ok, but we'd have to test that. I guess you're building a public API or something since you're expecting that many clients?
On 20 October 2015 at 18:32, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
> Thank you for the release! The new features sound really useful.
>
> One question regarding client registration: Can you see any problems if the number of clients grows, for example to thousands or tens of thousands?
> [...]
From bburke at redhat.com Tue Oct 20 13:21:33 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 20 Oct 2015 13:21:33 -0400
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released
Message-ID: <5626781D.7090902@redhat.com>

Should be fine. Keycloak caches everything and evicts as needed (Infinispan caching). If you have a good server with lots of memory, you can probably cache pretty much everything. We haven't really benched or stressed in a while, but have it on the schedule when we go into product.

On 10/20/2015 12:32 PM, Thomas Raehalme wrote:
> Thank you for the release! The new features sound really useful.
>
> One question regarding client registration: Can you see any problems if the number of clients grows, for example to thousands or tens of thousands?
> [...]

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From revanth at arvindinternet.com Wed Oct 21 01:58:54 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Wed, 21 Oct 2015 11:28:54 +0530
Subject: [keycloak-user] Rest api for login
In-Reply-To: <56263EDD.2090804@redhat.com>
References: <56263EDD.2090804@redhat.com>

Hi,

So I am securing a single page application and want the login page in an iframe or bootstrap modal element and not as a separate page. So is this possible? If it is, could you please let me know how, as it would help me out a lot.

Thanks.

On Tue, Oct 20, 2015 at 6:47 PM, Bill Burke wrote:
> Our UI is completely templatable so you can add your own styles and structures to any page (including the admin console).
>
> You lose a lot of functionality not using our UI. The most important one being SSO. You also lose forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, etc...
>
> Our client adapters have seamless integration with servlet security.
>
> On 10/20/2015 9:12 AM, Revanth Ayalasomayajula wrote:
>> Hi,
>>
>> I want to secure a UI application which is a confidential application that will talk to 1 or more backend (bearer) applications and fetch data from these applications and display that information, and the product team doesn't want to use the Keycloak Login UI. So now I want to provide login from that page using the REST API. I also want to maintain a session for the UI application and then use the direct grant API to get a token and fetch data from the other applications. Also, what do you mean by your adapters?
>>
>> On Tue, Oct 20, 2015 at 5:11 PM, Stian Thorgersen wrote:
>>> Keycloak comes with two protocols, OpenID Connect and SAML 2. If you want a REST based API you want to use OpenID Connect. What application are you securing? Why not just use one of our adapters?
>>>
>>> On 20 October 2015 at 12:15, Revanth Ayalasomayajula wrote:
>>>> Hi,
>>>>
>>>> I am using Keycloak 1.5.0 to secure my application. I want to perform login using a REST API. I was able to see that there are two parameters that are sent in the call and wanted to know how I will be able to achieve this functionality using a REST API.
>>>>
>>>> Thanks.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From sthorger at redhat.com Wed Oct 21 02:34:57 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Oct 2015 08:34:57 +0200
Subject: [keycloak-user] Integration in a federation of identity provider like shibboleth

There's no limit with the buttons, although it would become unusable. You can change this by creating your own theme though and use a drop down or whatever you'd like.

Another idea is something we've discussed before, which is to register certain email domains with a specific IdP. For example @corp.com is automatically redirected to idp.corp.com. With the new authenticator SPI you could create this flow yourself and remove the password field from the initial screen.

You may end up wanting to implement an authenticator for this in either case so you can add a cookie to remember the last used IdP.

When you use identity brokering in Keycloak, Keycloak becomes the "Service Provider" in the external IdP, not the individual clients. So only the Keycloak server has to be registered with the external IdP.
On 20 October 2015 at 17:33, Jérôme Blanchard wrote:
> Hi all,
>
> I'm trying to integrate keycloak in a federation of identities (shibboleth) using the SAMLv2 Identity Provider. The problem is that the federation counts something like 100 Identity Providers and I'm afraid of the L&F of the GUI as for now, adding 3 of them creates a button for each. Is there a limit or something that creates a drop down menu? (like this list https://discovery.renater.fr/renater)
>
> The goal for me is to create a kind of parser for this idps list: http://federation.renater.fr/renater/idps-renater-metadata.xml in order to parse this list and maintain my IdPs in keycloak up to date.
>
> Another question is: does each client in keycloak have to be declared as a Service Provider or only the keycloak server?
>
> If you have any feedback for shibboleth federation integration using keycloak I'll be very glad to share them.
>
> Thanks a lot, Best Regards, Jérôme.

From jayblanc at gmail.com Wed Oct 21 03:06:42 2015
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Wed, 21 Oct 2015 07:06:42 +0000
Subject: [keycloak-user] Integration in a federation of identity provider like shibboleth

Hi Stian,

Thanks a lot for your precisions, which will help me a lot. I have already developed a theme in an earlier version and I had completely forgotten that it would do the trick, great idea.
I will also investigate the idea of implementing an authenticator in order to add a cookie remembering the last used IdP because I also need the classic login for some users.
Best Regards, Jérôme.

On Wed, 21 Oct 2015 at 08:34, Stian Thorgersen wrote:
> There's no limit with the buttons, although it would become unusable. You can change this by creating your own theme though and use a drop down or whatever you'd like.
> [...]
From sthorger at redhat.com Wed Oct 21 03:13:46 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Oct 2015 09:13:46 +0200
Subject: [keycloak-user] Integration in a federation of identity provider like shibboleth

One flow that I've considered would be:

1. Ask for email only
2. Look up the user; if the user is found and has a link to an IdP, redirect directly to the IdP
3. Go through the list of IdPs - each IdP would have an email domain associated with it. If one matches the provided email, redirect to that IdP
4. If neither 2 nor 3 matches, then display the password prompt. As we know the user now, we can also ask for OTP on the same page if the user has OTP enabled

Is that a flow that would work for you?

On 21 October 2015 at 09:06, Jérôme Blanchard wrote:
> Hi Stian,
>
> Thanks a lot for your precisions, which will help me a lot. I have already developed a theme in an earlier version and I had completely forgotten that it would do the trick, great idea.
> I will also investigate the idea of implementing an authenticator in order to add a cookie remembering the last used IdP because I also need the classic login for some users.
> [...]
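The four-step email-first flow above, together with the remembered-IdP cookie from the earlier message, as an added example that is not code from the thread or from Keycloak: a framework-independent model of the decision such an authenticator would make. The `User`/`Decision` types, the `LAST_IDP` cookie name, the sample accounts and the IdP aliases are all constructed for the example; a real implementation would live inside a Keycloak authenticator SPI.

```python
"""Email-first IdP discovery, modelled after the flow discussed in the thread.

Added example, not Keycloak code. Users, IdP aliases and domains are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class User:
    email: str
    linked_idp: Optional[str] = None   # broker alias the account is linked to
    otp_enabled: bool = False


@dataclass(frozen=True)
class Decision:
    action: str                  # "redirect", "password" or "ask_email"
    idp: Optional[str] = None    # target IdP alias for "redirect"
    ask_otp: bool = False        # show the OTP field next to the password


class DiscoveryFlow:
    """Decides where to send a login attempt, given the email entered first."""

    COOKIE = "LAST_IDP"  # hypothetical cookie name

    def __init__(self, users: Iterable[User], idp_domains: Dict[str, str]):
        users = list(users)
        self._users = {u.email.lower(): u for u in users}
        # email domain -> IdP alias (the step 3 lookup table)
        self._idp_domains = {d.lower(): alias for d, alias in idp_domains.items()}
        # every alias the realm actually knows; anything else is never redirected to
        self._known_idps = set(self._idp_domains.values()) | {
            u.linked_idp for u in users if u.linked_idp
        }

    def decide(self, email: Optional[str],
               cookies: Optional[Dict[str, str]] = None) -> Decision:
        cookies = cookies or {}
        # Step 0 (from the earlier message): a remembered IdP skips the email prompt.
        # The cookie is client-controlled, so it is honoured only if it names a
        # configured alias; a forged value must never become a redirect target.
        remembered = cookies.get(self.COOKIE)
        if remembered in self._known_idps:
            return Decision("redirect", remembered)

        if not email:
            return Decision("ask_email")            # step 1
        email = email.strip().lower()

        user = self._users.get(email)
        if user is not None and user.linked_idp:     # step 2
            return Decision("redirect", user.linked_idp)

        domain = email.rpartition("@")[2] if "@" in email else ""
        alias = self._idp_domains.get(domain)
        if alias:                                    # step 3
            return Decision("redirect", alias)

        # Step 4: local password. The OTP field is shown only for a known user with
        # OTP, as the flow proposes; note that this reveals the account exists.
        return Decision("password", ask_otp=bool(user and user.otp_enabled))

    def remember(self, decision: Decision) -> Dict[str, str]:
        """Cookie to set after a redirect so the next visit skips the email prompt."""
        if decision.action == "redirect" and decision.idp in self._known_idps:
            return {self.COOKIE: decision.idp}
        return {}


def build_example_flow() -> DiscoveryFlow:
    """Constructed sample data: two federated domains and a few accounts."""
    users = [
        User("alice@corp.com", linked_idp="idp-corp"),   # linked account (step 2)
        User("bob@example.org", otp_enabled=True),       # internal user with OTP
        User("carol@univ.example.edu"),                  # unlinked, federated domain
    ]
    domains = {"corp.com": "idp-corp", "univ.example.edu": "idp-univ"}
    return DiscoveryFlow(users, domains)


if __name__ == "__main__":
    flow = build_example_flow()
    for email in ["alice@corp.com", "dave@corp.com", "carol@univ.example.edu",
                  "bob@example.org", "nobody@nowhere.test"]:
        print(email, "->", flow.decide(email))
    print("cookie ->", flow.decide(None, {"LAST_IDP": "idp-univ"}))
    print("forged cookie ->", flow.decide(None, {"LAST_IDP": "https://evil.example"}))
```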
From jayblanc at gmail.com Wed Oct 21 03:21:06 2015
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Wed, 21 Oct 2015 07:21:06 +0000
Subject: [keycloak-user] Integration in a federation of identity provider like shibboleth

Actually, my internal keycloak users use only a login for authentication, but I suppose it is possible to ask for the internal keycloak email first.
I think in my use case, a simple choice list for using a federation and the login/password on the left is great. Storing the latest used IdP in a cookie will increase the user experience for federated users.
Your flow is great also, but in my case I don't know the proportion of internal users and federated users... so I think keeping a visible login/password box is not a big deal for now.
This system will be in production at the end of the year so we'll have feedback at that time. We also have some existing users that will be migrated as internal keycloak users.

On Wed, 21 Oct 2015 at 09:13, Stian Thorgersen wrote:
> One flow that I've considered would be:
> [...]
>
> Is that a flow that would work for you?
> [...]

From chenkeong.yap at izeno.com Wed Oct 21 05:36:24 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 21 Oct 2015 17:36:24 +0800
Subject: [keycloak-user] Keycloak 1.1.0 Beta2

Hi Stian,

Please advise if Keycloak failover is working in a 2 node cluster in JBoss?

From sthorger at redhat.com Wed Oct 21 05:58:59 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Oct 2015 11:58:59 +0200
Subject: [keycloak-user] Keycloak 1.1.0 Beta2

If you're still using 1.1.0.Beta2 I strongly suggest you upgrade.

Yes, we do support failover when configured in a cluster. Please refer to http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html

On 21 October 2015 at 11:36, Chen Keong Yap wrote:
> Hi Stian,
>
> Please advise if Keycloak failover is working in a 2 node cluster in JBoss?
From tdudgeon.ml at gmail.com Wed Oct 21 07:04:15 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 21 Oct 2015 12:04:15 +0100
Subject: [keycloak-user] Accessing authenticated user's details
Message-ID: <5627712F.4040200@gmail.com>

In the case of a web application (e.g. a Tomcat app secured by the keycloak adapter) the web app might need to access details of the authenticated user (e.g. full name or email). I've found that this information is available from the session like this:

    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.IDToken;

    // The adapter stores the security context as a request attribute keyed by the class name
    KeycloakSecurityContext session =
        (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    // The ID token can be null (e.g. bearer-only requests), so check it before use
    IDToken idToken = session.getIdToken();
    String email = idToken.getEmail();

One issue with this is that all your web apps are tied to keycloak. Is this the right way to handle this? Are there alternatives?

Tim

From b.hansmann at alphaapps.de Wed Oct 21 08:21:02 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Wed, 21 Oct 2015 14:21:02 +0200
Subject: [keycloak-user] Brute force protector and service accounts/Login actions URI
Message-ID: <1445430062.3555.23.camel@alphaapps.de>

Hi,

great to see rapid progress on keycloak and regular releases with new features added. I am on Keycloak 1.4.0 and have two questions regarding 2 recently added features:

- The service accounts introduced in 1.5.0 and the possibility to authenticate them with certificates in 1.6.0 is a great feature. I am asking myself if these will be excluded from the brute force protection mechanism. I would like to use a service account in my app when a user is not logged in (which is now just a regular account).
If this account will be subject to getting locked out after a few consecutive failed login attempts, all users will not be able to use the features which do not require an active user session but rely on the service account. So someone could deliberately lock the service account.

- I was having trouble with keycloak-services (Urls.java:loginActionsBase): I have a REST web service which also acts as a keycloak facade for registration, reset password, resend verification email etc... From within my web service I use the keycloak admin-client to e.g. trigger a reset-password email or registration. The problem was that emails sent by keycloak then contained links referring to localhost:8080 because my web service contacts keycloak locally on the server. I worked around this issue by patching the loginActionsBase method in Urls.java to replace hostname, scheme and port of the returned URI. This seemed ugly to me and I am asking if the feature "Added root URL to clients" in the just released 1.6.0 version makes this workaround obsolete?

Best regards,
Benjamin

From thomas.raehalme at aitiofinland.com Wed Oct 21 08:38:33 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Wed, 21 Oct 2015 15:38:33 +0300
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

On Tue, Oct 20, 2015 at 8:20 PM, Stian Thorgersen wrote:
> Thousands should be no problem at all. Tens of thousands should be ok, but we'd have to test that. I guess you're building a public API or something since you're expecting that many clients?

I have been thinking of various ways to utilize Keycloak in a SaaS application. A separate realm per tenant is probably the most natural option, but how about using a single realm with individual clients for each tenant, would that make any sense? I think it would have its advantages (eg.
the SaaS service provider could use a single account to access any tenant, and tenants could register themselves as clients when being deployed?).

Best regards,
Thomas

From sthorger at redhat.com Wed Oct 21 08:46:33 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Oct 2015 14:46:33 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

I think the first question to ask is do you want to share users and config between tenants? If you do you should have a single realm, if not you should have separate realms.

On 21 October 2015 at 14:38, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
> I have been thinking of various ways to utilize Keycloak in a SaaS application. A separate realm per tenant is probably the most natural option, but how about using a single realm with individual clients for each tenant, would that make any sense?
> [...]
From thomas.raehalme at aitiofinland.com Wed Oct 21 09:04:11 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Wed, 21 Oct 2015 16:04:11 +0300
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

On Wed, Oct 21, 2015 at 3:46 PM, Stian Thorgersen wrote:
> I think the first question to ask is do you want to share users and config between tenants? If you do you should have a single realm, if not you should have separate realms.

Sharing users and config between tenants sure could be useful, but I'm wondering how to enable tenants to manage access to their instance. I wonder if the new group management would provide support for this?

Best regards,
Thomas

From sthorger at redhat.com Wed Oct 21 09:37:24 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Oct 2015 15:37:24 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

We're not providing more fine grained access control in the admin console yet. First we need to introduce groups and role namespaces, then we'll re-work the permissions to the admin console later.

On 21 October 2015 at 15:04, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
> Sharing users and config between tenants sure could be useful, but I'm wondering how to enable tenants to manage access to their instance.
I > wonder if the new group management would provide support for this? > > Best regards, > Thomas >

From bburke at redhat.com Wed Oct 21 09:40:24 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 21 Oct 2015 09:40:24 -0400 Subject: [keycloak-user] Integration in a federation of identity provider like Shibboleth In-Reply-To: References: Message-ID: <562795C8.1090603@redhat.com> Another option is to model the google account chooser page. Have an "add account" button which allows you to choose the IDP to use which is remembered via a cookie. On 10/21/2015 3:21 AM, Jérôme Blanchard wrote: > Actually, my internal keycloak users use only a login for authentication > but I suppose it is possible to ask for the internal keycloak email first. > I think in my use case, a simple choice list for using a federation and > the login/password on the left is great. Storing the latest used IdP in > a cookie will increase the user experience for federated users. > Your flow is great also but in my case I don't know the proportion of > internal users and federated users... so I think keeping a visible > login/password box is not a big deal for now. > This system will be in production end of year so we'll have feedback at > this time. We also have some existing users that will be migrated as > internal user keycloak. > > On Wed, 21 Oct 2015 at 09:13, Stian Thorgersen > wrote: > > One flow that I've considered would be: > > 1. Ask for email only > 2. Lookup user, if user is found and has link to IdP redirect > directly to IdP > 3. Go through list of IdPs - each IdP would have a email domain > associated with it. If one matches the provided email redirect to IdP > 4. If neither 2 or 3 matches then display ask for password. As we > know the user now we can also ask for OTP on the same page if user > has OTP enabled > > Is that a flow that would work for you? > > On 21 October 2015 at 09:06, Jérôme Blanchard > wrote: > > Hi Stian, > > Thanks a lot for your precisions which will help me a lot. I > have already developed a theme in an earlier version and I had > completely forgotten that it would do the trick, great idea. > I will also investigate the idea of implementing an > authenticator in order to add a cookie remembering the last used > IdP because I also need the classic login for some users. > > Best Regards, Jérôme. > > On Wed, 21 Oct 2015 at 08:34, Stian Thorgersen > > wrote: > > There's no limit with the buttons, although it would become > unusable. You can change this by creating your own theme > though and use a drop down or whatever you'd like. > > Another idea is something we've discussed before which is to > register certain email domains with a specific IdP. For > example @corp.com is automatically > redirected to idp.corp.com . With the > new authenticator SPI you could create this flow yourself > and remove the password field from the initial screen. > > You may end up wanting to implement an authenticator for > this in either case so you can add a cookie to remember the > last used IdP. > > When you use identity brokering in Keycloak, Keycloak > becomes the "Service Provider" in the external IdP, not the > individual clients. So only the Keycloak server has to be > registered with the external IdP. > > On 20 October 2015 at 17:33, Jérôme Blanchard > > wrote: > > Hi all, > > I'm trying to integrate keycloak in a federation of > identities (Shibboleth) using the SAMLv2 Identity > Provider. The problem is that the federation count > something like 100 Identity Providers and I'm afraid of > the L&F of the GUI as for now, adding 3 of them is > creating a button for each. Is there a limit or > something that creates a drop down menu ? (like this > list > https://discovery.renater.fr/renater) > The goal for me is to create a kind of parser for this > idps list : > http://federation.renater.fr/renater/idps-renater-metadata.xml > in order to parse this list and maintain my IDPs in > keycloak up to date. > > Another question is : does each client in keycloak have to > be declared as a Service Provider or only the keycloak > server ? > > If you have any feedback for Shibboleth federation > integration using keycloak I'll be very glad to share them. > > Thanks a lot, Best Regards, Jérôme. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From p.naef at naef-itcom.ch Wed Oct 21 09:53:03 2015 From: p.naef at naef-itcom.ch (Patrick Andreas Näf) Date: Wed, 21 Oct 2015 15:53:03 +0200 Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released In-Reply-To: References: Message-ID: <562798BF.8030607@naef-itcom.ch> Here I have a similar requirement for a saas application. Need to have a single login form for all users and when the user logs in, I have to decide to which tenant (and server) a user belongs. Then I do a redirect to the right server / tenant. It's the same way most saas applications work (one login screen, then you get redirected to the right server / application). If we want to have one single login form for all tenants, then we can only have the users in the same realm I think, because you must be sure that all the users are unique. But we also need a way to let a user log in into several tenants with the same user. For that I plan to add a role for every tenant. If a user has several such roles, he must choose to which tenant he wants to connect. The application makes sure only a user with the correct role can use a tenant. Maybe there is a better way to solve that? The best way to solve it would be to allow a user to be in more than one realm and support a way to test in which realms a user is. Then we can login the user and test the realm(s). But I think that wouldn't be possible because the whole design is different. Maybe a "super realm" is possible that is a container for such users? Best regards, Patrick On 21.10.2015 at 14:46, Stian Thorgersen wrote: > I think the first question to ask is do you want to share users and > config between tenants? If you do you should have a single realm, if > not you should have separate realms. > > On 21 October 2015 at 14:38, Thomas Raehalme > > wrote: > > On Tue, Oct 20, 2015 at 8:20 PM, Stian Thorgersen > > wrote: > > Thousands should be no problem at all. Tens of thousands > should be ok, but we'd have to test that. I guess you're > building a public api or something since you're expecting that > many clients? > > > I have been thinking of various ways to utilize Keycloak in a SaaS > application. A separate realm per tenant is probably the most > natural option, but how about using a single realm with individual > clients for each tenant, would that make any sense? I think it > would have its advantages (eg. the SaaS service provider could use > a single account to access any tenant, and tenants could register > themselves as clients when being deployed?). > > Best regards, > Thomas > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Näf ITCom AG Patrick Andreas Näf CEO / Owner MSc ETH Inf.-Ing. Höhenweg 7 4917 Melchnau web: www.naef-itcom.ch
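The e-mail-first routing that Stian sketched in the Shibboleth thread above (ask for the address, send a user with a linked IdP straight there, otherwise match the address's domain against the domains registered for each IdP, otherwise show the password form), combined with Bill's remembered-IdP cookie, as an added example. This is not code from the thread or from Keycloak, where the same logic would live in a custom Authenticator; the IdP, User and route_login names are assumptions of the example. Two details the four-step list leaves implicit are handled: the domain comparison is exact, so corp.example.evil.example does not route to the IdP registered for corp.example, and an unknown address gets the same answer as a known non-federated one, so the e-mail step does not double as an account oracle.

```python
"""Login routing for a broker fronting many SAML IdPs (added example, not Keycloak code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IdP:
    alias: str
    email_domains: List[str] = field(default_factory=list)  # assumed per-IdP config


@dataclass
class User:
    email: str
    linked_idp: Optional[str] = None  # federated identity link, if any


def domain_of(email: str) -> Optional[str]:
    """Exact domain after the single '@', lower-cased; None for anything malformed.

    No substring or suffix matching: the whole domain must equal a registered one.
    """
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or domain.startswith(".") or domain.endswith("."):
        return None
    return domain.lower()


def route_login(email: str, users: Dict[str, User], idps: List[IdP],
                remembered_idp: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return ("idp", alias) or ("password", None) for the submitted address.

    users is keyed by lower-cased e-mail (constructed store standing in for the realm).
    remembered_idp is the last-used-IdP cookie value; it is honoured only if it still
    names a configured IdP, so a stale or tampered cookie degrades to the normal flow
    instead of an error page.
    """
    known = {idp.alias: idp for idp in idps}
    if remembered_idp in known:
        return ("idp", remembered_idp)

    # step 2: a known user with a federated link goes straight to that IdP
    user = users.get(email.lower())
    if user is not None and user.linked_idp in known:
        return ("idp", user.linked_idp)

    # step 3: otherwise route by registered e-mail domain (exact match only)
    domain = domain_of(email)
    if domain is not None:
        for idp in idps:
            if domain in (d.lower() for d in idp.email_domains):
                return ("idp", idp.alias)

    # step 4: local password form. Unknown and known-but-local addresses get the
    # same outcome, so this step does not reveal which local accounts exist.
    return ("password", None)
```

In an account-chooser UI as Bill describes, the remembered alias would be offered as the default rather than applied unconditionally as it is here; the rest of the decision is unchanged.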
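Patrick's plan above (one realm, one realm role per tenant, the application checks the role) carried into working code, as an added example that is not part of the thread or of Keycloak itself. The resource server verifies the access token before reading any claim, derives the tenant set from realm_access.roles, and refuses to guess when the user holds several tenant roles. Assumptions of the example: the role naming convention tenant:<id>, and an HS256 signature so that it runs offline (Keycloak signs access tokens with the realm's RSA key, RS256; the order of checks is the same, only the primitive differs).

```python
"""Tenant authorization from Keycloak realm roles (added example, not project code)."""
import base64
import hashlib
import hmac
import json
from typing import List, Optional

TENANT_ROLE_PREFIX = "tenant:"  # assumed naming convention, not a Keycloak default


class TokenError(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Verify an HS256 JWT and return its claims; raise TokenError otherwise.

    HS256 stands in for Keycloak's RS256 so the example is self-contained.
    Signature first, then expiry; the algorithm is fixed by the verifier, never
    taken from the token header.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def tenants_for(claims: dict) -> List[str]:
    """Tenant ids the token grants, from realm roles named tenant:<id>."""
    roles = claims.get("realm_access", {}).get("roles", [])
    return sorted(r[len(TENANT_ROLE_PREFIX):] for r in roles if r.startswith(TENANT_ROLE_PREFIX))


def resolve_tenant(claims: dict, requested: Optional[str]) -> str:
    """Return the tenant this request may act on, or raise PermissionError.

    No tenant role: deny. Exactly one: use it even if none was requested.
    Several: the request must name one, and it must be in the set (Patrick's
    "user must choose" case); the server never picks for the user.
    """
    allowed = tenants_for(claims)
    if not allowed:
        raise PermissionError("no tenant access")
    if requested is None:
        if len(allowed) == 1:
            return allowed[0]
        raise PermissionError("tenant choice required: " + ", ".join(allowed))
    if requested not in allowed:
        raise PermissionError(f"not a member of tenant {requested}")
    return requested


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 test token (constructed input standing in for Keycloak)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```

Because the tenant is derived from a signed claim rather than from a request parameter alone, a user who holds tenant:acme cannot reach tenant globex by editing the request; the requested id is only ever matched against the set the token carries.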
From bburke at redhat.com Wed Oct 21 11:43:21 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 21 Oct 2015 11:43:21 -0400 Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released In-Reply-To: <562798BF.8030607@naef-itcom.ch> References: <562798BF.8030607@naef-itcom.ch> Message-ID: <5627B299.90003@redhat.com> On 10/21/2015 9:53 AM, Patrick Andreas Näf wrote: > Here I have a similar requirement for a saas application. Need to have a > single login form for all users and when the user logs in, I have to > decide to which tenant (and server) a user belongs. Then I do a > redirect to the right server / tenant. > It's the same way most saas applications work (one login screen, then > you get redirected to the right server / application). > > If we want to have one single login form for all tenants, then we can > only have the users in the same realm I think, because you must be sure > that all the users are unique. > But we also need a way to let a user log in into several tenants with > the same user. For that I plan to add a role for every tenant. If a user > has several such roles, he must choose to which tenant he wants to connect. > The application makes sure only a user with the correct role can use a > tenant. > > Maybe there is a better way to solve that? > > The best way to solve it would be to allow a user to be in more than one > realm and support a way to test in which realms a user is. Then we can > login the user and test the realm(s). > But I think that wouldn't be possible because the whole design is > different. Maybe a "super realm" is possible that is a container for > such users? > We originally took this route with Keycloak. The idea that Keycloak could be a SAAS...But we decided that the best way to deploy Keycloak in the cloud would be to create a cloud instance of Keycloak per organization.
In Red Hat OpenShift terms: Keycloak would be a cartridge and the organization could opt to install it within their cloud account. The reason for this is to isolate one paying customer from a different one. You probably don't want them sharing database instances, IP addresses, etc. If that is not possible, we can discuss other possibilities. Right now though Realm is a completely isolated unit. Users belong to one realm and one realm only. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From thomas.raehalme at aitiofinland.com Wed Oct 21 11:49:53 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Wed, 21 Oct 2015 18:49:53 +0300 Subject: [keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released In-Reply-To: <5627B299.90003@redhat.com> References: <562798BF.8030607@naef-itcom.ch> <5627B299.90003@redhat.com> Message-ID: On Wed, Oct 21, 2015 at 6:43 PM, Bill Burke wrote: > We originally took this route with Keycloak. The idea that Keycloak > could be a SAAS...But we decided that the best way to deploy Keycloak in > the cloud would be to create a cloud instance of Keycloak per > organization. In Red Hat OpenShift terms: Keycloak would be a > cartridge and the organization could opt to install it within their > cloud account. > > The reason for this is to isolate one paying customer from a different > one. You probably don't want them sharing database instances, IP > addresses, etc. > > If that is not possible, we can discuss other possibilities. Right now > though Realm is a completely isolated unit. Users belong to one realm > and one realm only. > I think you have the best of both worlds, ie. you can create multiple realms with a single Keycloak install to manage multiple customers, or you could install Keycloak for each customer separately as you describe above. 
Now we app developers just need to figure out the best way to handle this on our side :-) Best regards, Thomas

From fmrage at hotmail.com Wed Oct 21 12:57:35 2015 From: fmrage at hotmail.com (Fabio Monteiro) Date: Wed, 21 Oct 2015 18:57:35 +0200 Subject: [keycloak-user] Changing url in reset-password emails Message-ID: Hi, We use keycloak API rest to send email password reset to users. But we would need to change the host part of the url used in the email link presented to users in the email sent to them. Is there an easy way to do so, you guys know?? This is quite critical right now for our app so any help would be MUCH appreciated. THANKS A LOT Fabio Monteiro

From b.hansmann at alphaapps.de Wed Oct 21 13:10:34 2015 From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps]) Date: Wed, 21 Oct 2015 19:10:34 +0200 Subject: [keycloak-user] Changing url in reset-password emails Message-ID: That's exactly what I was asking two hours ago. I've found a temporary workaround: In the keycloak services module I patched the method loginBase in Urls.java to replace hostname. I added a null check and used a UriBuilder to keep everything else as is, otherwise it failed to reset password. I built the module with maven and replaced just the keycloak-services jar on my server. Maybe this causes issues somewhere else, I don't know... -------- Original message -------- From: Fabio Monteiro Date: 21.10.2015 18:57 (GMT+01:00) To: keycloak-user at lists.jboss.org Cc: Subject: [keycloak-user] Changing url in reset-password emails Hi, We use keycloak API rest to send email password reset to users. But we would need to change the host part of the url used in the email link presented to users in the email sent to them. Is there an easy way to do so, you guys know?? This is quite critical right now for our app so any help would be MUCH appreciated. THANKS A LOT Fabio Monteiro

From bburke at redhat.com Wed Oct 21 13:44:58 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 21 Oct 2015 13:44:58 -0400 Subject: [keycloak-user] Changing url in reset-password emails In-Reply-To: References: Message-ID: <5627CF1A.6080107@redhat.com> You can do it from the template file (.ftl) in the email theme. On 10/21/2015 12:57 PM, Fabio Monteiro wrote: > Hi, > > We use keycloak API rest to send email password reset to users. But we > would need to change the host part of the url used in the email link > presented to users in the email sent to them. > > Is there an easy way to do so, you guys know?? > > This is quite critical right now for our app so any help would be MUCH > appreciated. THANKS A LOT > > Fabio Monteiro > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From sthorger at redhat.com Thu Oct 22 02:30:46 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Oct 2015 08:30:46 +0200 Subject: [keycloak-user] Brute force protector and service accounts/Login actions URI In-Reply-To: <1445430062.3555.23.camel@alphaapps.de> References: <1445430062.3555.23.camel@alphaapps.de> Message-ID: On 21 October 2015 at 14:21, Benjamin Hansmann [alphaApps] < b.hansmann at alphaapps.de> wrote: > Hi, > > great to see rapid progress on keycloak and regular releases with new > features added.
> > I am on Keycloak 1.4.0 and have two questions regarding 2 recently added > features: > > - The service accounts introduced in 1.5.0 and the possibility to > authenticate them with certificates in 1.6.0 is a great feature. I am > asking myself if these will be excluded from the brute force protection > mechanism. I would like to use a service account in my app when a user > is not logged in (which is now just a regular account). If this account > will be subject to get locked out after a few consecutive failed login > attempts, all users will not be able to use the features which do not > require an active user session but rely on the service account. So > someone could deliberately lock the service account. > Same argument can be made for user accounts. I'm not actually sure if service accounts use the brute force protection atm, they should - Marek can you confirm? > > - I was having trouble with keycloak-services > (Urls.java:loginActionsBase): I have a rest web service which also acts > as a keycloak facade for registration, reset password, resend > verification email etc... From within my web service I use the keycloak > admin-client to e.g. trigger a reset-password-email or registration. The > problem was that emails sent by keycloak then contained links referring > to localhost:8080 because my web service contacts keycloak locally on > the server. I worked around this issue by patching the loginActionsBase > method in Urls.java to replace hostname, scheme and port of the returned > URI. This seemed ugly to me and I am asking if the feature "Added root > URL to clients" in the just released 1.6.0 version makes this workaround > obsolete? > Why not just use the theme support and modify the pages directly in KC? Seems much simpler and better ;) We actually have others that have a similar issue where they contact KC internally on one hostname. So we may add some sort of alias mechanism or a fixed hostname option for KC.
> > Best regards, > Benjamin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mposolda at redhat.com Thu Oct 22 04:50:47 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 22 Oct 2015 10:50:47 +0200 Subject: [keycloak-user] Brute force protector and service accounts/Login actions URI In-Reply-To: References: <1445430062.3555.23.camel@alphaapps.de> Message-ID: <5628A367.3090406@redhat.com> On 22/10/15 08:30, Stian Thorgersen wrote: > > > On 21 October 2015 at 14:21, Benjamin Hansmann [alphaApps] > > wrote: > > Hi, > > great to see rapid progress on keycloak and regular releases with new > features added. > > I am on Keycloak 1.4.0 and have two questions regarding 2 recently > added > features: > > - The service accounts introduced in 1.5.0 and the possibility to > authenticate them with certificates in 1.6.0 is a great feature. I am > asking myself if these will be excluded from the brute force > protection > mechanism. I would like to use a service account in my app when a user > is not logged in (which is now just a regular account). If this > account > will be subject to get locked out after a few consecutive failed login > attempts, all users will not be able to use the features which do not > require an active user session but rely on the service account. So > someone could deliberately lock the service account. > > > Same argument can be made for user accounts. I'm not actually sure if > service accounts use the brute force protection atm, they should - > Marek can you confirm? nope, the client authentication in general is not tracked with BruteForceProtector now. Do you want me to create JIRA? Marek > > > - I was having trouble with keycloak-services > (Urls.java:loginActionsBase): I have a rest web service which also > acts > as a keycloak facade for registration, reset password, resend > verification email etc... From within my web service I use the > keycloak > admin-client to e.g. trigger a reset-password-email or > registration. The > problem was that emails sent by keycloak then contained links > referring > to localhost:8080 because my web service contacts keycloak locally > on > the server. I worked around this issue by patching the > loginActionsBase > method in Urls.java to replace hostname, scheme and port of the > returned > URI. This seemed ugly to me and I am asking if the feature "Added root > URL to clients" in the just released 1.6.0 version makes this > workaround > obsolete? > > > Why not just use the theme support and modify the pages directly in > KC? Seems much simpler and better ;) > > We actually have others that have a similar issue where they contact > KC internally on one hostname. So we may add some sort of alias > mechanism or a fixed hostname option for KC. > > > Best regards, > Benjamin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > >
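Marek confirms that client authentication is not tracked by the BruteForceProtector. The sketch below, an added example that is not Keycloak code, shows one shape such tracking could take that also answers Benjamin's concern that a shared service account could be deliberately locked: failures are counted both per client_id and per source address, the per-client limit only slows the account down (capped exponential delay), and only the per-source limit blocks, so one host cannot lock a service account for every other caller. The class name, thresholds and the choice of source address as the second key are assumptions of the example.

```python
"""Failure tracking for client (service-account) authentication (added example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class ClientAuthProtector:
    """Consult check() before verifying a client secret or certificate; report the
    outcome with record_failure() / record_success(). All times are integer seconds."""

    def __init__(self, window: int = 60, per_client_limit: int = 5,
                 per_source_limit: int = 10, source_block: int = 300,
                 max_delay: int = 30) -> None:
        self.window = window                  # sliding window for counting failures
        self.per_client_limit = per_client_limit
        self.per_source_limit = per_source_limit
        self.source_block = source_block      # how long a noisy source is blocked
        self.max_delay = max_delay            # cap on the per-client back-off
        self._client_fail: Dict[str, Deque[int]] = defaultdict(deque)
        self._source_fail: Dict[str, Deque[int]] = defaultdict(deque)
        self._source_blocked_until: Dict[str, int] = {}

    def _prune(self, q: Deque[int], now: int) -> None:
        """Drop failure timestamps that have left the sliding window."""
        while q and q[0] <= now - self.window:
            q.popleft()

    def check(self, client_id: str, source: str, now: int) -> Tuple[str, int]:
        """Return ("ok", 0), ("delay", seconds) or ("blocked", seconds_remaining).

        A blocked source is refused outright. A client over its limit is served
        after a delay that doubles with each extra failure, never locked out.
        """
        until = self._source_blocked_until.get(source, 0)
        if until > now:
            return ("blocked", until - now)
        q = self._client_fail[client_id]
        self._prune(q, now)
        excess = len(q) - self.per_client_limit
        if excess >= 0:
            return ("delay", min(self.max_delay, 2 ** excess))
        return ("ok", 0)

    def record_failure(self, client_id: str, source: str, now: int) -> None:
        """Count the failure against both the client and the source address;
        block the source once it alone has produced per_source_limit failures."""
        self._client_fail[client_id].append(now)
        sq = self._source_fail[source]
        sq.append(now)
        self._prune(sq, now)
        if len(sq) >= self.per_source_limit:
            self._source_blocked_until[source] = now + self.source_block

    def record_success(self, client_id: str, now: int) -> None:
        """A correct secret clears the client's failure history, not the source's."""
        self._client_fail[client_id].clear()
```

Keying the hard block on the source rather than on the client is what keeps the service account available to its legitimate callers; the cost is that the per-client delay is shared by all of them while an attack is under way, which is the trade-off Benjamin's question points at.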
From sthorger at redhat.com Thu Oct 22 05:49:00 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Oct 2015 11:49:00 +0200 Subject: [keycloak-user] Brute force protector and service accounts/Login actions URI In-Reply-To: <5628A367.3090406@redhat.com> References: <1445430062.3555.23.camel@alphaapps.de> <5628A367.3090406@redhat.com> Message-ID: On 22 October 2015 at 10:50, Marek Posolda wrote: > On 22/10/15 08:30, Stian Thorgersen wrote: > > > > On 21 October 2015 at 14:21, Benjamin Hansmann [alphaApps] < > b.hansmann at alphaapps.de> wrote: > >> Hi, >> >> great to see rapid progress on keycloak and regular releases with new >> features added. >> >> I am on Keycloak 1.4.0 and have two questions regarding 2 recently added >> features: >> >> - The service accounts introduced in 1.5.0 and the possibility to >> authenticate them with certificates in 1.6.0 is a great feature. I am >> asking myself if these will be excluded from the brute force protection >> mechanism. I would like to use a service account in my app when a user >> is not logged in (which is now just a regular account). If this account >> will be subject to get locked out after a few consecutive failed login >> attempts, all users will not be able to use the features which do not >> require an active user session but rely on the service account. So >> someone could deliberately lock the service account. >> > > Same argument can be made for user accounts. I'm not actually sure if > service accounts use the brute force protection atm, they should - Marek > can you confirm? > > nope, the client authentication in general is not tracked with > BruteForceProtector now. Do you want me to create JIRA?
> Yes, please > > Marek > > > >> >> - I was having trouble with keycloak-services >> (Urls.java:loginActionsBase): I have a rest web service which also acts >> as a keycloak facade for registration, reset password, resend >> verification email etc... From within my web service I use the keycloak >> admin-client to e.g. trigger a reset-password-email or registration. The >> problem was that emails sent by keycloak then contained links referring >> to localhost:8080 because my web service contacts keycloak locally >> on >> the server. I worked around this issue by patching the loginActionsBase >> method in Urls.java to replace hostname, scheme and port of the returned >> URI. This seemed ugly to me and I am asking if the feature "Added root >> URL to clients" in the just released 1.6.0 version makes this workaround >> obsolete? >> > > Why not just use the theme support and modify the pages directly in KC? > Seems much simpler and better ;) > > We actually have others that have a similar issue where they contact KC > internally on one hostname. So we may add some sort of alias mechanism or a > fixed hostname option for KC. > > >> >> Best regards, >> Benjamin >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >

From sascha.skorupa at traveltainment.de Thu Oct 22 10:46:35 2015 From: sascha.skorupa at traveltainment.de (Sascha Skorupa) Date: Thu, 22 Oct 2015 14:46:35 +0000 Subject: [keycloak-user] Multivalued user attributes mapping In-Reply-To: <55FFF8C9.1000300@redhat.com> References: <55FFF8C9.1000300@redhat.com> Message-ID: Hi, if this is currently not possible what does the "Multivalued" flag mean in the mappers section of a client? Is there any example / documentation how to implement and integrate custom protocol mappers? Cheers sascha From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Monday, 21 September 2015 14:32 To: Sascha Skorupa ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Multivalued user attributes mapping On 21/09/15 11:52, Sascha Skorupa wrote: Hi, we are currently evaluating Keycloak as IDM solution for our company. In doing so we encountered the following questions according to storing authorization data: 1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as claim. But, how can you configure multiple values for one attribute? If you save another value with the same key the existing one is overwritten. You mean to map multiple different attributes from User into one attribute of AccessToken? That's not possible with the existing mappers. The thing is that you can write your own protocol mapper implementation and map the claims exactly how you want. 2) One of requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in keycloak or is the only way to use flat user attributes (key/value). The accessToken has "otherClaims" map on it. You can use any hierarchy you want to map your stuff into the access token. The best is again to write your own protocol mapper to achieve exactly what you want. Marek Thanks, Sascha _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From vbhadrir at us.ibm.com Thu Oct 22 12:02:42 2015 From: vbhadrir at us.ibm.com (Vijay Bhadriraju) Date: Thu, 22 Oct 2015 12:02:42 -0400 Subject: [keycloak-user] Exception loading Keycloak modules in Wildfly 9.0 Message-ID: <201510221602.t9MG2oaK026097@d01av04.pok.ibm.com> I am getting the following exception after unzipping the keycloak-wildfly-adapter-dist-1.1.0.Final.zip into the WildFly 9.0 server and configuring the standalone.xml file with the following lines as described in the keycloak documentation. I have tried this with Wildfly 10.0 version also and get the same error. ... ... How do I resolve this keycloak module loading exception?

11:35:36,018 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.keycloak.keycloak-adapter-subsystem
        at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:155) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:220) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:143) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:69) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:47) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
        at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        ... 3 more
Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
        at java.util.concurrent.FutureTask.report(Unknown Source) [rt.jar:1.8.0_65]
        at java.util.concurrent.FutureTask.get(Unknown Source) [rt.jar:1.8.0_65]
        at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:147) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        ... 10 more
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
        at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:196) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:69) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:127) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:124) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        at java.util.concurrent.FutureTask.run(Unknown Source) [rt.jar:1.8.0_65]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0_65]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8.0_65]
        at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
        at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final.jar:2.2.1.Final]
Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-adapter-subsystem:main
        at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:236) [jboss-modules.jar:1.4.4.Final]
        at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:178) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
        ... 8 more

Regards, Vijay

From alex_orl1079 at yahoo.it Thu Oct 22 12:36:50 2015 From: alex_orl1079 at yahoo.it (alex orl) Date: Thu, 22 Oct 2015 16:36:50 +0000 (UTC) Subject: [keycloak-user] Adding custom Error Messages from federation provider References: <513060128.2404412.1445531810825.JavaMail.yahoo@mail.yahoo.com> Message-ID: <513060128.2404412.1445531810825.JavaMail.yahoo@mail.yahoo.com> Hi to all, I need to handle some use-cases in which custom messages should be raised up to the login user interface. I saw keycloak themes offer messages_xx.properties for that, but my real need is to send new messages dealing with not handled specific cases up from my user federation provider implementation. Thanks a lot.
From mstrukel at redhat.com Thu Oct 22 12:46:55 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Thu, 22 Oct 2015 18:46:55 +0200 Subject: [keycloak-user] Exception loading Keycloak modules in Wildfly 9.0 In-Reply-To: <201510221602.t9MG2oaK026097@d01av04.pok.ibm.com> References: <201510221602.t9MG2oaK026097@d01av04.pok.ibm.com> Message-ID: Use the latest keycloak-wf9-adapter-dist from the download site: http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B You're trying to use latest config syntax with an old version that uses a different kind of config, and is outdated. On Thu, Oct 22, 2015 at 6:02 PM, Vijay Bhadriraju wrote: > I am getting the following exception after unzipping the > keycloak-wildfly-adapter-dist-1.1.0.Final.zip into the WildFly 9.0 server > and configuring the standalone.xml file with the following lines as > described in the keycloak documentation. I have tried this with Wildfly > 10.0 version also and get the same error. > > > > ** > ... > > > ** > ... > > > How do I resolve this keycloak module loading exception? > >
> 11:35:36,018 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>         at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
> Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.keycloak.keycloak-adapter-subsystem
>         at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:155) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:220) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:143) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:69) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:47) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>         at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>         at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         ... 3 more
> Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
>         at java.util.concurrent.FutureTask.report(Unknown Source) [rt.jar:1.8.0_65]
>         at java.util.concurrent.FutureTask.get(Unknown Source) [rt.jar:1.8.0_65]
>         at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:147) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         ... 10 more
> Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
>         at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:196) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:69) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:127) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:124) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         at java.util.concurrent.FutureTask.run(Unknown Source) [rt.jar:1.8.0_65]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0_65]
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8.0_65]
>         at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
>         at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final.jar:2.2.1.Final]
> Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-adapter-subsystem:main
>         at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:236) [jboss-modules.jar:1.4.4.Final]
>         at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:178) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>         ...
8 more > > Regards, Vijay > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151022/88b4331a/attachment.html From sthorger at redhat.com Thu Oct 22 13:48:11 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Oct 2015 19:48:11 +0200 Subject: [keycloak-user] OpenShift and Docker updated to 1.6.0.Final Message-ID: The Keycloak OpenShift cartridge and Docker image have been updated to 1.6.0.Final -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151022/eb818c6e/attachment.html From akanksha8618 at gmail.com Thu Oct 22 14:30:35 2015 From: akanksha8618 at gmail.com (Akanksha Mishra) Date: Thu, 22 Oct 2015 14:30:35 -0400 Subject: [keycloak-user] Mapper for External Identity provider Message-ID: Hi, While configuring Keycloak as SP with ADFS 2.0 as external IDP, the user authentication fails in my app's backend after passing the credentials in the ADFS login page. On investigating, I found out that the Username of the external user is stored by his email address in Keycloak-Users while the username is configured as "LDAP entry dn" for internal users in keycloak. I wish to get the DN of this external user in the username field. Do we need to configure a mapper for the same? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151022/8a51be38/attachment.html From mposolda at redhat.com Thu Oct 22 15:51:36 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 22 Oct 2015 21:51:36 +0200 Subject: [keycloak-user] Multivalued user attributes mapping In-Reply-To: References: <55FFF8C9.1000300@redhat.com> Message-ID: <56293E48.9070702@redhat.com> On 22/10/15 16:46, Sascha Skorupa wrote: > > Hi, > > if this is currently not possible what does the "Multivalued" flag > mean in the mappers section of a client? > It is used if your user has multiple values of the same attribute. For example user "john" works in 2 departments "finance" and "development", so attribute "department" of user "john" has 2 values in model - "finance" and "development". So when "multivalued" is on, then both values of the attribute will be propagated to accessToken and they will be available in the accessToken as a list (array). However when "multivalued" is off, then just a single value of the attribute is propagated to accessToken and it's available in accessToken as String (or any other simple type). From what I understood, your usecase is that you have 2 different attributes on UserModel and you want to map them into a single attribute in accessToken. For example you have attribute "department" with value "finance" and attribute "secondaryDepartment" with value "development" and you want them both to be mapped into accessToken into a single attribute "department" with 2 values "finance" and "development". Is it correct? That's what we don't have and you may write a custom protocol mapper for it. > > Is there any example / documentation how to implement and integrate > custom protocol mappers? > Looks like we don't have an example for a protocol mapper, but we have some examples for other providers. See the example distribution and its subdirectory "providers". Marek > > Cheers > > sascha > > *From:* Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Monday, 21 
September 2015 14:32 > *To:* Sascha Skorupa ; > keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Multivalued user attributes mapping > > On 21/09/15 11:52, Sascha Skorupa wrote: > > Hi, > > we are currently evaluating Keycloak as IDM solution for our > company. In doing so we encountered the following questions > according to storing authorization data: > > 1) In the "Mapper" section it is possible to configure how user > attributes are mapped to tokens/claims. It is also possible to > turn on "Multivalued" mapping, so that every value of one > attribute is set as claim. But, how can you configure multiple > values for one attribute? If you save another value with the same > key the existing one is overwritten. > > You mean to map multiple different attributes from User into one > attribute of AccessToken? That's not possible with the existing > mappers. The thing is that you can write your own protocol mapper > implementation and map the claims exactly how you want. > > 2) One of the requirements is to persist custom authorization data > hierarchically and to map this data into access tokens. Is there > any recommendation how to realize this in keycloak or is the only > way to use flat user attributes (key/value)? > > The accessToken has "otherClaims" map on it. You can use any hierarchy > you want to map your stuff into the access token. The best is again to > write your own protocol mapper to achieve exactly what you want. > > Marek > > Thanks, Sascha > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user
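Marek's reply above says that merging two user attributes into one claim needs a custom protocol mapper, and that the distribution ships no mapper example. The class below is an added example written for this page; it is not Keycloak's own code and was not posted in the thread. It reads two configurable user attributes (for Marek's illustration that would be `department` and `secondaryDepartment`) and emits their combined, de-duplicated values as one claim, leaving the claim out entirely when the user has neither attribute. It assumes the 1.x OIDC mapper SPI as it stood at the time of this thread (`AbstractOIDCProtocolMapper`, `OIDCAccessTokenMapper`, `OIDCIDTokenMapper` with a `ClientSessionModel` parameter, `UserModel.getAttribute` returning a list) and relies on `OIDCAttributeMapperHelper` to apply the "Multivalued" switch Marek describes: on, the claim is written as a JSON array; off, only the first value is written as a string. The provider id `merged-attribute-mapper`, the package name and the two config keys are my own choices.

```java
package com.example.keycloak.mappers; // assumed package, not part of Keycloak

import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/**
 * Merges the values of two user attributes into a single token claim.
 * Packaged in a provider jar and registered through the file
 * META-INF/services/org.keycloak.protocol.ProtocolMapper containing this class name.
 */
public class MergedAttributeMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper {

    public static final String PROVIDER_ID = "merged-attribute-mapper"; // assumed id
    static final String PRIMARY_ATTR = "primary.attribute";     // assumed config key
    static final String SECONDARY_ATTR = "secondary.attribute"; // assumed config key

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(PRIMARY_ATTR);
        p.setLabel("Primary user attribute");
        p.setHelpText("Name of the first user attribute to read, e.g. department");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(p);

        p = new ProviderConfigProperty();
        p.setName(SECONDARY_ATTR);
        p.setLabel("Secondary user attribute");
        p.setHelpText("Name of the second user attribute to read, e.g. secondaryDepartment");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(p);

        // Adds the same "Token Claim Name", "Claim JSON Type", "Multivalued" and
        // "Add to ID token / access token" switches the built-in mappers expose.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Merged User Attributes"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Map the values of two user attributes into one claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel model,
            KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
        if (OIDCAttributeMapperHelper.includeInAccessToken(model)) setClaim(token, model, userSession);
        return token;
    }

    @Override
    public IDToken transformIDToken(IDToken token, ProtocolMapperModel model,
            KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
        if (OIDCAttributeMapperHelper.includeInIDToken(model)) setClaim(token, model, userSession);
        return token;
    }

    /** Collects both attributes' values and writes them under the configured claim name. */
    static void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel userSession) {
        List<String> merged = mergeValues(userSession.getUser(),
                model.getConfig().get(PRIMARY_ATTR), model.getConfig().get(SECONDARY_ATTR));
        if (merged.isEmpty()) return; // no value to assert for this user: omit the claim
        // The helper applies the "Multivalued" switch: on, the list becomes a JSON array;
        // off, only the first element is written as a single string (as Marek describes).
        OIDCAttributeMapperHelper.mapClaim(token, model, merged);
    }

    /** Values of both attributes, first attribute first, duplicates removed, nulls skipped. */
    static List<String> mergeValues(UserModel user, String primary, String secondary) {
        Set<String> values = new LinkedHashSet<>();
        for (String name : new String[] { primary, secondary }) {
            if (name == null || name.isEmpty()) continue;
            List<String> v = user.getAttribute(name); // multivalued user attributes in 1.x
            if (v != null) values.addAll(v);
        }
        return new ArrayList<>(values);
    }
}
```

Once the jar is deployed and the mapper is added to a client with "Multivalued" on, a user holding `department=finance` and `secondaryDepartment=development` gets `"department": ["finance", "development"]` in the token; with "Multivalued" off the same user gets `"department": "finance"`, so any relying party that authorizes on this claim has to be written for the form the mapper is configured to produce.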
From vbhadrir at us.ibm.com Thu Oct 22 15:51:46 2015 From: vbhadrir at us.ibm.com (Vijay Bhadriraju) Date: Thu, 22 Oct 2015 15:51:46 -0400 Subject: [keycloak-user] Exception loading Keycloak modules in Wildfly 9.0 In-Reply-To: References: <201510221602.t9MG2oaK026097@d01av04.pok.ibm.com> Message-ID: <201510221951.t9MJpr5o025302@d01av01.pok.ibm.com> Thanks, Marko. I was able to move forward by using the latest adapter you pointed me to. I was able to bring up the Wildfly 9.0 server with the adapter installed and was able to install the Customer-Portal and Product-Portal example apps successfully. But, when I install the Database example app, I get the following error. Any tips on how to resolve this error? Thanks. 15:39:28,922 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service jboss.deployment.unit.database.POST_MODULE: org.jboss.msc.service.StartE xception in service jboss.deployment.unit.database.POST_MODULE: WFLYSRV0153: Failed to pro cess phase POST_MODULE of deployment "database" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitP haseService.java:163) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceContr ollerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl .java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYRS0006: C ould not load JAX-RS Application class at org.jboss.as.jaxrs.deployment.JaxrsScanningProcessor.scan(JaxrsScanningProcesso r.java:205) at org.jboss.as.jaxrs.deployment.JaxrsScanningProcessor.deploy(JaxrsScanningProces sor.java:101) at 
org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitP haseService.java:156) ... 5 more Caused by: java.lang.ClassNotFoundException: org.keycloak.example.oauth.DataApplication fr om [Module "deployment.database:main" from Service Module Loader] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentCla ssLoader.java:455) at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClass Loader.java:404) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader. java:385) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:13 0) at org.jboss.as.jaxrs.deployment.JaxrsScanningProcessor.scan(JaxrsScanningProcesso r.java:201) ... 7 more 15:39:28,937 ERROR [org.jboss.as.controller.management-operation] (management-handler-thre ad - 5) WFLYCTL0013: Operation ("add") failed - address: ({"deployment" => "database"}) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.database.P OST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.data base.POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"databas e\" Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYRS000 6: Could not load JAX-RS Application class Caused by: java.lang.ClassNotFoundException: org.keycloak.example.oauth.DataApplicatio n from [Module \"deployment.database:main\" from Service Module Loader]"}} 15:39:28,953 ERROR [org.jboss.as.server] (management-handler-thread - 5) WFLYSRV0021: Depl oy of deployment "database" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.database.POST_MODULE" => "org.j boss.msc.service.StartException in service jboss.deployment.unit.database.POST_MODULE: WFL YSRV0153: Failed to process phase POST_MODULE of deployment 
\"database\" Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYRS000 6: Could not load JAX-RS Application class Caused by: java.lang.ClassNotFoundException: org.keycloak.example.oauth.DataApplicatio n from [Module \"deployment.database:main\" from Service Module Loader]"}} 15:39:28,953 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment database (runtime-name: database) in 11ms 15:39:28,953 INFO [org.jboss.as.controller] (management-handler-thread - 5) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service jboss.deployment.unit.database .POST_MODULE Regards, Vijay From: Marko Strukelj To: Vijay Bhadriraju/Raleigh/IBM at IBMUS Cc: keycloak-user Date: 10/22/2015 12:47 PM Subject: Re: [keycloak-user] Exception loading Keycloak modules in Wildfly 9.0 Use the latest keycloak-wf9-adapter-dist from the download site: http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B You're trying to use latest config syntax with an old version that uses a different kind of config, and is outdated. On Thu, Oct 22, 2015 at 6:02 PM, Vijay Bhadriraju wrote: I am getting the following exception after unzipping the keycloak-wildfly-adapter-dist-1.1.0.Final.zip into the WildFly 9.0 server and configuring the standalone.xml file with the following lines as described in the keycloak documentation. I have tried this with Wildfly 10.0 version also and get the same error. ... ... How do I resolve this keycloak module loading exception? 
11:35:36,018 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exce ption during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigura tionPersister.java:131) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server- 2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerServi ce.java:299) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65] Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.key cloak.keycloak-adapter-subsystem at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java: 155) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.j ava:220) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:14 3) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:69) [w ildfly-server-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:47) [w ildfly-server-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxm apper-1.2.0.Final.jar:1.2.0.Final] at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxma pper-1.2.0.Final.jar:1.2.0.Final] at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigura tionPersister.java:123) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] ... 
3 more Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: W FLYCTL0083: Failed to load module at java.util.concurrent.FutureTask.report(Unknown Source) [rt.jar:1.8.0_65] at java.util.concurrent.FutureTask.get(Unknown Source) [rt.jar:1.8.0_65] at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java: 147) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] ... 10 more Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:196) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:69) [ wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:127) [wil dfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:124) [wil dfly-controller-2.0.0.CR7.jar:2.0.0.CR7] at java.util.concurrent.FutureTask.run(Unknown Source) [rt.jar:1.8.0_65] at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0 _65] at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8. 0_65] at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65] at org.jboss.threads.JBossThread.run(JBossThread.java:320) [ jboss-threads-2.2.1.Fi nal.jar:2.2.1.Final] Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-adapter-subsys tem:main at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:236) [jboss-modules .jar:1.4.4.Final] at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:178) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7] ... 
8 more Regards, Vijay _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151022/2d65c6c0/attachment-0001.html From matthew.casperson at autogeneral.com.au Thu Oct 22 18:31:10 2015 From: matthew.casperson at autogeneral.com.au (Matthew Casperson) Date: Fri, 23 Oct 2015 08:31:10 +1000 Subject: [keycloak-user] Securing the Wildfly management console with Keycloak Message-ID: Is it possible to use KeyCloak to restrict access to the Wildfly web administration console? It would be handy to be able to treat the web admin console like any other administrator web site that might be protected with a Keycloak realm rather than manage mgmt-users.properties files individually. -- *Matthew Casperson* *Senior Front End Developer* Technology, Space & Distribution Auto & General Holdings Pty Ltd P: 07) 3377 8751 (Direct: 3377 8751) F: 07) 3377 8833 -- This email is sent by Auto & General Insurance Company Ltd, Auto & General Services Pty Ltd, Auto & General Holdings Pty Ltd or a related body corporate (Auto & General) and is for the intended addressee. The views expressed in this email and attachments (email) reflect the views of the stated author but may not reflect views of Auto & General. This email is confidential and subject to copyright. It may be privileged. If you are not the intended addressee, confidentiality and privilege have not been waived and any use, interference with, or disclosure of this email is unauthorised. If you are not the intended addressee please immediately notify the sender and then delete the email. Auto & General does not warrant that this email is error or virus free. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/02bf8451/attachment.html From ssilvert at redhat.com Thu Oct 22 18:33:55 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 22 Oct 2015 18:33:55 -0400 Subject: [keycloak-user] Securing the Wildfly management console with Keycloak In-Reply-To: References: Message-ID: <56296453.5020308@redhat.com> On 10/22/2015 6:31 PM, Matthew Casperson wrote: > Is it possible to use KeyCloak to restrict access to the Wildfly web > administration console? It would be handy to be able to treat the web > admin console like any other administrator web site that might be > protected with a Keycloak realm rather than manage > mgmt-users.properties files individually. Not yet. But this is on the WildFly roadmap. Hopefully soon. > > -- > *Matthew Casperson* > *Senior Front End Developer* > Technology, Space & Distribution > Auto & General Holdings Pty Ltd > P: 07) 3377 8751 (Direct: 3377 8751) > F: 07) 3377 8833 > > > > This email is sent by Auto & General Insurance Company Ltd, Auto & General Services Pty Ltd, Auto & General Holdings Pty Ltd or a related body corporate (Auto & General) and is for the intended addressee. > The views expressed in this email and attachments (email) reflect the views of the stated author but may not reflect views of Auto & General. This email is confidential and subject to copyright. > It may be privileged. If you are not the intended addressee, confidentiality and privilege have not been waived and any use, interference with, or disclosure of this email is unauthorised. > If you are not the intended addressee please immediately notify the sender and then delete the email. Auto & General does not warrant that this email is error or virus free. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151022/0458f90a/attachment.html From sthorger at redhat.com Fri Oct 23 01:52:08 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 23 Oct 2015 07:52:08 +0200 Subject: [keycloak-user] KEYCLOAK-1735 - possible to recategorise it as an urgent bug not enhancement? In-Reply-To: References: Message-ID: Sorry for the late response, but this one ended up in my spam for some reason. KEYCLOAK-1735 is not a bug as by definition a bug is something that does not work as designed. I agree with you that the approach is less than elegant, which is why we have an outstanding issue to enhance this. At some point we are going to redesign the admin permissions to provide more fine grained control, which will make it possible to create admins that can manage groups of users and/or roles. However, the way it works now is that it's an all or nothing thing. End of the day though if someone with manage-users role was prevented from making themselves an admin of Keycloak, they would still have the power to make themselves an admin (or the equivalent role) in your applications and in that way obtain full permissions to all your business logic/data. So that's a permission you should only give to a trusted individual in the first place. With that in mind I disagree that this is really a vulnerability, but I appreciate that the permission is too coarse for most. On 13 October 2015 at 20:15, David Illsley wrote: > Hi all, > KEYCLOAK-1735 describes that users with the 'manage-users' role can > self-assign 'manage-realm', and gain substantial extra privileges. 
> > This behaviour came as a substantial surprise to me when I discovered it, > and I suspect there are users out there who have vulnerabilities due to > this unexpected behaviour. > > KEYCLOAK-1735 is currently marked as an enhancement, and while I can see > that it might be substantial work to change this behaviour, I think it > should be a priority to make the behaviour clear to users - probably > through documentation, and possibly through renaming the role so that its > expansive powers are clear. > > Is this a possibility? What's the best way to get this to happen? > Thanks, > David > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/eb6fedc5/attachment.html From joseph at djomeda.com Fri Oct 23 03:59:14 2015 From: joseph at djomeda.com (Joseph Djomeda) Date: Fri, 23 Oct 2015 07:59:14 +0000 Subject: [keycloak-user] Unified login for existing applications Message-ID: Hi Community, Thanks for all the amazing features list I have read about this product and that is truly exciting. Kudos for pulling down all that. I am new to the world of SSO and so on but I am doing my home work catching up. I have a problem and I am wondering whether keycloak is the solution. We have 5 different applications each using either apache shiro or spring security for authentication. Those using shiro have different hashing algorithm and different number of iterations. We are about to launch new products each with their own authentication so we were like why not go google model. here are a few questions I would like to ask those of you actively using keycloak. - Can I build an application with keycloak embedded in it where keycloak provides identity based on some logic that we will put in the parent application. 
Logic like how to merge all products mentioned earlier? - Supposing no work is needed and everything I mentioned is supported can keycloak allow relooking/branding of UI such a way it's inline with most of UI directions we have for all our existing products? - Can I use keycloak to not only provide SSO for our own applications but also make that keycloak become an ID provider (likes of openID etc ) for other applications that we don't own? Thanks for reading my questions and I hope I will be able to learn from all of you Best Regards, -- Joseph Kodjo-Kuma Djomeda check out my pains at : www.mycodingpains.com We become what we think about ourselves........ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/d0f9d07e/attachment.html From sthorger at redhat.com Fri Oct 23 04:16:00 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 23 Oct 2015 10:16:00 +0200 Subject: [keycloak-user] Unified login for existing applications In-Reply-To: References: Message-ID: On 23 October 2015 at 09:59, Joseph Djomeda wrote: > Hi Community, > > Thanks for all the amazing features list I have read about this product > and that is truly exciting. Kudos for pulling down all that. I am new to the > world of SSO and so on but I am doing my home work catching up. > > I have a problem and I am wondering whether keycloak is the solution. We > have 5 different applications each using either apache shiro or spring > security for authentication. Those using shiro have different hashing > algorithm and different number of iterations. We are about to launch new > products each with their own authentication so we were like why not go > google model. > > here are a few questions I would like to ask those of you actively using > keycloak. 
> > > - Can I build an application with keycloak embedded in it where > keycloak provides identity based on some logic that we will put in the > parent application. Logic like how to merge all products mentioned earlier? > > Depends - what is your application deployed to? Keycloak is meant to be a standalone service, but can be deployed to WildFly alongside JavaEE apps. > > - Supposing no work is needed and everything I mentioned is supported > can keycloak allow relooking/branding of UI such a way it's inline with > most of UI directions we have for all our existing products? > > Yes, we have theme support that lets you modify the l&f of all pages > > - Can I use keycloak to not only provide SSO for our own applications > but also make that keycloak become an ID provider (likes of openID etc ) > for other applications that we don't own? > > Yes, not OpenID though. We support OpenID Connect and SAML v2. > > Thanks for reading my questions and I hope I will be able to learn from > all of you > > Best Regards, > -- > Joseph Kodjo-Kuma Djomeda > check out my pains at : www.mycodingpains.com > We become what we think about ourselves........ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/dd339b3b/attachment-0001.html From joseph at djomeda.com Fri Oct 23 04:35:32 2015 From: joseph at djomeda.com (Joseph Djomeda) Date: Fri, 23 Oct 2015 08:35:32 +0000 Subject: [keycloak-user] Unified login for existing applications In-Reply-To: References: Message-ID: Hi Stian, Thanks for the swift reply. I have put some comments inline. Is there any example or tutorial towards what I would like to achieve meaning building on top of keycloak. 
Best Regards, On Fri, Oct 23, 2015 at 8:16 AM Stian Thorgersen wrote: > On 23 October 2015 at 09:59, Joseph Djomeda wrote: > >> Hi Community, >> >> Thanks for all the amazing features list I have read about this product >> and that is truly exciting. Kudos for pulling down all that. I am new to the >> world of SSO and so on but I am doing my home work catching up. >> >> I have a problem and I am wondering whether keycloak is the solution. We >> have 5 different applications each using either apache shiro or spring >> security for authentication. Those using shiro have different hashing >> algorithm and different number of iterations. We are about to launch new >> products each with their own authentication so we were like why not go >> google model. >> >> here are a few questions I would like to ask those of you actively using >> keycloak. >> >> >> - Can I build an application with keycloak embedded in it where >> keycloak provides identity based on some logic that we will put in the >> parent application. Logic like how to merge all products mentioned earlier? >> >> Depends - what is your application deployed to? Keycloak is meant to be a > standalone service, but can be deployed to WildFly alongside JavaEE apps. > It's going to basically be a java webapp deployed into tomcat or jetty but can try wildfly. >> - Supposing no work is needed and everything I mentioned is supported >> can keycloak allow relooking/branding of UI such a way it's inline with >> most of UI directions we have for all our existing products? >> >> Yes, we have theme support that lets you modify the l&f of all pages > Awesome > >> - Can I use keycloak to not only provide SSO for our own applications >> but also make that keycloak become an ID provider (likes of openID etc ) >> for other applications that we don't own? >> >> Yes, not OpenID though. We support OpenID Connect and SAML v2. 
> Awesome > > >> >> Thanks for reading my questions and I hope I will be able to learn from >> all of you >> >> Best Regards, >> -- >> Joseph Kodjo-Kuma Djomeda >> check out my pains at : www.mycodingpains.com >> We become what we think about ourselves........ >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Joseph Kodjo-Kuma Djomeda check out my pains at : www.mycodingpains.com We become what we think about ourselves........ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/7a85a4a2/attachment.html From sthorger at redhat.com Fri Oct 23 04:40:42 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 23 Oct 2015 10:40:42 +0200 Subject: [keycloak-user] Unified login for existing applications In-Reply-To: References: Message-ID: We have plenty of examples available from the downloads. If you want to bundle your app together with Keycloak you'd need: * WildFly (needs to match version used by Keycloak as we only support one version) * Add the server overlay (look at server installation in the docs) * Add the WildFly adapter (look at adapter installation in the docs) * Add your app Then create a zip or whatever of that ;) On 23 October 2015 at 10:35, Joseph Djomeda wrote: > Hi Stian, > > Thanks for the swift reply. I have put some comments inline. Is there any > example or tutorial towards what I would like to achieve meaning building on > top of keycloak. > > Best Regards, > > On Fri, Oct 23, 2015 at 8:16 AM Stian Thorgersen > wrote: > >> On 23 October 2015 at 09:59, Joseph Djomeda wrote: >> >>> Hi Community, >>> >>> Thanks for all the amazing features list I have read about this product >>> and that is truly exciting. Kudos for pulling down all that. 
I am new to the >>> world of SSO and so on but I am doing my home work catching up. >>> >>> I have a problem and I am wondering whether keycloak is the solution. We >>> have 5 different applications each using etiher apache shiro or spring >>> security for authentication. Those using shiro have different hashing >>> algorithm and different number of iterations. We are about to launch new >>> products each with their own authentication so we were like why not go >>> google model. >>> >>> here are few questions I would like to ask those of you actively using >>> keycloak. >>> >>> >>> - Can I build an application with keycloak embedded in it where >>> keycloak provides identity based on some logic that we will put in the >>> parent application. Logic like how to merge all products mentioned earlier? >>> >>> Depends - what is your application deployed to? Keycloak is meant to be >> a standalone service, but can be deployed to WildFly alongside JavaEE apps. >> > > It's going to basically be a java webapp deployed into tomcat or jetty but > can try wildfly. > > >>> - Supposing no work is needed and everything I mentioned is >>> supported can keycloak allow relooking/branding of UI such a way it's >>> inline with most of UI directions we have for all our existing products? >>> >>> Yes, we have theme support that lets you modify the l&f of all pages >> > Awesome > > >> >>> - Can I use keycloak to not only provide SSO for our own >>> applications but also make that keycloak become and ID provider (likes of >>> openID etc ) for other applicaitons that we don't own? >>> >>> Yes, not OpenID though. We support OpenID Connect and SAML v2. >> > > Awesome > >> >> >>> >>> Thanks for reading my questions and I hope I will be able to learn from >>> all of you >>> >>> Best Regards, >>> -- >>> Joseph Kodjo-Kuma Djomeda >>> check out my pains at : www.mycodingpains.com >>> We become what we think about ourselves........ 
>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -- > Joseph Kodjo-Kuma Djomeda > check out my pains at : www.mycodingpains.com > We become what we think about ourselves........ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/7910eaca/attachment.html From joseph at djomeda.com Fri Oct 23 05:04:48 2015 From: joseph at djomeda.com (Joseph Djomeda) Date: Fri, 23 Oct 2015 09:04:48 +0000 Subject: [keycloak-user] Unified login for existing applications In-Reply-To: References: Message-ID: Hi Stian, You have been very helpful starting this. Please receive my gratitude. I will start diving into it . Best Regards, On Fri, Oct 23, 2015 at 8:40 AM Stian Thorgersen wrote: > We have plenty of examples available from the downloads. > > If you want to bundle your app together with Keycloak you'd need: > > * WildFly (needs to match version used by Keycloak as we only support one > version) > * Add the server overlay (look at server installation in the docs) > * Add the WildFly adapter (look at adapter installation in the docs) > * Add your app > > Then create a zip or whatever of that ;) > > On 23 October 2015 at 10:35, Joseph Djomeda wrote: > >> Hi Stian, >> >> Thanks for the swift reply. I have put some comments inline. Is there any >> example , tutorial towards what I would like to achieve meaning building on >> top of keycloak. >> >> Best Regards, >> >> On Fri, Oct 23, 2015 at 8:16 AM Stian Thorgersen >> wrote: >> >>> On 23 October 2015 at 09:59, Joseph Djomeda wrote: >>> >>>> Hi Community, >>>> >>>> Thanks for all the amazing features list I have read about this product >>>> and that is truly exciting.Kudos for pulling down all that. I am new to the >>>> world of SSO and so on but I am doing my home work catching up. 
>>>> >>>> I have a problem and I am wondering whether keycloak is the solution. >>>> We have 5 different applications each using etiher apache shiro or spring >>>> security for authentication. Those using shiro have different hashing >>>> algorithm and different number of iterations. We are about to launch new >>>> products each with their own authentication so we were like why not go >>>> google model. >>>> >>>> here are few questions I would like to ask those of you actively using >>>> keycloak. >>>> >>>> >>>> - Can I build an application with keycloak embedded in it where >>>> keycloak provides identity based on some logic that we will put in the >>>> parent application. Logic like how to merge all products mentioned earlier? >>>> >>>> Depends - what is your application deployed to? Keycloak is meant to be >>> a standalone service, but can be deployed to WildFly alongside JavaEE apps. >>> >> >> It's going to basically be a java webapp deployed into tomcat or jetty >> but can try wildfly. >> >> >>>> - Supposing no work is needed and everything I mentioned is >>>> supported can keycloak allow relooking/branding of UI such a way it's >>>> inline with most of UI directions we have for all our existing products? >>>> >>>> Yes, we have theme support that lets you modify the l&f of all pages >>> >> Awesome >> >> >>> >>>> - Can I use keycloak to not only provide SSO for our own >>>> applications but also make that keycloak become and ID provider (likes of >>>> openID etc ) for other applicaitons that we don't own? >>>> >>>> Yes, not OpenID though. We support OpenID Connect and SAML v2. >>> >> >> Awesome >> >>> >>> >>>> >>>> Thanks for reading my questions and I hope I will be able to learn from >>>> all of you >>>> >>>> Best Regards, >>>> -- >>>> Joseph Kodjo-Kuma Djomeda >>>> check out my pains at : www.mycodingpains.com >>>> We become what we think about ourselves........ 
>>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> -- >> Joseph Kodjo-Kuma Djomeda >> check out my pains at : www.mycodingpains.com >> We become what we think about ourselves........ >> > > -- Joseph Kodjo-Kuma Djomeda check out my pains at : www.mycodingpains.com We become what we think about ourselves........ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/70eb35cf/attachment-0001.html From sthorger at redhat.com Fri Oct 23 05:39:39 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 23 Oct 2015 11:39:39 +0200 Subject: [keycloak-user] Considering to introduce release candidates Message-ID: Lately we've been following a pretty aggressive release schedule with a new Final released every 4 to 6 weeks. We want to continue having frequent releases, but at the same time it would be good to give people the opportunity to test things out in advance of a release. I propose we continue doing releases every 4-6 weeks, but instead of going straight to Final we'll release a CR1. If there are no high priority issues reported against within a week we'll release the Final. Otherwise we'll release CR2, but this time reduce the wait to roughly half a week before releasing Final (or CR3). We would not support migrating between CR releases as they are purely targeted towards testing. These releases should only be used in staging/test environments. Ideally with a copy of the production database. Basically that would mean that upgrading from 1.6.0.Final to 1.7.0.CR1 and then upgrading to 1.7.0.Final would not work. You would have to upgrade directly from 1.6.0.Final to 1.7.0.Final. I'd like to ask the community is this something that would be beneficial? 
Would you actually play with and test release candidates, or would you simply wait for the Final to be released? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/dbb27565/attachment.html From lkrzyzan at redhat.com Fri Oct 23 07:25:36 2015 From: lkrzyzan at redhat.com (Libor Krzyzanek) Date: Fri, 23 Oct 2015 13:25:36 +0200 Subject: [keycloak-user] Considering to introduce release candidates In-Reply-To: References: Message-ID: This makes a lot of sense to me even It would not be possible to upgrade from CR1 to Final on staging. For those who?re waiting for upcoming release and need to be sure that Final version will work (like we do with 1.6.0) that approach will help for sure. Thanks for considering it. Libor Krzy?anek jboss.org Development Team > On Oct 23, 2015, at 11:39 AM, Stian Thorgersen wrote: > > Lately we've been following a pretty aggressive release schedule with a new Final released every 4 to 6 weeks. We want to continue having frequent releases, but at the same time it would be good to give people the opportunity to test things out in advance of a release. > > I propose we continue doing releases every 4-6 weeks, but instead of going straight to Final we'll release a CR1. If there are no high priority issues reported against within a week we'll release the Final. Otherwise we'll release CR2, but this time reduce the wait to roughly half a week before releasing Final (or CR3). > > We would not support migrating between CR releases as they are purely targeted towards testing. These releases should only be used in staging/test environments. Ideally with a copy of the production database. Basically that would mean that upgrading from 1.6.0.Final to 1.7.0.CR1 and then upgrading to 1.7.0.Final would not work. You would have to upgrade directly from 1.6.0.Final to 1.7.0.Final. > > I'd like to ask the community is this something that would be beneficial? 
Would you actually play with and test release candidates, or would you simply wait for the Final to be released? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From fmrage at hotmail.com Fri Oct 23 09:01:50 2015 From: fmrage at hotmail.com (Fabio Monteiro) Date: Fri, 23 Oct 2015 15:01:50 +0200 Subject: [keycloak-user] Choose redirection url of immediate login after a required change of password Message-ID: Hi, after an reset passwrod email is sent to the user and the user clicked on this email, he does enter its password 2 times. He is then invinted to click on a link "Back to application" and ten authenticates himself on the keycloak login screen. All ok. BUT he is then redirect by default (it seems) to the page here: http://localhost:8080/auth/realms/master/account/ Which is in the keycloak webapp. Is there a way to change it ? I tried to put some redirects in the initial url values but it didn't seem to work. Any help? Thanks a lot for your time ! Fabio Monteiro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/8a3040a4/attachment.html From mstrukel at redhat.com Fri Oct 23 10:33:13 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 23 Oct 2015 16:33:13 +0200 Subject: [keycloak-user] Exception loading Keycloak modules in Wildfly 9.0 In-Reply-To: <201510221951.t9MJptPq024105@d03av02.boulder.ibm.com> References: <201510221602.t9MG2oaK026097@d01av04.pok.ibm.com> <201510221951.t9MJptPq024105@d03av02.boulder.ibm.com> Message-ID: Checking the documentation for our examples I realise it needs a lot of improvement, and it's especially out of date for the demo :/ So here are the full command line instructions that work for me. If you're on windows you'll have to translate some of these commands into CLI / PowerShell. 
Since you are only trying to install the adapter I assume you want to run the Keycloak server separately from your content server, but the demo works out-of-the-box only when server and protected content are deployed in the same Wildfly instance. The instructions here configure the server part separately from the client part, but within the same Wildfly instance.

So here we go ...

Download Wildfly 9.0.1, Keycloak Server, Keycloak Wildfly 9 Adapter, and Keycloak Examples. Use Google to find the Download pages ...

    mkdir keycloak
    cd keycloak
    unzip ~/Downloads/wildfly-9.0.1.Final.zip
    cd wildfly-9.0.1.Final
    unzip ~/Downloads/keycloak-overlay-1.6.0.Final.zip
    unzip ~/Downloads/keycloak-wf9-adapter-dist-1.6.0.Final.zip

(press 'A' for All when asked if you want to overwrite existing files - adapter and server overlay contain some of the same modules, since each has to be fully functional by itself)

Now we should open and edit standalone/configuration/standalone.xml to configure the server (and adapter) part, but we can also configure it directly through the shell using the jboss-cli tool:

    bin/jboss-cli.sh
    embed-server
    /subsystem=datasources/data-source=KeycloakDS/:add(connection-url="jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE",driver-name=h2,jndi-name=java:jboss/datasources/KeycloakDS,password=sa,user-name=sa,use-java-context=true)
    /subsystem=infinispan/cache-container=keycloak:add(jndi-name="infinispan/Keycloak")
    /subsystem=infinispan/cache-container=keycloak/local-cache=realms:add()
    /subsystem=infinispan/cache-container=keycloak/local-cache=users:add()
    /subsystem=infinispan/cache-container=keycloak/local-cache=sessions:add()
    /subsystem=infinispan/cache-container=keycloak/local-cache=loginFailures:add()
    /extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
    /subsystem=keycloak-server:add(web-context=auth)
    quit

The configuration changes will be saved to the standalone.xml file.

We can do the same in order to configure the adapter part:

    bin/jboss-cli.sh
    embed-server
    /extension=org.keycloak.keycloak-adapter-subsystem/:add(module=org.keycloak.keycloak-adapter-subsystem)
    /subsystem=keycloak:add()
    quit

Again the changes will be saved to the standalone.xml file.

Keycloak is now ready to run, but let's build and deploy the demo, so that when we run Wildfly everything will be set up already.

Unpack and build the demo:

    cd ..
    unzip ~/Downloads/keycloak-examples-1.6.0.Final.zip
    cd keycloak-examples-1.6.0.Final/
    cd preconfigured-demo/
    mvn clean install

Deploy by copying to the deployments dir:

    cp database-service/target/database.war ../../wildfly-9.0.1.Final/standalone/deployments/
    cp customer-app/target/customer-portal.war ../../wildfly-9.0.1.Final/standalone/deployments/
    cp product-app/target/product-portal.war ../../wildfly-9.0.1.Final/standalone/deployments/

We also need to load into the Keycloak server the demo realm that contains roles, users, and application clients for our demo to work. We can do this while starting up the Keycloak server.

    cd ../..
    cd wildfly-9.0.1.Final
    bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.realmName=demo -Dkeycloak.migration.file=../keycloak-examples-1.6.0.Final/preconfigured-demo/testrealm.json

Next time you start up Wildfly only use:

    bin/standalone.sh

Otherwise you'll get an exception during startup notifying you that the 'demo' realm can't be imported, as it already exists!

Your Wildfly running the Keycloak server and the content apps (our demo, composed of customer-portal.war, product-portal.war, and database.war) is now ready for use.

You can go to:

http://localhost:8080/customer-portal

and click around. When prompted for login, use 'bburke at redhat.com' as a username, and 'password' as a password.

Let me know if these instructions still don't work for you.

- marko

On Thu, Oct 22, 2015 at 9:51 PM, Vijay Bhadriraju wrote:

> Thanks, Marko.
> I was able to move forward by using the latest adapter you pointed me to. I was able to bring up the Wildfly 9.0 server with the adapter installed and was able to install the Customer-Portal and Product-Portal example apps successfully. But, when I install the Database example app, I get the following error. Any tips on how to resolve this error? Thanks.
>
> 15:39:28,922 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service jboss.deployment.unit.database.POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit.database.POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "database"
>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:163)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYRS0006: Could not load JAX-RS Application class
>     at org.jboss.as.jaxrs.deployment.JaxrsScanningProcessor.scan(JaxrsScanningProcessor.java:205)
>     at org.jboss.as.jaxrs.deployment.JaxrsScanningProcessor.deploy(JaxrsScanningProcessor.java:101)
>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:156)
>     ... 5 more
> Caused by: java.lang.ClassNotFoundException: org.keycloak.example.oauth.DataApplication from [Module "deployment.database:main" from Service Module Loader]
>     at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:455)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:404)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:385)
>     at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:130)
>     at org.jboss.as.jaxrs.deployment.JaxrsScanningProcessor.scan(JaxrsScanningProcessor.java:201)
>     ... 7 more
>
> 15:39:28,937 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 5) WFLYCTL0013: Operation ("add") failed - address: ({"deployment" => "database"}) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.database.POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.database.POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"database\"
>     Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYRS0006: Could not load JAX-RS Application class
>     Caused by: java.lang.ClassNotFoundException: org.keycloak.example.oauth.DataApplication from [Module \"deployment.database:main\" from Service Module Loader]"}}
> 15:39:28,953 ERROR [org.jboss.as.server] (management-handler-thread - 5) WFLYSRV0021: Deploy of deployment "database" was rolled back with the following failure message:
> {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.database.POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.database.POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"database\"
>     Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYRS0006: Could not load JAX-RS Application class
>     Caused by: java.lang.ClassNotFoundException: org.keycloak.example.oauth.DataApplication from [Module \"deployment.database:main\" from Service Module Loader]"}}
> 15:39:28,953 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment database (runtime-name: database) in 11ms
> 15:39:28,953 INFO  [org.jboss.as.controller] (management-handler-thread - 5) WFLYCTL0183: Service status report
> WFLYCTL0186:   Services which failed to start:      service jboss.deployment.unit.database.POST_MODULE
>
> Regards, Vijay
>
>
> From: Marko Strukelj
> To: Vijay Bhadriraju/Raleigh/IBM at IBMUS
> Cc: keycloak-user
> Date: 10/22/2015 12:47 PM
> Subject: Re: [keycloak-user] Exception loading Keycloak modules in Wildfly 9.0
> ------------------------------
>
> Use the latest keycloak-wf9-adapter-dist from the download site:
> http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B
>
> You're trying to use the latest config syntax with an old version that uses a different kind of config, and is outdated.
>
> On Thu, Oct 22, 2015 at 6:02 PM, Vijay Bhadriraju <vbhadrir at us.ibm.com> wrote:
>
> I am getting the following exception after unzipping the keycloak-wildfly-adapter-dist-1.1.0.Final.zip into the WildFly 9.0 server and configuring the standalone.xml file with the following lines as described in the keycloak documentation. I have tried this with Wildfly 10.0 version also and get the same error.
>
> **
> ...
>
> **
> ...
>
> How do I resolve this keycloak module loading exception?
>
> 11:35:36,018 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
> Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.keycloak.keycloak-adapter-subsystem
>     at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:155) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:220) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:143) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:69) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:47) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     ... 3 more
> Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
>     at java.util.concurrent.FutureTask.report(Unknown Source) [rt.jar:1.8.0_65]
>     at java.util.concurrent.FutureTask.get(Unknown Source) [rt.jar:1.8.0_65]
>     at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:147) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     ... 10 more
> Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
>     at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:196) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:69) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:127) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:124) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     at java.util.concurrent.FutureTask.run(Unknown Source) [rt.jar:1.8.0_65]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0_65]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8.0_65]
>     at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
>     at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final.jar:2.2.1.Final]
> Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-adapter-subsystem:main
>     at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:236) [jboss-modules.jar:1.4.4.Final]
>     at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:178) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
>     ... 8 more
>
> Regards, Vijay
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151023/94f1ffc6/attachment-0001.html

From alex_orl1079 at yahoo.it Sat Oct 24 17:27:58 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Sat, 24 Oct 2015 21:27:58 +0000 (UTC)
Subject: [keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called
References: <1792405579.3711775.1445722078748.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1792405579.3711775.1445722078748.JavaMail.yahoo@mail.yahoo.com>

I'm using jboss keycloak 1.5 final version. I developed my custom user federation provider interfacing with keycloak properties and my user enterprise database.

My need is to send up to the user login interface custom error messages based on particular specific errors related to my legacy user db.

I saw keycloak themes have a resources folder by which i can localize and add new messages. Then i can reference them by angular js using

    $myMessage

notation. The problem is i want to raise a message from the keycloak server. My user federation provider implements the UserFederationProvider interface. So i should have to override:

    @Override
    public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
        LOGGER.info("validCredentials(realm, credential)");
        return CredentialValidationOutput.failed();
    }

In the UserFederationProvider interface i read that validCredentials: Validate credentials of unknown user.
The authenticated user is recognized based on provided credentials and returned back in CredentialValidationOutput.

It seems to be the method i was looking for just because CredentialValidationOutput contains custom messages to be sent as validation output. The problem is this method is never called.

The same happens to the close method. It's never called at the end of each request so i cannot dispose my objects. Why?

Thanks a lot
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151024/6c515ec2/attachment.html

From mposolda at redhat.com Mon Oct 26 03:48:54 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Oct 2015 08:48:54 +0100
Subject: [keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called
In-Reply-To: <1792405579.3711775.1445722078748.JavaMail.yahoo@mail.yahoo.com>
References: <1792405579.3711775.1445722078748.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <562DDAE6.4020900@redhat.com>

On 24/10/15 23:27, alex orl wrote:
> I'm using jboss keycloak 1.5 final version.
> I developed my custom user federation provider interfacing with
> keycloak properties and my user enterprise database.
>
> My need is to send up to the user login interface custom error
> messages based on particular specific errors related to my legacy user db.
>
> I saw keycloak themes have a resources folder by which i can localize
> and add new messages. Then i can reference them by angular js using
>
> $myMessage
>
> notation. The problem is i want to raise a message from the keycloak
> server. My user federation provider implements the UserFederationProvider
> interface. So i should have to override:
>
> @Override
> public CredentialValidationOutput validCredentials(RealmModel realm,
> UserCredentialModel credential) {
>     LOGGER.info("validCredentials(realm, credential)");
>     return CredentialValidationOutput.failed();
> }
>
> In the UserFederationProvider interface i read that validCredentials:
> Validate credentials of unknown user. The authenticated user is
> recognized based on provided credentials and returned back in
> CredentialValidationOutput
>
> It seems to be the method i was looking for just because
> CredentialValidationOutput contains custom messages to be sent as
> validation output. The problem is this method is never called.

This method is called by Keycloak just during use-cases when you want to authenticate with an unknown user, which is currently during Kerberos/SPNEGO login. It's not called during the basic flow with username/password authentication.

I think if you want to propagate error messages, you can for example throw ModelException with the error message you want.

> The same happens to the close method. It's never called at the end of
> each request so i cannot dispose my objects
> Why?

Feel free to create a JIRA for the close method.

Marek

> Thanks a lot
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
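Marko's command-line walkthrough earlier in this thread is a manual procedure. The script below is an added example, not Marko's own script and not code from the Keycloak project: it wraps the same steps into shell functions and adds the two checks a practitioner would want before starting the server. It refuses to proceed when the server overlay, adapter and examples are not one Keycloak release (the 1.1.0 adapter zip combined with current configuration syntax is what produced the ModuleNotFoundException quoted above), and it passes the realm-import flags only on the first start, since a second import fails because the 'demo' realm already exists. Assumptions that are not in the thread: the four zips sit in $DOWNLOADS, the jboss-cli commands are fed with --file=, and a marker file under standalone/data records that the import has been done.

```shell
#!/bin/sh
# Added example, not Marko's script and not Keycloak project code: the demo
# installation steps from the thread as shell functions, plus two checks.
# Assumed (not in the thread): the four zips sit in $DOWNLOADS, jboss-cli is fed
# with --file=, and a marker file records that the demo realm was already imported.
set -eu

DOWNLOADS="${DOWNLOADS:-${HOME:-/tmp}/Downloads}"
WILDFLY_ZIP="wildfly-9.0.1.Final.zip"
OVERLAY_ZIP="keycloak-overlay-1.6.0.Final.zip"
ADAPTER_ZIP="keycloak-wf9-adapter-dist-1.6.0.Final.zip"
EXAMPLES_ZIP="keycloak-examples-1.6.0.Final.zip"
WILDFLY_HOME="wildfly-9.0.1.Final"
EXAMPLES_HOME="keycloak-examples-1.6.0.Final"

# Release encoded in a distribution zip name:
# keycloak-overlay-1.6.0.Final.zip -> 1.6.0.Final (prints nothing if none).
kc_version_of() {
    printf '%s\n' "$1" | sed -nE 's/^.*-([0-9]+\.[0-9]+\.[0-9]+\.[A-Za-z0-9]+)\.zip$/\1/p'
}

# Overlay, adapter and examples must be one release. The ModuleNotFoundException
# in the thread came from a 1.1.0 adapter zip used with configuration for a newer one.
versions_consistent() {
    v1=$(kc_version_of "$1"); v2=$(kc_version_of "$2"); v3=$(kc_version_of "$3")
    [ -n "$v1" ] && [ "$v1" = "$v2" ] && [ "$v1" = "$v3" ]
}

# The jboss-cli commands Marko gives for the server part. The H2 datasource with
# sa/sa is the demo setup from the thread; a real deployment points KeycloakDS at
# a managed database with its own credentials.
server_cli_commands() {
    cat <<'EOF'
embed-server
/subsystem=datasources/data-source=KeycloakDS/:add(connection-url="jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE",driver-name=h2,jndi-name=java:jboss/datasources/KeycloakDS,password=sa,user-name=sa,use-java-context=true)
/subsystem=infinispan/cache-container=keycloak:add(jndi-name="infinispan/Keycloak")
/subsystem=infinispan/cache-container=keycloak/local-cache=realms:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=users:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=sessions:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=loginFailures:add()
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
/subsystem=keycloak-server:add(web-context=auth)
quit
EOF
}

# The jboss-cli commands Marko gives for the adapter part.
adapter_cli_commands() {
    cat <<'EOF'
embed-server
/extension=org.keycloak.keycloak-adapter-subsystem/:add(module=org.keycloak.keycloak-adapter-subsystem)
/subsystem=keycloak:add()
quit
EOF
}

# Startup flags for standalone.sh: import the demo realm ($1) only while the
# marker file ($2) is absent; a second import fails because the realm exists.
startup_args() {
    if [ -e "$2" ]; then
        printf ''
    else
        printf '%s' "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.realmName=demo -Dkeycloak.migration.file=$1"
    fi
}

# Whole procedure; run once from an empty directory.
install_demo() {
    versions_consistent "$OVERLAY_ZIP" "$ADAPTER_ZIP" "$EXAMPLES_ZIP" || {
        echo "overlay, adapter and examples are not the same Keycloak release" >&2
        return 1
    }
    unzip -q "$DOWNLOADS/$WILDFLY_ZIP"
    # -o overwrites without prompting (the 'A' answer in the thread): overlay and
    # adapter ship some of the same modules.
    (cd "$WILDFLY_HOME" && unzip -qo "$DOWNLOADS/$OVERLAY_ZIP" && unzip -qo "$DOWNLOADS/$ADAPTER_ZIP")
    server_cli_commands > server.cli
    adapter_cli_commands > adapter.cli
    "$WILDFLY_HOME/bin/jboss-cli.sh" --file=server.cli
    "$WILDFLY_HOME/bin/jboss-cli.sh" --file=adapter.cli
    unzip -q "$DOWNLOADS/$EXAMPLES_ZIP"
    (cd "$EXAMPLES_HOME/preconfigured-demo" && mvn -q clean install)
    for war in database-service/target/database.war \
               customer-app/target/customer-portal.war \
               product-app/target/product-portal.war; do
        cp "$EXAMPLES_HOME/preconfigured-demo/$war" "$WILDFLY_HOME/standalone/deployments/"
    done
    marker="$WILDFLY_HOME/standalone/data/.demo-realm-imported"
    args=$(startup_args "../$EXAMPLES_HOME/preconfigured-demo/testrealm.json" "$marker")
    mkdir -p "$(dirname "$marker")" && touch "$marker"
    # $args is intentionally unquoted: it is a list of -D flags, or empty.
    (cd "$WILDFLY_HOME" && exec bin/standalone.sh $args)
}

if [ "${1:-}" = "install" ]; then install_demo; fi
```

Run it as `sh install-demo.sh install` from an empty directory with the four zips in $DOWNLOADS. The version check fails fast on the kind of mismatch Vijay hit before anything is unpacked, and the marker file turns Marko's "next time only use bin/standalone.sh" into something the script remembers on its own, so a second run never triggers the realm-already-exists exception.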
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151026/b492ba0b/attachment-0001.html From ornot2008 at yahoo.com Mon Oct 26 04:16:55 2015 From: ornot2008 at yahoo.com (Mai Zi) Date: Mon, 26 Oct 2015 08:16:55 +0000 (UTC) Subject: [keycloak-user] Failed to import IDP meta data into keycloak References: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com> Message-ID: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com> Hi, there, 1) We failed to import ?idp meta data into keycloak (see attachment for the sample xml). ?Pls help taka a look what's going on.? 2) Suppose we can not import the metadata , based on the sample xml given in the attachment, which fields should we fill??? ?? 3) ?In the user guide, there is one sentence: ?"Once you create a SAML provider, there is an?EXPORT?button that appears when viewing that provider. Clicking this button will export a SAML entity descriptor which you can use to"? ? ? ?Here "That provider" means the keycloak as a SP provider ? ?From the demo exported data , it seems so. ?Am I right? ? ? ? ?To work with the 3rd party IDP, we should provide the exported metadata to idp, shouldn't we? I am not familiar with saml concept so any help will be greatly appreciated. Mai ?? ?? ? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151026/c7d624f5/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: federationmetadata-Pre-production.xml Type: text/xml Size: 43643 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151026/c7d624f5/attachment-0001.xml From tdudgeon.ml at gmail.com Mon Oct 26 04:52:10 2015 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Mon, 26 Oct 2015 08:52:10 +0000 Subject: [keycloak-user] Accessing authenticated user's details In-Reply-To: <5627712F.4040200@gmail.com> References: <5627712F.4040200@gmail.com> Message-ID: <562DE9BA.9030703@gmail.com> Wondered if anyone had any thoughts on this? On 21/10/2015 12:04, Tim Dudgeon wrote: > In the case of a web application (e.g. Tomcat app secured by the > keycloak adapter) the web app might need to access details of the > authenticated user (e.g. full name or email). > I've found that this information is available from the session like this: > > KeycloakSecurityContext session = > (KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName()); > IDToken idToken = session.getIdToken(); > String email = idToken.getEmail(); > > One issue with this is that all your web apps are tied to keycloak. > > Is this the right way to handle this? > Are there alternatives? > > Tim > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151026/be776869/attachment.html From mposolda at redhat.com Mon Oct 26 05:24:06 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 26 Oct 2015 10:24:06 +0100 Subject: [keycloak-user] Accessing authenticated user's details In-Reply-To: <562DE9BA.9030703@gmail.com> References: <5627712F.4040200@gmail.com> <562DE9BA.9030703@gmail.com> Message-ID: <562DF136.5010209@redhat.com> If you don't want Keycloak dependencies, you can use request.getRemoteUser() or request.getPrincipal().getName() to access just the userId of authenticated user. 
If you use "principal-attribute" in keycloak.json, it will return the configured attribute instead of userId, so you can receive for example username or email instead. But that way, you will be able to access just this single attribute.

Marek

On 26/10/15 09:52, Tim Dudgeon wrote:
> Wondered if anyone had any thoughts on this?
>
> On 21/10/2015 12:04, Tim Dudgeon wrote:
>> In the case of a web application (e.g. Tomcat app secured by the keycloak adapter) the web app might need to access details of the authenticated user (e.g. full name or email).
>> I've found that this information is available from the session like this:
>>
>>     KeycloakSecurityContext session =
>>         (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
>>     IDToken idToken = session.getIdToken();
>>     String email = idToken.getEmail();
>>
>> One issue with this is that all your web apps are tied to keycloak.
>>
>> Is this the right way to handle this?
>> Are there alternatives?
>>
>> Tim
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From: alex_orl1079 at yahoo.it (alex orl)
Date: Mon, 26 Oct 2015 10:32:16 +0000 (UTC)
Subject: [keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called
In-Reply-To: <562DDAE6.4020900@redhat.com>
References: <562DDAE6.4020900@redhat.com>
Message-ID: <562231933.4426568.1445855536365.JavaMail.yahoo@mail.yahoo.com>

thanks for your answer.
Well, i suddenly tried your suggestion adding a

    throw new ModelException("My message");

inside my provider class. The exception is thrown but the login page is redirected to the standard error page just displaying the message:

    We're sorry ...
    Unexpected error when handling authentication request to identity provider.

How can i make the "My Message" exception message to be displayed on the login page?
thanks

On Monday 26 October 2015 at 8:49, Marek Posolda wrote:

> On 24/10/15 23:27, alex orl wrote:
>> I'm using jboss keycloak 1.5 final version. I developed my custom user federation provider interfacing with keycloak properties and my user enterprise database.
>>
>> My need is to send up to user the login interface custom error messages based on particular specific error related to my legacy user db.
>>
>> I saw keycloak themes have a resources folder by which i can localize and add new messages. Then i can reference them by angular js using $myMessage notation. The problem is i want to rise up a message from keycloak server. My user federation provider implements UserFederationProvider interface. So i should have to override:
>>
>>     @Override
>>     public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
>>         LOGGER.info("validCredentials(realm, credential)");
>>         return CredentialValidationOutput.failed();
>>     }
>>
>> In the UserFederationProvider interface i read that validCredentials: Validate credentials of unknown user. The authenticated user is recognized based on provided credentials and returned back in CredentialValidationOutput
>>
>> It seems to be the method i was looking for just because CredentialValidationOutput contains custom messages to be sent as validation output. The problem is this method is never called.
>
> This method is called by Keycloak just during use-cases, when you want to authenticate with unknown user. Which is currently during Kerberos/SPNEGO login. It's not called during basic flow with username/password authentication.
> I think if you want to propagate error messages, you can for example throw ModelException with the error message you want.
>
>> The same happens to the close method. It's never called at the end of each request so i cannot dispose my objects
>> Why?
>
> Feel free to create JIRA for the close method.
>
> Marek
>
>> Thanks a lot

From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Oct 2015 12:29:46 +0100
Subject: [keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called
In-Reply-To: <562231933.4426568.1445855536365.JavaMail.yahoo@mail.yahoo.com>
References: <562DDAE6.4020900@redhat.com> <562231933.4426568.1445855536365.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <562E0EAA.2080807@redhat.com>

ah, you want to display custom error messages on login screen. It seems you may need to override the UsernamePasswordForm. Take a look at Authentication SPI documentation and examples for how to do it.

Btw. not sure if it's very good to create custom messages based on errors as it can give potential attacker some details about your users. For example we always display "Invalid username or password" error regardless if tried username exists or not, so the attacker doesn't have possibility to "guess" usernames (Some sites display "Invalid user" if username doesn't exist and "Invalid password" if user exists, but password is incorrect. We display single message in both cases).

Marek

On 26/10/15 11:32, alex orl wrote:
> thanks for your answer. Well, i suddenly tried your suggestion adding a throw new ModelException("My message"); inside my provider class.
> The exception is thrown but the login page is redirected to the standard error page just displaying the message:
>
>     We're *sorry* ...
>
>     Unexpected error when handling authentication request to identity provider.
>
> How can i make the "My Message" exception message to be displayed on the login page?
> thanks
>
> On Monday 26 October 2015 at 8:49, Marek Posolda wrote:
>
> On 24/10/15 23:27, alex orl wrote:
>> I'm using jboss keycloak 1.5 final version.
>> I developed my custom user federation provider interfacing with keycloak properties and my user enterprise database.
>>
>> My need is to send up to user the login interface custom error messages based on particular specific error related to my legacy user db.
>>
>> I saw keycloak themes have a resources folder by which i can localize and add new messages. Then i can reference them by angular js using
>>
>>     $myMessage
>>
>> notation. The problem is i want to rise up a message from keycloak server. My user federation provider implements UserFederationProvider interface. So i should have to override:
>>
>>     @Override
>>     public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
>>         LOGGER.info("validCredentials(realm, credential)");
>>         return CredentialValidationOutput.failed();
>>     }
>>
>> In the UserFederationProvider interface i read that validCredentials: Validate credentials of unknown user. The authenticated user is recognized based on provided credentials and returned back in CredentialValidationOutput
>>
>> It seems to be the method i was looking for just because CredentialValidationOutput contains custom messages to be sent as validation output. The problem is this method is never called.
> This method is called by Keycloak just during use-cases, when you want to authenticate with unknown user. Which is currently during Kerberos/SPNEGO login.
> It's not called during basic flow with username/password authentication.
>
> I think if you want to propagate error messages, you can for example throw ModelException with the error message you want.
>
>> The same happens to the close method. It's never called at the end of each request so i cannot dispose my objects
>> Why?
>
> Feel free to create JIRA for the close method.
>
> Marek
>
>> Thanks a lot

From: keycloak-user.myq at xoxy.net (keycloak-user.myq at xoxy.net)
Date: Mon, 26 Oct 2015 09:26:11 -0400
Subject: [keycloak-user] set session cookie domain?

Hello. How can I set the domain of session cookies?

I want to run keycloak at auth.mydomain.com and get the session cookies (for SSO) at other subdomains of mydomain.com.

Browsers will allow sub.domain.com to set cookies for domain.com, but I can't figure out how to get Keycloak to do this.

Thanks in advance!

From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Oct 2015 14:49:38 +0100
Subject: [keycloak-user] set session cookie domain?
Message-ID: <562E2F72.7030407@redhat.com>

This doesn't seem to be supported. Question is why you need it? All the cookies like KEYCLOAK_IDENTITY are set by keycloak server and it's just the keycloak server, which is supposed to read them.
Marek

On 26/10/15 14:26, keycloak-user.myq at xoxy.net wrote:
> Hello. How can I set the domain of session cookies?
>
> I want to run keycloak at auth.mydomain.com and get the session cookies (for SSO) at other subdomains of mydomain.com.
>
> Browsers will allow sub.domain.com to set cookies for domain.com, but I can't figure out how to get Keycloak to do this.
>
> Thanks in advance!

From: keycloak-user.myq at xoxy.net (keycloak-user.myq at xoxy.net)
Date: Mon, 26 Oct 2015 10:21:58 -0400
Subject: [keycloak-user] set session cookie domain?

My goal is to have several web services (which reside at sub1.domain.com, sub2.domain.com, etc.) all redirect users to auth.domain.com for login. When a user is logged in and visits one of the web services, the web service should be able to get the user's identity from a claim signed by the authentication service (keycloak). The only way I know of to do this is to pass a claim in a cookie.

Ideally, the web service should be able to verify the identity claim without needing to emit an HTTP request to the auth service (by verifying the signature against the realm's public key).

Is keycloak the right choice for this? and if not, do you have any recommendations?

On Mon, Oct 26, 2015 at 9:49 AM, Marek Posolda - mposolda at redhat.com wrote:
> This doesn't seem to be supported. Question is why you need it? All the cookies like KEYCLOAK_IDENTITY are set by keycloak server and it's just the keycloak server, which is supposed to read them.
>
> Marek
>
> On 26/10/15 14:26, keycloak-user.myq at xoxy.net wrote:
>> Hello. How can I set the domain of session cookies?
>>
>> I want to run keycloak at auth.mydomain.com and get the session cookies (for SSO) at other subdomains of mydomain.com.
>>
>> Browsers will allow sub.domain.com to set cookies for domain.com, but I can't figure out how to get Keycloak to do this.
>>
>> Thanks in advance!

From: bburke at redhat.com (Bill Burke)
Date: Mon, 26 Oct 2015 10:57:18 -0400
Subject: [keycloak-user] set session cookie domain?
Message-ID: <562E3F4E.5010702@redhat.com>

These are browser based apps? If so, Keycloak *ALREADY* does this. Obtaining claims is not done by cookies, but rather the SSO protocol (OpenID Connect or SAML).

On 10/26/2015 10:21 AM, keycloak-user.myq at xoxy.net wrote:
> My goal is to have several web services (which reside at sub1.domain.com, sub2.domain.com, etc.) all redirect users to auth.domain.com for login. When a user is logged in and visits one of the web services, the web service should be able to get the user's identity from a claim signed by the authentication service (keycloak). The only way I know of to do this is to pass a claim in a cookie.
>
> Ideally, the web service should be able to verify the identity claim without needing to emit an HTTP request to the auth service (by verifying the signature against the realm's public key).
>
> Is keycloak the right choice for this? and if not, do you have any recommendations?
>
> On Mon, Oct 26, 2015 at 9:49 AM, Marek Posolda - mposolda at redhat.com wrote:
>> This doesn't seem to be supported. Question is why you need it? All the cookies like KEYCLOAK_IDENTITY are set by keycloak server and it's just the keycloak server, which is supposed to read them.
>>
>> Marek
>>
>> On 26/10/15 14:26, keycloak-user.myq at xoxy.net wrote:
>>> Hello. How can I set the domain of session cookies?
>>>
>>> I want to run keycloak at auth.mydomain.com and get the session cookies (for SSO) at other subdomains of mydomain.com.
>>>
>>> Browsers will allow sub.domain.com to set cookies for domain.com, but I can't figure out how to get Keycloak to do this.
>>>
>>> Thanks in advance!

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From: alex_orl1079 at yahoo.it (alex orl)
Date: Mon, 26 Oct 2015 15:08:13 +0000 (UTC)
Subject: [keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called
In-Reply-To: <562E0EAA.2080807@redhat.com>
References: <562E0EAA.2080807@redhat.com>
Message-ID: <405970208.4766145.1445872093912.JavaMail.yahoo@mail.yahoo.com>

i agree but you know... if a single-sign-on server is used inside an enterprise cloud/environment, giving the possibility to handle authentication by a custom UserFederationProvider implementation, could be very frequent the need to have custom, and sometimes more meaningful, messages to send to users, not necessarily bringing in security leak.
thanks

On Monday
26 October 2015 at 12:29, Marek Posolda wrote:

> ah, you want to display custom error messages on login screen. It seems you may need to override the UsernamePasswordForm. Take a look at Authentication SPI documentation and examples for how to do it.
>
> Btw. not sure if it's very good to create custom messages based on errors as it can give potential attacker some details about your users. For example we always display "Invalid username or password" error regardless if tried username exists or not, so the attacker doesn't have possibility to "guess" usernames (Some sites display "Invalid user" if username doesn't exist and "Invalid password" if user exists, but password is incorrect. We display single message in both cases).
>
> Marek
>
> On 26/10/15 11:32, alex orl wrote:
>> thanks for your answer. Well, i suddenly tried your suggestion adding a throw new ModelException("My message"); inside my provider class. The exception is thrown but the login page is redirected to the standard error page just displaying the message:
>>
>>     We're sorry ...
>>     Unexpected error when handling authentication request to identity provider.
>>
>> How can i make the "My Message" exception message to be displayed on the login page?
>> thanks
>>
>> On Monday 26 October 2015 at 8:49, Marek Posolda wrote:
>>
>>> On 24/10/15 23:27, alex orl wrote:
>>>> I'm using jboss keycloak 1.5 final version. I developed my custom user federation provider interfacing with keycloak properties and my user enterprise database.
>>>>
>>>> My need is to send up to user the login interface custom error messages based on particular specific error related to my legacy user db.
>>>>
>>>> I saw keycloak themes have a resources folder by which i can localize and add new messages. Then i can reference them by angular js using $myMessage notation. The problem is i want to rise up a message from keycloak server. My user federation provider implements UserFederationProvider interface. So i should have to override:
>>>>     @Override
>>>>     public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
>>>>         LOGGER.info("validCredentials(realm, credential)");
>>>>         return CredentialValidationOutput.failed();
>>>>     }
>>>>
>>>> In the UserFederationProvider interface i read that validCredentials: Validate credentials of unknown user. The authenticated user is recognized based on provided credentials and returned back in CredentialValidationOutput
>>>>
>>>> It seems to be the method i was looking for just because CredentialValidationOutput contains custom messages to be sent as validation output. The problem is this method is never called.
>>>
>>> This method is called by Keycloak just during use-cases, when you want to authenticate with unknown user. Which is currently during Kerberos/SPNEGO login. It's not called during basic flow with username/password authentication.
>>>
>>> I think if you want to propagate error messages, you can for example throw ModelException with the error message you want.
>>>
>>>> The same happens to the close method. It's never called at the end of each request so i cannot dispose my objects
>>>> Why?
>>>
>>> Feel free to create JIRA for the close method.
>>>
>>> Marek
>>>
>>>> Thanks a lot

From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Mon, 26 Oct 2015 16:29:25 +0000
Subject: [keycloak-user] Problems when changing ID of a federated LDAP user.

We changed the uid of an LDAP user to bring it into line with our policy on user ids. This has broken the federation because of the id change. I'm not sure how to work round this but can we at least have some form of notification outside of the application logs?
Message in logs:

    10/26/2015 4:20:30 PM 16:20:30,439 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-45) Failed during import user from LDAP: org.keycloak.models.ModelDuplicateException: Can't import user 'will.cross' from LDAP because email 'will at pibenchmark.com' already exists in Keycloak. Existing user with this email is 'will_cross'

*Kevin Thorpe*
CTO
www.p-i.net | @PI_150

From: arun.patnaik at informatica.com (Patnaik, Arun)
Date: Mon, 26 Oct 2015 16:56:20 +0000
Subject: [keycloak-user] MultiTenancy / MultiRealms

Did you get any response to this question? This looks like a limitation in keycloak. Has anyone been able to set this up?

From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Mon, 26 Oct 2015 22:43:00 +0530
Subject: [keycloak-user] MultiTenancy / MultiRealms

Hi,

We have been able to set it up and its working quite well. You can refer to this sample to setup a multi realm setup in keycloak.
https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant

On Mon, Oct 26, 2015 at 10:26 PM, Patnaik, Arun <arun.patnaik at informatica.com> wrote:
> Did you get any response to this question? This looks like a limitation in keycloak. Has anyone been able to set this up?

-- 
Best Regards
*Shiva Saxena*
*Blog | Linkedin | StackOverflow*

From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Mon, 26 Oct 2015 18:17:40 +0100
Subject: [keycloak-user] MultiTenancy / MultiRealms
Message-ID: <562E6034.9060208@kroehling.de>

On 10/16/2015 02:00 PM, Sascha Skorupa wrote:
> we want to authenticate users from different realms in one client/application. We looked at the multitenancy example but there the realms are distinguished by the requested URL. In our case the users send tokens to the application from different issuers. Is there any recommendation how to handle this?

If you are able to determine the realm from the token, then you can just implement your own KeycloakConfigResolver.

http://git.io/vW6kF

- Juca.

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 27 Oct 2015 07:29:21 +0100
Subject: [keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called
In-Reply-To: <405970208.4766145.1445872093912.JavaMail.yahoo@mail.yahoo.com>
References: <562E0EAA.2080807@redhat.com> <405970208.4766145.1445872093912.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <562F19C1.7010908@redhat.com>

Ok. Still the error message on login screen is not the responsibility of federation provider though. Federation provider is more low level SPI for user's operations. You can handle this with Authentication SPI.
For example you can throw the exception from federation provider and catch it in authenticator and display some message based on that.

Marek

On 26/10/15 16:08, alex orl wrote:
> i agree but you know... if a single-sign-on server is used inside an enterprise cloud/environment, giving the possibility to handle authentication by a custom UserFederationProvider implementation, could be very frequent the need to have custom, and sometimes more meaningful, messages to send to users, not necessarily bringing in security leak.
> thanks
>
> On Monday 26 October 2015 at 12:29, Marek Posolda wrote:
>
> ah, you want to display custom error messages on login screen. It seems you may need to override the UsernamePasswordForm. Take a look at Authentication SPI documentation and examples for how to do it.
>
> Btw. not sure if it's very good to create custom messages based on errors as it can give potential attacker some details about your users. For example we always display "Invalid username or password" error regardless if tried username exists or not, so the attacker doesn't have possibility to "guess" usernames (Some sites display "Invalid user" if username doesn't exist and "Invalid password" if user exists, but password is incorrect. We display single message in both cases).
>
> Marek
>
> On 26/10/15 11:32, alex orl wrote:
>> thanks for your answer. Well, i suddenly tried your suggestion adding a throw new ModelException("My message"); inside my provider class. The exception is thrown but the login page is redirected to the standard error page just displaying the message:
>>
>>     We're *sorry* ...
>>
>>     Unexpected error when handling authentication request to identity provider.
>>
>> How can i make the "My Message" exception message to be displayed on the login page?
>> thanks
>>
>> On Monday
>> 26 October 2015 at 8:49, Marek Posolda wrote:
>>
>> On 24/10/15 23:27, alex orl wrote:
>>> I'm using jboss keycloak 1.5 final version.
>>> I developed my custom user federation provider interfacing with keycloak properties and my user enterprise database.
>>>
>>> My need is to send up to user the login interface custom error messages based on particular specific error related to my legacy user db.
>>>
>>> I saw keycloak themes have a resources folder by which i can localize and add new messages. Then i can reference them by angular js using
>>>
>>>     $myMessage
>>>
>>> notation. The problem is i want to rise up a message from keycloak server. My user federation provider implements UserFederationProvider interface. So i should have to override:
>>>
>>>     @Override
>>>     public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
>>>         LOGGER.info("validCredentials(realm, credential)");
>>>         return CredentialValidationOutput.failed();
>>>     }
>>>
>>> In the UserFederationProvider interface i read that validCredentials: Validate credentials of unknown user. The authenticated user is recognized based on provided credentials and returned back in CredentialValidationOutput
>>>
>>> It seems to be the method i was looking for just because CredentialValidationOutput contains custom messages to be sent as validation output. The problem is this method is never called.
>> This method is called by Keycloak just during use-cases, when you want to authenticate with unknown user. Which is currently during Kerberos/SPNEGO login. It's not called during basic flow with username/password authentication.
>>
>> I think if you want to propagate error messages, you can for example throw ModelException with the error message you want.
>>>
>>> The same happens to the close method. It's never called at the end of each request so i cannot dispose my objects
>>> Why?
>> Feel free to create JIRA for the close method.
>>
>> Marek
>>
>>> Thanks a lot

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 27 Oct 2015 07:47:50 +0100
Subject: [keycloak-user] Problems when changing ID of a federated LDAP user.
Message-ID: <562F1E16.5000305@redhat.com>

Hi Kevin,

I've created https://issues.jboss.org/browse/KEYCLOAK-2022 for adding admin events to sync. This will help to track how many errors happened during periodic sync etc.

Marek

On 26/10/15 17:29, Kevin Thorpe wrote:
> We changed the uid of an LDAP user to bring it into line with our policy on user ids. This has broken the federation because of the id change. I'm not sure how to work round this but can we at least have some form of notification outside of the application logs?
>
> Message in logs:
>
>     10/26/2015 4:20:30 PM 16:20:30,439 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-45) Failed during import user from LDAP: org.keycloak.models.ModelDuplicateException: Can't import user 'will.cross' from LDAP because email 'will at pibenchmark.com' already exists in Keycloak. Existing user with this email is 'will_cross'
>
> *Kevin Thorpe*
> CTO
> www.p-i.net | @PI_150
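For the UserFederationProvider thread above, Marek's last suggestion was to throw the exception in the federation provider and catch it in an authenticator, while keeping his earlier warning in mind that error text tied to the submitted username lets a caller discover which usernames exist. The following is an added example, not code from the thread or from the Keycloak project: a replacement for UsernamePasswordForm that logs the provider's detail server-side and shows the user the standard "Invalid username or password" message unless the failure is an outage of the backing store. Class and method signatures are assumed from the Keycloak 1.x Authentication SPI; LegacyDbUnavailableException and the message key are hypothetical names.

```java
// Added example, not from the thread or the Keycloak code base. Signatures are
// assumed from the Keycloak 1.x Authentication SPI; the exception type and the
// message key are hypothetical (they would live in the custom provider / theme).
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.services.messages.Messages;

/**
 * Username/password form that turns a ModelException thrown by a custom
 * UserFederationProvider into a login-page message instead of the generic
 * "We're sorry ..." error page.
 */
public class LegacyDbUsernamePasswordForm extends UsernamePasswordForm {

    private static final Logger LOG = Logger.getLogger(LegacyDbUsernamePasswordForm.class);

    /** Hypothetical message key; add it to the theme's messages_*.properties. */
    static final String LEGACY_DB_UNAVAILABLE = "legacyDbUnavailableMessage";

    @Override
    public boolean validateForm(AuthenticationFlowContext context,
                                MultivaluedMap<String, String> formData) {
        try {
            // Built-in behaviour: look the user up (which calls the federation
            // provider) and check the password. On failure it sets its own
            // "Invalid username or password" challenge and returns false.
            return validateUserAndPassword(context, formData);
        } catch (ModelException e) {
            // The specific reason is for operators: it goes to the server log and
            // the event store, not to the browser.
            LOG.warnf(e, "Legacy user DB failed a login attempt in realm %s",
                      context.getRealm().getName());
            context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);

            // Only an outage of the backing store is safe to state verbatim.
            // Anything tied to the submitted username ("account locked",
            // "user not found") would reveal which usernames exist, so it
            // collapses into the same message Keycloak shows for a bad password.
            String messageKey = (e instanceof LegacyDbUnavailableException)
                    ? LEGACY_DB_UNAVAILABLE
                    : Messages.INVALID_USER;
            Response challenge = context.form().setError(messageKey).createLogin();
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return false;
        }
    }

    /** Thrown by the (hypothetical) federation provider when its database is unreachable. */
    public static class LegacyDbUnavailableException extends ModelException {
        public LegacyDbUnavailableException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Factory listed in META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
     * Extending the built-in factory keeps the requirement choices of the standard
     * form; only the id, the display name and the created instance differ.
     */
    public static class Factory extends UsernamePasswordFormFactory {
        public static final String PROVIDER_ID = "legacy-db-username-password-form";

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public String getDisplayType() {
            return "Username Password Form (legacy DB)";
        }

        @Override
        public Authenticator create(KeycloakSession session) {
            return new LegacyDbUsernamePasswordForm();
        }
    }
}
```

To use it, copy the browser flow in the admin console, replace the Username Password Form execution with this provider, and bind the copy as the realm's browser flow.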
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 27 Oct 2015 12:38:22 +0530
Subject: [keycloak-user] Call back URI after Registration.

Hi all,

I am using Keycloak 1.5.0 to secure my application and wanted to know if it is possible to have a call back uri after the user registers successfully which performs some action and then keycloak redirects it to the respective page.

Thanks.

From: sascha.skorupa at traveltainment.de (Sascha Skorupa)
Date: Tue, 27 Oct 2015 08:36:34 +0000
Subject: [keycloak-user] MultiTenancy / MultiRealms
In-Reply-To: <562E6034.9060208@kroehling.de>
References: <562E6034.9060208@kroehling.de>

Hi,

currently we have implemented an own Resolver that loads the "keycloak.json" configuration by extracting the realm name from the issuer element of the token because the realm name is not explicitly mapped. But I think it is possible to implement a custom protocol mapper to map the realm explicitly to the token. It is not finally clarified how to load the configuration dynamically from a wildfly subsystem.

- sascha

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Juraci Paixão Kröhling
Sent: Monday, 26 October 2015 18:18
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] MultiTenancy / MultiRealms

On 10/16/2015 02:00 PM, Sascha Skorupa wrote:
> we want to authenticate users from different realms in one client/application.
> We looked at the multitenancy example but there the realms are distinguished by the requested URL. In our case the users send tokens to the application from different issuers. Is there any recommendation how to handle this?

If you are able to determine the realm from the token, then you can just implement your own KeycloakConfigResolver.

http://git.io/vW6kF

- Juca.

From: sascha.skorupa at traveltainment.de (Sascha Skorupa)
Date: Tue, 27 Oct 2015 08:39:35 +0000
Subject: [keycloak-user] Multivalued user attributes mapping
In-Reply-To: <56293E48.9070702@redhat.com>
References: <55FFF8C9.1000300@redhat.com> <56293E48.9070702@redhat.com>

Hi Marek,

I think what we want is a composition of both options. Something like this:

    [...]
    "additional_info": {
        "departments": ["finance", "development"],
        "organization": "ABC"
    }
    [...]

I take a look at the AccessTokenTest where multiple values of the same attribute are mapped to an array in the accessToken. This is fine, but how can I configure multiple values for one attribute? The first value is always overwritten.

Cheers,
sascha

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, 22 October 2015 21:52
To: Sascha Skorupa; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Multivalued user attributes mapping

On 22/10/15 16:46, Sascha Skorupa wrote:
> Hi,
>
> if this is currently not possible what does the "Multivalued" flag mean in the mappers section of a client?

It is used if your user has multiple values of same attribute. For example user "john" works in 2 departments "finance" and "development", so attribute "department" of user "john" has 2 values in model - "finance" and "development".
So when "multivalued" is on, then both values of the attribute will be propagated to the accessToken and they will be available in the accessToken in a list (array). However when "multivalued" is off, then just a single value of the attribute is propagated to the accessToken and it's available in the accessToken as a String (or any other simple type).

From what I understood, your use case is that you have 2 different attributes on UserModel and you want to map them into a single attribute in the accessToken. For example you have attribute "department" with value "finance" and attribute "secondaryDepartment" with value "development" and you want them both to be mapped into the accessToken into a single attribute "department" with 2 values "finance" and "development". Is it correct?

That's what we don't have and you may write a custom protocol mapper for it.

Is there any example / documentation how to implement and integrate custom protocol mappers?

Looks like we don't have an example for a protocol mapper, but we have some examples for other providers. See the example distribution and its subdirectory "providers".

Marek

Cheers
sascha

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, 21 September 2015 14:32
To: Sascha Skorupa ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Multivalued user attributes mapping

On 21/09/15 11:52, Sascha Skorupa wrote:

Hi,

we are currently evaluating Keycloak as IDM solution for our company. In doing so we encountered the following questions concerning storing authorization data:

1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as a claim. But how can you configure multiple values for one attribute? If you save another value with the same key the existing one is overwritten.

You mean to map multiple different attributes from User into one attribute of AccessToken?
That's not possible with the existing mappers. The thing is that you can write your own protocol mapper implementation and map the claims exactly how you want.

2) One of the requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in keycloak, or is the only way to use flat user attributes (key/value)?

The accessToken has an "otherClaims" map on it. You can use any hierarchy you want to map your stuff into the access token. The best is again to write your own protocol mapper to achieve exactly what you want.

Marek

Thanks, Sascha
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151027/87a22ba5/attachment-0001.html

From matt at woolnough.com.au Tue Oct 27 07:32:03 2015
From: matt at woolnough.com.au (Matthew Woolnough)
Date: Tue, 27 Oct 2015 21:32:03 +1000
Subject: [keycloak-user] SAML IdP Mapping

I have added a SAML IdP and can successfully authenticate.

I have also added some mappings to map assertions in the SAML token to database fields. I can see that the SAML token in the POST back to keycloak contains the assertions I am after, but nothing is appearing in Keycloak.

How do I go about debugging this scenario? I'm new to the product. I've switched to DEBUG mode, but I'm not seeing anything definitive.

Thanks,
Matthew
-------------- next part --------------
An HTML attachment was scrubbed...
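Picking up Juraci's answer in the MultiTenancy / MultiRealms thread above (if the realm can be determined from the token, implement your own KeycloakConfigResolver), the class below is an added example; it is not code from the thread and not code from the Keycloak project. It assumes the Keycloak 1.x Java adapter SPI (KeycloakConfigResolver, KeycloakDeploymentBuilder, HttpFacade; the HttpFacade package moved between adapter versions, so adjust that import), Jackson on the classpath, and one keycloak-<realm>.json per tenant on the classpath; that file naming is my own convention. The security-relevant point is that the issuer is read from a token that has not been verified yet, so it is used only as a lookup key into the set of realms you actually ship configuration for. The adapter then verifies signature and issuer against that realm's key, so a forged iss cannot make the adapter trust a different realm's key.

```java
package com.example.adapter; // hypothetical package, not part of Keycloak

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade; // org.keycloak.adapters.HttpFacade in older 1.x adapters

/**
 * Selects the per-realm adapter configuration from the "iss" claim of the
 * bearer token. The token is NOT verified here: the issuer is only a lookup
 * key, and only realms with a shipped keycloak-<realm>.json are accepted.
 * The adapter verifies signature and issuer against that realm afterwards.
 */
public class IssuerBasedKeycloakConfigResolver implements KeycloakConfigResolver {

    private static final ObjectMapper JSON = new ObjectMapper();
    // Realm names are restricted to a conservative charset before they end up in a resource path.
    private static final Pattern REALM_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    // Cache deployments: building one parses JSON and may fetch the realm public key.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromBearerToken(request.getHeader("Authorization"));
        if (realm == null) {
            // Unconfigured deployment: the adapter treats the request as unauthenticated.
            return new KeycloakDeployment();
        }
        return cache.computeIfAbsent(realm, this::load);
    }

    private KeycloakDeployment load(String realm) {
        // Assumption: one adapter config per tenant, e.g. /keycloak-tenant-a.json on the classpath.
        InputStream is = getClass().getResourceAsStream("/keycloak-" + realm + ".json");
        if (is == null) {
            throw new IllegalStateException("No adapter configuration for realm " + realm);
        }
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(is);
        // Defence in depth: the file must really describe the realm the token claimed.
        if (!realm.equals(deployment.getRealm())) {
            throw new IllegalStateException("keycloak-" + realm + ".json is for realm " + deployment.getRealm());
        }
        return deployment;
    }

    /**
     * Extracts the realm name from the "iss" claim of an unverified JWT
     * (Keycloak issuers look like https://host/auth/realms/<realm>).
     * Returns null for anything that is not a well-formed bearer JWT.
     */
    static String realmFromBearerToken(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        String[] parts = authorization.substring(7).trim().split("\\.");
        if (parts.length != 3) return null;
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
            JsonNode iss = JSON.readTree(new String(payload, StandardCharsets.UTF_8)).get("iss");
            if (iss == null || !iss.isTextual()) return null;
            String issuer = iss.asText();
            String realm = issuer.substring(issuer.lastIndexOf('/') + 1);
            return REALM_NAME.matcher(realm).matches() ? realm : null;
        } catch (IllegalArgumentException | IOException e) {
            return null; // not base64url / not JSON: let the adapter reject the request
        }
    }
}
```

The resolver is wired in through the keycloak.config.resolver context parameter of the web application, which is how the Keycloak multi-tenant example registers its path-based resolver. Note that the cache never evicts, so a realm whose adapter configuration changes needs a redeploy; and if your issuers live on several hosts, also compare the host part of iss against the auth-server-url in the loaded deployment rather than trusting the last path segment alone.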
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151027/2558266f/attachment.html

From bburke at redhat.com Tue Oct 27 09:09:02 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 27 Oct 2015 09:09:02 -0400
Subject: [keycloak-user] SAML IdP Mapping
Message-ID: <562F776E.7040308@redhat.com>

On 10/27/2015 7:32 AM, Matthew Woolnough wrote:
> I have added a SAML IdP and can successfully authenticate.
>
> I have also added some mappings to map assertions in the SAML token to database fields.
> I can see that the SAML token in the POST back to keycloak contains the assertions I am after, but nothing is appearing in Keycloak.

Which leg is missing the SAML assertion? You have to do 2 different mappings:

#1 Map the SAML assertion that you receive from the external IDP into the keycloak user db.
#2 Map the keycloak user db into the assertion created for the client application. This 2nd part must be done for each client application in the "Clients" tab.

Does that answer the question?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Tue Oct 27 09:11:45 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 27 Oct 2015 09:11:45 -0400
Subject: [keycloak-user] Multivalued user attributes mapping
References: <55FFF8C9.1000300@redhat.com> <56293E48.9070702@redhat.com>
Message-ID: <562F7811.5080401@redhat.com>

I'm wondering if we should just greatly increase the attribute value column size and just marshal the attribute into json or something.

On 10/27/2015 4:39 AM, Sascha Skorupa wrote:
> Hi Marek,
>
> I think what we want is a composition of both options. Something like this:
>
> [...]
> "additional_info": {
>     "departments": [ "finance", "development" ],
>     "organization": "ABC"
> }
> [...]
>
> I took a look at the AccessTokenTest where multiple values of the same attribute are mapped to an array in the accessToken.
> This is fine, but how can I configure multiple values for one attribute? The first value is always overwritten.
>
> Cheers,
> sascha
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Thursday, 22 October 2015 21:52
> *To:* Sascha Skorupa ; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 22/10/15 16:46, Sascha Skorupa wrote:
>
> Hi, if this is currently not possible what does the "Multivalued" flag mean in the mappers section of a client?
>
> It is used if your user has multiple values of the same attribute. For example user "john" works in 2 departments "finance" and "development", so attribute "department" of user "john" has 2 values in the model - "finance" and "development".
> So when "multivalued" is on, then both values of the attribute will be propagated to the accessToken and they will be available in the accessToken in a list (array). However when "multivalued" is off, then just a single value of the attribute is propagated to the accessToken and it's available in the accessToken as a String (or any other simple type).
>
> From what I understood, your use case is that you have 2 different attributes on UserModel and you want to map them into a single attribute in the accessToken. For example you have attribute "department" with value "finance" and attribute "secondaryDepartment" with value "development" and you want them both to be mapped into the accessToken into a single attribute "department" with 2 values "finance" and "development". Is it correct?
>
> That's what we don't have and you may write a custom protocol mapper for it.
>
> Is there any example / documentation how to implement and integrate custom protocol mappers?
>
> Looks like we don't have an example for a protocol mapper, but we have some examples for other providers. See the example distribution and its subdirectory "providers".
>
> Marek
>
> Cheers
> sascha
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, 21 September 2015 14:32
> *To:* Sascha Skorupa ; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 21/09/15 11:52, Sascha Skorupa wrote:
>
> Hi,
>
> we are currently evaluating Keycloak as IDM solution for our company. In doing so we encountered the following questions concerning storing authorization data:
>
> 1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as a claim. But how can you configure multiple values for one attribute? If you save another value with the same key the existing one is overwritten.
>
> You mean to map multiple different attributes from User into one attribute of AccessToken? That's not possible with the existing mappers. The thing is that you can write your own protocol mapper implementation and map the claims exactly how you want.
>
> 2) One of the requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in keycloak, or is the only way to use flat user attributes (key/value)?
>
> The accessToken has an "otherClaims" map on it. You can use any hierarchy you want to map your stuff into the access token. The best is again to write your own protocol mapper to achieve exactly what you want.
>
> Marek
>
> Thanks, Sascha
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Tue Oct 27 12:40:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Oct 2015 09:40:19 -0700
Subject: [keycloak-user] Keycloak 1.6.1.Final Released

We've just released Keycloak 1.6.1.Final. After releasing 1.6.0.Final we discovered some issues with migration that have been resolved in this release. There's also a fix to a medium security issue that was introduced in 1.6.0.Final.

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151027/4ee00d66/attachment.html

From hr.stoyanov at peruncs.com Tue Oct 27 13:22:29 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Tue, 27 Oct 2015 10:22:29 -0700
Subject: [keycloak-user] Keycloak 1.6.1.Final Released

1.6.1 still not showing on the web site for download?

/Hristo Stoyanov

On Oct 27, 2015 9:41 AM, "Stian Thorgersen" wrote:
> We've just released Keycloak 1.6.1.Final. After releasing 1.6.0.Final we discovered some issues with migration that have been resolved in this release. There's also a fix to a medium security issue that was introduced in 1.6.0.Final.
>
> For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151027/0947ed2b/attachment.html

From sthorger at redhat.com Tue Oct 27 22:56:44 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Oct 2015 19:56:44 -0700
Subject: [keycloak-user] Call back URI after Registration.

Do you just want to invoke something when the user is registered? If so you can implement an EventListener which can perform whatever action you want when users are registered.

On 27 October 2015 at 00:08, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
> Hi all,
>
> I am using Keycloak 1.5.0 to secure my application and wanted to know if it is possible to have a callback URI after the user registers successfully which performs some action and then keycloak redirects it to the respective page.
>
> Thanks.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151027/6189fd96/attachment.html

From sthorger at redhat.com Tue Oct 27 22:59:21 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Oct 2015 19:59:21 -0700
Subject: [keycloak-user] Keycloak 1.6.1.Final Released

There's an issue with the website at the moment so it's not updating itself correctly.
Should be fixed soon, but in the meantime you can use http://keycloak.jboss.org/keycloak/downloads-archive.html?dir=0%3D1.6.1.Final%3B to download 1.6.1.Final.

On 27 October 2015 at 10:22, Hristo Stoyanov wrote:
> 1.6.1 still not showing on the web site for download?
>
> /Hristo Stoyanov
>
> On Oct 27, 2015 9:41 AM, "Stian Thorgersen" wrote:
>> We've just released Keycloak 1.6.1.Final. After releasing 1.6.0.Final we discovered some issues with migration that have been resolved in this release. There's also a fix to a medium security issue that was introduced in 1.6.0.Final.
>>
>> For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151027/a74ebca7/attachment-0001.html

From M.Notarnicola at klopotek.it Wed Oct 28 05:12:11 2015
From: M.Notarnicola at klopotek.it (Notarnicola, Mara)
Date: Wed, 28 Oct 2015 09:12:11 +0000
Subject: [keycloak-user] info about sso without login prompt
Message-ID: <6fed8fe757db4b5e89d4f1bb26c98377@kidd.core.klopotek.local>

Dear all,

I'm using the keycloak js adapter in order to log users in to an application. I need to integrate a previous system of authentication with this new one. To do this, I use the user's credentials passed by the old system to automatically retrieve a keycloak grant, calling the related web service. So I have the session data but I'm not able to use single-sign-on: in fact when I open another tab the user isn't logged in anymore.

I need to know if there is a way to create an sso session, if I must use cookies or browser local storage.
Thank you for your time

Sincerely,
Marianna Notarnicola
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/b5a642d7/attachment.html

From revanth at arvindinternet.com Wed Oct 28 06:38:38 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Wed, 28 Oct 2015 16:08:38 +0530
Subject: [keycloak-user] Login from Native App.

Hi,

I am using Keycloak 1.5.0 to secure my applications and have an android application that requests data from these applications and displays that information. I wanted to know if it is possible using keycloak that after a user logs in, that user persists forever, like in the Gmail android app where it never asks the user to login again once he logs in.

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/9de30db2/attachment.html

From sebastian.olscher at traveltainment.de Wed Oct 28 07:12:47 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Wed, 28 Oct 2015 11:12:47 +0000
Subject: [keycloak-user] Multivalued user attributes mapping
In-Reply-To: <562F7811.5080401@redhat.com>
References: <55FFF8C9.1000300@redhat.com> <56293E48.9070702@redhat.com> <562F7811.5080401@redhat.com>
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC2942529CD19@EX-TT-AC-02.traveltainment.int>

I'm trying to follow this example but I'm not able to assign two different values with the same key to a user in the Keycloak admin console frontend.

I have tried the following: Added a key "department" with a single value, for example "finance". Adding a second key "department" with another value "development" overwrites the initial entry. I also have tried to put something like a list into the value column, such as "development, finance", but this is treated as a single value.
So, my question is: How to add multiple user attribute values for the same key in the frontend?

Thanks,
Sebastian

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Tuesday, October 27, 2015 2:12 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Multivalued user attributes mapping

I'm wondering if we should just greatly increase the attribute value column size and just marshal the attribute into json or something.

On 10/27/2015 4:39 AM, Sascha Skorupa wrote:
> Hi Marek,
>
> I think what we want is a composition of both options. Something like this:
>
> [...]
> "additional_info": {
>     "departments": [ "finance", "development" ],
>     "organization": "ABC"
> }
> [...]
>
> I took a look at the AccessTokenTest where multiple values of the same attribute are mapped to an array in the accessToken. This is fine, but how can I configure multiple values for one attribute? The first value is always overwritten.
>
> Cheers,
> sascha
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Thursday, 22 October 2015 21:52
> *To:* Sascha Skorupa ; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 22/10/15 16:46, Sascha Skorupa wrote:
>
> Hi, if this is currently not possible what does the "Multivalued" flag mean in the mappers section of a client?
>
> It is used if your user has multiple values of the same attribute. For example user "john" works in 2 departments "finance" and "development", so attribute "department" of user "john" has 2 values in the model - "finance" and "development".
> So when "multivalued" is on, then both values of the attribute will be propagated to the accessToken and they will be available in the accessToken in a list (array).
> However when "multivalued" is off, then just a single value of the attribute is propagated to the accessToken and it's available in the accessToken as a String (or any other simple type).
>
> From what I understood, your use case is that you have 2 different attributes on UserModel and you want to map them into a single attribute in the accessToken. For example you have attribute "department" with value "finance" and attribute "secondaryDepartment" with value "development" and you want them both to be mapped into the accessToken into a single attribute "department" with 2 values "finance" and "development". Is it correct?
>
> That's what we don't have and you may write a custom protocol mapper for it.
>
> Is there any example / documentation how to implement and integrate custom protocol mappers?
>
> Looks like we don't have an example for a protocol mapper, but we have some examples for other providers. See the example distribution and its subdirectory "providers".
>
> Marek
>
> Cheers
> sascha
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, 21 September 2015 14:32
> *To:* Sascha Skorupa ; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Multivalued user attributes mapping
>
> On 21/09/15 11:52, Sascha Skorupa wrote:
>
> Hi,
>
> we are currently evaluating Keycloak as IDM solution for our company. In doing so we encountered the following questions concerning storing authorization data:
>
> 1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as a claim. But how can you configure multiple values for one attribute? If you save another value with the same key the existing one is overwritten.
>
> You mean to map multiple different attributes from User into one attribute of AccessToken? That's not possible with the existing mappers.
> The thing is that you can write your own protocol mapper implementation and map the claims exactly how you want.
>
> 2) One of the requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in keycloak, or is the only way to use flat user attributes (key/value)?
>
> The accessToken has an "otherClaims" map on it. You can use any hierarchy you want to map your stuff into the access token. The best is again to write your own protocol mapper to achieve exactly what you want.
>
> Marek
>
> Thanks, Sascha
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From tdudgeon.ml at gmail.com Wed Oct 28 07:17:24 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 28 Oct 2015 11:17:24 +0000
Subject: [keycloak-user] Accessing authenticated user's details
In-Reply-To: <562DF136.5010209@redhat.com>
References: <5627712F.4040200@gmail.com> <562DE9BA.9030703@gmail.com> <562DF136.5010209@redhat.com>
Message-ID: <5630AEC4.8020301@gmail.com>

So if I understand correctly the only way to handle multiple attributes of the user (e.g. name and email) is to use the Keycloak IDToken approach and so be dependent on the Keycloak implementation (or create my
own API that wraps this)?

Tim

On 26/10/2015 09:24, Marek Posolda wrote:
> If you don't want Keycloak dependencies, you can use request.getRemoteUser() or request.getPrincipal().getName() to access just the userId of the authenticated user. If you use "principal-attribute" in keycloak.json, it will return the configured attribute instead of userId, so you can receive for example username or email instead. But that way, you will be able to access just this single attribute.
>
> Marek
>
> On 26/10/15 09:52, Tim Dudgeon wrote:
>> Wondered if anyone had any thoughts on this?
>>
>> On 21/10/2015 12:04, Tim Dudgeon wr
>>> In the case of a web application (e.g. Tomcat app secured by the keycloak adapter) the web app might need to access details of the authenticated user (e.g. full name or email).
>>> I've found that this information is available from the session like this:
>>>
>>>     KeycloakSecurityContext session =
>>>         (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
>>>     IDToken idToken = session.getIdToken();
>>>     String email = idToken.getEmail();
>>>
>>> One issue with this is that all your web apps are tied to keycloak.
>>>
>>> Is this the right way to handle this?
>>> Are there alternatives?
>>>
>>> Tim
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/d723a7f7/attachment.html

From sthorger at redhat.com Wed Oct 28 07:54:42 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Oct 2015 04:54:42 -0700
Subject: [keycloak-user] Login from Native App.

We recently introduced offline tokens that can be used for this purpose.
Offline tokens are not bound to the user's session and remain active until revoked by either the admin or the user.

On 28 October 2015 at 03:38, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
> Hi,
>
> I am using Keycloak 1.5.0 to secure my applications and have an android application that requests data from these applications and displays that information. I wanted to know if it is possible using keycloak that after a user logs in, that user persists forever, like in the Gmail android app where it never asks the user to login again once he logs in.
>
> Thanks.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/a370031b/attachment-0001.html

From sthorger at redhat.com Wed Oct 28 07:59:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Oct 2015 04:59:35 -0700
Subject: [keycloak-user] info about sso without login prompt
In-Reply-To: <6fed8fe757db4b5e89d4f1bb26c98377@kidd.core.klopotek.local>
References: <6fed8fe757db4b5e89d4f1bb26c98377@kidd.core.klopotek.local>

Not exactly sure what you are doing here, but I assume you are using direct grant (or resource owner password credentials grant, as OAuth2 calls it) to exchange a username+password for a token? If so that will not support SSO. To enable SSO you must use the proper redirect based login and have your users login through Keycloak's login page.

On 28 October 2015 at 02:12, Notarnicola, Mara wrote:
> Dear all,
>
> I'm using the keycloak js adapter in order to log users in to an application.
>
> I need to integrate a previous system of authentication with this new one.
>
> To do this, I use the user's credentials passed by the old system to automatically retrieve a keycloak grant, calling the related web service.
>
> So I have the session data but I'm not able to use single-sign-on: in fact when I open another tab the user isn't logged in anymore.
>
> I need to know if there is a way to create an sso session, if I must use cookies or browser local storage.
>
> Thank you for your time
>
> Sincerely,
> Marianna Notarnicola
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/a5fd0676/attachment.html

From sthorger at redhat.com Wed Oct 28 08:01:17 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Oct 2015 05:01:17 -0700
Subject: [keycloak-user] Accessing authenticated user's details
In-Reply-To: <5630AEC4.8020301@gmail.com>
References: <5627712F.4040200@gmail.com> <562DE9BA.9030703@gmail.com> <562DF136.5010209@redhat.com> <5630AEC4.8020301@gmail.com>

Yes, JavaEE currently has no standard way of obtaining a user profile.

On 28 October 2015 at 04:17, Tim Dudgeon wrote:
> So if I understand correctly the only way to handle multiple attributes of the user (e.g. name and email) is to use the Keycloak IDToken approach and so be dependent on the Keycloak implementation (or create my own API that wraps this)?
>
> Tim
>
> On 26/10/2015 09:24, Marek Posolda wrote:
>
> If you don't want Keycloak dependencies, you can use request.getRemoteUser() or request.getPrincipal().getName() to access just the userId of the authenticated user. If you use "principal-attribute" in keycloak.json, it will return the configured attribute instead of userId, so you can receive for example username or email instead.
> But that way, you will be able to access just this single attribute.
>
> Marek
>
> On 26/10/15 09:52, Tim Dudgeon wrote:
>
> Wondered if anyone had any thoughts on this?
>
> On 21/10/2015 12:04, Tim Dudgeon wrote:
>
> In the case of a web application (e.g. Tomcat app secured by the keycloak adapter) the web app might need to access details of the authenticated user (e.g. full name or email).
> I've found that this information is available from the session like this:
>
>     KeycloakSecurityContext session =
>         (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
>     IDToken idToken = session.getIdToken();
>     String email = idToken.getEmail();
>
> One issue with this is that all your web apps are tied to keycloak.
>
> Is this the right way to handle this?
> Are there alternatives?
>
> Tim
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/f2294313/attachment.html

From M.Notarnicola at klopotek.it Wed Oct 28 08:12:48 2015
From: M.Notarnicola at klopotek.it (Notarnicola, Mara)
Date: Wed, 28 Oct 2015 12:12:48 +0000
Subject: [keycloak-user] info about sso without login prompt
References: <6fed8fe757db4b5e89d4f1bb26c98377@kidd.core.klopotek.local>
Message-ID: <961c92ef3a8b41fcbfd2c1ec45719481@kidd.core.klopotek.local>

Yes, you have perfectly understood what I mean.
Ok, thanks

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, October 28, 2015 1:00 PM
To: Notarnicola, Mara
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] info about sso without login prompt

Not exactly sure what you are doing here, but I assume you are using direct grant (or resource owner password credentials grant, as OAuth2 calls it) to exchange a username+password for a token? If so that will not support SSO. To enable SSO you must use the proper redirect based login and have your users login through Keycloak's login page.

On 28 October 2015 at 02:12, Notarnicola, Mara wrote:

Dear all,

I'm using the keycloak js adapter in order to log users in to an application. I need to integrate a previous system of authentication with this new one. To do this, I use the user's credentials passed by the old system to automatically retrieve a keycloak grant, calling the related web service. So I have the session data but I'm not able to use single-sign-on: in fact when I open another tab the user isn't logged in anymore. I need to know if there is a way to create an sso session, if I must use cookies or browser local storage.

Thank you for your time

Sincerely,
Marianna Notarnicola

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
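For the "Multivalued user attributes mapping" thread above, where Marek's answer is that merging several user attributes into one (possibly nested) claim needs a custom protocol mapper writing into the token's otherClaims, and that there is no example for one, here is an added example of such a mapper. It is not code from the thread and not code from the Keycloak project. It assumes the 1.x OIDC protocol mapper SPI as I recall it (AbstractOIDCProtocolMapper, OIDCAccessTokenMapper and OIDCIDTokenMapper with ClientSessionModel in the transform signatures, and UserModel.getAttribute returning a List<String> for multivalued attributes); check those signatures against the version you build against. The provider id and the config keys user.attributes and claim.path are my own names.

```java
package com.example.mappers; // hypothetical package, not part of Keycloak

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/**
 * Collects the values of several user attributes (e.g. "department" and
 * "secondaryDepartment") into ONE multivalued claim placed under a nested
 * path (e.g. "additional_info.departments"). Registered through
 * META-INF/services/org.keycloak.protocol.ProtocolMapper in the provider jar.
 */
public class MergedAttributesClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper {

    public static final String PROVIDER_ID = "oidc-merged-attributes-mapper"; // my own id
    static final String CFG_ATTRIBUTES = "user.attributes";  // comma separated attribute names
    static final String CFG_CLAIM_PATH = "claim.path";       // dot separated claim path

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(CFG_ATTRIBUTES);
        p.setLabel("User attributes (comma separated)");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(p);
        p = new ProviderConfigProperty();
        p.setName(CFG_CLAIM_PATH);
        p.setLabel("Token claim path (dot separated)");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(p);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Merged user attributes"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Collect several user attributes into one multivalued claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel model, KeycloakSession session,
                                            UserSessionModel userSession, ClientSessionModel clientSession) {
        setClaim(token, model, userSession.getUser());
        return token;
    }

    @Override
    public IDToken transformIDToken(IDToken token, ProtocolMapperModel model, KeycloakSession session,
                                    UserSessionModel userSession, ClientSessionModel clientSession) {
        setClaim(token, model, userSession.getUser());
        return token;
    }

    private void setClaim(IDToken token, ProtocolMapperModel model, UserModel user) {
        List<String> values = collectValues(user, model.getConfig().get(CFG_ATTRIBUTES));
        if (values.isEmpty()) return; // no attribute set: do not emit an empty claim
        putNested(token.getOtherClaims(), model.getConfig().get(CFG_CLAIM_PATH), values);
    }

    /** Every value of every configured attribute, in configuration order. */
    static List<String> collectValues(UserModel user, String attributeList) {
        List<String> out = new ArrayList<>();
        if (attributeList == null) return out;
        for (String name : attributeList.split(",")) {
            List<String> v = user.getAttribute(name.trim()); // assumption: multivalued API returns a List
            if (v != null) out.addAll(v);
        }
        return out;
    }

    /** Writes value at "a.b.c", creating intermediate maps; an existing non-map node is replaced. */
    @SuppressWarnings("unchecked")
    static void putNested(Map<String, Object> claims, String path, Object value) {
        String[] parts = path.split("\\.");
        Map<String, Object> cur = claims;
        for (int i = 0; i < parts.length - 1; i++) {
            Object next = cur.get(parts[i]);
            if (!(next instanceof Map)) {
                next = new LinkedHashMap<String, Object>();
                cur.put(parts[i], next);
            }
            cur = (Map<String, Object>) next;
        }
        cur.put(parts[parts.length - 1], value);
    }
}
```

Package it as a provider (the layout Marek points to under the example distribution's "providers" subdirectory), then add the mapper to the client under Mappers with user.attributes set to "department,secondaryDepartment" and claim.path to "additional_info.departments"; a second instance with claim.path "additional_info.organization" fills the sibling key in the same nested map. Because the result ends up in a signed token that downstream services may treat as authorization data, feed it only from attributes administrators control, and remember that every extra value enlarges a token that travels in an Authorization header on every request.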
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/3941eb61/attachment-0001.html

From ornot2008 at yahoo.com Wed Oct 28 09:01:32 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 28 Oct 2015 13:01:32 +0000 (UTC)
Subject: [keycloak-user] Fw: Failed to import IDP meta data into keycloak
In-Reply-To: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com>
References: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <409013529.4373502.1446037293108.JavaMail.yahoo@mail.yahoo.com>

Can anybody help on this?

Thank you very much.

----- Forwarded Message -----
From: Mai Zi
To: "keycloak-user at lists.jboss.org"
Sent: Monday, October 26, 2015 4:16 PM
Subject: Failed to import IDP meta data into keycloak

Hi, there,

1) We failed to import idp meta data into keycloak (see attachment for the sample xml). Pls help take a look what's going on.

2) Suppose we can not import the metadata, based on the sample xml given in the attachment, which fields should we fill?

3) In the user guide, there is one sentence: "Once you create a SAML provider, there is an EXPORT button that appears when viewing that provider. Clicking this button will export a SAML entity descriptor which you can use to"

Here "that provider" means the keycloak as a SP provider? From the demo exported data, it seems so. Am I right?

To work with the 3rd party IDP, we should provide the exported metadata to the idp, shouldn't we?

I am not familiar with saml concepts so any help will be greatly appreciated.

Mai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/714bf5b0/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
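Stian's answer in the "Call back URI after Registration" thread above is to implement an EventListener that performs the action when users register. The factory and listener below are an added example, not code from the thread and not code from the Keycloak project. They follow the EventListenerProviderFactory / EventListenerProvider SPI (the same interfaces the event-listener-sysout sample under the examples' "providers" directory implements) and assume UserModel.setSingleAttribute from the multivalued-attribute era of the model API; the provider id and the attribute name are my own.

```java
package com.example.events; // hypothetical package, not part of Keycloak

import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Runs an action when a user self-registers (EventType.REGISTER).
 * Registered via META-INF/services/org.keycloak.events.EventListenerProviderFactory
 * and then switched on per realm under Events -> Config -> Event Listeners.
 */
public class RegistrationHookFactory implements EventListenerProviderFactory {

    public static final String ID = "registration-hook"; // my own provider id

    @Override public EventListenerProvider create(KeycloakSession session) { return new RegistrationHook(session); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }

    static class RegistrationHook implements EventListenerProvider {
        private static final Logger LOG = Logger.getLogger(RegistrationHook.class);
        private final KeycloakSession session;

        RegistrationHook(KeycloakSession session) { this.session = session; }

        @Override
        public void onEvent(Event event) {
            // Only self-registration. Users created by an administrator arrive as AdminEvents.
            if (event.getType() != EventType.REGISTER) return;

            RealmModel realm = session.realms().getRealm(event.getRealmId());
            if (realm == null) return;
            UserModel user = session.users().getUserById(event.getUserId(), realm);
            if (user == null) return;

            // The listener runs inside the registration request's transaction: keep the work
            // small and local. Anything slow or remote (CRM call, welcome mail) should be
            // queued from here rather than performed here, or its failure aborts registration.
            user.setSingleAttribute("onboarding", "pending"); // attribute name is my own

            Map<String, String> details = event.getDetails(); // e.g. username, email, register_method
            LOG.infof("registration realm=%s user=%s ip=%s details=%s",
                    realm.getName(), user.getUsername(), event.getIpAddress(), details);
        }

        @Override
        public void onEvent(AdminEvent event, boolean includeRepresentation) { }

        @Override
        public void close() { }
    }
}
```

Two caveats that follow from how the SPI works: event listeners only fire when events are enabled for the realm and the listener is selected there, so a silently disabled Events config looks exactly like a broken listener; and a listener does not change where Keycloak sends the browser afterwards, the flow still ends at the client's registered redirect URI, so any page-level reaction belongs in the application that receives that redirect.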
Attachment: federationmetadata-Pre-production.xml (text/xml, 43643 bytes): http://lists.jboss.org/pipermail/keycloak-user/attachments/20151028/714bf5b0/attachment-0001.xml

From bburke at redhat.com Wed Oct 28 09:47:48 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 28 Oct 2015 09:47:48 -0400
Subject: [keycloak-user] Fw: Failed to import IDP meta data into keycloak
In-Reply-To: <409013529.4373502.1446037293108.JavaMail.yahoo@mail.yahoo.com>
References: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com> <409013529.4373502.1446037293108.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5630D204.3060402@redhat.com>

What are you trying to do? Use brokering? That is, you want Keycloak to delegate authentication to an external SAML IDP? Or, do you want to connect an existing SAML client to keycloak?

On 10/28/2015 9:01 AM, Mai Zi wrote:
> Can anybody help on this ?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ornot2008 at yahoo.com Wed Oct 28 19:09:14 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 28 Oct 2015 23:09:14 +0000 (UTC)
Subject: [keycloak-user] Fw: Failed to import IDP meta data into keycloak
In-Reply-To: <409013529.4373502.1446037293108.JavaMail.yahoo@mail.yahoo.com>
References: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com> <409013529.4373502.1446037293108.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <444315878.4748478.1446073755113.JavaMail.yahoo@mail.yahoo.com>

Hi, B.B,

We are using keycloak for brokering.

Thanks a lot.
From ornot2008 at yahoo.com Wed Oct 28 21:06:57 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Thu, 29 Oct 2015 01:06:57 +0000 (UTC)
Subject: [keycloak-user] Fw: Failed to import IDP meta data into keycloak
In-Reply-To: <444315878.4748478.1446073755113.JavaMail.yahoo@mail.yahoo.com>
References: <327649871.3047983.1445847416071.JavaMail.yahoo@mail.yahoo.com> <409013529.4373502.1446037293108.JavaMail.yahoo@mail.yahoo.com> <444315878.4748478.1446073755113.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <661675123.4735364.1446080817353.JavaMail.yahoo@mail.yahoo.com>

Hi,

I re-checked the issue:

1) For version 1.5, the metadata can be imported, with a popup: "Success! The IDP metadata has been loaded from file." But when you press the save button, an error message is shown: "Error! Missing or invalid field(s). Please verify the fields in red."

2) I installed 1.6.0, now it is fine. So it seems a bug in 1.5.

3) For 1.6.0, when I turn on Validate Signature, the field "Validating X509 Certificate" is shown and filled. This seems better than 1.5, which shows nothing. But for 1.6, after turning on Validate Signature, there is nothing changed in the export tab. Is this expected?
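The two practical questions in this thread (which values to enter by hand when the metadata import fails, and what the "Validating X509 Certificate" field must hold once "Validate Signature" is on) can be answered by reading the IdP's own metadata. The following is an added example and not code from the thread or from Keycloak: it parses a constructed, minimal SAML 2.0 IdP metadata document with Python's standard library and pulls out the entityID, the SSO/SLO endpoints per binding, the NameID formats and the signing certificate(s), plus a SHA-256 fingerprint of each signing certificate for out-of-band comparison with the IdP operator. The dictionary key names are this example's own, not the admin console's labels.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like an IdP federation metadata file. The entityID,
# the endpoints and the base64 "certificates" are placeholders, not real values.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          UExBQ0VIT0xERVIgU0lHTklORyBDRVJUIERFUg==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVIgRU5DUllQVElPTiBDRVJU</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_bytes):
    """Extract the values a SAML identity-broker configuration needs from IdP metadata.

    Treat the metadata as untrusted input: fetch it over TLS from the IdP's published
    URL and confirm the signing certificate fingerprint out of band before relying on
    signature validation.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (what the EXPORT button produces) has an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not an IdP's")

    # Only keys marked 'signing' (or with no 'use', which count for both purposes)
    # verify the IdP's responses; an 'encryption' key must not be used for that.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        raise ValueError("no signing certificate: signature validation cannot be enabled")

    endpoints = {}
    for svc in ("SingleSignOnService", "SingleLogoutService"):
        endpoints[svc] = {
            e.get("Binding"): e.get("Location") for e in idp.findall("md:" + svc, NS)
        }
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "sso": endpoints["SingleSignOnService"],
        "slo": endpoints["SingleLogoutService"],
        "validating_x509_certificates": signing_certs,
    }


def cert_sha256_fingerprint(cert_b64):
    """SHA-256 over the certificate's DER bytes, for out-of-band comparison."""
    der = base64.b64decode(cert_b64, validate=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in info.items():
        print(key, "=", value)
    for cert in info["validating_x509_certificates"]:
        print("signing cert sha256 =", cert_sha256_fingerprint(cert))
```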
From mposolda at redhat.com Thu Oct 29 04:24:06 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 29 Oct 2015 09:24:06 +0100
Subject: [keycloak-user] Multivalued user attributes mapping
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC2942529CD19@EX-TT-AC-02.traveltainment.int>
References: <55FFF8C9.1000300@redhat.com> <56293E48.9070702@redhat.com> <562F7811.5080401@redhat.com> <5C3DDBFAC4DBF04084678703EC0AC2942529CD19@EX-TT-AC-02.traveltainment.int>
Message-ID: <5631D7A6.2080904@redhat.com>

On 28/10/15 12:12, Sebastian Olscher wrote:
> I'm trying to follow this example but I'm not able to assign two different values with the same key to a user in the Keycloak admin console frontend.
>
> I have tried the following:
> Added a key "department" with a single value for example "finance". Adding a second key "department" with another value "development" overwrites the initial entry. I also have tried to put something like a list into the value column, such as "development, finance" but this is treated as a single value.

If you use "development##finance" in admin console, the user in DB will have "department" attribute with 2 values "development" and "finance". The ## is used as delimiter. That's something which I've added temporarily, hope it can be removed if we figure more proper way for multivalued attributes support in admin console, account management and registration screen. But the protocol mapper already supports this well, so if you mark "multivalued" switch for your protocolMapper for "department" attribute, the accessToken will contain list with 2 values "development" and "finance".

The usecase with mapping multiple different user model attributes into single access token attribute or even more advanced usecase with your "additional_info" example is not supported OOTB, but you can implement your own ProtocolMapper for it.

Marek

>
> So, my question is: How to add multiple user attribute values for the same key in the frontend?
>
> Thanks,
> Sebastian
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Tuesday, October 27, 2015 2:12 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Multivalued user attributes mapping
>
> I'm wondering if we should just greatly increase the attribute value column size and just marshal the attribute into json or something.
>
> On 10/27/2015 4:39 AM, Sascha Skorupa wrote:
>> Hi Marek,
>>
>> I think what we want is a composition of both options. Something like this:
>>
>> [.]
>> "additional_info": {
>>   "departments": {
>>     "finance",
>>     "development"
>>   },
>>   "organization": "ABC"
>> }
>> [...]
>>
>> I take a look at the AccessTokenTest where multiple values of the same attribute are mapped to an array in the accessToken. This is fine, but how can I configure multiple values for one attribute? The first value is always overwritten.
>>
>> Cheers,
>> sascha
>>
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Thursday, 22 October 2015 21:52
>> To: Sascha Skorupa; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Multivalued user attributes mapping
>>
>> On 22/10/15 16:46, Sascha Skorupa wrote:
>>
>> Hi,
>>
>> if this is currently not possible what does the "Multivalued" flag mean in the mappers section of a client?
>>
>> It is used if your user has multiple values of same attribute. For example user "john" works in 2 departments "finance" and "development", so attribute "department" of user "john" has 2 values in model - "finance" and "development". So when "multivalued" is on, then both values of the attribute will be propagated to accessToken and they will be available in accessToken in list (array). However when "multivalued" is off, then just single value of attribute is propagated to accessToken and it's available in accessToken as String (or any other simple type).
>>
>> From what I understood, your usecase is that you have 2 different attributes on UserModel and you want to map them into single attribute in accessToken. For example you have attribute "department" with value "finance" and attribute "secondaryDepartment" with value "development" and you want them both to be mapped into accessToken into single attribute "department" with 2 values "finance" and "development". Is it correct?
>>
>> That's what we don't have and you may write custom protocol mapper for it.
>>
>> Is there any example / documentation how to implement and integrate custom protocol mappers?
>>
>> Looks we don't have example for protocol mapper, but we have some examples for other providers. See the example distribution and its subdirectory "providers".
>>
>> Marek
>>
>> Cheers
>> sascha
>>
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Monday, 21 September 2015 14:32
>> To: Sascha Skorupa; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Multivalued user attributes mapping
>>
>> On 21/09/15 11:52, Sascha Skorupa wrote:
>>
>> Hi,
>>
>> we are currently evaluating Keycloak as IDM solution for our company. In doing so we encountered the following questions according to storing authorization data:
>>
>> 1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as claim. But, how can you configure multiple values for one attribute? If you save another value with the same key the existing one is overwritten.
>>
>> You mean to map multiple different attributes from User into one attribute of AccessToken? That's not possible with the existing mappers. The thing is that you can write your own protocol mapper implementation and map the claims exactly how you want.
>>
>> 2) One of requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in keycloak or is the only way to use flat user attributes (key/value).
>>
>> The accessToken has "otherClaims" map on it. You can use any hierarchy you want to map your stuff into the access token. The best is again to write your own protocol mapper to achieve exactly what you want.
>>
>> Marek
>>
>> Thanks, Sascha
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From sascha.skorupa at traveltainment.de Thu Oct 29 04:55:02 2015
From: sascha.skorupa at traveltainment.de (Sascha Skorupa)
Date: Thu, 29 Oct 2015 08:55:02 +0000
Subject: [keycloak-user] Multivalued user attributes mapping
In-Reply-To: <5631D7A6.2080904@redhat.com>
References: <55FFF8C9.1000300@redhat.com> <56293E48.9070702@redhat.com> <562F7811.5080401@redhat.com> <5C3DDBFAC4DBF04084678703EC0AC2942529CD19@EX-TT-AC-02.traveltainment.int> <5631D7A6.2080904@redhat.com>

Ok, as you have proposed we have implemented our own Mapper for this usecase. The multivalued problem was not in the mapper, but in the management frontend where I want to store multivalued attributes. I do not find anything in the documentation about this. It seems that the solution is to split the values with "##".
For example:

Key: Value
Departments: finance##development

Thanks,
Sascha

From eduard.matuszak at atos.net Thu Oct 29 08:57:50 2015
From: eduard.matuszak at atos.net (Matuszak, Eduard)
Date: Thu, 29 Oct 2015 12:57:50 +0000
Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

I am trying to implement a userfederation-provider based on a jpa-connection. My approach was:

According to an additional datasource-definition for the federated DB in the standalone.xml

    jdbc:oracle:thin:@servername:1521:schemaname

I tried to register this datasource as an additional connectionJpa-entry in keycloak-server.json as follows:

    ..
    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/CCPKCDS",
            "databaseSchema": "update"
        },
        "FED-DB": {
            "dataSource": "java:jboss/datasources/CCPDS"
        }
    },
    ..

According to this configuration I hoped to be able to establish the appropriate entity manager by coding:

    // Get the appropriate entity manager from the KeycloakSession
    EntityManager em = session.getProvider(JpaConnectionProvider.class, "FED-DB").getEntityManager();

This did not work, indeed there is still only one (default) JpaConnectionProvider available in the session (JpaConnectionProviderList size is 1):

    Set<JpaConnectionProvider> JpaConnectionProviderList = session.getAllProviders(JpaConnectionProvider.class);

My question is: isn't it in principle possible to register a second jpaConnector additionally to the default one, or is there something missing or wrong in my approach?

Thanks for any help in advance.

Best regards,
Eduard Matuszak

Dr. Eduard Matuszak, Worldline, an Atos company, Konstanz, Germany
From m.hayen at first8.nl Fri Oct 30 09:09:51 2015
From: m.hayen at first8.nl (Mark Hayen)
Date: Fri, 30 Oct 2015 14:09:51 +0100
Subject: [keycloak-user] Documentation on website
Message-ID: <56336C1F.8090106@first8.nl>

An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151030/cb5a2042/attachment.html

From sthorger at redhat.com Fri Oct 30 09:14:05 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Oct 2015 13:14:05 +0000
Subject: [keycloak-user] Documentation on website
In-Reply-To: <56336C1F.8090106@first8.nl>
References: <56336C1F.8090106@first8.nl>

We're having some issues with the website - in the meantime you can get the docs from http://keycloak.github.io/docs/index.html

On 30 October 2015 at 13:09, Mark Hayen wrote:
> Hi guys,
>
> I tried to look into the documentation of keycloak, but suddenly the links are dead.
> On http://keycloak.jboss.org/ the documentation link is grey and when googling I get a 404.
> How can I access the keycloak docs?
>
> Mark

From orby at sendregning.no Fri Oct 30 09:51:57 2015
From: orby at sendregning.no (Pål Orby)
Date: Fri, 30 Oct 2015 14:51:57 +0100
Subject: [keycloak-user] Generate offline token

We have two clients registered in our realm; frontend and backend.
Frontend is defined openid-connect/public (HTML/Javascript app) and backend is openid-connect/bearer-only.

How can we generate an offline token for a given user that can be used towards our backend (which is bearer only)?

We have a lot of customers that are integrated to our API (which is our backend client).

Pål Orby
UNIT4 Agresso AS
DevOps
Tel: 22 58 85 00
Mobile: 900 91 705

SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no

From sthorger at redhat.com Fri Oct 30 10:06:50 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Oct 2015 14:06:50 +0000
Subject: [keycloak-user] Generate offline token

Hi there,

Nice to see fellow Norwegians are using Keycloak :)

For offline tokens the idea is that you'd have a frontend app (server or client, whichever floats your boat) that can bootstrap the offline token.

Not sure offline tokens is quite what you need though - can you elaborate a bit on your use case?

From sthorger at redhat.com Fri Oct 30 10:10:59 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Oct 2015 14:10:59 +0000
Subject: [keycloak-user] Getting Started with Keycloak blog posts

For anyone struggling to get started with Keycloak: I've started a new series of blog posts; there are two posts so far:

* Installing the Server
* Securing a REST Service

If you're not already watching our blog do it now.

From orby at sendregning.no Fri Oct 30 10:36:45 2015
From: orby at sendregning.no (Pål Orby)
Date: Fri, 30 Oct 2015 15:36:45 +0100
Subject: [keycloak-user] Generate offline token

Saw your session at JavaZone, so thought we could give KC a try :-)

Our web application is split in two; frontend (HTML5/Javascript) and our backend (REST lv. 3 developed in Java, currently running inside Tomcat).

Our frontend is just a consumer of our backend API (just like any other client), and I've successfully configured KC to use openid-connect/public for our frontend with keycloak.js, and openid-connect/bearer-only for our backend (API) in our test environment (sending the Authorization header with Bearer and keycloak.token to backend when doing ajax requests). This works like expected. Even written our own federation doing password validation from our user database.
But a lot of our customers have integrated their application to our backend API, doing REST calls for issuing invoices, etc.

Most other services that provide you with an API offer tokens that can be used for identification and authentication. And as far as I can see, this is offline tokens in KC.

So we want to have our users log in to our service with their browser, go to our "API key page" and create a new token to be used by the integrations (moving away from Basic auth).

I've created an offline token by hitting a keycloak protected html file and requested a resource with parameter ?scope=offline_access. I do see KC gives me a value back:
http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846

But there is no way I can use this for anything (and in KC it seems to be bound to our frontend application).

Why can't I use the admin rest api to say something like: give me an offline token for this user for this app?

/Pål

2015-10-30 15:06 GMT+01:00 Stian Thorgersen:
> Heisann,
>
> Nice to see fellow Norwegians are using Keycloak :)
>
> For offline tokens the idea is that you'd have a frontend app (server or
> client, whichever floats your boat) that can bootstrap the offline token.
>
> Not sure offline tokens are quite what you need though - can you elaborate
> a bit on your use case?
>
> On 30 October 2015 at 13:51, Pål Orby wrote:
>
>> We have two clients registered in our realm; frontend and backend.
>> Frontend is defined as openid-connect/public (HTML/Javascript app) and backend
>> is openid-connect/bearer-only.
>>
>> How can we generate an offline token for a given user that can be used
>> towards our backend (which is bearer only)?
>>
>> We have a lot of customers that are integrated to our API (which is our
>> backend client).
>>
>> *Pål Orby*
>> UNIT4 Agresso AS
>> DevOps
>> Tlf: 22 58 85 00
>> Mobil: 900 91 705
>>
>> SendRegning - Gjør det enkelt!
>> http://www.sendregning.no
>> http://facebook.com/sendregning
>> http://twitter.com/sendregning
>> http://faktura.no

From bburke at redhat.com Fri Oct 30 10:41:17 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 30 Oct 2015 10:41:17 -0400
Subject: [keycloak-user] Generate offline token
Message-ID: <5633818D.8090903@redhat.com>

You can obtain tokens from a non-browser client. We have two types:

session-based tokens: These are associated with an in-memory (cluster aware) session and have a short expiration (minutes), but can be refreshed with a refresh token. These sessions can be closed automatically if they are idle too long.

offline tokens: They are persisted and have much longer expiration times. They do have timeouts, but these times are generally much longer.

On 10/30/2015 10:36 AM, Pål Orby wrote:
> Saw your session at JavaZone, so thought we could give KC a try :-)
>
> Our web application is split in two; frontend (HTML5/Javascript) and our
> backend (REST lv. 3 developed in Java, currently running inside Tomcat).
>
> Our frontend is just a consumer of our backend API (just like any other
> client), and I've successfully configured KC to use
> openid-connect/public for our frontend with keycloak.js, and
> openid-connect/bearer-only for our backend (API) in our test environment
> (sending the Authorization header with Bearer and keycloak.token to
> backend when doing ajax requests). This works as expected.
> Even written
> our own federation doing password validation from our user database.
>
> But a lot of our customers have integrated their application to our
> backend API, doing REST calls for issuing invoices, etc.
>
> Most other services that provide you with an API offer tokens that can
> be used for identification and authentication. And as far as I can see,
> this is offline tokens in KC.
>
> So we want to have our users log in to our service with their browser,
> go to our "API key page" and create a new token to be used by the
> integrations (moving away from Basic auth).
>
> I've created an offline token by hitting a keycloak protected html file
> and requested a resource with parameter ?scope=offline_access. I do see
> KC gives me a value back:
> http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846
>
> But there is no way I can use this for anything (and in KC it seems to
> be bound to our frontend application).
>
> Why can't I use the admin rest api to say something like: give me an
> offline token for this user for this app?
>
> /Pål
>
> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen:
>
>> Heisann,
>>
>> Nice to see fellow Norwegians are using Keycloak :)
>>
>> For offline tokens the idea is that you'd have a frontend app
>> (server or client, whichever floats your boat) that can bootstrap
>> the offline token.
>>
>> Not sure offline tokens are quite what you need though - can you
>> elaborate a bit on your use case?
>>
>> On 30 October 2015 at 13:51, Pål Orby wrote:
>>
>>> We have two clients registered in our realm; frontend and
>>> backend. Frontend is defined as openid-connect/public
>>> (HTML/Javascript app) and backend is openid-connect/bearer-only.
>>>
>>> How can we generate an offline token for a given user that can
>>> be used towards our backend (which is bearer only)?
>>>
>>> We have a lot of customers that are integrated to our API (which
>>> is our backend client).
>>>
>>> *Pål Orby*
>>> UNIT4 Agresso AS
>>> DevOps
>>> Tlf: 22 58 85 00
>>> Mobil: 900 91 705
>>>
>>> SendRegning - Gjør det enkelt!
>>> http://www.sendregning.no
>>> http://facebook.com/sendregning
>>> http://twitter.com/sendregning
>>> http://faktura.no

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christian_hebert at hotmail.com Fri Oct 30 13:34:52 2015
From: christian_hebert at hotmail.com (Christian Hebert)
Date: Fri, 30 Oct 2015 13:34:52 -0400
Subject: [keycloak-user] Accessing authenticated user's details
References: <5627712F.4040200@gmail.com> <562DE9BA.9030703@gmail.com> <562DF136.5010209@redhat.com> <5630AEC4.8020301@gmail.com>

How about wrapping your application under a filter (or a valve in JBoss or Tomcat)? From there you could populate your authenticated subject (or the session?) with whatever information your keycloak token could provide.

Would that be a good idea?

Date: Wed, 28 Oct 2015 05:01:17 -0700
From: sthorger at redhat.com
To: tdudgeon.ml at gmail.com
CC: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Accessing authenticated user's details

Yes, JavaEE currently has no standard way of obtaining a user profile.

On 28 October 2015 at 04:17, Tim Dudgeon wrote:

So if I understand correctly the only way to handle multiple attributes of the user (e.g. name and email) is to use the Keycloak IDToken approach and so be dependent on the Keycloak implementation (or create my own API that wraps this)?
Tim

On 26/10/2015 09:24, Marek Posolda wrote:

If you don't want Keycloak dependencies, you can use request.getRemoteUser() or request.getPrincipal().getName() to access just the userId of the authenticated user. If you use "principal-attribute" in keycloak.json, it will return the configured attribute instead of userId, so you can receive for example username or email instead. But that way, you will be able to access just this single attribute.

Marek

On 26/10/15 09:52, Tim Dudgeon wrote:

Wondered if anyone had any thoughts on this?

On 21/10/2015 12:04, Tim Dudgeon wrote:

In the case of a web application (e.g. Tomcat app secured by the keycloak adapter) the web app might need to access details of the authenticated user (e.g. full name or email). I've found that this information is available from the session like this:

    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.IDToken;

    // The adapter stores the security context as a request attribute keyed by the class name
    KeycloakSecurityContext session =
        (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    IDToken idToken = session.getIdToken();
    String email = idToken.getEmail();

One issue with this is that all your web apps are tied to keycloak. Is this the right way to handle this? Are there alternatives?

Tim

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
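The flow Stian and Bill describe in the "Generate offline token" thread (a frontend client bootstraps the offline token, a non-browser integration later trades it for short-lived access tokens), as an added example that is not part of the thread and not code from the Keycloak project. The Keycloak base URL, realm name "myrealm", the public client id "frontend", the redirect URI, the backend URL and the regex-based field extraction are all assumptions made for illustration; it targets the standard token endpoint path /realms/{realm}/protocol/openid-connect/token.

```java
// Added example, not from the mailing-list thread or the Keycloak code base.
// Assumed: realm "myrealm", public client "frontend" (the one that bootstrapped the
// offline token), a bearer-only client "backend" guarding https://api.example.invalid/invoices.
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class OfflineTokenExample {
    static final String KEYCLOAK = "https://sso.example.invalid/auth";   // assumption
    static final String REALM = "myrealm";                               // assumption
    static final String CLIENT_ID = "frontend";                          // assumption
    static final String REDIRECT_URI = "http://localhost/keycloak.html"; // from the thread's redirect
    static final String TOKEN_ENDPOINT =
        KEYCLOAK + "/realms/" + REALM + "/protocol/openid-connect/token";
    static final String BACKEND = "https://api.example.invalid/invoices"; // assumption

    // Step 1 (done once, from the "API key page"): the browser was sent to the authorization
    // endpoint with scope=offline_access and came back with ?code=...; exchange that code.
    // Because offline_access was requested, the refresh_token in the response is an offline token.
    static String exchangeCodeForOfflineToken(String code) throws IOException {
        String form = "grant_type=authorization_code"
            + "&client_id=" + enc(CLIENT_ID)
            + "&code=" + enc(code)
            + "&redirect_uri=" + enc(REDIRECT_URI);
        return field(post(TOKEN_ENDPOINT, form), "refresh_token");
    }

    // Step 2 (every time the integration needs to call the API): trade the stored offline token
    // for a short-lived access token. The refresh must use the client_id the token was issued
    // to; a bearer-only client cannot obtain tokens itself.
    static String accessTokenFromOfflineToken(String offlineToken) throws IOException {
        String form = "grant_type=refresh_token"
            + "&client_id=" + enc(CLIENT_ID)
            + "&refresh_token=" + enc(offlineToken);
        return field(post(TOKEN_ENDPOINT, form), "access_token");
    }

    // Step 3: only the short-lived access token ever travels to the bearer-only backend.
    static int callBackend(String accessToken) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(BACKEND).openConnection();
        c.setRequestProperty("Authorization", "Bearer " + accessToken);
        return c.getResponseCode();
    }

    static String post(String url, String form) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream os = c.getOutputStream()) {
            os.write(form.getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != 200) {
            throw new IOException("token endpoint returned HTTP " + c.getResponseCode());
        }
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = r.readLine()) != null; ) sb.append(line);
            return sb.toString();
        }
    }

    // Minimal extraction of one string field from the JSON token response.
    // Good enough for the demo; use a JSON parser in real code.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no " + name + " in token response");
        return m.group(1);
    }

    static String enc(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8");
    }

    public static void main(String[] args) throws IOException {
        String offline = exchangeCodeForOfflineToken(args[0]); // args[0]: the one-time code
        System.out.println("store this as the integration's API key: " + offline);
        String access = accessTokenFromOfflineToken(offline);
        System.out.println("backend responded HTTP " + callBackend(access));
    }
}
```

Two points a practitioner should keep in mind with this layout. The offline token is a bearer credential with a long lifetime, so the integration must store it like a password (encrypted at rest, never logged), and the server keeps it as a persisted session, so a leaked one can be invalidated in Keycloak without forcing a password change. And the code returned to keycloak.html is single-use and useless to the integration on its own; it is the refresh_token obtained from the token endpoint, not the code, that becomes the "API key".

The filter Christian suggests for the "Accessing authenticated user's details" thread, as an added example that is not part of the thread and not code from the Keycloak project: it reads the adapter's KeycloakSecurityContext once and publishes plain request attributes, so application code reads user.email and user.name without importing Keycloak classes. The attribute names are our own choice; it assumes a Servlet 3 web app protected by the Keycloak Tomcat or WildFly adapter, whose authentication runs before filters.

```java
// Added example, not from the mailing-list thread or the Keycloak code base.
// Assumed: the Keycloak adapter has already authenticated the request (it runs as a valve /
// security mechanism ahead of the filter chain) and set KeycloakSecurityContext as an attribute.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.IDToken;

public class UserProfileFilter implements Filter {
    // Attribute names are ours; the rest of the application depends only on these strings.
    public static final String ATTR_ID = "user.id";
    public static final String ATTR_EMAIL = "user.email";
    public static final String ATTR_NAME = "user.name";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Object ctx = http.getAttribute(KeycloakSecurityContext.class.getName());
            if (ctx instanceof KeycloakSecurityContext) {
                KeycloakSecurityContext ksc = (KeycloakSecurityContext) ctx;
                // Browser logins carry an ID token; a bearer-only API request carries only the
                // access token (AccessToken extends IDToken), so fall back to it.
                IDToken token = ksc.getIdToken() != null ? ksc.getIdToken() : ksc.getToken();
                if (token != null) {
                    // These values come from a token whose signature the adapter already verified,
                    // so downstream code may rely on them for this request.
                    http.setAttribute(ATTR_ID, token.getSubject());
                    http.setAttribute(ATTR_EMAIL, token.getEmail());
                    http.setAttribute(ATTR_NAME, token.getName());
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter in web.xml (or with @WebFilter) on the URL patterns that are Keycloak-protected. The email and name claims are only present when the client's protocol mappers put them in the token, so check for null in the consuming code rather than assuming every authenticated request carries them.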