From srinivas.nangunoori at hpe.com  Tue Sep  1 03:37:54 2015
From: srinivas.nangunoori at hpe.com (Nangunoori, Srinivas)
Date: Tue, 1 Sep 2015 07:37:54 +0000
Subject: [keycloak-user] Query regarding import multiple realms through single json file
In-Reply-To: <55E46C08.8040805@redhat.com>
References: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDDCF0@G9W0758.americas.hpqcorp.net> <55E46C08.8040805@redhat.com>
Message-ID: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF78@G9W0758.americas.hpqcorp.net>

There are no errors in server logs,

07:32:58,073 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (ServerService Thread Pool -- 62) Full importing from file /opt/jboss/keycloak/paas.json
07:33:01,517 INFO  [org.keycloak.exportimport.util.ImportUtils] (ServerService Thread Pool -- 62) Realm 'Test2' imported
07:33:01,531 INFO  [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 62) Import finished successfully

Test2 is the last realm entry in my paas.json file. Here Test1 was not imported.

JSON has the following entries:

[ {
    "realm" : "Test1",
    -----
}, {
    "realm" : "Test2",
    -----
}]

-Srini

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, August 31, 2015 8:30 PM
To: Nangunoori, Srinivas; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Query regarding import multiple realms through single json file

Is there something in server log when you start the server? Especially look at logged lines from "ExportImportManager" and "ImportUtils" categories.

Could you also try to use absolute path for the file (just for sure?). You used "paas.json", but later you mentioned "pass.json", but I believe this is just typo in email rather than bad file path?

Marek

On 31/08/15 15:16, Nangunoori, Srinivas wrote:

Hi Experts,

I am trying to import multiple realms info through single json file using following command, here pass.json has multiple realm info. But, only last realm is getting imported in keycloak

bin/standalone.sh -c standalone-ha.xml -b= -bmanagement= -Djboss.node.name= -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=paas.json

Here pass.json has multiple realm info. But, only last realm is getting imported in keycloak.

JSON has info:

[
  {
    "realm" : "Test1",
    -----
  },
  {
    "realm" : "Test2",
    -----
  }
]

In this case, always "Test2" is getting imported not the "Test1".

Regards,
Srini

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com  Tue Sep  1 03:49:26 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 1 Sep 2015 09:49:26 +0200
Subject: [keycloak-user] Query regarding import multiple realms through single json file
In-Reply-To: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF78@G9W0758.americas.hpqcorp.net>
References: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDDCF0@G9W0758.americas.hpqcorp.net> <55E46C08.8040805@redhat.com> <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF78@G9W0758.americas.hpqcorp.net>
Message-ID: <55E55886.3060204@redhat.com>

Could you send me the JSON with your rep? I will try in my environment. Btw. which keycloak version are you using?
Thanks,
Marek

On 01/09/15 09:37, Nangunoori, Srinivas wrote:
> There are no errors in server logs,
>
> 07:32:58,073 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (ServerService Thread Pool -- 62) Full importing from file /opt/jboss/keycloak/paas.json
> 07:33:01,517 INFO  [org.keycloak.exportimport.util.ImportUtils] (ServerService Thread Pool -- 62) Realm 'Test2' imported
> 07:33:01,531 INFO  [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 62) Import finished successfully
>
> Test2 is the last realm entry in my paas.json file. Here Test1 was not imported.
>
> JSON has the following entries:
>
> [ {
>     "realm" : "Test1",
>     -----
> }, {
>     "realm" : "Test2",
>     -----
> }]
>
> -Srini
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, August 31, 2015 8:30 PM
> *To:* Nangunoori, Srinivas; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Query regarding import multiple realms through single json file
>
> Is there something in server log when you start the server? Especially look at logged lines from "ExportImportManager" and "ImportUtils" categories.
>
> Could you also try to use absolute path for the file (just for sure?). You used "paas.json", but later you mentioned "pass.json", but I believe this is just typo in email rather than bad file path?
>
> Marek
>
> On 31/08/15 15:16, Nangunoori, Srinivas wrote:
>
> Hi Experts,
>
> I am trying to import multiple realms info through single json file using following command, here pass.json has multiple realm info. But, only last realm is getting imported in keycloak
>
> bin/standalone.sh -c standalone-ha.xml -b= -bmanagement= -Djboss.node.name= -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=paas.json
>
> Here pass.json has multiple realm info. But, only last realm is getting imported in keycloak.
>
> JSON has info:
>
> [
>   {
>     "realm" : "Test1",
>     -----
>   },
>   {
>     "realm" : "Test2",
>     -----
>   }
> ]
>
> In this case, always "Test2" is getting imported not the "Test1".
>
> Regards,
> Srini

From srinivas.nangunoori at hpe.com  Tue Sep  1 04:02:54 2015
From: srinivas.nangunoori at hpe.com (Nangunoori, Srinivas)
Date: Tue, 1 Sep 2015 08:02:54 +0000
Subject: [keycloak-user] Query regarding import multiple realms through single json file
In-Reply-To: <55E55886.3060204@redhat.com>
References: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDDCF0@G9W0758.americas.hpqcorp.net> <55E46C08.8040805@redhat.com> <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF78@G9W0758.americas.hpqcorp.net> <55E55886.3060204@redhat.com>
Message-ID: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF92@G9W0758.americas.hpqcorp.net>

Thanks for the quick reply.

I am using 1.5.0 with August 7th code base.

Please find attached json file which I am using for import realms.

-Srini

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, September 01, 2015 1:19 PM
To: Nangunoori, Srinivas; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Query regarding import multiple realms through single json file

Could you send me the JSON with your rep? I will try in my environment. Btw. which keycloak version are you using?
Thanks,
Marek

On 01/09/15 09:37, Nangunoori, Srinivas wrote:

There are no errors in server logs,

07:32:58,073 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (ServerService Thread Pool -- 62) Full importing from file /opt/jboss/keycloak/paas.json
07:33:01,517 INFO  [org.keycloak.exportimport.util.ImportUtils] (ServerService Thread Pool -- 62) Realm 'Test2' imported
07:33:01,531 INFO  [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 62) Import finished successfully

Test2 is the last realm entry in my paas.json file. Here Test1 was not imported.

JSON has the following entries:

[ {
    "realm" : "Test1",
    -----
}, {
    "realm" : "Test2",
    -----
}]

-Srini

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, August 31, 2015 8:30 PM
To: Nangunoori, Srinivas; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Query regarding import multiple realms through single json file

Is there something in server log when you start the server? Especially look at logged lines from "ExportImportManager" and "ImportUtils" categories.

Could you also try to use absolute path for the file (just for sure?). You used "paas.json", but later you mentioned "pass.json", but I believe this is just typo in email rather than bad file path?

Marek

On 31/08/15 15:16, Nangunoori, Srinivas wrote:

Hi Experts,

I am trying to import multiple realms info through single json file using following command, here pass.json has multiple realm info. But, only last realm is getting imported in keycloak

bin/standalone.sh -c standalone-ha.xml -b= -bmanagement= -Djboss.node.name= -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=paas.json

Here pass.json has multiple realm info. But, only last realm is getting imported in keycloak.

JSON has info:

[
  {
    "realm" : "Test1",
    -----
  },
  {
    "realm" : "Test2",
    -----
  }
]

In this case, always "Test2" is getting imported not the "Test1".

Regards,
Srini

[Attachment: paas.json (application/octet-stream, 1459 bytes), http://lists.jboss.org/pipermail/keycloak-user/attachments/20150901/c6ae8318/attachment-0001.obj]

From srinivas.nangunoori at hpe.com  Tue Sep  1 04:23:29 2015
From: srinivas.nangunoori at hpe.com (Nangunoori, Srinivas)
Date: Tue, 1 Sep 2015 08:23:29 +0000
Subject: [keycloak-user] Query regarding import multiple realms through single json file
References: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDDCF0@G9W0758.americas.hpqcorp.net> <55E46C08.8040805@redhat.com> <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF78@G9W0758.americas.hpqcorp.net> <55E55886.3060204@redhat.com>
Message-ID: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFFA9@G9W0758.americas.hpqcorp.net>

Quick Update:

I just updated with latest master (Today's code base). Still I am seeing the same issue.

-Srini

From: Nangunoori, Srinivas
Sent: Tuesday, September 01, 2015 1:33 PM
To: 'Marek Posolda'; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Query regarding import multiple realms through single json file

Thanks for the quick reply.

I am using 1.5.0 with August 7th code base.

Please find attached json file which I am using for import realms.

-Srini

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, September 01, 2015 1:19 PM
To: Nangunoori, Srinivas; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Query regarding import multiple realms through single json file

Could you send me the JSON with your rep? I will try in my environment. Btw. which keycloak version are you using?

Thanks,
Marek

On 01/09/15 09:37, Nangunoori, Srinivas wrote:

There are no errors in server logs,

07:32:58,073 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (ServerService Thread Pool -- 62) Full importing from file /opt/jboss/keycloak/paas.json
07:33:01,517 INFO  [org.keycloak.exportimport.util.ImportUtils] (ServerService Thread Pool -- 62) Realm 'Test2' imported
07:33:01,531 INFO  [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 62) Import finished successfully

Test2 is the last realm entry in my paas.json file. Here Test1 was not imported.

JSON has the following entries:

[ {
    "realm" : "Test1",
    -----
}, {
    "realm" : "Test2",
    -----
}]

-Srini

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, August 31, 2015 8:30 PM
To: Nangunoori, Srinivas; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Query regarding import multiple realms through single json file

Is there something in server log when you start the server? Especially look at logged lines from "ExportImportManager" and "ImportUtils" categories.

Could you also try to use absolute path for the file (just for sure?). You used "paas.json", but later you mentioned "pass.json", but I believe this is just typo in email rather than bad file path?

Marek

On 31/08/15 15:16, Nangunoori, Srinivas wrote:

Hi Experts,

I am trying to import multiple realms info through single json file using following command, here pass.json has multiple realm info. But, only last realm is getting imported in keycloak

bin/standalone.sh -c standalone-ha.xml -b= -bmanagement= -Djboss.node.name= -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=paas.json

Here pass.json has multiple realm info. But, only last realm is getting imported in keycloak.

JSON has info:

[
  {
    "realm" : "Test1",
    -----
  },
  {
    "realm" : "Test2",
    -----
  }
]

In this case, always "Test2" is getting imported not the "Test1".
Regards,
Srini

From mposolda at redhat.com  Tue Sep  1 09:57:39 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 1 Sep 2015 15:57:39 +0200
Subject: [keycloak-user] Query regarding import multiple realms through single json file
In-Reply-To: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFFA9@G9W0758.americas.hpqcorp.net>
References: <8FD052C8E2EC9B40B07B148AF2E1E77A39EDDCF0@G9W0758.americas.hpqcorp.net> <55E46C08.8040805@redhat.com> <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFF78@G9W0758.americas.hpqcorp.net> <55E55886.3060204@redhat.com> <8FD052C8E2EC9B40B07B148AF2E1E77A39EDFFA9@G9W0758.americas.hpqcorp.net>
Message-ID: <55E5AED3.6010504@redhat.com>

I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-1789 and have a fix, which will be available for 1.5.0 version.

As a workaround, you can add ids to the realms in JSON file. In that case, it will import both realms. Like this:

[ {
    "id" : "Test1",
    "realm" : "Test1",
    -----
}, {
    "id": "Test2",
    "realm" : "Test2",
    -----
}]

Marek

On 01/09/15 10:23, Nangunoori, Srinivas wrote:
> Quick Update:
>
> I just updated with latest master (Today's code base). Still I am seeing the same issue.
>
> -Srini
>
> *From:* Nangunoori, Srinivas
> *Sent:* Tuesday, September 01, 2015 1:33 PM
> *To:* 'Marek Posolda'; keycloak-user at lists.jboss.org
> *Subject:* RE: [keycloak-user] Query regarding import multiple realms through single json file
>
> Thanks for the quick reply.
>
> I am using 1.5.0 with August 7th code base.
>
> Please find attached json file which I am using for import realms.
>
> -Srini
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, September 01, 2015 1:19 PM
> *To:* Nangunoori, Srinivas; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Query regarding import multiple realms through single json file
>
> Could you send me the JSON with your rep? I will try in my environment. Btw. which keycloak version are you using?
>
> Thanks,
> Marek
>
> On 01/09/15 09:37, Nangunoori, Srinivas wrote:
>
> There are no errors in server logs,
>
> 07:32:58,073 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (ServerService Thread Pool -- 62) Full importing from file /opt/jboss/keycloak/paas.json
> 07:33:01,517 INFO  [org.keycloak.exportimport.util.ImportUtils] (ServerService Thread Pool -- 62) Realm 'Test2' imported
> 07:33:01,531 INFO  [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 62) Import finished successfully
>
> Test2 is the last realm entry in my paas.json file. Here Test1 was not imported.
>
> JSON has the following entries:
>
> [ {
>     "realm" : "Test1",
>     -----
> }, {
>     "realm" : "Test2",
>     -----
> }]
>
> -Srini
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, August 31, 2015 8:30 PM
> *To:* Nangunoori, Srinivas; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Query regarding import multiple realms through single json file
>
> Is there something in server log when you start the server? Especially look at logged lines from "ExportImportManager" and "ImportUtils" categories.
>
> Could you also try to use absolute path for the file (just for sure?). You used "paas.json", but later you mentioned "pass.json", but I believe this is just typo in email rather than bad file path?
>
> Marek
>
> On 31/08/15 15:16, Nangunoori, Srinivas wrote:
>
> Hi Experts,
>
> I am trying to import multiple realms info through single json file using following command, here pass.json has multiple realm info. But, only last realm is getting imported in keycloak
>
> bin/standalone.sh -c standalone-ha.xml -b= -bmanagement= -Djboss.node.name= -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=paas.json
>
> Here pass.json has multiple realm info. But, only last realm is getting imported in keycloak.
>
> JSON has info:
>
> [
>   {
>     "realm" : "Test1",
>     -----
>   },
>   {
>     "realm" : "Test2",
>     -----
>   }
> ]
>
> In this case, always "Test2" is getting imported not the "Test1".
>
> Regards,
> Srini

From robin1233 at gmail.com  Tue Sep  1 10:39:43 2015
From: robin1233 at gmail.com (robinfernandes .)
Date: Tue, 1 Sep 2015 10:39:43 -0400
Subject: [keycloak-user] Different token timeouts for clients under the same realm
In-Reply-To: <93200600.21989709.1441020438386.JavaMail.zimbra@redhat.com>
References: <93200600.21989709.1441020438386.JavaMail.zimbra@redhat.com>
Message-ID:

Thank you so much for that information.
So would these offline tokens be at the realm level as well as currently all token settings are at the realm level?
Is there a roadmap for the 1.6 release?

Thanks,
Robin

On Mon, Aug 31, 2015 at 7:27 AM, Stian Thorgersen wrote:
> Sounds like what you might want are offline tokens. They will allow clients to get a permanent token, which can be revoked by a user or admin, but doesn't expire.
> These should be added to 1.6 release.
>
> ----- Original Message -----
> > From: "robinfernandes ."
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 28 August, 2015 12:32:07 PM
> > Subject: [keycloak-user] Different token timeouts for clients under the same realm
> >
> > Hi All,
> >
> > Is there a possibility where we can set different token timeouts for clients under the same realm?
> >
> > The use case why we are trying to achieve this is basically we have 2 applications which require 2 different timeout settings.
> > We want the web client timeouts to be short since there would be human intervention there always, however we want our Agent timeouts to be very large since there might not be anyone to log into it again.
> >
> > Using Keycloak we have seen that the timeout settings can be applied only at the realm level though, which forces us to have each application in a different realm.
> >
> > Can we have the timeout settings at the client(application) level rather than the realm level so that we can put both the applications in the same realm?
> >
> > Thanks & Regards,
> > Robin

From Henk.Laracker at planonsoftware.com  Tue Sep  1 13:20:43 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Tue, 1 Sep 2015 19:20:43 +0200
Subject: [keycloak-user] Identity Provider Saml HTTP-Redirect binding
Message-ID:

Hi,

We use keycloak with a SAML Identity provider, we have to use http-redirect binding.

The customer expects a SAML request something like

https://samlfeddev.cscdev.com/EasyConnect/SSO/redirect.aspx?IdP=LoginFormIdentityProviderPlanOn&SAMLRequest=rVNNj9MwFPwrke%2BOk5ayjdUUlS2ISIWN2sKBC3Ls110Lxw5%2BTt

But keycloak generates a response like

https://samlfeddev.cscdev.com/EasyConnect/SSO/redirect.aspx?SAMLRequest=rVNNj9MwFPwrke%2BOk5ayjdUUlS2ISIWN2sKBC3Ls110Lxw5%2BTtj

How do I achieve this in keycloak?

Henk

From bburke at redhat.com  Tue Sep  1 16:44:13 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 1 Sep 2015 16:44:13 -0400
Subject: [keycloak-user] Identity Provider Saml HTTP-Redirect binding
In-Reply-To:
References:
Message-ID: <55E60E1D.6020609@redhat.com>

IdP=LoginFormIdentityProviderPlanOn

You need to add this? Is it a hardcoded string? Is Keycloak the IDP? Or is Keycloak delegating login to an external IDP?

We don't support this currently. But it may be something I can quickly add for the next release.

On 9/1/2015 1:20 PM, Henk Laracker wrote:
> Hi,
>
> We use keycloak with a SAML Identity provider, we have to use http-redirect binding.
>
> The customer expects a SAML request something like
>
> https://samlfeddev.cscdev.com/EasyConnect/SSO/redirect.aspx?IdP=LoginFormIdentityProviderPlanOn&SAMLRequest=rVNNj9MwFPwrke%2BOk5ayjdUUlS2ISIWN2sKBC3Ls110Lxw5%2BTt
>
> But keycloak generates a response like
>
> https://samlfeddev.cscdev.com/EasyConnect/SSO/redirect.aspx?SAMLRequest=rVNNj9MwFPwrke%2BOk5ayjdUUlS2ISIWN2sKBC3Ls110Lxw5%2BTtj
>
> How do I achieve this in keycloak?
> Henk

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com  Wed Sep  2 01:29:40 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 2 Sep 2015 07:29:40 +0200
Subject: [keycloak-user] Different token timeouts for clients under the same realm
In-Reply-To:
References: <93200600.21989709.1441020438386.JavaMail.zimbra@redhat.com>
Message-ID: <55E68944.9040500@redhat.com>

I am thinking about enable/disable offline tokens per client. So in admin console in "Client settings" tab there will be on/off switch "Enable offline tokens" and you will be able to request offline token for particular client just if switch is enabled.

Offline tokens won't ever time out, so there won't be any new option in realm timeout settings though.

Marek

On 01/09/15 16:39, robinfernandes . wrote:
> Thank you so much for that information.
> So would these offline tokens be at the realm level as well as currently all token settings are at the realm level?
> Is there a roadmap for the 1.6 release?
>
> Thanks,
> Robin
>
> On Mon, Aug 31, 2015 at 7:27 AM, Stian Thorgersen wrote:
>
>     Sounds like what you might want are offline tokens. They will allow clients to get a permanent token, which can be revoked by a user or admin, but doesn't expire. These should be added to 1.6 release.
>
>     ----- Original Message -----
>     > From: "robinfernandes ."
>     > To: keycloak-user at lists.jboss.org
>     > Sent: Friday, 28 August, 2015 12:32:07 PM
>     > Subject: [keycloak-user] Different token timeouts for clients under the same realm
>     >
>     > Hi All,
>     >
>     > Is there a possibility where we can set different token timeouts for clients under the same realm?
>     >
>     > The use case why we are trying to achieve this is basically we have 2 applications which require 2 different timeout settings.
>     > We want the web client timeouts to be short since there would be human intervention there always, however we want our Agent timeouts to be very large since there might not be anyone to log into it again.
>     >
>     > Using Keycloak we have seen that the timeout settings can be applied only at the realm level though, which forces us to have each application in a different realm.
>     >
>     > Can we have the timeout settings at the client(application) level rather than the realm level so that we can put both the applications in the same realm?
>     >
>     > Thanks & Regards,
>     > Robin

From ah at tradeworks.io  Wed Sep  2 05:18:41 2015
From: ah at tradeworks.io (Anton Hughes)
Date: Wed, 2 Sep 2015 11:18:41 +0200
Subject: [keycloak-user] Latest OpenShift version?
In-Reply-To: <1649384474.21988663.1441020316057.JavaMail.zimbra@redhat.com>
References: <55DABEF1.9030702@redhat.com> <1649384474.21988663.1441020316057.JavaMail.zimbra@redhat.com>
Message-ID:

On 31 August 2015 at 13:25, Stian Thorgersen wrote:
> Keycloak is no longer deployed as a WAR it's deployed as a WildFly extension

Ok. Thanks Stian.

So, how do I access it? What is the url, and the initial username/password?

Thanks

From orestis.tsakiridis at telestax.com  Wed Sep  2 05:25:10 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 2 Sep 2015 12:25:10 +0300
Subject: [keycloak-user] Occasional NPE while retrieving token
Message-ID:

Hello,

I'm experiencing a strange error while trying to retrieve a token. Although initially the application may function properly and tokens issued normally, something happens when I use the Admin REST api that triggers the error. After that no tokens can be issued and an NPE appears in the log. Usually this happens after trying to drop some clients.

Btw, I'm using keycloak-1.4.0.Final.

Here is the command I use to get the token:

curl -k -X POST https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token -d "grant_type=password" -d "client_id=restcomm-identity-rest" -d "username=otsakir" -d "password=...."
And here is what i get in the logs: 09:12:36,414 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at 
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) ... 29 more Caused by: java.lang.NullPointerException at org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353) at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193) at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113) at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at 
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 37 more

Regards
Orestis

From mposolda at redhat.com Wed Sep 2 09:45:18 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 2 Sep 2015 15:45:18 +0200
Subject: [keycloak-user] Occasional NPE while retrieving token
Message-ID: <55E6FD6E.80404@redhat.com>

It looks like you deleted some client, but its composite roles were not properly deleted. It might be a bug though, but not sure. It will be cool if you can provide more detailed steps to reproduce. Are you using the default H2 DB or something else?

Thanks,
Marek

On 02/09/15 11:25, Orestis Tsakiridis wrote:
> Hello,
>
> I'm experiencing a strange error while trying to retrieve a token.
> Although initially the application may function properly and tokens
> are issued normally, something happens when I use the Admin REST API that
> triggers the error. After that no tokens can be issued and an NPE
> appears in the log. Usually this happens after trying to drop some
> clients.
>
> Btw, I'm using keycloak-1.4.0.Final.
>
> Here is the command I use to get the token:
>
> curl -k -X POST https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token -d "grant_type=password" -d "client_id=restcomm-identity-rest" -d "username=otsakir" -d "password=...."
>
> And here is what I get in the logs:
>
> 09:12:36,414 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
>     ... 29 more
> Caused by: java.lang.NullPointerException
>     at org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)
>     at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)
>     at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)
>     at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>     ... 37 more
>
> Regards
>
> Orestis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From getbhanu30 at gmail.com Thu Sep 3 15:07:19 2015
From: getbhanu30 at gmail.com (Bhanu Kiran)
Date: Thu, 3 Sep 2015 14:07:19 -0500
Subject: [keycloak-user] Overriding Theme related Java functionalities.

Team,

Keycloak supports users developing customized design themes for the login and other pages.

1. Please let us know whether, for functionalities like forgot password and multi-step registration, we can override the Java functionality methods and store user-provided data in another DB.

2. Let us know if we can add a new link like security questions on the login page and map it to a Java class.

Thanks,
Bhanu Kiran
From kclark at mbopartners.com Thu Sep 3 22:08:34 2015
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Fri, 4 Sep 2015 02:08:34 +0000
Subject: [keycloak-user] Able To Access Token Without Using Password

We were testing mobile access scenarios and discovered that we are able to obtain an access token using an AD user with a blank password. Keycloak works as expected if the password parameter is not sent, the password sent is correct, or the password sent is incorrect; however, when we send a password without a value, Keycloak returns an access token.

We are using Keycloak 1.4.0.Final. We have confirmed the issue using two different installations of 1.4.0.Final. We have tested the same scenario with Keycloak 1.3.1.Final and it works as expected.

Kenyatta Clark
Principal Engineer, Systems Development
MBO Partners
t: 703.793.6314
w: www.mbopartners.com

Notice: This email and any files transmitted with it are confidential. They are intended solely for the use of the individual addressed. If you have received this email in error please notify postmaster at mbopartners.com and permanently delete the e-mail and files.
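The outcome reported above (absent password rejected, blank password accepted) is the classic shape of an LDAP "unauthenticated" simple bind (RFC 4513 section 5.1.2: non-empty name, empty password, server answers success with anonymous authorization) being mistaken for a successful login. The thread does not say that this was the cause in 1.4.0; the defender-side check is the same regardless. The following is an added example in Python, not Keycloak's or the reporter's code: a constructed in-memory directory standing in for AD, the buggy grant beside the hardened one, run over the four request shapes from the report. DN layout, users and token format are constructed for this example.

```python
"""
Added example (not Keycloak's code). Models RFC 4513 simple Bind outcomes
and shows why a password grant must reject a blank password before binding
and must require an authorization identity, not just resultCode == success.
The directory, DN layout and token format are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory directory: DN -> password (a stand-in for AD).
DIRECTORY: Dict[str, str] = {
    "cn=kclark,ou=users,dc=example,dc=test": "correct-horse-battery",
}


@dataclass
class BindResult:
    success: bool            # LDAP resultCode == success
    authzid: Optional[str]   # authorization identity; None means anonymous


def simple_bind(dn: str, password: str) -> BindResult:
    """Model of a directory's simple Bind outcomes (RFC 4513 section 5.1)."""
    if dn == "" and password == "":
        return BindResult(True, None)          # 5.1.1 anonymous bind
    if dn != "" and password == "":
        return BindResult(True, None)          # 5.1.2 unauthenticated bind
    if DIRECTORY.get(dn) == password:
        return BindResult(True, dn)            # 5.1.3 authenticated as dn
    return BindResult(False, None)             # invalidCredentials


def user_dn(username: str) -> str:
    """Constructed DN layout for this example."""
    return f"cn={username},ou=users,dc=example,dc=test"


def naive_password_grant(form: Dict[str, str]) -> Optional[str]:
    """Buggy pattern: checks only that the parameter exists and that the
    bind reported success. A blank password therefore yields a token."""
    if "username" not in form or "password" not in form:
        return None
    result = simple_bind(user_dn(form["username"]), form["password"])
    return f"token:{form['username']}" if result.success else None


def hardened_password_grant(form: Dict[str, str]) -> Optional[str]:
    """Defensive pattern: reject empty credentials before binding, and
    require the bind to yield exactly the expected authorization identity."""
    username = form.get("username", "")
    password = form.get("password")
    if not username or not password:          # missing OR blank -> reject
        return None
    dn = user_dn(username)
    result = simple_bind(dn, password)
    if not result.success or result.authzid != dn:
        return None                            # anonymous/unauthenticated bind
    return f"token:{username}"


# The four request shapes from the report: parameter absent, correct,
# incorrect, and present-but-blank (constructed form bodies).
CASES = {
    "absent":  {"username": "kclark"},
    "correct": {"username": "kclark", "password": "correct-horse-battery"},
    "wrong":   {"username": "kclark", "password": "nope"},
    "blank":   {"username": "kclark", "password": ""},
}


def run_cases() -> Dict[str, tuple]:
    """Return {case: (naive issued a token, hardened issued a token)}."""
    return {
        name: (naive_password_grant(f) is not None,
               hardened_password_grant(f) is not None)
        for name, f in CASES.items()
    }


if __name__ == "__main__":
    for name, (naive, hard) in run_cases().items():
        n = "TOKEN" if naive else "deny"
        h = "TOKEN" if hard else "deny"
        print(f"{name:8s} naive={n:5s} hardened={h}")
```

Only the "blank" row differs between the two columns, which is exactly the divergence the report describes between the missing-parameter and empty-value cases.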
From satyajit.das at spire2grow.com Fri Sep 4 00:53:34 2015
From: satyajit.das at spire2grow.com (Satyajit Das)
Date: Fri, 4 Sep 2015 10:23:34 +0530
Subject: [keycloak-user] Keycloak Authentication Switch off

Hi Team,

I am using Keycloak with Tomcat integration along with multi-tenancy. I use Keycloak to secure REST services. Is there any way to switch off the authentication when it is not required? I don't want to make any changes to web.xml or the context.xml, which contains the adapter. I also have a path resolver to resolve the multi-tenancy. Is there any way to switch off authentication?

Regards,
Satya.

From Henk.Laracker at planonsoftware.com Fri Sep 4 02:50:44 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Fri, 4 Sep 2015 08:50:44 +0200
Subject: [keycloak-user] Identity Provider Saml HTTP-Redirect binding
In-Reply-To: <55E60E1D.6020609@redhat.com>
References: <55E60E1D.6020609@redhat.com>

Bill,

Keycloak is delegating the login to an external IDP. It is a hardcoded string, but if it could be a little bit more flexible that would be great: if we could add custom key=value pairs to the URL, defined per SAML definition.

Thanks,
Henk

On 01/09/15 22:44, "keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke" wrote:

> IdP=LoginFormIdentityProviderPlanOn
>
> You need to add this? Is it a hardcoded string? Is Keycloak the IDP?
> Or is Keycloak delegating login to an external IDP?
>
> We don't support this currently. But it may be something I can quickly
> add for the next release.
>
> On 9/1/2015 1:20 PM, Henk Laracker wrote:
>> Hi,
>>
>> We use Keycloak with a SAML identity provider; we have to use the
>> HTTP-Redirect binding.
>>
>> The customer expects a SAML request something like
>>
>> https://samlfeddev.cscdev.com/EasyConnect/SSO/redirect.aspx?IdP=LoginFormIdentityProviderPlanOn&SAMLRequest=rVNNj9MwFPwrke%2BOk5ayjdUUlS2ISIWN2sKBC3Ls110Lxw5%2BTt
>>
>> But Keycloak generates a response like
>>
>> https://samlfeddev.cscdev.com/EasyConnect/SSO/redirect.aspx?SAMLRequest=rVNNj9MwFPwrke%2BOk5ayjdUUlS2ISIWN2sKBC3Ls110Lxw5%2BTtj
>>
>> How do I achieve this in Keycloak?
>> Henk
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From orestis.tsakiridis at telestax.com Fri Sep 4 04:54:16 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Fri, 4 Sep 2015 11:54:16 +0300
Subject: [keycloak-user] Occasional NPE while retrieving token
In-Reply-To: <55E6FD6E.80404@redhat.com>
References: <55E6FD6E.80404@redhat.com>

Hi Marek,

Hmmm, indeed, that happens after having deleted clients. But I haven't defined any composite roles. The rest of the REST API operations I've used don't seem to trigger it.

But wait! I think you rang a bell. The clients I remove have their own application-level roles created and bound to them. They are not composite, though, in the strict sense of the term. Possibly the user that tries to get a token is also assigned these roles. Btw, is it proper practice to remove a client without removing its own application roles first?

Also, I'm using the default H2 DB setup. I will try to reproduce and post my findings to this thread.
Thanks Marek

Orestis

On Wed, Sep 2, 2015 at 4:45 PM, Marek Posolda wrote:

> It looks like you deleted some client, but its composite roles were not
> properly deleted. It might be a bug though, but not sure. It will be cool
> if you can provide more detailed steps to reproduce. Are you using the default
> H2 DB or something else?
>
> Thanks,
> Marek
>
> On 02/09/15 11:25, Orestis Tsakiridis wrote:
>> Hello,
>>
>> I'm experiencing a strange error while trying to retrieve a token.
>> Although initially the application may function properly and tokens are issued
>> normally, something happens when I use the Admin REST API that triggers the
>> error. After that no tokens can be issued and an NPE appears in the log.
>> Usually this happens after trying to drop some clients.
>>
>> Btw, I'm using keycloak-1.4.0.Final.
>>
>> Here is the command I use to get the token:
>>
>> curl -k -X POST https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token -d "grant_type=password" -d "client_id=restcomm-identity-rest" -d "username=otsakir" -d "password=...."
>>
>> Regards
>>
>> Orestis

From mposolda at redhat.com Fri Sep 4 06:23:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 4 Sep 2015 12:23:15 +0200
Subject: [keycloak-user] Able To Access Token Without Using Password
Message-ID: <55E97113.9060907@redhat.com>

Thanks for pointing this out. Will be fixed in 1.5.0.

Marek

On 04/09/15 04:08, Kenyatta Clark wrote:
> We were testing mobile access scenarios and discovered that we are
> able to obtain an access token using an AD user with a blank password.
> Keycloak works as expected if the password parameter is not sent, the
> password sent is correct, or the password sent is incorrect; however, when
> we send a password without a value Keycloak returns an access token.
> We are using Keycloak 1.4.0.Final. We have confirmed the issue
> using two different installations of 1.4.0.Final. We have tested the
> same scenario with Keycloak 1.3.1.Final and it works as expected.
>
> Kenyatta Clark
> Principal Engineer, Systems Development
> MBO Partners
> t: 703.793.6314
> w: www.mbopartners.com
>
> Notice: This email and any files transmitted with it are confidential.
> They are intended solely for the use of the individual addressed. If
> you have received this email in error please notify
> postmaster at mbopartners.com and
> permanently delete the e-mail and files.

From peterson.dean at gmail.com Sun Sep 6 20:47:42 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 6 Sep 2015 19:47:42 -0500
Subject: [keycloak-user] Users added since last restart MISSING/GONE after power went out

There may be a serious bug in Keycloak. I have a number of users that have been completely wiped from the Keycloak MongoDB database after a power outage. Luckily I retain their information in a separate MongoDB database with other information, or they would be gone forever. When does Keycloak commit user data? The users that are missing are users that registered after the last system restart but before the system went down after a power outage.
From peterson.dean at gmail.com Sun Sep 6 23:19:52 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 6 Sep 2015 22:19:52 -0500
Subject: [keycloak-user] This is horrible MORE USERS GONE than I thought

At least 42 days' worth of registered users are simply gone. There was a power outage today and the Keycloak server went down. When I brought it back up, all of the users that registered in the last 42 days were GONE!!

From peterson.dean at gmail.com Mon Sep 7 00:02:48 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 6 Sep 2015 23:02:48 -0500
Subject: [keycloak-user] This is horrible MORE USERS GONE than I thought

I just figured out what I did. I use Docker, and the last time I updated to the latest version of Keycloak I automated restoring data from a JSON file. Every time I restarted, I lost all the new users because of restoring with the file.

On Sun, Sep 6, 2015 at 10:19 PM, Dean Peterson wrote:

> At least 42 days' worth of registered users are simply gone. There was a
> power outage today and the Keycloak server went down. When I brought it
> back up, all of the users that registered in the last 42 days were GONE!!

From bburke at redhat.com Mon Sep 7 09:50:24 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 7 Sep 2015 09:50:24 -0400
Subject: [keycloak-user] This is horrible MORE USERS GONE than I thought
Message-ID: <55ED9620.9000509@redhat.com>

Sucks, but am I allowed to say I'm glad it wasn't us?
On 9/7/2015 12:02 AM, Dean Peterson wrote:
> I just figured out what I did. I use Docker, and the last time I updated
> to the latest version of Keycloak I automated restoring data from a JSON
> file. Every time I restarted, I lost all the new users because of
> restoring with the file.
>
> On Sun, Sep 6, 2015 at 10:19 PM, Dean Peterson wrote:
>
>> At least 42 days' worth of registered users are simply gone. There
>> was a power outage today and the Keycloak server went down. When I
>> brought it back up, all of the users that registered in the last 42
>> days were GONE!!

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mstrukel at redhat.com Mon Sep 7 10:55:21 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 7 Sep 2015 16:55:21 +0200
Subject: [keycloak-user] Users added since last restart MISSING/GONE after power went out

Sounds like we might not be using WriteConcern.ACKNOWLEDGED.

I think there should be

    this.db.setWriteConcern(WriteConcern.ACKNOWLEDGED);

in this line:
https://github.com/keycloak/keycloak/blob/master/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java#L92

On Mon, Sep 7, 2015 at 2:47 AM, Dean Peterson wrote:

> There may be a serious bug in Keycloak. I have a number of users that
> have been completely wiped from the Keycloak MongoDB database after a power
> outage. Luckily I retain their information in a separate MongoDB database
> with other information, or they would be gone forever. When does Keycloak
> commit user data? The users that are missing are users that registered
> after the last system restart but before the system went down after a power
> outage.

From peterson.dean at gmail.com Mon Sep 7 11:05:21 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 7 Sep 2015 10:05:21 -0500
Subject: [keycloak-user] Users added since last restart MISSING/GONE after power went out

I replied to this list. I figured it out. It was my stupid mistake. I use Docker, and I automated restoring data from a JSON file the last time I upgraded Keycloak. I never took that line out; it had been a long time since I restarted, and when I finally did, that line was still in the Dockerfile. I restored back to the old user data by accident.

On Mon, Sep 7, 2015 at 9:55 AM, Marko Strukelj wrote:

> Sounds like we might not be using WriteConcern.ACKNOWLEDGED.
>
> I think there should be
>
>     this.db.setWriteConcern(WriteConcern.ACKNOWLEDGED);
>
> in this line:
> https://github.com/keycloak/keycloak/blob/master/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java#L92
>
> On Mon, Sep 7, 2015 at 2:47 AM, Dean Peterson wrote:
>
>> There may be a serious bug in Keycloak. I have a number of users that
>> have been completely wiped from the Keycloak MongoDB database after a power
>> outage. Luckily I retain their information in a separate MongoDB database
>> with other information, or they would be gone forever. When does Keycloak
>> commit user data? The users that are missing are users that registered
>> after the last system restart but before the system went down after a power
>> outage.

From mstrukel at redhat.com Mon Sep 7 11:12:18 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 7 Sep 2015 17:12:18 +0200
Subject: [keycloak-user] Users added since last restart MISSING/GONE after power went out

Thanks for the follow-up.

Still, I don't see us set WriteConcern.ACKNOWLEDGED anywhere, and it's the only reliable setting to use AFAIK. So unless it's turned on by default (not AFAIK), it's not used. So we should take a closer look at that, or someone can point out how completely wrong I am here :)

On Mon, Sep 7, 2015 at 5:05 PM, Dean Peterson wrote:

> I replied to this list. I figured it out. It was my stupid mistake. I
> use Docker, and I automated restoring data from a JSON file the last time I
> upgraded Keycloak. I never took that line out; it had been a long time
> since I restarted, and when I finally did, that line was still in the
> Dockerfile. I restored back to the old user data by accident.
>
> On Mon, Sep 7, 2015 at 9:55 AM, Marko Strukelj wrote:
>
>> Sounds like we might not be using WriteConcern.ACKNOWLEDGED.
>>
>> I think there should be
>>
>>     this.db.setWriteConcern(WriteConcern.ACKNOWLEDGED);
>>
>> in this line:
>> https://github.com/keycloak/keycloak/blob/master/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java#L92
>>
>> On Mon, Sep 7, 2015 at 2:47 AM, Dean Peterson wrote:
>>
>>> There may be a serious bug in Keycloak. I have a number of users that
>>> have been completely wiped from the Keycloak MongoDB database after a power
>>> outage.
>>> Luckily I retain their information in a separate mongodb database with other information or they would be gone forever. When does Keycloak commit user data? The users that are missing are users that registered after the last system restart but before the system went down after a power outage.

From mposolda at redhat.com Mon Sep 7 15:43:07 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 7 Sep 2015 21:43:07 +0200
Subject: [keycloak-user] Users added since last restart MISSING/GONE after power went out
In-Reply-To:
References:
Message-ID: <55EDE8CB.1040806@redhat.com>

On 07/09/15 17:12, Marko Strukelj wrote:
> Thanks for the follow-up.
>
> Still, I don't see us set WriteConcern.ACKNOWLEDGED anywhere, and it's the only reliable setting to use AFAIK. So unless it's turned on by default (not AFAIK), it's not used. So we should take a closer look at that, or someone can point out how completely wrong I am here :)

Yeah, sorry, but it looks like I can point that out :) I am seeing in com.mongodb.MongoClientOptions.Builder that ACKNOWLEDGED is the default setting and just verified with a debugger that it is really the case. I agree that it is a bit misleading, as WriteConcern.NORMAL is the same as UNACKNOWLEDGED and "NORMAL" may imply that it's the default, but it's not.

Marek

> On Mon, Sep 7, 2015 at 5:05 PM, Dean Peterson wrote:
>
> I replied to this list. I figured it out. It was my stupid mistake. I use Docker and I automated restoring data from a json file the last time I upgraded keycloak.
> I never took that line out; it had been a long time since I restarted and when I finally did, that line was still in the Dockerfile. I restored back to the old user data by accident.
>
> On Mon, Sep 7, 2015 at 9:55 AM, Marko Strukelj wrote:
>
> Sounds like we might not be using WriteConcern.ACKNOWLEDGED.
>
> I think there should be
>
> this.db.setWriteConcern(WriteConcern.ACKNOWLEDGED);
>
> in this line:
> https://github.com/keycloak/keycloak/blob/master/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java#L92
>
> On Mon, Sep 7, 2015 at 2:47 AM, Dean Peterson wrote:
>
> There may be a serious bug in Keycloak. I have a number of users that have been completely wiped from the Keycloak mongodb database after a power outage. Luckily I retain their information in a separate mongodb database with other information or they would be gone forever. When does Keycloak commit user data? The users that are missing are users that registered after the last system restart but before the system went down after a power outage.

From mr.graf at gmx.net Mon Sep 7 18:29:23 2015
From: mr.graf at gmx.net (Mr. Graf)
Date: Tue, 8 Sep 2015 00:29:23 +0200
Subject: [keycloak-user] refresh_token request should trigger update of access token payload
Message-ID: <8C316C24-4FE2-4AA0-AE9D-4039210E4C2A@gmx.net>

Hey all,

we are evaluating keycloak and ran into an issue.
We implemented a UserFederationProvider. This provider authenticates, let's say, old users and new users. "Old" users should receive an LTPA token within the payload of the access token. We used user attributes to achieve it. Fine so far.

Our current issue is that this LTPA token needs to be updated when a refresh_token request comes in and should be put into the "new" access token too. Initially we tried to achieve it using the refresh_token event until we noticed that this is fired after the "new" access token has been created, so too late.

Does someone have a smart approach or an example of how to add custom payload, to be retrieved from a legacy system, to the access token when refreshing it?

Thanks in advance
Thomas

From mstrukel at redhat.com Tue Sep 8 05:09:33 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 8 Sep 2015 11:09:33 +0200
Subject: [keycloak-user] Users added since last restart MISSING/GONE after power went out
In-Reply-To: <55EDE8CB.1040806@redhat.com>
References: <55EDE8CB.1040806@redhat.com>
Message-ID:

Thanks Marek for explaining. This setting defaulted to something else not so long ago, and it caused many problems - like intermittent test failures due to race conditions ... Good to see WriteConcern.ACKNOWLEDGED is now the default.

On Mon, Sep 7, 2015 at 9:43 PM, Marek Posolda wrote:

> On 07/09/15 17:12, Marko Strukelj wrote:
>
> Thanks for the follow-up.
>
> Still, I don't see us set WriteConcern.ACKNOWLEDGED anywhere, and it's the only reliable setting to use AFAIK. So unless it's turned on by default (not AFAIK), it's not used. So we should take a closer look at that, or someone can point out how completely wrong I am here :)
>
> Yeah, sorry, but it looks like I can point that out :) I am seeing in com.mongodb.MongoClientOptions.Builder that ACKNOWLEDGED is the default setting and just verified with a debugger that it is really the case.
> I agree that it is a bit misleading, as WriteConcern.NORMAL is the same as UNACKNOWLEDGED and "NORMAL" may imply that it's the default, but it's not.
>
> Marek
>
> On Mon, Sep 7, 2015 at 5:05 PM, Dean Peterson wrote:
>
>> I replied to this list. I figured it out. It was my stupid mistake. I use Docker and I automated restoring data from a json file the last time I upgraded keycloak. I never took that line out; it had been a long time since I restarted and when I finally did, that line was still in the Dockerfile. I restored back to the old user data by accident.
>>
>> On Mon, Sep 7, 2015 at 9:55 AM, Marko Strukelj wrote:
>>
>>> Sounds like we might not be using WriteConcern.ACKNOWLEDGED.
>>>
>>> I think there should be
>>>
>>> this.db.setWriteConcern(WriteConcern.ACKNOWLEDGED);
>>>
>>> in this line:
>>> https://github.com/keycloak/keycloak/blob/master/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java#L92
>>>
>>> On Mon, Sep 7, 2015 at 2:47 AM, Dean Peterson wrote:
>>>
>>>> There may be a serious bug in Keycloak. I have a number of users that have been completely wiped from the Keycloak mongodb database after a power outage. Luckily I retain their information in a separate mongodb database with other information or they would be gone forever. When does Keycloak commit user data? The users that are missing are users that registered after the last system restart but before the system went down after a power outage.
From anunay.sinha at arvindinternet.com Tue Sep 8 06:35:39 2015
From: anunay.sinha at arvindinternet.com (Anunay Sinha)
Date: Tue, 8 Sep 2015 16:05:39 +0530
Subject: [keycloak-user] Help with keycloak integration with Spring boot rest api
Message-ID:

Hi Everyone,

I am new to both spring and keycloak and I do admit that I am writing this before exhausting all my options, but I have spent quite a good amount of time on this. So here is my deal.

I have created a spring boot rest api and have tested it. Next I was trying to integrate it with keyCloak. I modified my gradle for keycloak. I configured a client in KeyCloak admin console. It was bearer only.
{
  "realm": "TestMyAccount",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkqKhSVCGWBxzT5nFByxE1EbJ7YVo05JxO4wVVJJsp25gy7GQhR89qidSUkT3onlc4jLEDH5hLt/mszuDSmSUAHrHhSrTWbgF6Ii4L1fwU57+a6W2vVDI3UvSeTxiTnIrvpeD7g9hw/cscOMD7ngiqFAuh0fLj6IS4mmMfGsVf35IfiHpEfRpTS+Th/Y48AAYxJxbZlmNmJe91xCxdbPi36tb2Ecv7kPnXdI3a+ZhSm/NhP3ZYURu9SWcXlCJfRcOo9eATgGu2PruOsrHKl/YKf3+nGTDSmiHLOCRoL2gvedgr/3VzsEFpcJRjrNCWaKhsgMSdr+0N/CDOA6TR76uewIDAQAB",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "none",
  "resource": "AIL_MYACCOUNT"
}

Next I added the following items to my application.properties:

keycloak.realm = TestMyAccount
keycloak.realmKey = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkqKhSVCGWBxzT5nFByxE1EbJ7YVo05JxO4wVVJJsp25gy7GQhR89qidSUkT3onlc4jLEDH5hLt/mszuDSmSUAHrHhSrTWbgF6Ii4L1fwU57+a6W2vVDI3UvSeTxiTnIrvpeD7g9hw/cscOMD7ngiqFAuh0fLj6IS4mmMfGsVf35IfiHpEfRpTS+Th/Y48AAYxJxbZlmNmJe91xCxdbPi36tb2Ecv7kPnXdI3a+ZhSm/NhP3ZYURu9SWcXlCJfRcOo9eATgGu2PruOsrHKl/YKf3+nGTDSmiHLOCRoL2gvedgr/3VzsEFpcJRjrNCWaKhsgMSdr+0N/CDOA6TR76uewIDAQAB
keycloak.auth-server-url = http://127.0.0.1:8080/auth
keycloak.ssl-required = external
keycloak.resource = AIL_MYACCOUNT
use-resource-role-mappings = false
ssl-not-required = true
bearer-only = true

This is as per the documentation. I don't have a web.xml in my project and, going as per the video tutorial, I ignored those settings.

My access to the API was restricted and it is asking me for authorization. But I am not able to provide it. As per the example in the document, it seems like bearer-only applications work on tokens only.

-------------------------------------------------
Here is my first question.
Is there a way to generate the tokens for bearer-only applications?
-------------------------------------------------

To get the token I created another client, this time "confidential", redirecting to the same base URI, and used it to generate the access token. When I am using this access token to access my API I am still getting the 401 error.

I am not sure what I am doing wrong and where I am doing wrong. Request you to please help me with this.

From khirschmann at huebinet.de Tue Sep 8 09:27:54 2015
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Tue, 8 Sep 2015 15:27:54 +0200
Subject: [keycloak-user] ldap synch filtered by group membership
Message-ID: <01d301d0ea3a$2b410ab0$81c32010$@huebinet.de>

Hello,

I want to synch from an active directory. But the selection should be limited to users who are members of a specific group.

CN=Group, OU=Users,DC=company,DC=de gives no result.

Is this possible? If so, which keycloak version supports this?

Thx for your help.

Kind regards

Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG

From nielsbne at gmail.com Wed Sep 9 00:41:33 2015
From: nielsbne at gmail.com (Niels Bertram)
Date: Wed, 9 Sep 2015 14:41:33 +1000
Subject: [keycloak-user] Can TOTP be configured to be optional?
Message-ID:

We would like to give users a choice to further enhance their profile security by enabling TOTP. We can only see this being configured at a realm level. Is it possible to enable this at an account level too?

Kind Regards,
Niels

From mposolda at redhat.com Wed Sep 9 04:13:04 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 9 Sep 2015 10:13:04 +0200
Subject: [keycloak-user] ldap synch filtered by group membership
In-Reply-To: <01d301d0ea3a$2b410ab0$81c32010$@huebinet.de>
References: <01d301d0ea3a$2b410ab0$81c32010$@huebinet.de>
Message-ID: <55EFEA10.5030000@redhat.com>

You mean that only users from the group "CN=Group,OU=Users,DC=company,DC=de" should be recognized by keycloak and all other users from your LDAP, which are not members of that group, should be ignored?

That should be doable by writing your own LDAPFederationMapper and implementing "beforeQuery" so that you add the condition for "member=CN=Group,OU=Users,DC=company,DC=de" to the query. So you will need to write your own code for it.

I am not sure if we should provide functionality like this by default in Keycloak, as your use case seems to be quite uncommon to me. Maybe I am wrong, but I didn't hear about a similar use case so far.

Marek

On 08/09/15 15:27, Kevin Hirschmann wrote:
>
> Hello,
>
> I want to synch from an active directory.
> But the selection should be limited to users who are members of a specific group.
>
> CN=Group, OU=Users,DC=company,DC=de gives no result.
>
> Is this possible? If so, which keycloak version supports this?
>
> Thx for your help.
>
> Kind regards
>
> Kevin Hirschmann
>
> HUEBINET Informationsmanagement GmbH & Co. KG

From mposolda at redhat.com Wed Sep 9 04:17:10 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 9 Sep 2015 10:17:10 +0200
Subject: [keycloak-user] Can TOTP be configured to be optional?
In-Reply-To:
References:
Message-ID: <55EFEB06.60700@redhat.com>

That's already available and it's the default setting for how Keycloak is configured. In other words, TOTP is not mandatory by default, but each user can go to the account management and set up TOTP if he wants to.
Then he will always need to provide TOTP credentials during login (in other words, TOTP will become mandatory for him).

Marek

On 09/09/15 06:41, Niels Bertram wrote:
> We would like to give users a choice to further enhance their profile security by enabling TOTP. We can only see this being configured at a realm level. Is it possible to enable this at an account level too?
>
> Kind Regards,
> Niels

From DSzeto at investlab.com Wed Sep 9 06:09:36 2015
From: DSzeto at investlab.com (Doug Szeto)
Date: Wed, 9 Sep 2015 10:09:36 +0000
Subject: [keycloak-user] Help with keycloak integration with Spring boot rest api
In-Reply-To:
Message-ID:

If you use the keycloak-spring-boot adapter, it only supports basic authentication (username + password). If you use the keycloak-spring-security adaptor, it gives more options including bearer token support. The bearer token is the access token put into the http header. Specifically you set the "Authentication" header with "Bearer {access token}". You get the access token from the oauth 2 login process. A good example of code is available in keycloak/examples/cors.

-Doug

From thomas.raehalme at aitiofinland.com Wed Sep 9 06:37:35 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Wed, 9 Sep 2015 13:37:35 +0300
Subject: [keycloak-user] ldap synch filtered by group membership
In-Reply-To: <55EFEA10.5030000@redhat.com>
References: <01d301d0ea3a$2b410ab0$81c32010$@huebinet.de> <55EFEA10.5030000@redhat.com>
Message-ID:

Hi!

On Wed, Sep 9, 2015 at 11:13 AM, Marek Posolda wrote:
> You mean that only users from the group "CN=Group,OU=Users,DC=company,DC=de" should be recognized by keycloak and all other users from your LDAP, which are not members of that group, should be ignored?

+1 I can definitely see this as a useful feature for AD users, and actually quite common in application configuration to be able to restrict users.

Best regards,
Thomas
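The filter a custom mapper's beforeQuery hook would add, as Marek describes above, built and then exercised against a small constructed directory (an added example, not Keycloak's own code or its LDAPFederationMapper API; the memberOf attribute, the sample entries and user names are assumptions, and the in-memory matching only approximates a real directory):

```python
"""Group-restricted LDAP user filter, as Marek's beforeQuery sketch implies.
Added example, not Keycloak's LDAPFederationMapper API or code: it builds the
filter such a hook would add and evaluates it against a constructed in-memory
directory so the effect can be checked offline."""
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value (configured group DN, typed user name) so it is only
    ever compared and can never alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_dn(dn: str) -> str:
    """Drop whitespace around RDN separators: 'CN=Group, OU=Users,...' and
    'CN=Group,OU=Users,...' name the same entry. An escaped comma inside an
    RDN value (e.g. 'CN=Doe\\, Jane') is not a separator and is kept."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn))


def group_restricted_filter(base_filter: str, group_dn: str,
                            membership_attr: str = "memberOf") -> str:
    """AND a membership condition onto the mapper's existing user filter.
    membership_attr is an assumption: Active Directory exposes membership on
    the user entry as memberOf; Marek's mail names the group-side attribute,
    member."""
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    cond = f"({membership_attr}={escape_filter_value(normalize_dn(group_dn))})"
    return f"(&{base_filter}{cond})"


# --- minimal directory emulation, just enough to evaluate the filters above ---
_ASSERTION = re.compile(r"\(([^=()]+)=((?:[^()\\]|\\..)*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def select_users(entries, flt: str):
    """DNs of the entries satisfying every equality assertion of an AND filter
    of the shape built above. A raw '*' is a presence test; an escaped '\\2a'
    is a literal asterisk, which is exactly what escaping buys. DN comparison
    ignores separator spacing and case, approximating the directory's DN rule."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are supported here")
    matched = []
    for entry in entries:
        for attr, raw in _ASSERTION.findall(flt[2:-1]):
            values = entry.get(attr, [])
            values = values if isinstance(values, list) else [values]
            if raw == "*":
                ok = bool(values)
            else:
                want = normalize_dn(_unescape(raw)).lower()
                ok = any(normalize_dn(v).lower() == want for v in values)
            if not ok:
                break
        else:
            matched.append(entry["dn"])
    return matched


GROUP_DN = "CN=Group, OU=Users,DC=company,DC=de"  # spelled as in Kevin's mail

# Constructed sample directory; the entries and names are not from the thread.
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=company,DC=de", "objectClass": ["person"],
     "sAMAccountName": "alice", "memberOf": ["CN=Group,OU=Users,DC=company,DC=de"]},
    {"dn": "CN=Bob,OU=Users,DC=company,DC=de", "objectClass": ["person"],
     "sAMAccountName": "bob", "memberOf": ["CN=Other,OU=Users,DC=company,DC=de"]},
    {"dn": "CN=Svc,OU=Service,DC=company,DC=de", "objectClass": ["person"],
     "sAMAccountName": "svc", "memberOf": []},
]


def synced_users(directory=DIRECTORY, group_dn=GROUP_DN):
    """Users a sync would import once the membership condition is applied."""
    return select_users(directory, group_restricted_filter("(objectClass=person)", group_dn))


def lookup_filter(username: str) -> str:
    """Per-login lookup with the same restriction; the user name is escaped so a
    value like '*' or 'x)(objectClass=*' cannot widen the search."""
    return group_restricted_filter(f"(sAMAccountName={escape_filter_value(username)})", GROUP_DN)


if __name__ == "__main__":
    print(group_restricted_filter("(objectClass=person)", GROUP_DN))
    print(synced_users())
    for name in ("alice", "*", "alice)(objectClass=*"):
        print(repr(name), select_users(DIRECTORY, lookup_filter(name)))
```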
From prabhalar at yahoo.com Wed Sep 9 07:11:31 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Wed, 9 Sep 2015 11:11:31 +0000 (UTC)
Subject: [keycloak-user] UMA Profile for OAuth 2
Message-ID: <1259115717.296353.1441797091124.JavaMail.yahoo@mail.yahoo.com>

Bill/Stian,

Do you have any plans to support the UMA profile for OAuth 2 in the near future?

http://tools.ietf.org/html/draft-hardjono-oauth-umacore-13

Thanks,
Raghu

From bburke at redhat.com Wed Sep 9 08:14:12 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 9 Sep 2015 08:14:12 -0400
Subject: [keycloak-user] UMA Profile for OAuth 2
In-Reply-To: <1259115717.296353.1441797091124.JavaMail.yahoo@mail.yahoo.com>
References: <1259115717.296353.1441797091124.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55F02294.2060305@redhat.com>

Pedro is working on a permission service on top of UMA, but it will be a separate service and/or an optional addon to keycloak.

On 9/9/2015 7:11 AM, Raghu Prabhala wrote:
> Bill/Stian,
>
> Do you have any plans to support the UMA profile for OAuth 2 in the near future?
>
> http://tools.ietf.org/html/draft-hardjono-oauth-umacore-13
>
> Thanks,
> Raghu

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Wed Sep 9 08:33:00 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 9 Sep 2015 14:33:00 +0200
Subject: [keycloak-user] ldap synch filtered by group membership
In-Reply-To:
References: <01d301d0ea3a$2b410ab0$81c32010$@huebinet.de> <55EFEA10.5030000@redhat.com>
Message-ID: <55F026FC.3000404@redhat.com>

Feel free to create a JIRA. I will try to take a look once there is time.

Thanks,
Marek

On 09/09/15 12:37, Thomas Raehalme wrote:
> Hi!
>
> On Wed, Sep 9, 2015 at 11:13 AM, Marek Posolda wrote:
>
>> You mean that only users from the group "CN=Group,OU=Users,DC=company,DC=de" should be recognized by keycloak and all other users from your LDAP, which are not members of that group, should be ignored?
>
> +1 I can definitely see this as a useful feature for AD users, and actually quite common in application configuration to be able to restrict users.
>
> Best regards,
> Thomas

From psilva at redhat.com Wed Sep 9 10:44:55 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 9 Sep 2015 10:44:55 -0400 (EDT)
Subject: [keycloak-user] UMA Profile for OAuth 2
In-Reply-To: <55F02294.2060305@redhat.com>
References: <1259115717.296353.1441797091124.JavaMail.yahoo@mail.yahoo.com> <55F02294.2060305@redhat.com>
Message-ID: <614420284.25750679.1441809895608.JavaMail.zimbra@redhat.com>

Hey Raghu,

Feel free to share your requirements around authz and UMA.
We're considering two use cases and scenarios where the subject of a transaction can be an individual or an NPE (non-person entity). Right now, I'm focusing on NPE use cases, where an organization is both the resource owner and the authorizing party, acting on its own behalf, protecting its own resources. Which, IMO, helps to address most of the authz requirements for those applications that need to protect their own resources.

Regards.
Pedro Igor

From atgnatus at yahoo.com Wed Sep 9 11:54:02 2015
From: atgnatus at yahoo.com (Chris Atkinson)
Date: Wed, 9 Sep 2015 15:54:02 +0000 (UTC)
Subject: [keycloak-user] Password Expiration not applied to Token
Message-ID: <1284934002.3754703.1441814042010.JavaMail.yahoo@mail.yahoo.com>

Hi,

We have set a password policy to have passwords expire after a number of days. This works fine through the Keycloak login screen. However, when we use the REST API to do a direct grant (we call '/protocol/openid-connect/token' on Keycloak 1.3.1) a valid token is returned even after the password has expired.
This does not seem like the correct behavior. Is there an issue here?

Thanks,
Chris

From prabhalar at yahoo.com Wed Sep 9 22:50:36 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 10 Sep 2015 02:50:36 +0000 (UTC)
Subject: [keycloak-user] UMA Profile for OAuth 2
In-Reply-To: <614420284.25750679.1441809895608.JavaMail.zimbra@redhat.com>
References: <614420284.25750679.1441809895608.JavaMail.zimbra@redhat.com>
Message-ID: <976410301.261244.1441853436096.JavaMail.yahoo@mail.yahoo.com>

Hi Pedro - Nice to hear from you after a long time.

Whatever you are planning to implement for an organization is perhaps what we are looking for, for a resource application within an organization. There are two different scenarios we are trying to handle which may be different from what this spec is about, but we are trying to tie everything together.

1) A client application will register with the Auth Server a list of "scopes" or permissions to access certain resource applications. But it doesn't mean that it will be able to gain access to all those resource apps (see the second point).

2) Each of the resource applications will register its own policy (a policy engine will need to be built to evaluate the requests and provide a decision) on what a client application can/cannot access - for example, a client application with client_id "client1" can only have read-only access to resource app1 or even a certain part of the app.

3) When the client app uses the client credentials grant to obtain an access token to access a resource application, the auth server will check both the policies and then provide the access token.

I haven't yet gone through the spec - so not clear whether it addresses the above, but just wanted to share our thoughts with you.
Thanks,
Raghu

From: Pedro Igor Silva
To: Bill Burke
Cc: keycloak-user at lists.jboss.org
Sent: Wednesday, September 9, 2015 10:44 AM
Subject: Re: [keycloak-user] UMA Profile for OAuth 2

Hey Raghu,

Feel free to share your requirements around authz and UMA.

We're considering two use cases and scenarios where the subject of a transaction can be an individual or an NPE (non-person entity). Right now, I'm focusing on NPE use cases, where an organization is both the resource owner and the authorizing party, acting on its own behalf, protecting its own resources. Which, IMO, helps to address most of the authz requirements for those applications that need to protect their own resources.

Regards.
Pedro Igor
From orestis.tsakiridis at telestax.com Thu Sep 10 05:51:47 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Thu, 10 Sep 2015 12:51:47 +0300
Subject: [keycloak-user] Occasional NPE while retrieving token
In-Reply-To:
References: <55E6FD6E.80404@redhat.com>
Message-ID:

Hello Marek,

It looks like we've cornered the issue after all :-) I managed to reproduce it on a relatively clean keycloak setup with the following steps:

1. Create application app-dg that will be used to get tokens using direct access grants. Access Type: Public. Direct Grants Only: true
2. Create application app-test. Access Type: Bearer only
3. Create application level role 'role-test' in app-test.
4. Create user user-test. Assign it application level role app-test:role-test and set his password to 'password'.
5. Retrieve a token for user-test using direct access grants:

$ curl -k -X POST http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token -d "grant_type=password" -d "client_id=app-dg" -d "username=user-test" -d "password=password"

And the token:

{
  "jti": "f68e595e-d612-42a1-b4f2-0af2b32b7dd7",
  "exp": 1441881384,
  "nbf": 0,
  "iat": 1441877784,
  "iss": "http://127.0.0.1:8080/auth/realms/restcomm",
  "aud": "app-dg",
  "sub": "067021e3-0fac-49dd-931b-1d26eb8ceb70",
  "azp": "app-dg",
  "session_state": "03903e0d-4748-4aba-bf5e-c0529757c13d",
  "client_session": "7f8417c0-9fd0-4e65-a3d8-a9335cb1f704",
  "allowed-origins": [],
  "resource_access": {
    "app-test": { "roles": [ "role-test" ] },
    "account": { "roles": [ "view-profile", "manage-account" ] }
  },
  "name": "",
  "preferred_username": "user-test"
}

6. Remove app-test
7. Try to retrieve a token once more and the error appears:

12:39:37,260 ERROR [io.undertow.request] (default task-17) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) ... 29 more Caused by: java.lang.NullPointerException at org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353) at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193) at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) ... 37 more

A rule I tried to make up is the following: "If for user Alice exists an active token with application roles for an application and this application is removed, you can't get a token for this user anymore" Also note that in my tests I've increased realm 'Access token lifespan' to 60 min. Maybe having a short lifespan discards the token before making any damage and the exception is not thrown. Just guessing here... I hope this helps Regards Orestis

On Fri, Sep 4, 2015 at 11:54 AM, Orestis Tsakiridis < orestis.tsakiridis at telestax.com> wrote: > Hi Marek, > > Hmmm, indeed, that happens after having deleted clients. But, I haven't > defined any composite roles. The rest of the REST api operation I've used > don't seem to trigger it. > > But wait! I think you rung a bell. The clients I remove have their own > application-level roles created and bound to them. They are not composite > though in the strict sense of the term. Possibly the user that tries to get > a token is also assigned these roles. Btw, is it proper practice to remove > a client without removing its own application roles first? > > Also, I'm using the default H2 DB setup. > > I will try to reproduce and post my findings to this thread. > > > Thanks Marek > > Orestis > > On Wed, Sep 2, 2015 at 4:45 PM, Marek Posolda wrote: > >> It looks you deleted some client, but his composite roles were not >> properly deleted. It might be a bug though, but not sure. It will be cool >> if you can provide more detailed steps to reproduce. Are you using default >> H2 DB or some else?
>> >> Thanks, >> Marek >> >> >> On 02/09/15 11:25, Orestis Tsakiridis wrote: >> >> Hello, >> >> I'm experiencing a strange error while trying to retrieve a token. >> Although initially the application may function properly and tokens issued >> normally, something happens when I use the Admin REST api that triggers the >> error. After that no tokens can be issued and an NPE appears in the log. >> Usually this happens after trying to drop some clients. >> >> Btw, I'm using keycloak-1.4.0.Final. >> >> Here is the command I use to get the token: >> >> curl -k -X POST >> https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token >> -d "grant_type=password" -d "client_id=restcomm-identity-rest" -d >> "username=otsakir" -d "password=...." >> >> And here is what I get in the logs: >> >> 09:12:36,414 ERROR [io.undertow.request] (default task-4) UT005023: >> Exception handling request to >> /auth/realms/restcomm/protocol/openid-connect/token: >> java.lang.RuntimeException: request path: >> /auth/realms/restcomm/protocol/openid-connect/token >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >> at >> 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: org.jboss.resteasy.spi.UnhandledException: >> java.lang.NullPointerException >> at >> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >> at >> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) >> ... 
29 more >> Caused by: java.lang.NullPointerException >> at >> org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353) >> at >> org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193) >> at >> org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412) >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358) >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113) >> at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:606) >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) >> ... 37 more >> >> >> Regards >> >> Orestis >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150910/73c7031c/attachment-0001.html

From felipe.braun at intelbras.com.br Thu Sep 10 08:36:58 2015 From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja) Date: Thu, 10 Sep 2015 09:36:58 -0300 Subject: [keycloak-user] AWS IAM Message-ID: <55F1796A.2010201@intelbras.com.br>

Hey all, Has anyone configured Amazon IAM console to authenticate using Keycloak? I tried, but... Nothing so far :( -- Felipe Braun Azambuja DBA, Information and Communication Technology (48) 3281 9577 felipe.braun at intelbras.com.br

The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From bburke at redhat.com Thu Sep 10 09:21:54 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 10 Sep 2015 09:21:54 -0400 Subject: [keycloak-user] Need your help! Need Keycloak references! Message-ID: <55F183F2.7090704@redhat.com> Hey all, If you are using or are planning to use Keycloak in production, please email me offline.
I want to know if I can include you in a "customer testimonial" page. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From tdudgeon.ml at gmail.com Thu Sep 10 12:27:02 2015 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Thu, 10 Sep 2015 17:27:02 +0100 Subject: [keycloak-user] keycloak with nginx or apache Message-ID: <55F1AF56.7020403@gmail.com> Hi All, the docs describe adapters for Java app servers like Jetty and Tomcat, but is it also possible to use keycloak for securing apps/pages running in web servers like nginx or the Apache web server? Tim

From bburke at redhat.com Thu Sep 10 14:16:54 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 10 Sep 2015 14:16:54 -0400 Subject: [keycloak-user] keycloak with nginx or apache In-Reply-To: <55F1AF56.7020403@gmail.com> References: <55F1AF56.7020403@gmail.com> Message-ID: <55F1C916.4030803@redhat.com> mod_auth_mellon is a SAML adapter. Works with Keycloak. On 9/10/2015 12:27 PM, Tim Dudgeon wrote: > Hi All, > > the docs describe adapters for Java app servers like Jetty and Tomcat, > but is it also possible to use keycloak for securing apps/pages running > in web servers like nginx or the Apache web server? > > Tim > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From nielsbne at gmail.com Thu Sep 10 14:21:18 2015 From: nielsbne at gmail.com (Niels Bertram) Date: Fri, 11 Sep 2015 04:21:18 +1000 Subject: [keycloak-user] Can TOTP be configured to be optional? In-Reply-To: <55EFEB06.60700@redhat.com> References: <55EFEB06.60700@redhat.com> Message-ID: Thanks Marek, I will check it out. Is there a way to use TOTP for step-up authentication? For instance I may log into my account using a password and just browse my profile information. I then initiate editing my address details.
When I submit the edits I am prompted with an additional form of authentication (e.g. TOTP) as an authentication step up. Kind Regards, Niels On Wed, Sep 9, 2015 at 6:17 PM, Marek Posolda wrote: > That's already available and it's the default setting for how Keycloak is > configured. In other words, the TOTP is not mandatory by default, but each > user can go to the account management and set up TOTP if he wants to. Then > he will always need to provide TOTP credentials during login (in other > words, TOTP will become mandatory for him). > > Marek > > > On 09/09/15 06:41, Niels Bertram wrote: > > We would like to give users a choice to further enhance their profile > security by enabling TOTP. We can only see this being configured at a realm > level. Is it possible to enable this at an account level too? > > Kind Regards, > Niels > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150911/32355c76/attachment.html

From bburke at redhat.com Thu Sep 10 14:23:22 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 10 Sep 2015 14:23:22 -0400 Subject: [keycloak-user] Can TOTP be configured to be optional? In-Reply-To: References: <55EFEB06.60700@redhat.com> Message-ID: <55F1CA9A.1060807@redhat.com> We don't have support for that. On 9/10/2015 2:21 PM, Niels Bertram wrote: > Thanks Marek, I will check it out. Is there a way to use TOTP for > step-up authentication? For instance I may log into my account using a > password and just browse my profile information. I then initiate editing > my address details. When I submit the edits I am prompted with an > additional form of authentication (e.g. TOTP) as an authentication step up.
> > Kind Regards, > Niels > > On Wed, Sep 9, 2015 at 6:17 PM, Marek Posolda > wrote: > > That's already available and it's the default setting for how > Keycloak is configured. In other words, the TOTP is not mandatory by > default, but each user can go to the account management and set up > TOTP if he wants to. Then he will always need to provide TOTP > credentials during login (in other words, TOTP will become mandatory > for him). > > Marek > > > On 09/09/15 06:41, Niels Bertram wrote: >> We would like to give users a choice to further enhance their >> profile security by enabling TOTP. We can only see this being >> configured at a realm level. Is it possible to enable this at an >> account level too? >> >> Kind Regards, >> Niels >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From stian at redhat.com Thu Sep 10 15:30:56 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 10 Sep 2015 15:30:56 -0400 (EDT) Subject: [keycloak-user] Password Expiration not applied to Token In-Reply-To: <1284934002.3754703.1441814042010.JavaMail.yahoo@mail.yahoo.com> References: <1284934002.3754703.1441814042010.JavaMail.yahoo@mail.yahoo.com> Message-ID: <821723612.30156533.1441913456624.JavaMail.zimbra@redhat.com> The direct grant shouldn't return any tokens if there are required actions so this is a bug. Can you create a bug report please?
----- Original Message ----- > From: "Chris Atkinson" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 9 September, 2015 5:54:02 PM > Subject: [keycloak-user] Password Expiration not applied to Token > > > Hi, > > We have set a password policy to have passwords expire after a number of > days. This works fine through the Keycloak login screen. However, when we > use the REST API to do a direct grant (we call > '/protocol/openid-connect/token' on Keycloak 1.3.1) a valid token is > returned even after the password has expired. > > This does not seem like the correct behavior. Is there an issue here? > > Thanks, > Chris > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From a at soliduslink.com Fri Sep 11 05:09:38 2015 From: a at soliduslink.com (Andrew Moedinger) Date: Fri, 11 Sep 2015 11:09:38 +0200 Subject: [keycloak-user] KeyCloak Server as OpenID provider for AppEngine Message-ID: Hi folks! I'd like to use my KeyCloak server to authenticate an AppEngine application. I'm currently authenticating using Google accounts as it works out of the box, but I want to handle account management myself, largely for user perception issues. I see two options: 1) Implement a new KeyCloak Adapter for AppEngine - I haven't found an existing one so far. -- This seems pretty doable with all the examples to base it on... but I'd rather not write and maintain another 1000 lines of code if it's not necessary! 2) Use the experimental OpenID Connect-based federated login of AppEngine -- I'm currently hitting an issue here where AppEngine is looking for an XRDS document. I'll try returning one pointing to the OpenId service of my server, but I suspect more issues will come up with this route, and debugging issues in the internal AppEngine auth flow is a bit tricky. Is this a crazy approach? Has anyone else tried something similar or have better ideas?
Cheers, Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150911/fd1c8d0a/attachment.html

From p.naef at naef-itcom.ch Fri Sep 11 07:17:20 2015 From: p.naef at naef-itcom.ch (Patrick Andreas Näf) Date: Fri, 11 Sep 2015 13:17:20 +0200 Subject: [keycloak-user] Can't get roles of user via REST Message-ID: <55F2B840.7080201@naef-itcom.ch>

Hi everybody Started with the example: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java That worked. Then tried to get also the other interfaces. Also that works: /auth/admin/realms/REALM/users But I don't get the roles of the user here. So I think the permissions are there, I can get data. If I try this: /auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings I get a 404 error. My code is:

String url = "http://localhost:8081/auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings";
HttpGet get = new HttpGet(url);
get.addHeader("Authorization", "Bearer " + res.getToken());
HttpResponse response = client.execute(get);

If I open the same url in the browser I see "Bearer", which is logical to me and shows that the server is there and the url is correct. Keycloak version is 1.3.1.Final Java: 8 Thanks a lot for your help / pointing me to the right place.

From kclark at mbopartners.com Fri Sep 11 07:48:59 2015 From: kclark at mbopartners.com (Kenyatta Clark) Date: Fri, 11 Sep 2015 11:48:59 +0000 Subject: [keycloak-user] Only Allowing Access To Master Realm From Internal Network Message-ID: First of all, I would like to thank your team for doing such a nice job on Keycloak. It is a very solid project. We are getting ready to deploy Keycloak to production and our IT director is nervous about having the Master realm accessible from the internet.
Is there any way to configure Keycloak to disallow access to the Master realm from the open internet? If not, what methods do you suggest employing that would mitigate the risk? Kenyatta Clark Principal Engineer, Systems Development MBO Partners t: 703.793.6314 w: www.mbopartners.com Notice: This email and any files transmitted with it are confidential. They are intended solely for the use of the individual addressed. If you have received this email in error please notify postmaster at mbopartners.com and permanently delete the e-mail and files. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150911/e2cf77a1/attachment-0001.html

From felipe.braun at intelbras.com.br Fri Sep 11 07:54:16 2015 From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja) Date: Fri, 11 Sep 2015 08:54:16 -0300 Subject: [keycloak-user] Only Allowing Access To Master Realm From Internal Network In-Reply-To: References: Message-ID: <55F2C0E8.20005@intelbras.com.br>

I have put some rules on my reverse proxy (nginx), at least to stop access to the admin console:

location / {
    allow 1.2.3.4;
    deny all;
    proxy_pass http://keycloak:8080$request_uri;
}
location /auth/realms {
    allow all;
    proxy_pass http://keycloak:8080$request_uri;
}
location /auth/resources {
    allow all;
    proxy_pass http://keycloak:8080$request_uri;
}

On 11/09/2015 08:48, Kenyatta Clark wrote: > First of all, I would like to thank your team for doing such a nice job > on Keycloak. It is a very solid project.
> > We are getting ready to deploy Keycloak to production and our IT > director is nervous about having the Master realm accessible from the > internet. Is there any way to configure Keycloak to disallow access to > the Master realm from the open internet? If not, what methods do you > suggest employing that would mitigate the risk? > > > Kenyatta Clark > > Principal Engineer, Systems Development > > MBO Partners > > t: 703.793.6314 > > w: www.mbopartners.com > > > Notice: This email and any files transmitted with it are confidential. > They are intended solely for the use of the individual addressed. If > you have received this email in error please notify > postmaster at mbopartners.com and > permanently delete the e-mail and files. > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Felipe Braun Azambuja DBA, Information and Communication Technology (48) 3281 9577 felipe.braun at intelbras.com.br
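The ruleset above blocks /auth/admin (the admin console and the Admin REST API) from the internet, but /auth/realms/ is left open for every realm, so the master realm's login page and token endpoint (/auth/realms/master/protocol/openid-connect/token, the same path shape used for the restcomm realm earlier in this digest) stay reachable and master-realm admin passwords can still be guessed from outside. The following server block is an added example written for this digest, not configuration from Felipe's message or from the Keycloak project; it assumes nginx terminates TLS on 443 as sso.example.com, Keycloak listens at keycloak:8080, and 10.0.0.0/8 is the internal network. nginx picks the longest matching prefix location, so the master-realm block wins over the generic /auth/realms/ block.

```nginx
# Added example (not from the thread): expose only application realms to the
# internet; keep the master realm and the admin console/REST API internal.
# Assumptions: TLS on 443 for sso.example.com, Keycloak at keycloak:8080,
# internal network 10.0.0.0/8. Adjust all three to your environment.

upstream keycloak {
    server keycloak:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;                 # assumed hostname

    ssl_certificate     /etc/nginx/tls/sso.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # Tell Keycloak the public scheme/host and the real client address so
    # issuer URLs, redirects and event logs do not show http://keycloak:8080.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin console and Admin REST API: internal network only.
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # Master realm (login page, token endpoint, account console for
    # master-realm users): internal network only. Longest prefix wins,
    # so this takes precedence over /auth/realms/ below.
    location /auth/realms/master/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # Application realms: public.
    location /auth/realms/ {
        proxy_pass http://keycloak;
    }

    # Theme resources (CSS/JS/images for login and account pages): public.
    location /auth/resources/ {
        proxy_pass http://keycloak;
    }

    # Everything else (welcome page, anything added later): internal only,
    # so a new path is closed by default rather than open by default.
    location / {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }
}
```

Two caveats when using this. First, allow/deny evaluate $remote_addr, so if another load balancer sits in front of nginx every request appears to come from that balancer; use nginx's real_ip module (set_real_ip_from and real_ip_header) to recover the client address before the access rules run. Second, Keycloak's WildFly-based distribution only trusts the X-Forwarded-* headers once proxy-address-forwarding="true" is set on the Undertow http-listener in standalone.xml, as described in the Keycloak reverse proxy documentation. A quick check from outside the internal network is `curl -sk -o /dev/null -w '%{http_code}\n' https://sso.example.com/auth/admin/`, which should print 403, while the same request for an application realm's login page should print 200.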
From p.naef at naef-itcom.ch Fri Sep 11 08:46:45 2015 From: p.naef at naef-itcom.ch (Patrick Andreas Näf) Date: Fri, 11 Sep 2015 14:46:45 +0200 Subject: [keycloak-user] Can't get roles of user via REST In-Reply-To: <55F2B840.7080201@naef-itcom.ch> References: <55F2B840.7080201@naef-itcom.ch> Message-ID: <55F2CD35.2090707@naef-itcom.ch>

Hi everybody Sorry very much... I was too stupid!!! GET /admin/realms/{realm}/users/{id}/role-mappings I set {id} as user NAME, not user ID. Now it's clear. Sorry again to pollute the mailing list with such stupid questions, but maybe someone will find it with google and then he won't make this stupid error! Am 11.09.2015 um 13:17 schrieb Patrick Andreas Näf: > Hi everybody > > Started with the example: > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java > > That worked. > > Then tried to get also the other interfaces. > Also that works: > /auth/admin/realms/REALM/users > But I don't get the roles of the user here. > So I think the permissions are there, I can get data. > > If I try this: > /auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings > > I get a 404 error. > My code is: > String url = > "http://localhost:8081/auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings"; > > HttpGet get = new HttpGet(url); > get.addHeader("Authorization", "Bearer " + res.getToken()); > HttpResponse response = client.execute(get); > > > If I open the same url in the browser I see "Bearer", which is logical to > me and shows that the server is there and the url is correct. > > Keycloak version is 1.3.1.Final > Java: 8 > > Thanks a lot for your help / pointing me to the right place.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Näf ITCom AG
Patrick Andreas Näf
CEO / Owner
MSc ETH Inf.-Ing.
Höhenweg 7
4917 Melchnau

web: www.naef-itcom.ch

From psilva at redhat.com Fri Sep 11 09:05:17 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 11 Sep 2015 09:05:17 -0400 (EDT)
Subject: [keycloak-user] UMA Profile for OAuth 2
In-Reply-To: <976410301.261244.1441853436096.JavaMail.yahoo@mail.yahoo.com>
References: <614420284.25750679.1441809895608.JavaMail.zimbra@redhat.com> <976410301.261244.1441853436096.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <846875483.26887782.1441976717979.JavaMail.zimbra@redhat.com>

Hey Raghu, nice to hear from you too.

What you described is pretty much related to UMA, especially #2 and #3. There you have a specific token type, called RPT (Requesting Party Token), that contains the authorization data obtained from the AS when the client asks for authorization (on behalf of a requesting party) for a given resource and its scopes. Once the client obtains this token it can use it as a bearer token to access a resource on the RS. Here the RS is responsible to act as a PEP (Policy Enforcement Point) in order to introspect the RPT and decide whether the user is granted or not with enough permissions for a given resource. There is also a whole dance to obtain this RPT (and also how you register these protected resources), which introduces additional steps before accessing a resource on a RS.
From the specs, and also from references on the web, most UMA examples and scenarios are user-centric. In other words, where the user wants to share its own resources with others, where these resources can be located in a single RS or in different RSs.

What you described is what I meant about NPE use cases, where we don't actually manage user-specific resources and their policies, but protect the resources for a specific client/application that is acting as a RS. For instance, protecting a RESTful API. I'm still evaluating how UMA can be used without too much overhead in this case.

From a policy perspective, UMA does not define how they are defined or managed. It is up to the implementation to decide what to do or use. In our case, we are evaluating Drools to define policies and evaluate them. We are also considering XACML, but not for now ...

Regards.
Pedro Igor

----- Original Message -----
From: "Raghu Prabhala"
To: "Pedro Igor Silva", "Bill Burke"
Cc: keycloak-user at lists.jboss.org
Sent: Wednesday, September 9, 2015 11:50:36 PM
Subject: Re: [keycloak-user] UMA Profile for OAuth 2

Hi Pedro - Nice to hear from you after a long time.

Whatever you are planning to implement for an organization is perhaps what we are looking for a resource application within an organization. There are two different scenarios we are trying to handle which may be different from what this spec is about, but we are trying to tie everything together.

1) A Client application will register with the Auth Server a list of "scopes" or permissions to access certain resource applications.
But it doesn't mean that it will be able to gain access to all those resource apps (see the second point).

2) Each of the resource applications will register its own policy (a policy engine will need to be built to evaluate the requests and provide a decision) on what a client application can/cannot access - for example, a client application with client_id "client1" can only have read-only access to resource app1 or even a certain part of the app.

3) When the client app uses the client credentials grant to obtain an access token to access a resource application, the auth server will check both the policies and then provide the access token.

I haven't yet gone through the spec - so not clear whether it addresses the above, but just wanted to share our thoughts with you.

Thanks,
Raghu

From: Pedro Igor Silva
To: Bill Burke
Cc: keycloak-user at lists.jboss.org
Sent: Wednesday, September 9, 2015 10:44 AM
Subject: Re: [keycloak-user] UMA Profile for OAuth 2

Hey Raghu,

Feel free to share your requirements around authz and UMA.

We're considering two use cases and scenarios where the subject of a transaction can be an individual or a NPE (Non-person entity).

Right now, I'm focusing on NPE use cases, where an organization is both the resource owner and the authorizing party, acting on its own behalf, protecting its own resources. Which, IMO, helps to address most of the authz requirements for those applications that need to protect their own resources.

Regards.
Pedro Igor

----- Original Message -----
From: "Bill Burke"
To: keycloak-user at lists.jboss.org
Sent: Wednesday, September 9, 2015 9:14:12 AM
Subject: Re: [keycloak-user] UMA Profile for OAuth 2

Pedro is working on a permission service on top of UMA, but it will be a separate service and/or an optional addon to keycloak.

On 9/9/2015 7:11 AM, Raghu Prabhala wrote:
> Bill/Stian,
>
> Do you have any plans to support the UMA profile for OAuth 2 in the near
> future?
>
> http://tools.ietf.org/html/draft-hardjono-oauth-umacore-13
>
> Thanks,
> Raghu
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From hermann.hill at optile.net Fri Sep 11 10:05:40 2015
From: hermann.hill at optile.net (Hermann Hill)
Date: Fri, 11 Sep 2015 14:05:40 +0000
Subject: [keycloak-user] How to store additional data for the SSO session of an user?
Message-ID:

Hi everybody,

I'm currently working on attaching a company-internal authentication API to Keycloak by implementing a UserFederationProvider.

Basically it is working, but when authenticating to our internal API I get back some additional data that should be tied to the lifetime of the SSO session of the authenticating user. Is there any pre-defined place to store such data?

As an alternative approach, I stored this data in a HashMap and tried to use the LOGIN and LOGOUT events to keep the contents of the HashMap current. This approach would work for the login (though I'd have to introduce an intermediate storage - the LOGIN event comes some time after the "validatePassword" call), but in my experiments a LOGOUT event was only generated when I was logging myself out, not when my SSO session expired or was removed by an administrator account. Is there a way to be reliably notified at the beginning and the end of a session?

By now I'm really out of ideas. I would really appreciate it if somebody could be so kind and point me in the right direction...
Best regards,

Hermann Josef Hill
Software Architect

optile GmbH
Ganghoferstraße 39 | 80339 München
Mobile +49 (151) 5385 0784
hermann.hill at optile.net | www.optile.net

VAT ID DE268847980
Managing Director: Daniel Smeds
Commercial Register Munich HRB 183178

+++ Visit us at dmexco 2015 on 16 & 17 September, Cologne, Hall 7.1, Stand F013 +++

From stian at redhat.com Fri Sep 11 10:19:05 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 11 Sep 2015 10:19:05 -0400 (EDT)
Subject: [keycloak-user] KeyCloak Server as OpenID provider for AppEngine
In-Reply-To:
References:
Message-ID: <1463941703.30716681.1441981145620.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Andrew Moedinger"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 11 September, 2015 11:09:38 AM
> Subject: [keycloak-user] KeyCloak Server as OpenID provider for AppEngine
>
> Hi folks!
>
> I'd like to use my KeyCloak server to authenticate an AppEngine application.
>
> I'm currently authenticating using Google accounts as it works out of the
> box, but I want to handle account management myself, largely for user
> perception issues.
>
> I see two options:
>
> 1) Implement a new KeyCloak Adapter for AppEngine - I haven't found an
> existing one so far.
> -- This seems pretty doable with all the examples to base it on... but I'd
> rather not write and maintain another 1000 lines of code if it's not
> necessary!
>
> 2) Use the experimental OpenID Connect-based federated login of AppEngine
> -- I'm currently hitting an issue here where AppEngine is looking for an XRDS
> document. I'll try returning one pointing to the OpenId service of my
> server, but I suspect more issues will come up with this route, and
> debugging issues in the internal AppEngine auth flow is a bit tricky.
XRDS is an OpenID 2 thing, which we don't support. Keycloak only supports OpenID Connect.

>
> Is this a crazy approach? Has anyone else tried something similar or have
> better ideas?

No, as long as there's a standard way to use an OpenID Connect provider in Google AppEngine, that's a decent option.

>
> Cheers,
> Andrew
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Fri Sep 11 10:21:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 11 Sep 2015 10:21:14 -0400 (EDT)
Subject: [keycloak-user] Can't get roles of user via REST
In-Reply-To: <55F2CD35.2090707@naef-itcom.ch>
References: <55F2B840.7080201@naef-itcom.ch> <55F2CD35.2090707@naef-itcom.ch>
Message-ID: <988383659.30720835.1441981274617.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Patrick Andreas Näf"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 11 September, 2015 2:46:45 PM
> Subject: Re: [keycloak-user] Can't get roles of user via REST
>
> Hi everybody
>
> Sorry very much... I was too stupid!!!
> GET /admin/realms/{realm}/users/{id}/role-mappings
>
> I set {id} as user NAME, not user ID. Now it's clear.
>
> Sorry again to pollute the mailing list with such stupid questions, but maybe
> someone will find it with Google and then he won't make this stupid error!

There are no stupid questions - pleased you figured it out though :)

>
> Am 11.09.2015 um 13:17 schrieb Patrick Andreas Näf:
>
> Hi everybody
>
> Started with the example:
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> That worked.
>
> Then tried to get also the other interfaces.
> Also that works:
> /auth/admin/realms/REALM/users
> But I don't get the roles of the user here.
> So I think the permissions are there, I can get data.
>
> If I try this:
> /auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings
>
> I get a 404 error.
> My code is:
>
> String url = "http://localhost:8081/auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings";
>
> HttpGet get = new HttpGet(url);
> get.addHeader("Authorization", "Bearer " + res.getToken());
> HttpResponse response = client.execute(get);
>
> If I open the same URL in the browser I see "Bearer", which is logical to
> me and it shows that the server is there and the URL is correct.
>
> Keycloak version is 1.3.1.Final
> Java: 8
>
> Thanks a lot for your help / pointing me to the right place.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Näf ITCom AG
> Patrick Andreas Näf
> CEO / Owner
> MSc ETH Inf.-Ing.
> Höhenweg 7
> 4917 Melchnau
>
> web: www.naef-itcom.ch
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Fri Sep 11 10:52:20 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Sep 2015 10:52:20 -0400
Subject: [keycloak-user] How to store additional data for the SSO session of an user?
In-Reply-To:
References:
Message-ID: <55F2EAA4.5060200@redhat.com>

In Keycloak 1.5 we have an authentication flow SPI. That might be the best place to incorporate your authentication plugin.

On 9/11/2015 10:05 AM, Hermann Hill wrote:
> Hi everybody,
>
> I'm currently working on attaching a company-internal authentication API
> to Keycloak by implementing a UserFederationProvider.
>
> Basically it is working, but when authenticating to our internal API I
> get back some additional data that should be tied to the lifetime of the
> SSO session of the authenticating user. Is there any pre-defined place
> to store such data?
>
> As an alternative approach, I stored this data in a HashMap and tried to
> use the LOGIN and LOGOUT events to keep the contents of the HashMap
> current. This approach would work for the login (though I'd have to
> introduce an intermediate storage - the LOGIN event comes some time
> after the "validatePassword" call), but in my experiments a LOGOUT event
> was only generated when I was logging myself out, not when my SSO
> session expired or was removed by an administrator account. Is there a
> way to be reliably notified at the beginning and the end of a session?
>
> By now I'm really out of ideas. I would really appreciate it if somebody
> could be so kind and point me in the right direction...
>
> Best regards,
>
> *Hermann Josef Hill*
> Software Architect
>
> *optile GmbH*
> Ganghoferstraße 39 | 80339 München
> Mobile +49 (151) 5385 0784
>
> hermann.hill at optile.net | www.optile.net
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Fri Sep 11 11:00:24 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Sep 2015 11:00:24 -0400
Subject: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
In-Reply-To: <55F2C0E8.20005@intelbras.com.br>
References: <55F2C0E8.20005@intelbras.com.br>
Message-ID: <55F2EC88.3020202@redhat.com>

Kenyatta, does that work for you? URL patterns are:

/auth/realms/{realm}/*   this is all protocol entry points.
Through your proxy, control which realms can receive SSO requests by filtering out things by realm name aka {realm}

/auth/admin/*   All admin consoles and admin REST endpoints

On 9/11/2015 7:54 AM, Felipe Braun Azambuja wrote:
> I have put some rules on my reverse proxy (nginx), at least to stop
> access to the admin console:
>
> location / {
>     allow 1.2.3.4;
>     deny all;
>
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> location /auth/realms {
>     allow all;
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> location /auth/resources {
>     allow all;
>     proxy_pass http://keycloak:8080$request_uri;
> }
>
> Il 11/09/2015 08:48, Kenyatta Clark ha scritto:
>> First of all, I would like to thank your team for doing such a nice job
>> on Keycloak. It is a very solid project.
>>
>> We are getting ready to deploy Keycloak to production and our IT
>> director is nervous about having the Master realm accessible from the
>> internet. Is there any way to configure Keycloak to disallow access to
>> the Master realm from the open internet? If not, what methods do you
>> suggest employing that would mitigate the risk?
>>
>> *Kenyatta Clark*
>> *Principal Engineer, Systems Development*
>> MBO Partners
>> *t:* 703.793.6314
>> *w:* www.mbopartners.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Felipe Braun Azambuja
> DBA
> Tecnologia da Informação e Comunicação
> (48) 3281 9577
> felipe.braun at intelbras.com.br
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Fri Sep 11 11:03:19 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 11 Sep 2015 11:03:19 -0400 (EDT)
Subject: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
In-Reply-To: <55F2EC88.3020202@redhat.com>
References: <55F2C0E8.20005@intelbras.com.br> <55F2EC88.3020202@redhat.com>
Message-ID: <1941789093.30760151.1441983799443.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 11 September, 2015 5:00:24 PM
> Subject: Re: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
>
> Kenyatta, does that work for you? URL patterns are:
>
> /auth/realms/{realm}/* this is all protocol entry points. Through your
> proxy, control which realms can receive SSO requests by filtering out
> things by realm name aka {realm}
>
> /auth/admin/* All admin consoles and admin REST endpoints

Do we not also have the realm specific admin console entry points?

>
> On 9/11/2015 7:54 AM, Felipe Braun Azambuja wrote:
> > I have put some rules on my reverse proxy (nginx), at least to stop
> > access to the admin console:
> >
> > location / {
> >     allow 1.2.3.4;
> >     deny all;
> >
> >     proxy_pass http://keycloak:8080$request_uri;
> > }
> >
> > location /auth/realms {
> >     allow all;
> >     proxy_pass http://keycloak:8080$request_uri;
> > }
> >
> > location /auth/resources {
> >     allow all;
> >     proxy_pass http://keycloak:8080$request_uri;
> > }
> >
> > Il 11/09/2015 08:48, Kenyatta Clark ha scritto:
> >> First of all, I would like to thank your team for doing such a nice job
> >> on Keycloak. It is a very solid project.
> >>
> >> We are getting ready to deploy Keycloak to production and our IT
> >> director is nervous about having the Master realm accessible from the
> >> internet. Is there any way to configure Keycloak to disallow access to
> >> the Master realm from the open internet? If not, what methods do you
> >> suggest employing that would mitigate the risk?
> >>
> >> *Kenyatta Clark*
> >> *Principal Engineer, Systems Development*
> >> MBO Partners
> >> *t:* 703.793.6314
> >> *w:* www.mbopartners.com
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Felipe Braun Azambuja
> > DBA
> > Tecnologia da Informação e Comunicação
> > (48) 3281 9577
> > felipe.braun at intelbras.com.br
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Fri Sep 11 11:06:31 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Sep 2015 11:06:31 -0400
Subject: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
In-Reply-To: <1941789093.30760151.1441983799443.JavaMail.zimbra@redhat.com>
References: <55F2C0E8.20005@intelbras.com.br> <55F2EC88.3020202@redhat.com> <1941789093.30760151.1441983799443.JavaMail.zimbra@redhat.com>
Message-ID: <55F2EDF7.5000100@redhat.com>

On 9/11/2015 11:03 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke"
>> To: keycloak-user at lists.jboss.org
>> Sent: Friday, 11 September, 2015 5:00:24 PM
>> Subject: Re: [keycloak-user] Only Allowing Access To Master Realm From Internal Network
>>
>> Kenyatta, does that work for you? URL patterns are:
>>
>> /auth/realms/{realm}/* this is all protocol entry points. Through your
>> proxy, control which realms can receive SSO requests by filtering out
>> things by realm name aka {realm}
>>
>> /auth/admin/* All admin consoles and admin REST endpoints
>
> Do we not also have the realm specific admin console entry points?
>

Yup:

/auth/admin/{realm}/console   for per realm admin console UI
/auth/admin/realms/{realm}    for per realm admin REST API

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Fri Sep 11 11:12:12 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 11 Sep 2015 11:12:12 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.5.0.Final released
In-Reply-To: <1860800646.30766081.1441984253168.JavaMail.zimbra@redhat.com>
Message-ID: <1897857333.30767241.1441984332815.JavaMail.zimbra@redhat.com>

For details check http://blog.keycloak.org/2015/09/keycloak-150final-released.html

It's in JBoss Nexus and downloads from keycloak.org right now, but it may take a few hours until it's synced to Maven Central.

From juraci at kroehling.de Fri Sep 11 11:23:50 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 11 Sep 2015 17:23:50 +0200
Subject: [keycloak-user] Keycloak 1.5.0.Final released
In-Reply-To: <1897857333.30767241.1441984332815.JavaMail.zimbra@redhat.com>
References: <1897857333.30767241.1441984332815.JavaMail.zimbra@redhat.com>
Message-ID: <55F2F206.2010407@kroehling.de>

Stian,

I couldn't find this info in the blog post nor in the release notes (or even in the docs), but I thought I should ask anyway: is the support for offline tokens available on 1.5.0.Final?

- Juca.

On 09/11/2015 05:12 PM, Stian Thorgersen wrote:
> For details check http://blog.keycloak.org/2015/09/keycloak-150final-released.html
>
> It's in JBoss Nexus and downloads from keycloak.org right now, but it may take a few hours until it's synced to Maven Central.
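Back to the "Only Allowing Access To Master Realm From Internal Network" thread above. The nginx configuration below is an added example written for this archive; it is not Felipe's configuration from the thread and not something shipped with Keycloak. It applies the URL layout Bill Burke lists (protocol entry points under /auth/realms/{realm}/, the admin console and admin REST API under /auth/admin/, including the per-realm /auth/admin/{realm}/console and /auth/admin/realms/{realm}) and closes the gap a blanket "allow all" on /auth/realms leaves open: the master realm's own login and token endpoints at /auth/realms/master/ would still be reachable from the Internet, and that is where the admin user authenticates. The upstream name keycloak:8080, the hostname sso.example.com and the internal range 10.0.0.0/8 are assumptions; the note about JAX-RS matrix parameters is mine, not from the thread.

```nginx
# Added example for this archive, not configuration from the thread.
# Assumed: Keycloak listens on keycloak:8080, clients reach it as
# sso.example.com, and 10.0.0.0/8 is the internal network. "master" is
# the realm to hide; every other realm is an application realm whose
# login and token endpoints must stay public.

upstream keycloak {
    server keycloak:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;
    # ssl_certificate / ssl_certificate_key omitted

    # Forwarded headers Keycloak needs behind a proxy (pair them with
    # proxy-address-forwarding="true" on the Undertow http-listener in
    # standalone.xml, as the Keycloak reverse proxy docs describe).
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # 1. Master realm protocol endpoints (/auth/realms/master/*): internal
    #    only. nginx matches locations against the decoded, normalized URI,
    #    so /auth/realms/%6daster/ and /auth/realms/x/../master/ land here
    #    too. The ';' alternative closes a JAX-RS quirk: matrix parameters
    #    (";k=v") are stripped from a path segment before the realm name is
    #    resolved, so /auth/realms/master;x=1/... would otherwise slip past
    #    this rule into rule 2 and still reach the master realm.
    #    Regex locations are tried in the order written: keep this first.
    location ~ ^/auth/realms/master(?:[/;]|$) {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # 2. Application realms: login, token, logout, account console and the
    #    other protocol entry points stay reachable from the Internet.
    location ~ ^/auth/realms/[^/;]+(?:[/;]|$) {
        proxy_pass http://keycloak;
    }

    # 3. Theme resources (CSS, JS, images) the public login pages load.
    location /auth/resources/ {
        proxy_pass http://keycloak;
    }

    # 4. Admin console and admin REST API for every realm, i.e. /auth/admin/
    #    as a whole, which also covers /auth/admin/{realm}/console and
    #    /auth/admin/realms/{realm}: internal only.
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # 5. Default deny for everything else (the /auth/ welcome page and any
    #    path a later release adds). Add explicit rules rather than
    #    widening this one.
    location / {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }
}
```

Two caveats the thread does not spell out. allow/deny act on the address nginx sees; if another load balancer sits in front of it, set set_real_ip_from and real_ip_header (ngx_http_realip_module), otherwise every request carries the balancer's address and the rules are either all open or all closed. And the filter is defence in depth, not a replacement for credentials: the master realm stays reachable from the internal network, so the admin account still needs a strong password, and a user with realm-admin roles in an application realm can still obtain tokens through that realm's public /auth/realms/{realm}/ endpoints; the rules only block the console and the admin REST API where such a token would be used.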
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kclark at mbopartners.com Fri Sep 11 12:21:40 2015
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Fri, 11 Sep 2015 16:21:40 +0000
Subject: [keycloak-user] Password reset link
Message-ID:

In previous versions of Keycloak we were able to initiate a password reset by using the path /auth/realms/{realm}/login-actions/password-reset. It appears that that endpoint has been replaced with auth/realms/{realm}/login-actions/reset-credentials in 1.5.0.Final, but this requires a code parameter and a null pointer exception is thrown if it is not valid. How do you initiate a forgot password through Keycloak's web interface without having to direct the user to the login page?

Kenyatta Clark
Principal Engineer, Systems Development
MBO Partners
t: 703.793.6314
w: www.mbopartners.com

From bburke at redhat.com Fri Sep 11 12:44:11 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Sep 2015 12:44:11 -0400
Subject: [keycloak-user] Password reset link
In-Reply-To:
References:
Message-ID: <55F304DB.8010103@redhat.com>

Initiate it how? From the admin perspective?
Or from the user?

On 9/11/2015 12:21 PM, Kenyatta Clark wrote:
> In previous versions of Keycloak we were able to initiate a password
> reset by using the path
> /auth/realms/{realm}/login-actions/password-reset. It appears that that
> endpoint has been replaced
> with auth/realms/{realm}/login-actions/reset-credentials in 1.5.0.Final,
> but this requires a code parameter and a null pointer exception is
> thrown if it is not valid. How do you initiate a forgot password
> through Keycloak's web interface without having to direct the user to
> the login page?
>
> *Kenyatta Clark*
> *Principal Engineer, Systems Development*
> MBO Partners
> *t:* 703.793.6314
> *w:* www.mbopartners.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Fri Sep 11 13:10:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Sep 2015 13:10:30 -0400
Subject: [keycloak-user] Password reset link
In-Reply-To:
References:
Message-ID: <55F30B06.9060001@redhat.com>

Is there a reason you link to password-reset outside of a login page?

On 9/11/2015 12:21 PM, Kenyatta Clark wrote:
> In previous versions of Keycloak we were able to initiate a password
> reset by using the path
> /auth/realms/{realm}/login-actions/password-reset. It appears that that
> endpoint has been replaced
> with auth/realms/{realm}/login-actions/reset-credentials in 1.5.0.Final,
> but this requires a code parameter and a null pointer exception is
> thrown if it is not valid.
> How do you initiate a forgot password
> through Keycloak's web interface without having to direct the user to
> the login page?
>
> *Kenyatta Clark*
> *Principal Engineer, Systems Development*
> MBO Partners
> *t:* 703.793.6314
> *w:* www.mbopartners.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Fri Sep 11 15:18:39 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 11 Sep 2015 21:18:39 +0200
Subject: [keycloak-user] Keycloak 1.5.0.Final released
In-Reply-To: <55F2F206.2010407@kroehling.de>
References: <1897857333.30767241.1441984332815.JavaMail.zimbra@redhat.com> <55F2F206.2010407@kroehling.de>
Message-ID: <55F3290F.2070007@redhat.com>

Not yet, but it will be in the 1.6 release and even sooner in master (I hope to have something next week or at least the week after). Will CC you in all the future mails regarding offline tokens.

Marek

On 11/09/15 17:23, Juraci Paixão Kröhling wrote:
> Stian,
>
> I couldn't find this info in the blog post nor in the release notes (or
> even in the docs), but I thought I should ask anyway: is the support for
> offline tokens available on 1.5.0.Final?
>
> - Juca.
>
> On 09/11/2015 05:12 PM, Stian Thorgersen wrote:
>> For details check http://blog.keycloak.org/2015/09/keycloak-150final-released.html
>>
>> It's in JBoss Nexus and downloads from keycloak.org right now, but it may take a few hours until it's synced to Maven Central.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kclark at mbopartners.com Fri Sep 11 15:48:53 2015
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Fri, 11 Sep 2015 19:48:53 +0000
Subject: [keycloak-user] Password reset link
Message-ID:

Please forgive me if I am totally off base, but this is what we were thinking from the user's perspective. The user wanted to reset their password from a mobile application; we open a web view to the forgot password page and use it to change their password.

From bburke at redhat.com Fri Sep 11 18:58:34 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Sep 2015 18:58:34 -0400
Subject: [keycloak-user] Password reset link
In-Reply-To:
References:
Message-ID: <55F35C9A.9010508@redhat.com>

Ok, I'll fix this in 1.6

On 9/11/2015 3:48 PM, Kenyatta Clark wrote:
>
> Please forgive me if I am totally off base, but this is what we were thinking
> from the user's perspective. The user wanted to reset their password from
> a mobile application; we open a web view to the forgot password page and
> use it to change their password.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From tdudgeon.ml at gmail.com Sat Sep 12 12:05:14 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Sat, 12 Sep 2015 17:05:14 +0100
Subject: [keycloak-user] keycloak with nginx or apache
In-Reply-To: <55F1C916.4030803@redhat.com>
References: <55F1AF56.7020403@gmail.com> <55F1C916.4030803@redhat.com>
Message-ID: <55F44D3A.8080808@gmail.com>

So that's just for Apache?
Is anything possible with nginx?

Tim

On 10/09/2015 19:16, Bill Burke wrote:
> mod_auth_mellon is a SAML adapter. Works with Keycloak.
>
> On 9/10/2015 12:27 PM, Tim Dudgeon wrote:
>> Hi All,
>>
>> the docs describe adapters for Java app servers like Jetty and Tomcat,
>> but is it also possible to use keycloak for securing apps/pages running
>> in app servers like nginx or apache web server?
>>
>> Tim

From bburke at redhat.com Sat Sep 12 15:21:16 2015
From: bburke at redhat.com (Bill Burke)
Date: Sat, 12 Sep 2015 15:21:16 -0400
Subject: [keycloak-user] keycloak with nginx or apache
In-Reply-To: <55F44D3A.8080808@gmail.com>
References: <55F1AF56.7020403@gmail.com> <55F1C916.4030803@redhat.com> <55F44D3A.8080808@gmail.com>
Message-ID: <55F47B2C.7010307@redhat.com>

Google SAML nginx. There's your answer.

On 9/12/2015 12:05 PM, Tim Dudgeon wrote:
> So that's just for Apache?
> Is anything possible with nginx?
>
> Tim
>
> On 10/09/2015 19:16, Bill Burke wrote:
>> mod_auth_mellon is a SAML adapter. Works with Keycloak.
>>
>> On 9/10/2015 12:27 PM, Tim Dudgeon wrote:
>>> Hi All,
>>>
>>> the docs describe adapters for Java app servers like Jetty and Tomcat,
>>> but is it also possible to use keycloak for securing apps/pages running
>>> in app servers like nginx or apache web server?
>>>
>>> Tim

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From b.hansmann at alphaapps.de Sat Sep 12 20:29:00 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Sun, 13 Sep 2015 02:29:00 +0200
Subject: [keycloak-user] Themes
Message-ID: <1442104140.11814.3.camel@alphaapps.de>

Can someone tell me how I could style the Email verification page to look like HTML from 1995 (just a logo with a message below) and remove the "Back to application" link (because in my case the referred page does not exist).

Best regards,
Benjamin

From amhimobility at gmail.com Mon Sep 14 01:48:11 2015
From: amhimobility at gmail.com (Mastek Amhi)
Date: Mon, 14 Sep 2015 11:18:11 +0530
Subject: [keycloak-user] Keycloak - Reverse Proxy
Message-ID:

Hi,
I have keycloak and another wildfly instance (application to be secured) behind a reverse proxy.
Application is secured and it asks for username and password when we try to access the application.
But when we try to access the admin console via reverse proxy it fails to load the page.
Same thing is with the account management screens.
Any help will be appreciated. Thanks in advance.

Peace.
Sanket Raut
From mposolda at redhat.com Mon Sep 14 02:28:47 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Sep 2015 08:28:47 +0200
Subject: [keycloak-user] Occasional NPE while retrieving token
In-Reply-To:
References: <55E6FD6E.80404@redhat.com>
Message-ID: <55F6691F.7070609@redhat.com>

Thanks, I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-1842 . We will try to reproduce and fix for 1.6 release.

Marek

On 10/09/15 11:51, Orestis Tsakiridis wrote:
> Hello Marek,
>
> It looks like we've cornered the issue after all :-)
>
> I managed to reproduce it on a relatively clean keycloak setup with
> the following steps:
>
> 1. Create application app-dg that will be used to get tokens
>    using direct access grants.
>    Access type: Public
>    Direct Grants Only: true
>
> 2. Create application app-test.
>    Access type: Bearer only
>
> 3. Create application level role 'role-test' in app-test.
>
> 4. Create user user-test. Assign it application level role
>    app-test:role-test and set his password to 'password'
>
> 5. Retrieve a token for user-test using direct access grants:
>
>    $ curl -k -X POST http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token -d "grant_type=password" -d "client_id=app-dg" -d "username=user-test" -d "password=password"
>
>    And the token:
>    {
>      "jti": "f68e595e-d612-42a1-b4f2-0af2b32b7dd7",
>      "exp": 1441881384,
>      "nbf": 0,
>      "iat": 1441877784,
>      "iss": "http://127.0.0.1:8080/auth/realms/restcomm",
>      "aud": "app-dg",
>      "sub": "067021e3-0fac-49dd-931b-1d26eb8ceb70",
>      "azp": "app-dg",
>      "session_state": "03903e0d-4748-4aba-bf5e-c0529757c13d",
>      "client_session": "7f8417c0-9fd0-4e65-a3d8-a9335cb1f704",
>      "allowed-origins": [],
>      "resource_access": {
>        "app-test": {
>          "roles": [
>            "role-test"
>          ]
>        },
>        "account": {
>          "roles": [
>            "view-profile",
>            "manage-account"
>          ]
>        }
>      },
>      "name": "",
>      "preferred_username": "user-test"
>    }
>
> 6. Remove app-test
>
> 7. Try to retrieve a token once more and the error appears:
>
> 12:39:37,260 ERROR [io.undertow.request] (default task-17) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
>     ... 29 more
> Caused by: java.lang.NullPointerException
>     at org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)
>     at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)
>     at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>     ... 37 more
>
> The rule I tried to make up is the following:
>
> "If for user Alice exists an active token with application roles for
> an application and this application is removed, you can't get a token
> for this user anymore"
>
> Also note that in my tests I've increased realm 'Access token
> lifespan' to 60 min. Maybe having a short lifespan discards the token
> before making any damage and the exception is not thrown. Just
> guessing here...
>
> I hope this helps
>
> Regards
>
> Orestis
>
> On Fri, Sep 4, 2015 at 11:54 AM, Orestis Tsakiridis wrote:
>
>     Hi Marek,
>
>     Hmmm, indeed, that happens after having deleted clients. But, I
>     haven't defined any composite roles. The rest of the REST API
>     operations I've used don't seem to trigger it.
>
>     But wait! I think you rang a bell. The clients I remove have their
>     own application-level roles created and bound to them. They are
>     not composite though in the strict sense of the term. Possibly the
>     user that tries to get a token is also assigned these roles. Btw,
>     is it proper practice to remove a client without removing its own
>     application roles first?
>
>     Also, I'm using the default H2 DB setup.
>
>     I will try to reproduce and post my findings to this thread.
>
>     Thanks Marek
>
>     Orestis
>
>     On Wed, Sep 2, 2015 at 4:45 PM, Marek Posolda wrote:
>
>         It looks like you deleted some client, but its composite roles were
>         not properly deleted. It might be a bug though, but not sure.
>         It will be cool if you can provide more detailed steps to
>         reproduce. Are you using the default H2 DB or something else?
>
>         Thanks,
>         Marek
>
>         On 02/09/15 11:25, Orestis Tsakiridis wrote:
>>         Hello,
>>
>>         I'm experiencing a strange error while trying to retrieve a
>>         token. Although initially the application may function
>>         properly and tokens issued normally, something happens when I
>>         use the Admin REST API that triggers the error. After that no
>>         tokens can be issued and an NPE appears in the log. Usually
>>         this happens after trying to drop some clients.
>>
>>         Btw, I'm using keycloak-1.4.0.Final.
>>
>>         Here is the command I use to get the token:
>>
>>         curl -k -X POST https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token -d "grant_type=password" -d "client_id=restcomm-identity-rest" -d "username=otsakir" -d "password=...."
>>
>>         And here is what I get in the logs:
>>
>>         09:12:36,414 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token
>>             at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
>>             at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>             at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>             at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>>             at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>             at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>             at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>             at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>             at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>             at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>             at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>             at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>>             at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>>             at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>             at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>>             at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>             at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>>             at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>>             at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>>             at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>>             at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>>             at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>>             at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>             at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>             at java.lang.Thread.run(Thread.java:745)
>>         Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>>             at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>             at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>             at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>>             at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>>             at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>>             at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>>             at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>             at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>             at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>             at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>>             at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>>             at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
>>             ... 29 more
>>         Caused by: java.lang.NullPointerException
>>             at org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)
>>             at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)
>>             at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)
>>             at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)
>>             at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)
>>             at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source)
>>             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>             at java.lang.reflect.Method.invoke(Method.java:606)
>>             at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>>             at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>>             at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>>             at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>>             at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>             at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>             at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>>             at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>>             ... 37 more
>>
>>         Regards
>>
>>         Orestis
From mposolda at redhat.com Mon Sep 14 02:36:13 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Sep 2015 08:36:13 +0200
Subject: [keycloak-user] Keycloak - Reverse Proxy
In-Reply-To:
References:
Message-ID: <55F66ADD.10707@redhat.com>

What exactly is "fails to load the page"? Is there some exception in the server log? The fact that you don't see even account management could mean that there is some issue with the cookie (just guessing from the info you provided). Do you see the KEYCLOAK_IDENTITY cookie in the browser for your host? Could you verify if the cookie is propagated from the proxy and visible on the keycloak server?

Marek

On 14/09/15 07:48, Mastek Amhi wrote:
> Hi,
> I have keycloak and another wildfly instance (application to be
> secured) behind a reverse proxy.
> Application is secured and it asks for username and password when we
> try to access the application.
> But when we try to access the admin console via reverse proxy it
> fails to load the page.
> Same thing is with the account management screens.
> Any help will be appreciated. Thanks in advance.
>
> Peace.
> Sanket Raut

From orestis.tsakiridis at telestax.com Mon Sep 14 06:08:05 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 14 Sep 2015 13:08:05 +0300
Subject: [keycloak-user] Occasional NPE while retrieving token
In-Reply-To: <55F6691F.7070609@redhat.com>
References: <55E6FD6E.80404@redhat.com> <55F6691F.7070609@redhat.com>
Message-ID:

Sounds great. Thanks Marek.
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >>> at >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> at >>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >>> at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >>> at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: org.jboss.resteasy.spi.UnhandledException: >>> java.lang.NullPointerException >>> at >>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >>> at >>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) >>> 
at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> at >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) >>> ... 29 more >>> Caused by: java.lang.NullPointerException >>> at >>> org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353) >>> at >>> org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193) >>> at >>> org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412) >>> at >>> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358) >>> at >>> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113) >>> at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source) >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:606) >>> at >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) >>> at >>> 
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) >>> ... 37 more >>> >>> >>> Regards >>> >>> Orestis >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150914/b3f2522c/attachment-0001.html From cwalker at sumglobal.com Mon Sep 14 13:21:35 2015 From: cwalker at sumglobal.com (Walker, Charles) Date: Mon, 14 Sep 2015 13:21:35 -0400 Subject: [keycloak-user] Updating database through maven and liquibase Message-ID: I was trying to create the SQL output for the 1.5 update but ran into errors. at it's simplest, creating a new h2 database fails (for me) as such: mvn -f connections/jpa-liquibase/pom.xml -Durl=jdbc:h2:.keycloak ..... 
[INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 12.026 s [INFO] Finished at: 2015-09-14T11:48:31-04:00 [INFO] Final Memory: 15M/245M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.liquibase:liquibase-maven-plugin:3.3.5:update (default-cli) on project keycloak-connections-jpa-liquibase: Error setting up or running Liquibase: Validation Failed: [ERROR] 3 changes have validation errors [ERROR] java.util.ServiceConfigurationError: org.keycloak.authentication.AuthenticatorFactory: Provider org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail could not be instantiated [ERROR] java.util.ServiceConfigurationError: org.keycloak.authentication.AuthenticatorFactory: Provider org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail could not be instantiated [ERROR] java.util.ServiceConfigurationError: org.keycloak.authentication.AuthenticatorFactory: Provider org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail could not be instantiated Has anyone else seen this? Thanks, Charlie -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150914/669115d0/attachment.html From mposolda at redhat.com Mon Sep 14 15:27:42 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 14 Sep 2015 21:27:42 +0200 Subject: [keycloak-user] Updating database through maven and liquibase In-Reply-To: References: Message-ID: <55F71FAE.7060801@redhat.com> Could you please create JIRA for this? Thanks, Marek On 14/09/15 19:21, Walker, Charles wrote: > I was trying to create the SQL output for the 1.5 update but ran into > errors. ? 
at it's simplest, creating a new h2 database fails (for me) > as such: > > mvn -f connections/jpa-liquibase/pom.xml -Durl=jdbc:h2:.keycloak? > > ..... > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 12.026 s > [INFO] Finished at: 2015-09-14T11:48:31-04:00 > [INFO] Final Memory: 15M/245M > [INFO] > ------------------------------------------------------------------------ > [ERROR] Failed to execute goal > org.liquibase:liquibase-maven-plugin:3.3.5:update (default-cli) on > project keycloak-connections-jpa-liquibase: Error setting up or > running Liquibase: Validation Failed: > [ERROR] 3 changes have validation errors > [ERROR] java.util.ServiceConfigurationError: > org.keycloak.authentication.AuthenticatorFactory: Provider > org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail > could not be instantiated > [ERROR] java.util.ServiceConfigurationError: > org.keycloak.authentication.AuthenticatorFactory: Provider > org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail > could not be instantiated > [ERROR] java.util.ServiceConfigurationError: > org.keycloak.authentication.AuthenticatorFactory: Provider > org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail > could not be instantiated > > > Has anyone else seen this? > > Thanks, > Charlie > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150914/db479e1c/attachment.html
From kclark at mbopartners.com Mon Sep 14 19:47:50 2015 From: kclark at mbopartners.com (Kenyatta Clark) Date: Mon, 14 Sep 2015 23:47:50 +0000 Subject: [keycloak-user] Password reset link Message-ID: Thanks!
From b.hansmann at alphaapps.de Tue Sep 15 08:59:07 2015 From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps]) Date: Tue, 15 Sep 2015 14:59:07 +0200 Subject: [keycloak-user] Themes In-Reply-To: References: <1442104140.11814.3.camel@alphaapps.de> Message-ID: <1442321947.3311.4.camel@alphaapps.de> Hi Stian, thanks for your reply. On Tue, 2015-09-15 at 13:16 +0200, Stian Thorgersen wrote: > By email verification page are you talking about the page that's > displayed after the user has clicked on the link in the email or? Yes, that's what I was talking about. > If so the back to application page should only be displayed if the > client has a base url set on it, so this may be a bug. The base url was set, so this is not a bug. > To change the style of the page and remove elements you can create a > theme and copy the template from the base theme and change it so it > only displays the message and logo you want. I have spent some time experimenting with the templates and got it to work. Best Regards Benjamin > > On 13 September 2015 at 02:29, Benjamin Hansmann [alphaApps] > wrote: > Can someone tell me how I could style the Email verification > page to > look like HTML from 1995 (just a logo with a message below) > and remove > the "Back to application" link (because in my case the > referred page > does not exist). > > Best regards, > Benjamin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > >
From robin1233 at gmail.com Tue Sep 15 14:12:40 2015 From: robin1233 at gmail.com (robinfernandes .)
Date: Tue, 15 Sep 2015 14:12:40 -0400 Subject: [keycloak-user] Different token timeouts for clients under the same realm In-Reply-To: <55E68944.9040500@redhat.com> References: <93200600.21989709.1441020438386.JavaMail.zimbra@redhat.com> <55E68944.9040500@redhat.com> Message-ID: Hi Marek, The offline token for particular clients fits our use case perfectly. So is there a way that I can have access to the current developer's version of Keycloak like an alpha/beta version of the 1.6 release with the "Offline tokens" when it is implemented? Also is there a roadmap for the 1.6 release as of yet? Thanks, Robin On Wed, Sep 2, 2015 at 1:29 AM, Marek Posolda wrote: > I am thinking about enable/disable offline tokens per client. So in admin > console in "Client settings" tab there will be on/off switch "Enable > offline tokens" and you will be able to request offline token for > particular client just if switch is enabled. Offline token won't never > timeout, so there won't be any new option in realm timeout settings though. > > Marek > > > On 01/09/15 16:39, robinfernandes . wrote: > > Thank you so much for that information. > So would these offline tokens be at the realm level as well as currently > all token settings are at the realm level? > Is there a roadmap for the 1.6 release? > > Thanks, > Robin > > On Mon, Aug 31, 2015 at 7:27 AM, Stian Thorgersen > wrote: > >> Sounds like what you might want are offline tokens. They will allow >> clients to get a permanent token, which can be revoked by a user or admin, >> but doesn't expire. These should be added to 1.6 release. >> >> ----- Original Message ----- >> > From: "robinfernandes ." < robin1233 at gmail.com> >> > To: keycloak-user at lists.jboss.org >> > Sent: Friday, 28 August, 2015 12:32:07 PM >> > Subject: [keycloak-user] Different token timeouts for clients under the >> same realm >> > >> > Hi All, >> > >> > Is there a possibility where we can set different token timeouts for >> clients >> > under the same realm? 
>> > >> > The use case why we are trying to achieve this is basically we have 2 >> > applications which require 2 different timeout settings. >> > We want the web client timeouts to be short since there would be human >> > intervention there always, however we want our Agent timeouts to be very >> > large since there might not be anyone to log into it again. >> > >> > Using Keycloak we have seen that the timeout settings can be applied >> only at >> > the realm level though, which forces us to have each application in a >> > different realm. >> > >> > Can we have the timeout settings at the client(application) level >> rather than >> > the realm level so that we can put both the applications in the same >> realm? >> > >> > Thanks & Regards, >> > Robin >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > >
From fadiabdeen at gmail.com Tue Sep 15 14:21:29 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Tue, 15 Sep 2015 14:21:29 -0400 Subject: [keycloak-user] keycloak mysql Message-ID: I'm following the instructions on http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html to set up MySQL instead of the H2. But I can't find how to initiate the Keycloak database. Is there a DDL file I run on the database before setting up the connections in the standalone.xml? Thanks, -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150915/f8329d36/attachment.html
From getbhanu30 at gmail.com Tue Sep 15 14:56:08 2015 From: getbhanu30 at gmail.com (Bhanu Kiran) Date: Tue, 15 Sep 2015 13:56:08 -0500 Subject: [keycloak-user] Customizing themes Message-ID: Hello, Please provide input on the query below. 1. We are customizing the login, forgot password and registration screens. Let us know how we can override the Java functionality and pass user-entered data to the service provider? Thanks, Bhanu
From mstrukel at redhat.com Tue Sep 15 15:01:43 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Tue, 15 Sep 2015 21:01:43 +0200 Subject: [keycloak-user] keycloak mysql In-Reply-To: References: Message-ID: First, you should always use: http://keycloak.github.io/docs/userguide/html/index.html for the latest documentation. Second, you don't have to change anything in the keycloak-server.json file for a MySQL setup. What you do is modify the KEYCLOAK_HOME/standalone/configuration/standalone.xml file - which is a Wildfly configuration file, and change the KeycloakDS definition there to use MySQL rather than H2. In order to install the MySQL driver into Wildfly you have to create a new module for it under the KEYCLOAK_HOME/modules directory, and download a .jar file. See this article: http://wildfly.org/news/2014/02/06/GlassFish-to-WildFly-migration I think it goes through all the steps ... On Tue, Sep 15, 2015 at 8:21 PM, Fadi Abdin wrote: > I'm following the instructions on > http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html > to set up MySQL instead of the H2. > > But I can't find how to initiate the Keycloak database.
Is there a DDL > file I run on the database before setting up the connections in the > standalone.xml? > > Thanks, > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From orestis.tsakiridis at telestax.com Tue Sep 15 17:54:13 2015 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Wed, 16 Sep 2015 00:54:13 +0300 Subject: [keycloak-user] Programmatic access control with no <security-constraint> in web.xml Message-ID: Hello, Is it possible to apply programmatic access control, i.e. retrieve KeycloakSecurityContext, get token, roles etc., when the <security-constraint> elements have been removed from web.xml? The reason for that is that when <security-constraint> elements are present the requests get dropped by the Keycloak adapter before reaching the REST endpoint implementation in case they are not carrying a token. I'm trying to support an alternative authorization mechanism using a custom API Key parameter in case the OAuth token header is missing. Regards Orestis
From bburke at redhat.com Tue Sep 15 19:39:47 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 15 Sep 2015 19:39:47 -0400 Subject: [keycloak-user] Programmatic access control with no <security-constraint> in web.xml In-Reply-To: References: Message-ID: <55F8AC43.6020805@redhat.com> I'll eventually implement the adapter as a filter, but right now security constraints are required. On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: > Hello, > > Is it possible to apply programmatic access control, i.e. retrieve > KeycloakSecurityContext, get token, roles etc., when the <security-constraint> > elements have been removed from web.xml?
> > The reason for that is that when <security-constraint> elements are present the > requests get dropped by the Keycloak adapter before reaching the REST > endpoint implementation in case they are not carrying a token. I'm > trying to support an alternative authorization mechanism using a custom > API Key parameter in case the OAuth token header is missing. > > > Regards > > Orestis > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
From orestis.tsakiridis at telestax.com Wed Sep 16 03:04:04 2015 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Wed, 16 Sep 2015 10:04:04 +0300 Subject: [keycloak-user] Programmatic access control with no <security-constraint> in web.xml In-Reply-To: <55F8AC43.6020805@redhat.com> References: <55F8AC43.6020805@redhat.com> Message-ID: Thanks Bill, I think I may tackle the issue for now through the KeycloakConfigResolver. Maybe return an empty deployment if the API Key is in the request. Regards Orestis On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke wrote: > I'll eventually implement the adapter as a filter, but right now security > constraints are required. > > On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: > > Hello, > > > > Is it possible to apply programmatic access control, i.e. retrieve > > KeycloakSecurityContext, get token, roles etc., when the <security-constraint> > > elements have been removed from web.xml? > > > > The reason for that is that when <security-constraint> elements are present the > > requests get dropped by the Keycloak adapter before reaching the REST > > endpoint implementation in case they are not carrying a token. I'm > > trying to support an alternative authorization mechanism using a custom > > API Key parameter in case the OAuth token header is missing.
> > > > Regards > > Orestis > > > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From allen.sandiego at ymail.com Wed Sep 16 03:22:18 2015 From: allen.sandiego at ymail.com (Allen Lester Sandiego) Date: Wed, 16 Sep 2015 00:22:18 -0700 Subject: [keycloak-user] Keycloak and Spring MVC (boot-less) In-Reply-To: <899768754.874644.1441271437754.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1442388138.95914.YahooMailAndroidMobile@web125805.mail.ne1.yahoo.com> Hi, I've been trying to get my Spring web application to work with Keycloak without any luck. I have created a post on stackoverflow.com regarding this. Also posted on one of the Keycloak blogs but was advised to send an email here. I'll be posting the URL of the stackoverflow thread here as it is quite lengthy. Let me know if you want me to copy and paste the content here instead. How to integrate Keycloak with Spring (boot-less)? I've been trying to get my Spring web application to work with Keycloak without any luck for days now. I followed the instructions mentioned in their documentation ... Thanks, Allen -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/42232fce/attachment-0001.html
From sthorger at redhat.com Wed Sep 16 03:48:47 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 16 Sep 2015 09:48:47 +0200 Subject: [keycloak-user] Customizing themes In-Reply-To: References: Message-ID: Beyond modifying the templates to add/remove fields we've also introduced the ability to further customize this in 1.5, please see http://keycloak.github.io/docs/userguide/html/auth_spi.html On 15 September 2015 at 20:56, Bhanu Kiran wrote: > Hello, > > Please provide input on the query below. > > 1. We are customizing the login, forgot password and registration screens. Let us > know how we can override the Java functionality and pass user-entered data to > the service provider? > > Thanks, > Bhanu > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From sthorger at redhat.com Wed Sep 16 03:50:01 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 16 Sep 2015 09:50:01 +0200 Subject: [keycloak-user] keycloak mysql In-Reply-To: References: Message-ID: Adding to Marko's response, the database is automatically initiated by Keycloak (it is also updated on upgrade). On 15 September 2015 at 21:01, Marko Strukelj wrote: > First, you should always use: > http://keycloak.github.io/docs/userguide/html/index.html for the latest > documentation. > > Second, you don't have to change anything in the keycloak-server.json file for > MySQL setup. > > What you do is modify the > KEYCLOAK_HOME/standalone/configuration/standalone.xml file - which is a > Wildfly configuration file, and change the KeycloakDS definition there to > use MySQL rather than H2.
> > In order to install mysql driver into Wildfly you have to create a new > module for it under KEYCLOAK_HOME/modules directory, and download a .jar > file. > > See this article: > http://wildfly.org/news/2014/02/06/GlassFish-to-WildFly-migration > > I think it goes through all the steps ... > > > On Tue, Sep 15, 2015 at 8:21 PM, Fadi Abdin wrote: > >> I'm following the instructions on >> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html >> to setup MySQL instead of the H2. >> >> But i cant find how do i initiate the keycloak database . is there ddl >> file i run on the database before setting up the connections in the >> standalone.xml >> >> Thanks, >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/bb7c341c/attachment.html From sthorger at redhat.com Wed Sep 16 03:52:41 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 16 Sep 2015 09:52:41 +0200 Subject: [keycloak-user] Different token timeouts for clients under the same realm In-Reply-To: References: <93200600.21989709.1441020438386.JavaMail.zimbra@redhat.com> <55E68944.9040500@redhat.com> Message-ID: It's pretty easy to build dev version of Keycloak, see https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md for more details 1.6 should be available around 9th October, not sure when offline tokens will be ready in developer version. On 15 September 2015 at 20:12, robinfernandes . wrote: > Hi Marek, > > The offline token for particular clients fits our use case perfectly. 
> So is there a way that I can have access to the current developer's > version of Keycloak like an alpha/beta version of the 1.6 release with the > "Offline tokens" when it is implemented? > Also is there a roadmap for the 1.6 release as of yet? > > Thanks, > Robin > > On Wed, Sep 2, 2015 at 1:29 AM, Marek Posolda wrote: > >> I am thinking about enable/disable offline tokens per client. So in admin >> console in "Client settings" tab there will be on/off switch "Enable >> offline tokens" and you will be able to request offline token for >> particular client just if switch is enabled. Offline token won't never >> timeout, so there won't be any new option in realm timeout settings though. >> >> Marek >> >> >> On 01/09/15 16:39, robinfernandes . wrote: >> >> Thank you so much for that information. >> So would these offline tokens be at the realm level as well as currently >> all token settings are at the realm level? >> Is there a roadmap for the 1.6 release? >> >> Thanks, >> Robin >> >> On Mon, Aug 31, 2015 at 7:27 AM, Stian Thorgersen >> wrote: >> >>> Sounds like what you might want are offline tokens. They will allow >>> clients to get a permanent token, which can be revoked by a user or admin, >>> but doesn't expire. These should be added to 1.6 release. >>> >>> ----- Original Message ----- >>> > From: "robinfernandes ." < robin1233 at gmail.com> >>> > To: keycloak-user at lists.jboss.org >>> > Sent: Friday, 28 August, 2015 12:32:07 PM >>> > Subject: [keycloak-user] Different token timeouts for clients under >>> the same realm >>> > >>> > Hi All, >>> > >>> > Is there a possibility where we can set different token timeouts for >>> clients >>> > under the same realm? >>> > >>> > The use case why we are trying to achieve this is basically we have 2 >>> > applications which require 2 different timeout settings. 
>>> > We want the web client timeouts to be short since there would be human >>> > intervention there always, however we want our Agent timeouts to be >>> very >>> > large since there might not be anyone to log into it again. >>> > >>> > Using Keycloak we have seen that the timeout settings can be applied >>> only at >>> > the realm level though, which forces us to have each application in a >>> > different realm. >>> > >>> > Can we have the timeout settings at the client(application) level >>> rather than >>> > the realm level so that we can put both the applications in the same >>> realm? >>> > >>> > Thanks & Regards, >>> > Robin >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/d79dcebe/attachment.html From mposolda at redhat.com Wed Sep 16 04:30:11 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 10:30:11 +0200 Subject: [keycloak-user] Different token timeouts for clients under the same realm In-Reply-To: References: <93200600.21989709.1441020438386.JavaMail.zimbra@redhat.com> <55E68944.9040500@redhat.com> Message-ID: <55F92893.1070904@redhat.com> On 16/09/15 09:52, Stian Thorgersen wrote: > It's pretty easy to build dev version of Keycloak, see > https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md > for more details > > 1.6 should be available around 9th October, not sure when offline > tokens will be ready in developer version. I should have something this week and doing more polishing (including example application etc) next week. 
You can monitor the keycloak-dev ML when I will post some update. Marek > > On 15 September 2015 at 20:12, robinfernandes . > wrote: > > Hi Marek, > > The offline token for particular clients fits our use case perfectly. > So is there a way that I can have access to the current > developer's version of Keycloak like an alpha/beta version of the > 1.6 release with the "Offline tokens" when it is implemented? > Also is there a roadmap for the 1.6 release as of yet? > > Thanks, > Robin > > On Wed, Sep 2, 2015 at 1:29 AM, Marek Posolda > wrote: > > I am thinking about enable/disable offline tokens per client. > So in admin console in "Client settings" tab there will be > on/off switch "Enable offline tokens" and you will be able to > request offline token for particular client just if switch is > enabled. Offline token won't never timeout, so there won't be > any new option in realm timeout settings though. > > Marek > > > On 01/09/15 16:39, robinfernandes . wrote: >> Thank you so much for that information. >> So would these offline tokens be at the realm level as well >> as currently all token settings are at the realm level? >> Is there a roadmap for the 1.6 release? >> >> Thanks, >> Robin >> >> On Mon, Aug 31, 2015 at 7:27 AM, Stian Thorgersen >> > wrote: >> >> Sounds like what you might want are offline tokens. They >> will allow clients to get a permanent token, which can be >> revoked by a user or admin, but doesn't expire. These >> should be added to 1.6 release. >> >> ----- Original Message ----- >> > From: "robinfernandes ." > > >> > To: keycloak-user at lists.jboss.org >> >> > Sent: Friday, 28 August, 2015 12:32:07 PM >> > Subject: [keycloak-user] Different token timeouts for >> clients under the same realm >> > >> > Hi All, >> > >> > Is there a possibility where we can set different token >> timeouts for clients >> > under the same realm? 
>> > >> > The use case why we are trying to achieve this is >> basically we have 2 >> > applications which require 2 different timeout settings. >> > We want the web client timeouts to be short since there >> would be human >> > intervention there always, however we want our Agent >> timeouts to be very >> > large since there might not be anyone to log into it again. >> > >> > Using Keycloak we have seen that the timeout settings >> can be applied only at >> > the realm level though, which forces us to have each >> application in a >> > different realm. >> > >> > Can we have the timeout settings at the >> client(application) level rather than >> > the realm level so that we can put both the >> applications in the same realm? >> > >> > Thanks & Regards, >> > Robin >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/6bbcfa3b/attachment-0001.html From mposolda at redhat.com Wed Sep 16 04:35:58 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 10:35:58 +0200 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: References: <55F8AC43.6020805@redhat.com> Message-ID: <55F929EE.7050002@redhat.com> If you're focused on security for REST endpoints, I think it is quite easy to do it programmatically. You may just need to parse the "Authorization" header from request with bearer token and verify it with RSATokenVerifier.verifyToken from which you also retrieve AccessToken. See BearerTokenRequestAuthenticator class for the inspiration.
Marek On 16/09/15 09:04, Orestis Tsakiridis wrote: > Thanks Bill, > > I think i may tackle the issue for now through the > KeycloakConfigResolver. Maybe return an empty deployment if the API > Key is in the request. > > > Regards > > Orestis > > On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke > wrote: > > I'll eventually implement adapter as a filter, but right now security > constraints are required. > > On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: > > Hello, > > > > Is it possible to apply programmatic access control i.e. retrieve > > KeycloakSecurityContext, get token, roles etc, when the > > elements have been removed from web.xml? > > > > The reason for that is that when are > present the > > requests get dropped by the keycloak adapter before reaching the > REST > > endpoints implementation in case they are not carrying a token. I'm > > trying to support an alternative authorization mechanism using a > custom > > API Key parameter in case the Oauth token header is missing. > > > > > > Regards > > > > Orestis > > > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/cc8ecd52/attachment.html From fadiabdeen at gmail.com Wed Sep 16 05:31:07 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Wed, 16 Sep 2015 05:31:07 -0400 Subject: [keycloak-user] keycloak mysql In-Reply-To: References: Message-ID: Thank you guys , I'm gonna give it a try today On Sep 16, 2015 3:50 AM, "Stian Thorgersen" wrote: > Adding to Marko's reponse, the database is automatically initiated by > Keycloak (it is also updated on upgrade) > > On 15 September 2015 at 21:01, Marko Strukelj wrote: > >> First, you should always use: >> http://keycloak.github.io/docs/userguide/html/index.html for the latest >> documentation. >> >> Second, you don't have to change anything in keycloak-server.json file >> for MySQL setup. >> >> What you do is modify the >> KEYCLOAK_HOME/standalone/configuration/standalone.xml file - which is a >> Wildfly configuration file, and change the KeycloakDS definition there to >> use MySQL rather than H2. >> >> In order to install mysql driver into Wildfly you have to create a new >> module for it under KEYCLOAK_HOME/modules directory, and download a .jar >> file. >> >> See this article: >> http://wildfly.org/news/2014/02/06/GlassFish-to-WildFly-migration >> >> I think it goes through all the steps ... >> >> >> On Tue, Sep 15, 2015 at 8:21 PM, Fadi Abdin wrote: >> >>> I'm following the instructions on >>> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html >>> to setup MySQL instead of the H2. >>> >>> But i cant find how do i initiate the keycloak database . 
is there ddl >>> file i run on the database before setting up the connections in the >>> standalone.xml >>> >>> Thanks, >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/7d562ad4/attachment.html From orestis.tsakiridis at telestax.com Wed Sep 16 05:36:51 2015 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Wed, 16 Sep 2015 12:36:51 +0300 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: <55F929EE.7050002@redhat.com> References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> Message-ID: Hi Marek, Yes, i'm talking about securing REST endpoints. I saw the BearerTokenRequestAuthenticator code. The problem is how to conditionally authenticate requests using a custom authentication method that does not rely on keycloak users, roles, clients etc. Would a custom MyCustomRequestAuthenticator do the job? Are there any examples on that? Ideally, an authenticator running inside the adapter that would compare against values in the application database wound to the job. The idea is to be compatible with an old security scheme that relies on API Keys stored in the application database. So i imagined some sort of dual authentication for the REST endpoints. On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda wrote: > If you're focused on security for REST endpoints, I think it is quite easy > to do it programaticaly. 
You may just need to parse the "Authorization" > header from request with bearer token and verify it with RSATokenVerifier.verifyToken > from which you also retrieve AccessToken . See > BearerTokenRequestAuthenticator class for the inspiration. > > Marek > > On 16/09/15 09:04, Orestis Tsakiridis wrote: > > Thanks Bill, > > I think i may tackle the issue for now through the KeycloakConfigResolver. > Maybe return an empty deployment if the API Key is in the request. > > > Regards > > Orestis > > On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke wrote: > >> I'll eventually implement adapter as a filter, but right now security >> constraints are required. >> >> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: >> > Hello, >> > >> > Is it possible to apply programmatic access control i.e. retrieve >> > KeycloakSecurityContext, get token, roles etc, when the >> > elements have been removed from web.xml? >> > >> > The reason for that is that when are present the >> > requests get dropped by the keycloak adapter before reaching the REST >> > endpoints implementation in case they are not carrying a token. I'm >> > trying to support an alternative authorization mechanism using a custom >> > API Key parameter in case the Oauth token header is missing. 
>> > >> > >> > Regards >> > >> > Orestis >> > >> > >> > >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/f30ba664/attachment.html From sebastian.olscher at traveltainment.de Wed Sep 16 06:25:56 2015 From: sebastian.olscher at traveltainment.de (Sebastian Olscher) Date: Wed, 16 Sep 2015 10:25:56 +0000 Subject: [keycloak-user] Use refresh token for authentication Message-ID: <5C3DDBFAC4DBF04084678703EC0AC29425264EC9@EX-TT-AC-02.traveltainment.int> Hello guys, we're using the "Direct Grant Access" flow described in chapter 15 in the keycloak users documentation. As we understood, the following steps are necessary: 1.: Do the token request with "username/password" and "grant_type=password" to the token server (keycloak). 2.: The token response from keycloak contains an "access_token" and a "refresh_token". 3.: Normally, the client uses the "access_token" within the HTTP-Header (Authorization Bearer *access_token*) to do the authentication. Everything works as expected. We have found that you can also use the "refresh_token" instead of the "access_token" in step 3 to do the authentication and it will be still successful. From our point of view, this is possible, because the keycloak-wildfly-security-module does not check the token-type.
But, from our understanding the "refresh_token" is not intended to do the authentication, so this should not work, right? So my two questions are: 1.: Why is the authentication with the "refresh_token" successful? 2.: The "refresh_token" in the token response is defined as an optional element within the OAUth-2.0 specification, so is there any possibility to prevent keycloak returning it? Thanks, Sebastian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/e100374c/attachment-0001.html From sthorger at redhat.com Wed Sep 16 08:23:04 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 16 Sep 2015 14:23:04 +0200 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.5.0.Final Message-ID: Keycloak OpenShift Cartridge updated to 1.5.0.Final -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/83f7b9cf/attachment.html From segatto at esteco.com Wed Sep 16 08:33:45 2015 From: segatto at esteco.com (Alessandro Segatto) Date: Wed, 16 Sep 2015 14:33:45 +0200 Subject: [keycloak-user] Edit userneme on first time social login Message-ID: Hi, on first login we need to allow the new user to update his username while updating his profile info. Is this achievable by editing the login-update-profile freemarker template? If it's not we'd like to ask for this feature. Thank you in advance, Alessandro -- Ing. Alessandro Segatto Software Engineer Research and Development *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. 
If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/c5aad605/attachment.html From sthorger at redhat.com Wed Sep 16 08:44:37 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 16 Sep 2015 14:44:37 +0200 Subject: [keycloak-user] Edit userneme on first time social login In-Reply-To: References: Message-ID: We don't have support for it currently, but we do have an option to let users change their username through the account management console. You've got 3 choices: 1. Use the new required actions SPI to implement this yourself - in this case you can have a separate required action to set the username 2. Create a JIRA and implement this for the UpdateProfile required action when the realm allows usernames to be changed 3. Create the JIRA, but don't send the PR - in this case it may be a while until we get around to adding it On 16 September 2015 at 14:33, Alessandro Segatto wrote: > Hi, on first login we need to allow the new user to update his username > while updating his profile info. Is this achievable by editing the > login-update-profile freemarker template? If it's not we'd like to ask for > this feature. > > Thank you in advance, > > Alessandro > > -- > > Ing. Alessandro Segatto > Software Engineer > Research and Development > > *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY > Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com > > Pursuant to Legislative Decree No. 196/2003, you are hereby informed that > this message contains confidential information intended only for the use of > the addressee. If you are not the addressee, and have received this message > by mistake, please delete it and immediately notify us. 
You may not copy or > disseminate this message to anyone. Thank you. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/d7f467e4/attachment.html From mposolda at redhat.com Wed Sep 16 08:45:27 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 14:45:27 +0200 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> Message-ID: <55F96467.4040308@redhat.com> I though that's why you want programmatic access because you want to have complete control? In that case you can remove all security constraints from web.xml and at your REST endpoints you would do the authentication/authorization exactly how you want. So at the beginning of REST endpoint you will do something like: if (request.containsHeader("Authorization: Bearer")) { do-keycloak-authentication-with-keycloak-access-token(); } else { do-legacy-authentication-or-whatever-based-on-yourAPI-keys-stuff(); } Or maybe I don't understand the usecase? Marek On 16/09/15 11:36, Orestis Tsakiridis wrote: > Hi Marek, > > Yes, i'm talking about securing REST endpoints. I saw the > BearerTokenRequestAuthenticator code. > > The problem is how to conditionally authenticate requests using a > custom authentication method that does not rely on keycloak users, > roles, clients etc. Would a custom MyCustomRequestAuthenticator do the > job? Are there any examples on that? Ideally, an authenticator running > inside the adapter that would compare against values in the > application database wound to the job. > > The idea is to be compatible with an old security scheme that relies > on API Keys stored in the application database. 
So i imagined some > sort of dual authentication for the REST endpoints. > > > > > > On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda > wrote: > > If you're focused on security for REST endpoints, I think it is > quite easy to do it programaticaly. You may just need to parse the > "Authorization" header from request with bearer token and verify > it with RSATokenVerifier.verifyToken from which you also retrieve > AccessToken . See BearerTokenRequestAuthenticator class for the > inspiration. > > Marek > > On 16/09/15 09:04, Orestis Tsakiridis wrote: >> Thanks Bill, >> >> I think i may tackle the issue for now through the >> KeycloakConfigResolver. Maybe return an empty deployment if the >> API Key is in the request. >> >> >> Regards >> >> Orestis >> >> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke > > wrote: >> >> I'll eventually implement adapter as a filter, but right now >> security >> constraints are required. >> >> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: >> > Hello, >> > >> > Is it possible to apply programmatic access control i.e. >> retrieve >> > KeycloakSecurityContext, get token, roles etc, when the >> > elements have been removed from web.xml? >> > >> > The reason for that is that when >> are present the >> > requests get dropped by the keycloak adapter before >> reaching the REST >> > endpoints implementation in case they are not carrying a >> token. I'm >> > trying to support an alternative authorization mechanism >> using a custom >> > API Key parameter in case the Oauth token header is missing. 
>> > >> > >> > Regards >> > >> > Orestis >> > >> > >> > >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/8e8390ab/attachment-0001.html From sthorger at redhat.com Wed Sep 16 09:39:13 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 16 Sep 2015 15:39:13 +0200 Subject: [keycloak-user] Keycloak Docker images updated to 1.5.0.Final Message-ID: Keycloak Docker images updated to 1.5.0.Final -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/b75cf639/attachment.html From mposolda at redhat.com Wed Sep 16 10:32:47 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 16:32:47 +0200 Subject: [keycloak-user] Use refresh token for authentication In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC29425264EC9@EX-TT-AC-02.traveltainment.int> References: <5C3DDBFAC4DBF04084678703EC0AC29425264EC9@EX-TT-AC-02.traveltainment.int> Message-ID: <55F97D8F.4060902@redhat.com> On 16/09/15 12:25, Sebastian Olscher wrote: > > Hello guys, > > we're using the "Direct Grant Access" flow described in chapter 15 in > the keycloak users documentation.
As we understood, the following > steps are necessary: > > 1.: Do the token request with "username/password" and > "grant_type=password" to the token server (keycloak). > > 2.: The token response from keycloak contains an "access_token" and a > "refresh_token". > > 3.: Normally, the client uses the "access_token" within the > HTTP-Header (Authorization Bearer **access_token**) to do the > authentication. > > Everything works as expected. We have found that you can also use the > "refresh_token" instead of the "access_token" in step 3 to do the > authentication and it will be still successful. From our point of > view, this is possible, because the keycloak-wildfly-security-module > does not check the token-type. But, from our understanding the > "refresh_token" is not intended to do the authentication, so this > should not work, right? So my two questions are: > > 1.: Why is the authentication with the "refresh_token" successful? > Looks like a bug. Could you please create JIRA? Ideally we can fill "type" field for AccessToken as "ACCESS" and then in RSATokenVerifier allow just type "ACCESS". Refresh token has type "REFRESH" so it won't be allowed anymore, similarly offline token, which I am adding right now. > > 2.: The "refresh_token" in the token response is defined as an > optional element within the OAuth 2.0 specification, so is there any > possibility to prevent keycloak returning it? > Right now, we always return it. But when JIRA is fixed, it's not a problem as refresh token can't be used for authentication anymore, just for the refresh. Marek > > Thanks, > > Sebastian > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/02b6f175/attachment.html From orestis.tsakiridis at telestax.com Wed Sep 16 10:38:35 2015 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Wed, 16 Sep 2015 17:38:35 +0300 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: <55F96467.4040308@redhat.com> References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> <55F96467.4040308@redhat.com> Message-ID: Thanks Marek. Yes, you got the usecase right. Two questions come to my mind if i follow this manual approach: 1. Will this take into account a KeycloakConfigResolver that's in place and the deployment it creates ? RSATokenVerifier.verifyToken() seems to get all info it needs in the parameters so i guess not. 2. Are there any caches involved that won't be taken into account ? 3. What happens with 'enable-basic-auth' adapter option? I suppose it needs further manual operation. This case is probably handles by my custom auth so that doesn't seem like a big problem. On Wed, Sep 16, 2015 at 3:45 PM, Marek Posolda wrote: > I though that's why you want programmatic access because you want to have > complete control? In that case you can remove all security constraints from > web.xml and at your REST endpoints you would do the > authentication/authorization exactly how you want. So at the beginning of > REST endpoint you will do something like: > > if (request.containsHeader("Authorization: Bearer")) { > do-keycloak-authentication-with-keycloak-access-token(); > } else { > do-legacy-authentication-or-whatever-based-on-yourAPI-keys-stuff(); > } > > Or maybe I don't understand the usecase? > > Marek > > > On 16/09/15 11:36, Orestis Tsakiridis wrote: > > Hi Marek, > > Yes, i'm talking about securing REST endpoints. I saw the > BearerTokenRequestAuthenticator code. 
> > The problem is how to conditionally authenticate requests using a custom > authentication method that does not rely on keycloak users, roles, clients > etc. Would a custom MyCustomRequestAuthenticator do the job? Are there any > examples on that? Ideally, an authenticator running inside the adapter that > would compare against values in the application database wound to the job. > > The idea is to be compatible with an old security scheme that relies on > API Keys stored in the application database. So i imagined some sort of > dual authentication for the REST endpoints. > > > > > > On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda > wrote: > >> If you're focused on security for REST endpoints, I think it is quite >> easy to do it programaticaly. You may just need to parse the >> "Authorization" header from request with bearer token and verify it with >> RSATokenVerifier.verifyToken from which you also retrieve AccessToken . >> See BearerTokenRequestAuthenticator class for the inspiration. >> >> Marek >> >> On 16/09/15 09:04, Orestis Tsakiridis wrote: >> >> Thanks Bill, >> >> I think i may tackle the issue for now through the >> KeycloakConfigResolver. Maybe return an empty deployment if the API Key is >> in the request. >> >> >> Regards >> >> Orestis >> >> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke < >> bburke at redhat.com> wrote: >> >>> I'll eventually implement adapter as a filter, but right now security >>> constraints are required. >>> >>> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: >>> > Hello, >>> > >>> > Is it possible to apply programmatic access control i.e. retrieve >>> > KeycloakSecurityContext, get token, roles etc, when the >>> > elements have been removed from web.xml? >>> > >>> > The reason for that is that when are present >>> the >>> > requests get dropped by the keycloak adapter before reaching the REST >>> > endpoints implementation in case they are not carrying a token. 
I'm >>> > trying to support an alternative authorization mechanism using a custom >>> > API Key parameter in case the Oauth token header is missing. >>> > >>> > >>> > Regards >>> > >>> > Orestis >>> > >>> > >>> > >>> > >>> > >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/a7331eb1/attachment-0001.html From mposolda at redhat.com Wed Sep 16 11:06:57 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 17:06:57 +0200 Subject: [keycloak-user] Use refresh token for authentication In-Reply-To: <55F97D8F.4060902@redhat.com> References: <5C3DDBFAC4DBF04084678703EC0AC29425264EC9@EX-TT-AC-02.traveltainment.int> <55F97D8F.4060902@redhat.com> Message-ID: <55F98591.4020103@redhat.com> On 16/09/15 16:32, Marek Posolda wrote: > On 16/09/15 12:25, Sebastian Olscher wrote: >> >> Hello guys, >> >> we're using the "Direct Grant Access" flow described in chapter 15 >> in the keycloak users documentation. As we understood, the following >> steps are necessary: >> >> 1.: Do the token request with "username/password" and >> "grant_type=password" to the token server (keycloak). >> >> 2.: The token response from keycloak contains an "access_token" and a >> "refresh_token".
>> >> 3.: Normally, the client uses the "access_token" within the >> HTTP-Header (Authorization Bearer **access_token**) to do the >> authentication. >> >> Everything works as expected. We have found that you can also use the >> "refresh_token" instead of the "access_token" in step 3 to do the >> authentication and it will be still successful. From our point of >> view, this is possible, because the keycloak-wildfly-security-module >> does not check the token-type. But, from our understanding the >> "refresh_token" is not intended to do the authentication, so this >> should not work, right? So my two questions are: >> >> 1.: Why is the authentication with the "refresh_token" successful? >> > Looks like a bug. Could you please create JIRA? Ideally we can fill > "type" field for AccessToken as "ACCESS" and then in RSATokenVerifier > allow just type "ACCESS". Refresh token has type "REFRESH" so it > won't be allowed anymore, similarly offline token, which I am adding > right now. Maybe even better type for access tokens should be "Bearer". Marek >> >> 2.: The "refresh_token" in the token response is defined as an >> optional element within the OAuth 2.0 specification, so is there any >> possibility to prevent keycloak returning it? >> > Right now, we always return it. But when JIRA is fixed, it's not a > problem as refresh token can't be used for authentication anymore, > just for the refresh. > > Marek >> >> Thanks, >> >> Sebastian >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
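The programmatic bearer check Marek sketches in the "Programmatic access control" thread (parse the Authorization header, verify with RSATokenVerifier.verifyToken, take the realm public key and realm URL from keycloak.json through KeycloakDeploymentBuilder, fall back to the application's own API keys otherwise), combined with the token-type check he proposes in the refresh-token thread above, as one added example. This is not code from the Keycloak project or from anyone in these threads. It assumes the Keycloak 1.5-era adapter classes the thread names (RSATokenVerifier, KeycloakDeploymentBuilder, KeycloakDeployment, AccessToken; VerificationException is org.keycloak.VerificationException in 1.5 and moved to org.keycloak.common in later releases). The ApiKeyStore interface, the Principal class and the X-Api-Key header are hypothetical stand-ins for the application's legacy API-key scheme. Because, per the thread, 1.5 access tokens carry no "typ" claim while refresh tokens carry "REFRESH", the check accepts an absent or "Bearer" typ and rejects everything else.

```java
// Added example for the keycloak-user threads above; not Keycloak project code.
// Assumes keycloak-core and keycloak-adapter-core 1.5.x on the classpath.
// ApiKeyStore, Principal and the X-Api-Key header are hypothetical.
import java.io.InputStream;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;      // org.keycloak.common.* in later releases
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.representations.AccessToken;

public final class DualAuthenticator {

    /** Who the request is from and which mechanism established it. */
    public static final class Principal {
        public final String name;
        public final Set<String> roles;
        public final String mechanism;        // "bearer" or "api-key"

        public Principal(String name, Set<String> roles, String mechanism) {
            this.name = name;
            this.roles = roles;
            this.mechanism = mechanism;
        }
    }

    /** Legacy lookup against the application database (hypothetical interface). */
    public interface ApiKeyStore {
        Principal lookup(String apiKey);      // null when the key is unknown
    }

    private static final String BEARER_PREFIX = "Bearer ";
    private static final String LEGACY_KEY_HEADER = "X-Api-Key";   // assumed header name

    private final PublicKey realmKey;
    private final String realmInfoUrl;
    private final ApiKeyStore apiKeys;

    /** keycloakJson is the same keycloak.json the servlet adapter would read. */
    public DualAuthenticator(InputStream keycloakJson, ApiKeyStore apiKeys) {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(keycloakJson);
        this.realmKey = deployment.getRealmKey();
        this.realmInfoUrl = deployment.getRealmInfoUrl();
        this.apiKeys = apiKeys;
    }

    /**
     * Called at the top of each REST endpoint once the web.xml security
     * constraints are gone. Returns null when the caller must get a 401.
     */
    public Principal authenticate(HttpServletRequest request) {
        String authz = request.getHeader("Authorization");
        if (authz != null && authz.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            // A Bearer header is always decided by Keycloak, never by the API-key path,
            // so a bad token cannot be downgraded into a legacy lookup.
            return authenticateBearer(authz.substring(BEARER_PREFIX.length()).trim());
        }
        String apiKey = request.getHeader(LEGACY_KEY_HEADER);
        return apiKey == null ? null : apiKeys.lookup(apiKey);
    }

    private Principal authenticateBearer(String tokenString) {
        AccessToken token;
        try {
            // Checks the RSA signature against the realm key, the issuer against the
            // realm URL, and that the token is active (not expired, not-before passed).
            token = RSATokenVerifier.verifyToken(tokenString, realmKey, realmInfoUrl);
        } catch (VerificationException e) {
            return null;
        }
        // Refresh (and offline) tokens are signed with the same realm key and pass the
        // verifier, which is the bug reported in the refresh-token thread. In 1.5 access
        // tokens have no "typ" while refresh tokens carry "REFRESH", so accept only an
        // absent or "Bearer" typ (the value proposed for access tokens in the thread).
        String typ = token.getType();
        if (typ != null && !"Bearer".equalsIgnoreCase(typ)) {
            return null;
        }
        Set<String> roles = token.getRealmAccess() == null
                ? Collections.<String>emptySet()
                : token.getRealmAccess().getRoles();
        String name = token.getPreferredUsername() != null
                ? token.getPreferredUsername()
                : token.getSubject();
        return new Principal(name, roles, "bearer");
    }
}
```

Call authenticate() first thing in each resource method and branch authorization on Principal.mechanism, so that API-key callers do not silently inherit realm roles. The verifier establishes signature, issuer and expiry but not which client the token was issued for; if tokens minted for other clients in the same realm must be refused, compare token.getIssuedFor() (the azp claim) against your own client id as well.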
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/10dc7c31/attachment.html From ivan at akvo.org Wed Sep 16 12:21:53 2015 From: ivan at akvo.org (Iván Perdomo) Date: Wed, 16 Sep 2015 18:21:53 +0200 Subject: [keycloak-user] token_type "bearer" vs "Bearer" Message-ID: <55F99721.5080007@akvo.org> Hi, We're trying to integrate a Python/Django application using the following module https://github.com/marcanpilami/django-oidc and Keycloak 1.4.0.Final After a successful user login the process fails because a simple check in python: if token.token_type == "Bearer" and method == "GET": Right now Keycloak is returning `token_type` as "bearer" and not "Bearer" Reading the OpenID Connect spec in the section "3.1.3.3. Successful Token Response" (https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse) > The OAuth 2.0 token_type response parameter value MUST be Bearer, as > specified in OAuth 2.0 Bearer Token Usage [RFC6750], unless another > Token Type has been negotiated with the Client. I checked and the code sets token_type manually, https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L472 Can this be considered a bug? Thanks, -- Iván -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/b9f186fd/attachment.bin From mposolda at redhat.com Wed Sep 16 13:02:02 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 19:02:02 +0200 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> <55F96467.4040308@redhat.com> Message-ID: <55F9A08A.2080905@redhat.com> On 16/09/15 16:38, Orestis Tsakiridis wrote: > Thanks Marek. > > Yes, you got the usecase right.
> > Two questions come to my mind if i follow this manual approach: > > 1. Will this take into account a KeycloakConfigResolver that's in > place and the deployment it creates ? RSATokenVerifier.verifyToken() > seems to get all info it needs in the parameters so i guess not. nope, it won't. This approach is about ignoring the official adapter, which is triggered by security constraints from web.xml and works at servlet layer. So in your case, request will be always passed through servlet layer to REST endpoint when you need to do programmatic authentication by yourself. So you may also need to read the keycloak.json file manually and use KeycloakDeploymentBuilder.build to read KeycloakDeployment and read publicKey and realmInfoUrl from there, so you can do RSATokenVerifier.verifyToken by yourself. > 2. Are there any caches involved that won't be taken into account ? Not sure what you mean. I am not aware of any caches. > 3. What happens with 'enable-basic-auth' adapter option? I suppose it > needs further manual operation. This case is probably handles by my > custom auth so that doesn't seem like a big problem. It will be ignored and you will again need to do Basic Authentication by yourself if you want to support in addition to Bearer authentication. See BasicAuthRequestAuthenticator for inspiration. Marek > > > > On Wed, Sep 16, 2015 at 3:45 PM, Marek Posolda > wrote: > > I though that's why you want programmatic access because you want > to have complete control? In that case you can remove all security > constraints from web.xml and at your REST endpoints you would do > the authentication/authorization exactly how you want. So at the > beginning of REST endpoint you will do something like: > > if (request.containsHeader("Authorization: Bearer")) { > do-keycloak-authentication-with-keycloak-access-token(); > } else { > do-legacy-authentication-or-whatever-based-on-yourAPI-keys-stuff(); > } > > Or maybe I don't understand the usecase? 
> > Marek > > > On 16/09/15 11:36, Orestis Tsakiridis wrote: >> Hi Marek, >> >> Yes, i'm talking about securing REST endpoints. I saw the >> BearerTokenRequestAuthenticator code. >> >> The problem is how to conditionally authenticate requests using a >> custom authentication method that does not rely on keycloak >> users, roles, clients etc. Would a custom >> MyCustomRequestAuthenticator do the job? Are there any examples >> on that? Ideally, an authenticator running inside the adapter >> that would compare against values in the application database >> wound to the job. >> >> The idea is to be compatible with an old security scheme that >> relies on API Keys stored in the application database. So i >> imagined some sort of dual authentication for the REST endpoints. >> >> >> >> >> >> On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda >> > wrote: >> >> If you're focused on security for REST endpoints, I think it >> is quite easy to do it programaticaly. You may just need to >> parse the "Authorization" header from request with bearer >> token and verify it with RSATokenVerifier.verifyToken from >> which you also retrieve AccessToken . See >> BearerTokenRequestAuthenticator class for the inspiration. >> >> Marek >> >> On 16/09/15 09:04, Orestis Tsakiridis wrote: >>> Thanks Bill, >>> >>> I think i may tackle the issue for now through the >>> KeycloakConfigResolver. Maybe return an empty deployment if >>> the API Key is in the request. >>> >>> >>> Regards >>> >>> Orestis >>> >>> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke >>> > wrote: >>> >>> I'll eventually implement adapter as a filter, but right >>> now security >>> constraints are required. >>> >>> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: >>> > Hello, >>> > >>> > Is it possible to apply programmatic access control >>> i.e. retrieve >>> > KeycloakSecurityContext, get token, roles etc, when the >>> > elements have been removed from >>> web.xml? 
>>> > >>> > The reason for that is that when >>> are present the >>> > requests get dropped by the keycloak adapter before >>> reaching the REST >>> > endpoints implementation in case they are not carrying >>> a token. I'm >>> > trying to support an alternative authorization >>> mechanism using a custom >>> > API Key parameter in case the Oauth token header is >>> missing. >>> > >>> > >>> > Regards >>> > >>> > Orestis >>> > >>> > >>> > >>> > >>> > >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/72706ab2/attachment-0001.html From mposolda at redhat.com Wed Sep 16 13:08:03 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 16 Sep 2015 19:08:03 +0200 Subject: [keycloak-user] token_type "bearer" vs "Bearer" In-Reply-To: <55F99721.5080007@akvo.org> References: <55F99721.5080007@akvo.org> Message-ID: <55F9A1F3.9040409@redhat.com> Funny, OIDC specs itself also has one place when it uses "bearer" . See the example: http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse . Feel free to create JIRA and we can change to "Bearer" . Still, it looks to me more like a bug in django-oidc, which should ignore cases. 
Marek On 16/09/15 18:21, Iván Perdomo wrote: > Hi, > > We're trying to integrate a Python/Django application using the > following module https://github.com/marcanpilami/django-oidc and > Keycloak 1.4.0.Final > > > After a successful user login the process fails because a simple check > in python: > > if token.token_type == "Bearer" and method == "GET": > > Right now Keycloak is returning `token_type` as "bearer" and not "Bearer" > > Reading the OpenID Connect spec in the section "3.1.3.3. Successful > Token Response" > (https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse) > >> The OAuth 2.0 token_type response parameter value MUST be Bearer, as > > specified in OAuth 2.0 Bearer Token Usage [RFC6750], unless another >> Token Type has been negotiated with the Client. > I checked and the code sets token_type manually, > > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L472 > > Can this be considered a bug? > > Thanks, > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/a832e981/attachment.html From peter at realityforge.org Thu Sep 17 02:22:31 2015 From: peter at realityforge.org (Peter Donald) Date: Thu, 17 Sep 2015 16:22:31 +1000 Subject: [keycloak-user] Delegating SAML 2.0 Authentication to ADFS on Windows Server 2012 Message-ID: Hi, I am trying to use Keycloak 1.4.0.Final to delegate authentication to ADFS and I am having trouble getting the combination to work. I have tried to locate the information in manuals/docs but can't seem to figure it out. I tried to get keycloak to load the configuration for ADFS by using the "Import External IDP Config" section when creating the identity provider.
Keycloak claimed success but populated none of the fields so I manually entered the data. The SSL/communication keys of both sides seem fine. I am assuming that I have populated encryption/signature keys appropriately. Then grabbed the exported data from the export tab. This is not valid according to ADFS but if I add an xmlns to the top level element I can load the file into ADFS and it seems to load most of the file but ultimately the back and forth communication does not seem to work. I had to manually enter a bunch of data into ADFS - mostly to add endpoints that keycloak uses but does not declare? Even then I get problems. Assuming I have "Want AuthnRequests Signed" set to true I get an error like MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile. If I set "Want AuthnRequests Signed" set to false then keycloak will fail with NullPointer exception as ADFS will return a message with no assertions. So is delegating to ADFS supported or expected to work? Is there a manual/blog/mailing list post I should read. Happy to RTFM :) -- Cheers, Peter Donald From ivan at akvo.org Thu Sep 17 04:00:52 2015 From: ivan at akvo.org (Iván Perdomo) Date: Thu, 17 Sep 2015 10:00:52 +0200 Subject: [keycloak-user] token_type "bearer" vs "Bearer" In-Reply-To: <55F9A1F3.9040409@redhat.com> References: <55F99721.5080007@akvo.org> <55F9A1F3.9040409@redhat.com> Message-ID: <55FA7334.9060107@akvo.org> Hi Marek, On 09/16/2015 07:08 PM, Marek Posolda wrote: > Funny, OIDC specs itself also has one place when it uses "bearer" . See > the example: > http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse . You're right. The example uses "bearer" but also does not follow the RFC 6750, right? > > Feel free to create JIRA and we can change to "Bearer" . Still, it looks > to me more like a bug in django-oidc, which should ignore cases.
Issue created: https://issues.jboss.org/browse/KEYCLOAK-1855 > > Marek Thanks for your support, -- Iván -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150917/656b0b15/attachment.bin From segatto at esteco.com Thu Sep 17 07:00:27 2015 From: segatto at esteco.com (Alessandro Segatto) Date: Thu, 17 Sep 2015 13:00:27 +0200 Subject: [keycloak-user] Edit username on first time social login In-Reply-To: References: Message-ID: Jira issue opened (KEYCLOAK-1849) and pull request sent On Wed, Sep 16, 2015 at 2:44 PM, Stian Thorgersen wrote: > We don't have support for it currently, but we do have an option to let > users change their username through the account management console. You've > got 3 choices: > > 1. Use the new required actions SPI to implement this yourself - in this > case you can have a separate required action to set the username > 2. Create a JIRA and implement this for the UpdateProfile required action > when the realm allows usernames to be changed > 3. Create the JIRA, but don't send the PR - in this case it may be a while > until we get around to adding it > > On 16 September 2015 at 14:33, Alessandro Segatto > wrote: > >> Hi, on first login we need to allow the new user to update his username >> while updating his profile info. Is this achievable by editing the >> login-update-profile freemarker template? If it's not we'd like to ask for >> this feature. >> >> Thank you in advance, >> >> Alessandro >> >> -- >> >> Ing. Alessandro Segatto >> Software Engineer >> Research and Development >> >> *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - >> ITALY >> Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com >> >> Pursuant to Legislative Decree No.
196/2003, you are hereby informed that >> this message contains confidential information intended only for the use of >> the addressee. If you are not the addressee, and have received this message >> by mistake, please delete it and immediately notify us. You may not copy or >> disseminate this message to anyone. Thank you. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Ing. Alessandro Segatto Software Engineer Research and Development *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150917/cd9e9148/attachment.html From ah at tradeworks.io Thu Sep 17 10:13:32 2015 From: ah at tradeworks.io (Anton Hughes) Date: Thu, 17 Sep 2015 16:13:32 +0200 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.5.0.Final In-Reply-To: References: Message-ID: Thanks. Is it possible to get some documentation for this - such as how to login to the keycloak web console? On 16 September 2015 at 14:23, Stian Thorgersen wrote: > Keycloak OpenShift Cartridge updated to 1.5.0.Final > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150917/ab7d22ea/attachment.html From sthorger at redhat.com Thu Sep 17 10:16:20 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 17 Sep 2015 16:16:20 +0200 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.5.0.Final In-Reply-To: References: Message-ID: http://keycloak.github.io/docs/userguide/html/openshift.html On 17 September 2015 at 16:13, Anton Hughes wrote: > Thanks. Is it possible to get some documentation for this - such as how to > login to the keycloak web console? > > On 16 September 2015 at 14:23, Stian Thorgersen > wrote: > >> Keycloak OpenShift Cartridge updated to 1.5.0.Final >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150917/5fac3297/attachment-0001.html From orestis.tsakiridis at telestax.com Thu Sep 17 10:25:19 2015 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Thu, 17 Sep 2015 17:25:19 +0300 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: <55F9A08A.2080905@redhat.com> References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> <55F96467.4040308@redhat.com> <55F9A08A.2080905@redhat.com> Message-ID: Marek, you 're a life saviour! The concept worked perfect. Btw, digging into BasicAuthRequestAuthenticator i noticed that whenever authenticate() is called, a request to the keycloak auth server is made to retrieve a token using username/password pair. So, it seems that in order to authenticate ANY request with Basic authentication credentials auth server need to be contacted. Is my assumption correct ? 
If that's the case it seems that the 'enable-basic-auth' lays a heavy burden on the auth server with this per-request operation. It's of no value to me since i handle Basic authentication locally with a custom mechanism. I'm just asking for the record. Best regards Orestis On Wed, Sep 16, 2015 at 8:02 PM, Marek Posolda wrote: > On 16/09/15 16:38, Orestis Tsakiridis wrote: > > Thanks Marek. > > Yes, you got the usecase right. > > Two questions come to my mind if i follow this manual approach: > > 1. Will this take into account a KeycloakConfigResolver that's in place > and the deployment it creates ? RSATokenVerifier.verifyToken() seems to get > all info it needs in the parameters so i guess not. > > nope, it won't. This approach is about ignoring the official adapter, > which is triggered by security constraints from web.xml and works at > servlet layer. So in your case, request will be always passed through > servlet layer to REST endpoint when you need to do programmatic > authentication by yourself. > > So you may also need to read the keycloak.json file manually and use > KeycloakDeploymentBuilder.build to read KeycloakDeployment and read > publicKey and realmInfoUrl from there, so you can do > RSATokenVerifier.verifyToken by yourself. > > 2. Are there any caches involved that won't be taken into account ? > > Not sure what you mean. I am not aware of any caches. > > 3. What happens with 'enable-basic-auth' adapter option? I suppose it > needs further manual operation. This case is probably handles by my custom > auth so that doesn't seem like a big problem. > > It will be ignored and you will again need to do Basic Authentication by > yourself if you want to support in addition to Bearer authentication. See > BasicAuthRequestAuthenticator for inspiration. > > Marek > > > > > On Wed, Sep 16, 2015 at 3:45 PM, Marek Posolda > wrote: > >> I though that's why you want programmatic access because you want to have >> complete control? 
In that case you can remove all security constraints from >> web.xml and at your REST endpoints you would do the >> authentication/authorization exactly how you want. So at the beginning of >> REST endpoint you will do something like: >> >> if (request.containsHeader("Authorization: Bearer")) { >> do-keycloak-authentication-with-keycloak-access-token(); >> } else { >> do-legacy-authentication-or-whatever-based-on-yourAPI-keys-stuff(); >> } >> >> Or maybe I don't understand the usecase? >> >> Marek >> >> >> On 16/09/15 11:36, Orestis Tsakiridis wrote: >> >> Hi Marek, >> >> Yes, i'm talking about securing REST endpoints. I saw the >> BearerTokenRequestAuthenticator code. >> >> The problem is how to conditionally authenticate requests using a custom >> authentication method that does not rely on keycloak users, roles, clients >> etc. Would a custom MyCustomRequestAuthenticator do the job? Are there any >> examples on that? Ideally, an authenticator running inside the adapter that >> would compare against values in the application database wound to the job. >> >> The idea is to be compatible with an old security scheme that relies on >> API Keys stored in the application database. So i imagined some sort of >> dual authentication for the REST endpoints. >> >> >> >> >> >> On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda < >> mposolda at redhat.com> wrote: >> >>> If you're focused on security for REST endpoints, I think it is quite >>> easy to do it programaticaly. You may just need to parse the >>> "Authorization" header from request with bearer token and verify it with >>> RSATokenVerifier.verifyToken from which you also retrieve AccessToken . >>> See BearerTokenRequestAuthenticator class for the inspiration. >>> >>> Marek >>> >>> On 16/09/15 09:04, Orestis Tsakiridis wrote: >>> >>> Thanks Bill, >>> >>> I think i may tackle the issue for now through the >>> KeycloakConfigResolver. Maybe return an empty deployment if the API Key is >>> in the request. 
>>> >>> >>> Regards >>> >>> Orestis >>> >>> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke < >>> bburke at redhat.com> wrote: >>> >>>> I'll eventually implement adapter as a filter, but right now security >>>> constraints are required. >>>> >>>> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: >>>> > Hello, >>>> > >>>> > Is it possible to apply programmatic access control i.e. retrieve >>>> > KeycloakSecurityContext, get token, roles etc, when the >>>> > elements have been removed from web.xml? >>>> > >>>> > The reason for that is that when are present >>>> the >>>> > requests get dropped by the keycloak adapter before reaching the REST >>>> > endpoints implementation in case they are not carrying a token. I'm >>>> > trying to support an alternative authorization mechanism using a >>>> custom >>>> > API Key parameter in case the Oauth token header is missing. >>>> > >>>> > >>>> > Regards >>>> > >>>> > Orestis >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > _______________________________________________ >>>> > keycloak-user mailing list >>>> > keycloak-user at lists.jboss.org >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150917/7cdf8cca/attachment.html From mposolda at redhat.com Thu Sep 17 12:54:54 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 17 Sep 2015 18:54:54 +0200 Subject: [keycloak-user] Programmatic access control with no in web.xml In-Reply-To: References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> <55F96467.4040308@redhat.com> <55F9A08A.2080905@redhat.com> Message-ID: <55FAF05E.6060002@redhat.com> On 17/09/15 16:25, Orestis Tsakiridis wrote: > Marek, you 're a life saviour! > > The concept worked perfect. Nice :-) > > Btw, digging into BasicAuthRequestAuthenticator i noticed that > whenever authenticate() is called, a request to the keycloak auth > server is made to retrieve a token using username/password pair. So, > it seems that in order to authenticate ANY request with Basic > authentication credentials auth server need to be contacted. > > Is my assumption correct ? Yes, it works how you described. The Basic authentication support was added just for legacy applications support. It's not something recommended. Marek > > If that's the case it seems that the 'enable-basic-auth' lays a heavy > burden on the auth server with this per-request operation. > > It's of no value to me since i handle Basic authentication locally > with a custom mechanism. I'm just asking for the record. > > > Best regards > > Orestis > > On Wed, Sep 16, 2015 at 8:02 PM, Marek Posolda > wrote: > > On 16/09/15 16:38, Orestis Tsakiridis wrote: >> Thanks Marek. >> >> Yes, you got the usecase right. >> >> Two questions come to my mind if i follow this manual approach: >> >> 1. Will this take into account a KeycloakConfigResolver that's in >> place and the deployment it creates ? >> RSATokenVerifier.verifyToken() seems to get all info it needs in >> the parameters so i guess not. > nope, it won't. 
This approach is about ignoring the official > adapter, which is triggered by security constraints from web.xml > and works at servlet layer. So in your case, request will be > always passed through servlet layer to REST endpoint when you need > to do programmatic authentication by yourself. > > So you may also need to read the keycloak.json file manually and > use KeycloakDeploymentBuilder.build to read KeycloakDeployment and > read publicKey and realmInfoUrl from there, so you can do > RSATokenVerifier.verifyToken by yourself. >> 2. Are there any caches involved that won't be taken into account ? > Not sure what you mean. I am not aware of any caches. >> 3. What happens with 'enable-basic-auth' adapter option? I >> suppose it needs further manual operation. This case is probably >> handles by my custom auth so that doesn't seem like a big problem. > It will be ignored and you will again need to do Basic > Authentication by yourself if you want to support in addition to > Bearer authentication. See BasicAuthRequestAuthenticator for > inspiration. > > Marek > >> >> >> >> On Wed, Sep 16, 2015 at 3:45 PM, Marek Posolda >> > wrote: >> >> I though that's why you want programmatic access because you >> want to have complete control? In that case you can remove >> all security constraints from web.xml and at your REST >> endpoints you would do the authentication/authorization >> exactly how you want. So at the beginning of REST endpoint >> you will do something like: >> >> if (request.containsHeader("Authorization: Bearer")) { >> do-keycloak-authentication-with-keycloak-access-token(); >> } else { >> do-legacy-authentication-or-whatever-based-on-yourAPI-keys-stuff(); >> } >> >> Or maybe I don't understand the usecase? >> >> Marek >> >> >> On 16/09/15 11:36, Orestis Tsakiridis wrote: >>> Hi Marek, >>> >>> Yes, i'm talking about securing REST endpoints. I saw the >>> BearerTokenRequestAuthenticator code. 
>>> >>> The problem is how to conditionally authenticate requests >>> using a custom authentication method that does not rely on >>> keycloak users, roles, clients etc. Would a custom >>> MyCustomRequestAuthenticator do the job? Are there any >>> examples on that? Ideally, an authenticator running inside >>> the adapter that would compare against values in the >>> application database wound to the job. >>> >>> The idea is to be compatible with an old security scheme >>> that relies on API Keys stored in the application database. >>> So i imagined some sort of dual authentication for the REST >>> endpoints. >>> >>> >>> >>> >>> >>> On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda >>> > wrote: >>> >>> If you're focused on security for REST endpoints, I >>> think it is quite easy to do it programaticaly. You may >>> just need to parse the "Authorization" header from >>> request with bearer token and verify it with >>> RSATokenVerifier.verifyToken from which you also >>> retrieve AccessToken . See >>> BearerTokenRequestAuthenticator class for the inspiration. >>> >>> Marek >>> >>> On 16/09/15 09:04, Orestis Tsakiridis wrote: >>>> Thanks Bill, >>>> >>>> I think i may tackle the issue for now through the >>>> KeycloakConfigResolver. Maybe return an empty >>>> deployment if the API Key is in the request. >>>> >>>> >>>> Regards >>>> >>>> Orestis >>>> >>>> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke >>>> > wrote: >>>> >>>> I'll eventually implement adapter as a filter, but >>>> right now security >>>> constraints are required. >>>> >>>> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote: >>>> > Hello, >>>> > >>>> > Is it possible to apply programmatic access >>>> control i.e. retrieve >>>> > KeycloakSecurityContext, get token, roles etc, >>>> when the >>>> > elements have been removed >>>> from web.xml? 
>>>> > >>>> > The reason for that is that when >>>> are present the >>>> > requests get dropped by the keycloak adapter >>>> before reaching the REST >>>> > endpoints implementation in case they are not >>>> carrying a token. I'm >>>> > trying to support an alternative authorization >>>> mechanism using a custom >>>> > API Key parameter in case the Oauth token header >>>> is missing. >>>> > >>>> > >>>> > Regards >>>> > >>>> > Orestis >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > _______________________________________________ >>>> > keycloak-user mailing list >>>> > keycloak-user at lists.jboss.org >>>> >>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150917/fccea98e/attachment-0001.html From ah at tradeworks.io Thu Sep 17 13:01:31 2015 From: ah at tradeworks.io (Anton Hughes) Date: Thu, 17 Sep 2015 19:01:31 +0200 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.5.0.Final In-Reply-To: References: Message-ID: Thanks Stian. On 17 September 2015 at 16:16, Stian Thorgersen wrote: > http://keycloak.github.io/docs/userguide/html/openshift.html > > On 17 September 2015 at 16:13, Anton Hughes wrote: > >> Thanks. Is it possible to get some documentation for this - such as how >> to login to the keycloak web console? 
>> On 16 September 2015 at 14:23, Stian Thorgersen wrote:
>>
>>> Keycloak OpenShift Cartridge updated to 1.5.0.Final
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From orestis.tsakiridis at telestax.com Fri Sep 18 04:15:01 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Fri, 18 Sep 2015 11:15:01 +0300
Subject: [keycloak-user] Programmatic access control with no in web.xml
In-Reply-To: <55FAF05E.6060002@redhat.com>
References: <55F8AC43.6020805@redhat.com> <55F929EE.7050002@redhat.com> <55F96467.4040308@redhat.com> <55F9A08A.2080905@redhat.com> <55FAF05E.6060002@redhat.com>
Message-ID:

It makes sense. Thanks for your help.

On Thu, Sep 17, 2015 at 7:54 PM, Marek Posolda wrote:
> On 17/09/15 16:25, Orestis Tsakiridis wrote:
>
> Marek, you're a life saviour!
>
> The concept worked perfectly.
>
> Nice :-)
>
> Btw, digging into BasicAuthRequestAuthenticator I noticed that whenever authenticate() is called, a request to the keycloak auth server is made to retrieve a token using the username/password pair. So, it seems that in order to authenticate ANY request with Basic authentication credentials the auth server needs to be contacted.
>
> Is my assumption correct?
>
> Yes, it works how you described. The Basic authentication support was added just for legacy applications support. It's not something recommended.
>
> Marek
>
> If that's the case it seems that 'enable-basic-auth' lays a heavy burden on the auth server with this per-request operation.
>
> It's of no value to me since I handle Basic authentication locally with a custom mechanism. I'm just asking for the record.
>
> Best regards
>
> Orestis
>
> On Wed, Sep 16, 2015 at 8:02 PM, Marek Posolda wrote:
>
>> On 16/09/15 16:38, Orestis Tsakiridis wrote:
>>
>> Thanks Marek.
>>
>> Yes, you got the use case right.
>>
>> Two questions come to my mind if I follow this manual approach:
>>
>> 1. Will this take into account a KeycloakConfigResolver that's in place and the deployment it creates? RSATokenVerifier.verifyToken() seems to get all the info it needs in the parameters, so I guess not.
>>
>> Nope, it won't. This approach is about ignoring the official adapter, which is triggered by security constraints from web.xml and works at the servlet layer. So in your case, the request will always be passed through the servlet layer to the REST endpoint when you need to do programmatic authentication by yourself.
>>
>> So you may also need to read the keycloak.json file manually and use KeycloakDeploymentBuilder.build to read KeycloakDeployment and read publicKey and realmInfoUrl from there, so you can do RSATokenVerifier.verifyToken by yourself.
>>
>> 2. Are there any caches involved that won't be taken into account?
>>
>> Not sure what you mean. I am not aware of any caches.
>>
>> 3. What happens with the 'enable-basic-auth' adapter option? I suppose it needs further manual operation. This case is probably handled by my custom auth so that doesn't seem like a big problem.
>>
>> It will be ignored and you will again need to do Basic Authentication by yourself if you want to support it in addition to Bearer authentication. See BasicAuthRequestAuthenticator for inspiration.
>>
>> Marek
>>
>> On Wed, Sep 16, 2015 at 3:45 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> I thought that's why you want programmatic access, because you want to have complete control? In that case you can remove all security constraints from web.xml and at your REST endpoints you would do the authentication/authorization exactly how you want. So at the beginning of the REST endpoint you will do something like:
>>>
>>>     if (request.containsHeader("Authorization: Bearer")) {
>>>         do-keycloak-authentication-with-keycloak-access-token();
>>>     } else {
>>>         do-legacy-authentication-or-whatever-based-on-yourAPI-keys-stuff();
>>>     }
>>>
>>> Or maybe I don't understand the use case?
>>>
>>> Marek
>>>
>>> On 16/09/15 11:36, Orestis Tsakiridis wrote:
>>>
>>> Hi Marek,
>>>
>>> Yes, I'm talking about securing REST endpoints. I saw the BearerTokenRequestAuthenticator code.
>>>
>>> The problem is how to conditionally authenticate requests using a custom authentication method that does not rely on keycloak users, roles, clients etc. Would a custom MyCustomRequestAuthenticator do the job? Are there any examples on that? Ideally, an authenticator running inside the adapter that would compare against values in the application database would do the job.
>>>
>>> The idea is to be compatible with an old security scheme that relies on API Keys stored in the application database. So I imagined some sort of dual authentication for the REST endpoints.
>>>
>>> On Wed, Sep 16, 2015 at 11:35 AM, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>> If you're focused on security for REST endpoints, I think it is quite easy to do it programmatically. You may just need to parse the "Authorization" header from the request with the bearer token and verify it with RSATokenVerifier.verifyToken, from which you also retrieve the AccessToken. See the BearerTokenRequestAuthenticator class for inspiration.
>>>>
>>>> Marek
>>>>
>>>> On 16/09/15 09:04, Orestis Tsakiridis wrote:
>>>>
>>>> Thanks Bill,
>>>>
>>>> I think I may tackle the issue for now through the KeycloakConfigResolver. Maybe return an empty deployment if the API Key is in the request.
>>>>
>>>> Regards
>>>>
>>>> Orestis
>>>>
>>>> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> I'll eventually implement the adapter as a filter, but right now security constraints are required.
>>>>>
>>>>> On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Is it possible to apply programmatic access control, i.e. retrieve KeycloakSecurityContext, get token, roles etc., when the elements have been removed from web.xml?
>>>>>>
>>>>>> The reason for that is that when are present the requests get dropped by the keycloak adapter before reaching the REST endpoints implementation in case they are not carrying a token. I'm trying to support an alternative authorization mechanism using a custom API Key parameter in case the OAuth token header is missing.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Orestis
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
From kevin.thorpe at p-i.net Fri Sep 18 06:42:52 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 18 Sep 2015 11:42:52 +0100
Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
Message-ID:

Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to avoid the "invalid parameter: redirect_uri" problem.

Website is https://my-client.pibenchmark.com

In nginx:

    location /auth {
        proxy_pass https://auth-service;
    }

    upstream auth-service {
        server my-keycloak:8443;
    }

Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/*, i.e. my whole domain. Still getting invalid parameter: redirect_uri though.

What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.

*Kevin Thorpe*
CTO, PI Limited

From sthorger at redhat.com Fri Sep 18 06:59:55 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Sep 2015 12:59:55 +0200
Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
In-Reply-To:
References:
Message-ID:

The * can only be on the end of the valid redirect URI. So you need to specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being a good idea obviously.

From DSzeto at investlab.com Fri Sep 18 07:00:08 2015
From: DSzeto at investlab.com (Doug Szeto)
Date: Fri, 18 Sep 2015 11:00:08 +0000
Subject: [keycloak-user] Creating Users from admin url and user passwords
In-Reply-To:
Message-ID:

Hi,
I've updated from version 1.4.0.Final to 1.5.0.Final.
I was able to create users with a script from the admin URL API in 1.4.0. But after the update to 1.5.0.Final, it doesn't seem to accept the credentials anymore.

Here is my request that used to work:

    POST /auth/admin/realms/{realm}/users
    body={"username":"burke","enabled":true,"credentials":[{"type":"password","value":"password"}]}

I'm dumping the realm information and the user is created, but the credentials field is a blank JSON array.
Uploading a realm with one of the test configs, it seems like it automatically changes the password value to some hashed value.

What actually changed in 1.5.0 with creating users using the admin API with a temporary password so that it can be scripted again?

-Doug
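The wildcard rule in Stian's reply to Kevin above is easy to get wrong in both directions, so here it is as an added example in Go. This is not Keycloak's own matching code and is a simplified model of the rule (a real server also normalises the requested URI before comparing); the pattern and host names are those from Kevin's message, and the look-alike host in the comments is constructed. The reason the rule matters is that redirect_uri is where the authorization code is sent: a pattern that matches hosts the client does not own turns the login into an open redirect of the code.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MatchRedirectURI applies the rule in the reply above to one registered pattern: an exact URI
// matches only itself, a pattern ending in "*" matches any URI that starts with the text before
// the "*", and a "*" anywhere else is an error rather than a wildcard, so a pattern such as
// "https://*.pibenchmark.com/*" never matches anything.
func MatchRedirectURI(pattern, requested string) (bool, error) {
	prefix := strings.TrimSuffix(pattern, "*")
	if strings.Contains(prefix, "*") {
		return false, errors.New("'*' is only allowed at the end of a valid redirect URI")
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(requested, prefix), nil
	}
	return requested == pattern, nil
}

// Allowed is the check an authorization server runs on the redirect_uri parameter before it
// sends an authorization code anywhere: some registered pattern has to match. A registered
// pattern that is itself invalid simply never matches.
func Allowed(registered []string, requested string) bool {
	for _, p := range registered {
		if ok, err := MatchRedirectURI(p, requested); err == nil && ok {
			return true
		}
	}
	return false
}

func main() {
	cb := "https://my-client.pibenchmark.com/app/callback"
	fmt.Println(Allowed([]string{"https://*.pibenchmark.com/*"}, cb))        // false: wildcard in the host
	fmt.Println(Allowed([]string{"https://my-client.pibenchmark.com/*"}, cb)) // true
	// Without the trailing slash the prefix also covers look-alike hosts; a bare '*' covers everything.
	lookAlike := "https://my-client.pibenchmark.com.other.example/callback" // constructed
	fmt.Println(Allowed([]string{"https://my-client.pibenchmark.com*"}, lookAlike)) // true
	fmt.Println(Allowed([]string{"*"}, lookAlike))                                  // true
}
```

The last two lines of main are the caveat: a trailing wildcard is a plain prefix match, so register it after the path separator ("https://host/*"), not directly after the host name, and treat a bare "*" as a configuration finding rather than a convenience.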
From kevin.thorpe at p-i.net Fri Sep 18 07:21:33 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 18 Sep 2015 12:21:33 +0100
Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
In-Reply-To:
References:
Message-ID:

Oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked... but now I have another problem :-(

*Kevin Thorpe*
CTO

www.p-i.net | @PI_150
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK
_____________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!"*

From kevin.thorpe at p-i.net Fri Sep 18 09:25:53 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 18 Sep 2015 14:25:53 +0100
Subject: [keycloak-user] Proxying and changing port.
Message-ID:

Still struggling with wrapping Keycloak under nginx. Keycloak runs on our internal infrastructure on port 8443 because it's a right pain to get it on port 443.

Now some of our clients have restrictive firewalls that only allow 80 and 443, so I'm trying to proxy it on port 443 in Nginx so we have a single point of contact. It doesn't work.

Chrome is giving ERR_RESPONSE_HEADERS_TRUNCATED and I'm not sure why. Redirect is happening properly as shown from an AWS client:

    52.21.xxx.xxx - - [18/Sep/2015:14:23:49 +0100] xxxx.pibenchmark.com "GET / HTTP/1.1" 009 7 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36" "10.20.13.184:8443"

Can Keycloak not handle the difference in ports? I'm really struggling to understand here.

nginx config:

    # login-uat server
    server {
        listen 10.20.13.11:443;
        server_name xxxx.pibenchmark.com;
        ssl on;
        # ssl key bits
        client_max_body_size 10G;

        location / {
            proxy_pass http://login-uat-cluster;
        }
    }

    # only one of these will be working but nginx should be able to work out which
    upstream login-uat-cluster {
        server keycloak.pibenchmark.com:8443;
    }

*Kevin Thorpe*
CTO

From kevin.thorpe at p-i.net Fri Sep 18 09:33:29 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 18 Sep 2015 14:33:29 +0100
Subject: [keycloak-user] Proxying and changing port.
In-Reply-To:
References:
Message-ID:

Yeah it's definitely the port. I can use exactly the same config proxying port 8443 -> 8443 and it works.

*Kevin Thorpe*
CTO
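Kevin's question of whether Keycloak can cope with the port difference is really about how a server behind a reverse proxy learns the scheme, host and port the browser used: login and redirect URLs are built from that, and a server that only sees its own listener builds them with its own port. The added example below, written for this page and not taken from Keycloak, WildFly or nginx, models that in Go. The X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers (the ones the proxy has to set with proxy_set_header) are honoured only when the request comes from a listed proxy address, because otherwise any client could forge them; the proxy address 10.20.13.11 and the host names are the ones from Kevin's configuration, and the client address in the forged case is constructed. On the WildFly side the equivalent of the trusted-proxy switch is proxy-address-forwarding="true" on the Undertow http-listener, which is the setting Felipe refers to in his reply.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// PublicBaseURL works out the scheme, host and port the browser actually used, which is what
// an authorization server needs when it builds login and redirect URLs. On its own a server
// only sees its own listener (Keycloak on :8443 here); the X-Forwarded-* headers set by the
// proxy are honoured only when the request really came from one of the trusted proxies,
// otherwise any client could forge them and have URLs built for a host of its choosing.
func PublicBaseURL(r *http.Request, trustedProxies []string) string {
	scheme, host := "http", r.Host
	if r.TLS != nil {
		scheme = "https"
	}
	if fromTrustedProxy(r.RemoteAddr, trustedProxies) {
		if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
			scheme = p
		}
		if h := r.Header.Get("X-Forwarded-Host"); h != "" {
			host = h
		}
		if port := r.Header.Get("X-Forwarded-Port"); port != "" {
			hostOnly, _, err := net.SplitHostPort(host)
			if err != nil { // Host carried no port; keep it as it is
				hostOnly = host
			}
			host = net.JoinHostPort(hostOnly, port)
		}
	}
	// Omit the default port for the scheme so that the result compares cleanly.
	if (scheme == "https" && strings.HasSuffix(host, ":443")) || (scheme == "http" && strings.HasSuffix(host, ":80")) {
		host = host[:strings.LastIndex(host, ":")]
	}
	return scheme + "://" + host
}

// fromTrustedProxy compares the peer address (ip:port) against the proxy list.
func fromTrustedProxy(remoteAddr string, trusted []string) bool {
	ip, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		ip = remoteAddr
	}
	for _, t := range trusted {
		if t == ip {
			return true
		}
	}
	return false
}

func main() {
	proxies := []string{"10.20.13.11"} // the nginx listener address from Kevin's config
	direct := &http.Request{Host: "keycloak.pibenchmark.com:8443", RemoteAddr: "10.20.13.11:40001"}
	fmt.Println(PublicBaseURL(direct, proxies)) // http://keycloak.pibenchmark.com:8443
	viaProxy := &http.Request{Host: "xxxx.pibenchmark.com", RemoteAddr: "10.20.13.11:40002",
		Header: http.Header{"X-Forwarded-Proto": {"https"}, "X-Forwarded-Port": {"443"}}}
	fmt.Println(PublicBaseURL(viaProxy, proxies)) // https://xxxx.pibenchmark.com
	forged := &http.Request{Host: "xxxx.pibenchmark.com", RemoteAddr: "203.0.113.9:40003", // constructed client
		Header: viaProxy.Header}
	fmt.Println(PublicBaseURL(forged, proxies)) // http://xxxx.pibenchmark.com
}
```

The first call in main is Kevin's situation: no forwarded headers, so the server can only name itself and its 8443 port, which is what ends up in the redirect. The second is the configuration Felipe shows (Host passed through, X-Forwarded-Proto and X-Forwarded-Port set), and the third shows the same headers being ignored when they do not come from the proxy. One further check worth making on Kevin's config: proxy_pass with an http:// scheme has to point at a plain-HTTP listener, as Felipe's 8080 does; pointing it at a TLS port will not produce readable responses.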
From felipe.braun at intelbras.com.br Fri Sep 18 09:44:04 2015
From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja)
Date: Fri, 18 Sep 2015 10:44:04 -0300
Subject: [keycloak-user] Proxying and changing port.
In-Reply-To:
References:
Message-ID: <55FC1524.60209@intelbras.com.br>

I don't agree. I proxy 443 -> 8080 :)

Mine looks like this:

    server {
        listen 443 ssl spdy;

        (lots of ssl options)

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://keycloack:8080$request_uri;
        }
    }

(I think that $request_uri on the end should not be there)

And, of course, setting up wildfly so it knows it's behind a reverse proxy. Proxy address forwarding, if I'm not mistaken.

On 18/09/2015 10:33, Kevin Thorpe wrote:
> Yeah it's definitely the port. I can use exactly the same config proxying port 8443 -> 8443 and it works.

--
Felipe Braun Azambuja
DBA
Information and Communication Technology
(48) 3281 9577
felipe.braun at intelbras.com.br

The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From kevin.thorpe at p-i.net Fri Sep 18 10:55:08 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 18 Sep 2015 15:55:08 +0100
Subject: [keycloak-user] Proxying and changing port.
In-Reply-To: <55FC1524.60209@intelbras.com.br>
References: <55FC1524.60209@intelbras.com.br>
Message-ID:

Ah, possibly the Wildfly part. I know nothing about that since I'm an elder geek, not a Java guy.

*Kevin Thorpe*
CTO

From nikos at petalidis.gr Sat Sep 19 04:56:14 2015
From: nikos at petalidis.gr (Nicholaos Petalidis)
Date: Sat, 19 Sep 2015 11:56:14 +0300
Subject: [keycloak-user] Validating keycloak access tokens
Message-ID:

Hi,

I would like to ask what is the recommended way for validating a token I received from a keycloak server.

Specifically, I have the following.

1. A keycloak server running v. 1.0.4Final.
2. A javascript client using the js adapter provided for 1.0.4Final
3. REST services on a wildfly server using the 1.4.0 adapter for wildfly 9.

I use the JS adapter to receive a token from the keycloak server.

The token seems to be a JWT, but when it is included in the Authorization header for the REST request I make to the REST service that is on wildfly I get back an 'invalid signature' response.

I also fail to verify the token if I enter the relevant info on jwt.io (token and public key).

So my questions are:
1. Does the 1.0.4Final version sign the tokens?
2. What is the recommended way for the REST service to validate the token present on the Authorization/Bearer header of a REST request?

Thanks in advance for any answers

--
Nikos

From kclark at mbopartners.com Sun Sep 20 16:27:21 2015
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Sun, 20 Sep 2015 20:27:21 +0000
Subject: [keycloak-user] Appending Domain To Username At Login
Message-ID:

Is there a way to append the domain to the username when logging in? Our usernames look like "username"@example.com. In our other authentication system we append the domain to whatever the user enters for lookup in AD, and we were wondering if there was a setting in Keycloak that allowed this functionality.

From sthorger at redhat.com Mon Sep 21 02:29:43 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Sep 2015 08:29:43 +0200
Subject: [keycloak-user] Validating keycloak access tokens
In-Reply-To:
References:
Message-ID:

jwt.io is a bit sensitive; you need to select RS256 and paste in the realm public key before passing in the token.

Are you actually using both 1.0.4 and 1.4.0? If so it's quite likely that's the reason why the token is failing.

The recommended way of verifying the token would be to use the adapters like what you're already doing in your REST service.

From sthorger at redhat.com Mon Sep 21 02:43:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Sep 2015 08:43:35 +0200
Subject: [keycloak-user] Appending Domain To Username At Login
In-Reply-To:
References:
Message-ID:

We don't have a built-in feature for this, but you should be able to create your own custom authenticator that does this. Have a look at http://keycloak.github.io/docs/userguide/html/auth_spi.html

From DSzeto at investlab.com Mon Sep 21 05:36:39 2015
From: DSzeto at investlab.com (Doug Szeto)
Date: Mon, 21 Sep 2015 09:36:39 +0000
Subject: [keycloak-user] Creating Users from admin url and user passwords
In-Reply-To:
Message-ID:

Solved by making a second call to:

    PUT /auth/admin/realms/{realm}/users/{userId}/reset-password

Should make a note in the release notes for 1.5.0.

-Doug
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150921/9970c706/attachment.html

From sthorger at redhat.com Mon Sep 21 06:34:50 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Sep 2015 12:34:50 +0200
Subject: [keycloak-user] Creating Users from admin url and user passwords
In-Reply-To:
References:
Message-ID:

This has always been the case and not something we've just recently changed

On 21 September 2015 at 11:36, Doug Szeto wrote:

> Solved by making a second call to:
> PUT /auth/admin/realms/{realm}/users/{userId}/reset-password
>
> Should make a note in the release notes for 1.5.0.
> -Doug
>
> From: doug
> Date: Fri, 18 Sep 2015 11:00:08 +0000
> To: "keycloak-user at lists.jboss.org"
> Subject: [keycloak-user] Creating Users from admin url and user passwords
>
> Hi,
> I've update from version 1.4.0.Final to 1.5.0.Final.
> Was able to use to create users with a script from the admin url api in
> 1.4.0.
> But after the update to 1.5.0.Final, it doesn't seem to accept the
> credentials anymore.
>
> Here is my request that used to work:
> POST /auth/admin/realms/{realm}/users
>
> body={"username":"burke","enabled":true,"credentials":[{"type":"password","value":"password"]}
>
> I'm dumping the realm information and the user is created, but the
> credentials field is a blank json array.
> Uploading a realm with one of the test configs, it seems like it
> automatically changes the password value to some hashed value.
>
> What actually changed in 1.5.0 with creating users using the admin api
> with a temporary password so that it can be scripted again?
> -Doug
> _______________________________________________ keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150921/5b40ac9e/attachment-0001.html

From sascha.skorupa at traveltainment.de Mon Sep 21 05:52:32 2015
From: sascha.skorupa at traveltainment.de (Sascha Skorupa)
Date: Mon, 21 Sep 2015 09:52:32 +0000
Subject: [keycloak-user] Multivalued user attributes mapping
Message-ID:

Hi,

we are currently evaluating Keycloak as IDM solution for our company. In doing so we encountered the following questions according to storing authorization data:

1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as claim. But, how you can configure multiple values for one attribute? If you save another value with the same key the existing one is overwritten.

2) One of requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation how to realize this in keycloak or is the only way to use flat user attributes (key/value).

Thanks,
Sascha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150921/2b54fa99/attachment.html

From mposolda at redhat.com Mon Sep 21 08:32:09 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 21 Sep 2015 14:32:09 +0200
Subject: [keycloak-user] Multivalued user attributes mapping
In-Reply-To:
References:
Message-ID: <55FFF8C9.1000300@redhat.com>

On 21/09/15 11:52, Sascha Skorupa wrote:
>
> Hi,
>
> we are currently evaluating Keycloak as IDM solution for our company.
> In doing so we encountered the following questions according to
> storing authorization data:
>
> 1)In the "Mapper" section it is possible to configure how user
> attributes are mapped to tokens/claims. It is also possible to turn
> on "Multivalued" mapping, so that every value of one attribute is set
> as claim. But, how you can configure multiple values for one
> attribute? If you save another value with the same key the existing
> one is overwritten.
>
You mean to map multiple different attributes from User into one attribute of AccessToken? That's not possible with the existing mappers. The thing is that you can write your own protocol mapper implementation and map the claims exactly how you want.
>
> 2)One of requirements is to persist custom authorization data
> hierarchically and to map this data into access tokens. Is there any
> recommendation how to realize this in keycloak or is the only way to
> use flat user attributes (key/value).
>
The accessToken has "otherClaims" map on it. You can use any hierarchy you want to map your stuff into the access token. The best is again to write your own protocol mapper to achieve exactly what you want.

Marek
>
> Thanks, Sascha
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150921/a20042ff/attachment.html

From juraci at kroehling.de Mon Sep 21 11:52:08 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Mon, 21 Sep 2015 17:52:08 +0200
Subject: [keycloak-user] Token Verification - issuer IP vs. hostname
Message-ID: <560027A8.8090808@kroehling.de>

Hello,

If I try to call the TokenVerification endpoint at http://127.0.0.1:8080/auth with a token generated via http://localhost:8080/auth, the server indicates that the token is invalid. Is that appropriate? Is there an option somewhere that would allow me to list all the names that my auth server is known?

- Juca.

From getbhanu30 at gmail.com Mon Sep 21 17:34:11 2015
From: getbhanu30 at gmail.com (Bhanu Kiran)
Date: Mon, 21 Sep 2015 16:34:11 -0500
Subject: [keycloak-user] Keycloak is FLIPS compliant (Federal Information Processing Standard) ?
Message-ID:

Hi Team,

1.According to our company standards Identity provider which we are going to us should be of FLIPS compliant. Let us know if Keycloak is FLIPS compliant or not. If 'NO' let us know if we can pass encrypted token between service provider and Keycloak and how we can implement this.

Thanks,
Bhanu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150921/2c825390/attachment.html

From getbhanu30 at gmail.com Mon Sep 21 18:22:08 2015
From: getbhanu30 at gmail.com (Bhanu Kiran)
Date: Mon, 21 Sep 2015 17:22:08 -0500
Subject: [keycloak-user] Keycloak is FIPS compliant (Federal Information Processing Standard) ?
Message-ID:

Hi Team,

1.According to our company standards Identity provider which we are going to us should be of FIPS compliant. Let us know if Keycloak is FIPS compliant or not. If 'NO' let us know if we can pass encrypted token between service provider and Keycloak and how we can implement this.
Thanks,
Bhanu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150921/2bade065/attachment.html

From kclark at mbopartners.com Tue Sep 22 06:22:01 2015
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Tue, 22 Sep 2015 10:22:01 +0000
Subject: [keycloak-user] Appending Domain To Username At Login
In-Reply-To:
References:
Message-ID:

Stian,

I was able to accomplish what I needed using the link you provided. Thanks!

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Monday, September 21, 2015 at 1:43 AM
To: Kenyatta Clark
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Appending Domain To Username At Login

We don't have a built in feature for this, but you should be able to create your own custom authenticator that does this. Have a look at http://keycloak.github.io/docs/userguide/html/auth_spi.html

On 20 September 2015 at 22:27, Kenyatta Clark wrote:

Is there a way to append the domain to the username when logging in? Our usernames are look like "username"@example.com. In our other authentication system we append the domain to whatever the user enters in for look up in AD and we were wondering if there was a setting in Keycloak that allowed this functionality.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150922/3ecbb581/attachment-0001.html

From kevin.thorpe at p-i.net Tue Sep 22 07:52:36 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Tue, 22 Sep 2015 12:52:36 +0100
Subject: [keycloak-user] Proxying and changing port.
In-Reply-To: <55FC1524.60209@intelbras.com.br>
References: <55FC1524.60209@intelbras.com.br>
Message-ID:

It appears that this works fine.
Proxying 443 => 8443 over https has issues. *Kevin Thorpe* CTO www.p-i.net | @PI_150 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. *"SAVE PAPER - THINK BEFORE YOU PRINT!" * On 18 September 2015 at 14:44, Felipe Braun Azambuja < felipe.braun at intelbras.com.br> wrote: > I don't agree. I proxy 443 -> 8080 :) > > Mine looks like this: > > server { > listen 443 ssl spdy; > > (lots of ssl options) > > location / { > proxy_set_header Host $host; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto https; > proxy_set_header X-Forwarded-Port 443; > proxy_pass http://keycloack:8080$request_uri; > } > } > > (I think that $request_uri on the end should not be there) > > And, of course, setting up wildfly so it knows it's behind a reverse > proxy. Proxy address forwarding, if I'm not mistaken. > > > Il 18/09/2015 10:33, Kevin Thorpe ha scritto: > >> Yeah it's definitely the port. I can use exactly the same config >> proxying port 8443 -> 8443 and >> it works. 
>> >> *Kevin Thorpe >> * >> CTO >> >> >> >> www.p-i.net | @PI_150 >> >> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 >> 150 Buckingham Palace Road, London, SW1W 9TR, UK >> >> ** >> _____________________________ >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they are >> addressed. If you have received this email in error please notify the >> system manager. This message contains confidential information and is >> intended only for the individual named. If you are not the named >> addressee you should not disseminate, distribute or copy this e-mail. >> Please notify the sender immediately by e-mail if you have received this >> e-mail by mistake and delete this e-mail from your system. If you are >> not the intended recipient you are notified that disclosing, copying, >> distributing or taking any action in reliance on the contents of this >> information is strictly prohibited. >> >> *"SAVE PAPER - THINK BEFORE YOU PRINT!" * >> >> >> On 18 September 2015 at 14:25, Kevin Thorpe > > wrote: >> >> Still struggling with wrapping Keycloak under nginx. Keycloak runs >> on our internal infrastructure >> on port 8443 because it's a right pain to get it on port 443. >> >> Now some of our clients have restrictive firewalls that only allow >> 80 and 443 so I'm trying to >> proxy it on port 443 in Nginx so we have a single pont of contact. >> It doesn't work. >> >> Chrome is giving ERR_RESPONSE_HEADERS_TRUNCATED and I'm not sure >> why. Redirect is happening properly as shown from an AWS client: >> >> 52.21.xxx.xxx - - [18/Sep/2015:14:23:49 +0100] xxxx.pibenchmark.com >> "GET / HTTP/1.1" 009 7 "-" >> "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like >> Gecko) Chrome/45.0.2454.93 Safari/537.36" "10.20.13.184:8443 >> " >> >> Can Keycloak not handle the difference in ports? I'm really >> struggling to understand here. 
>>
>> nginx config:
>>
>> # login-uat server
>>
>> server {
>> listen 10.20.13.11:443 ;
>>
>> server_name xxxx.pibenchmark.com ;
>>
>> ssl on;
>> # ssl key bits
>> client_max_body_size 10G;
>>
>> location / {
>> proxy_pass http://login-uat-cluster;
>> }
>> }
>>
>> # only one of these will be working but nginx should be able to work
>> out which
>> upstream login-uat-cluster {
>> server keycloak.pibenchmark.com:8443
>> ;
>> }
>>
>>
>>
>> *Kevin Thorpe
>> *
>> CTO
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
> --
> Felipe Braun Azambuja
> DBA
> Information and Communication Technology
> (48) 3281 9577
> felipe.braun at intelbras.com.br
> This message, including its attachments, contains information protected by
> law, subject to privilege and/or confidentiality, and may not be
> retransmitted, archived, disclosed or copied without the sender's
> authorization. The sender uses electronic mail in the course of his or her
> work or by reason of it, and this institution disclaims any liability for
> improper use. If you have received this message by mistake, please inform
> the sender by replying immediately to this e-mail, and then delete it from
> your computer.
>
> The information contained in this e-mail and its attachments are protected
> by law, subjected to privilege and/or confidentiality and cannot be
> retransmitted, filed, disclosed or copied without authorization from the
> sender. The sender uses the electronic mail in the exercise of his/her work
> or by virtue thereof, and the institution accepts no liability from its
> undue use. If you have received this message by mistake, please notify us
> immediately by returning the e-mail and deleting this message from your
> system.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150922/f5344df0/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150922/f5344df0/attachment.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150922/f5344df0/attachment-0001.jpg

From christopher.james.davies at gmail.com Tue Sep 22 11:24:07 2015
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Tue, 22 Sep 2015 15:24:07 +0000
Subject: [keycloak-user] Session time out
Message-ID:

I'm using an openid-connect call to get a set of tokens from KeyCloak. The expiry time of the access_token is based upon the "Access Token Lifespan" which I understand. However is there any way to pass the SSO Session Max, and SSO Session Idle inside the access token.

Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150922/2a472e8d/attachment-0001.html

From gerbermichi at me.com Wed Sep 23 01:42:32 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Wed, 23 Sep 2015 05:42:32 +0000 (GMT)
Subject: [keycloak-user] propagate user credential from fat client to browser
Message-ID:

Hi all,

I have got a fat client and a web application. The fat client uses the keycloak login in a build in browser. After that I am using the access token to get data from rest services from the web application.

Is it possible to open the web application from the fat client in a new browser and propagate the user credentials, so that the user does not have to reauthenticate?

kind regards
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150923/b74af3de/attachment.html From sthorger at redhat.com Wed Sep 23 02:39:59 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 23 Sep 2015 08:39:59 +0200 Subject: [keycloak-user] propagate user credential from fat client to browser In-Reply-To: References: Message-ID: If you are happy to do the login to the fat client from the browser this is possible. Take a look at our customer-app-cli example. In summary the way it works is: * Native client starts a http server on localhost with any port (for example 10789) * Native client opens the login link in the external desktop web browser * Keycloak redirects to "http://localhost:10789" * The native client can now read the code query param from the request sent to the http server it started * SSO done ;) On 23 September 2015 at 07:42, Michael Gerber wrote: > Hi all, > > I have got a fat client and a web application. The fat client uses the > keycloak login in a build in browser. After that I am using the access > token to get data from rest services from the web application. > > Is it possible to open the web application from the fat client in a new > browser and propagate the user credentials, so that the user does not have > to reauthenticate? > > kind regards > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
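The loopback flow Stian summarises above, worked through as an added example in Python (not Keycloak's customer-app-cli): the client binds a local HTTP server first, builds the login URL from the port it actually got, and accepts only the redirect that carries the state it generated. The Keycloak URL, realm and client id are placeholders; the thread's "http://localhost:10789" is written as 127.0.0.1 so the bound address and the redirect target are the same literal.

```python
"""Loopback redirect receiver for the native-client login described above.

Added example, not Keycloak's customer-app-cli: bind an HTTP server on a
loopback port, open the login URL in the desktop browser, then read the
``code`` query parameter from the redirect Keycloak sends back.
"""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_BASE = "http://localhost:8080/auth"  # assumed Keycloak server URL
REALM = "demo"                                 # placeholder realm
CLIENT_ID = "customer-cli"                     # placeholder public client
LOOPBACK_HOST = "127.0.0.1"                    # literal address, no v4/v6 ambiguity
LOOPBACK_PORT = 10789                          # the port used in the thread


def build_authorization_url(state, port):
    """Authorization Code request whose redirect_uri is the loopback server."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
              "redirect_uri": f"http://{LOOPBACK_HOST}:{port}", "state": state}
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def extract_code(request_target, expected_state):
    """Return the code from '/?state=..&code=..'; ValueError if the state is not
    ours, Keycloak reported an error, or there is not exactly one code."""
    query = parse_qs(urlparse(request_target).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: redirect does not belong to this login")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect does not carry exactly one authorization code")
    return codes[0]


class RedirectHandler(BaseHTTPRequestHandler):
    """Serves the single redirect Keycloak sends and records the outcome."""

    def do_GET(self):
        try:
            self.server.code = extract_code(self.path, self.server.expected_state)
            status, body = 200, b"Login complete, you can close this window."
        except ValueError as exc:
            self.server.error = str(exc)
            status, body = 400, b"Login failed."
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # the default access log would print the request line, code included


class LoopbackLogin:
    """One login attempt: bind first, then build the URL from the bound port."""

    def __init__(self, port=LOOPBACK_PORT, timeout=120.0):
        self.state = secrets.token_urlsafe(16)      # fresh and unguessable per attempt
        self.server = HTTPServer((LOOPBACK_HOST, port), RedirectHandler)
        self.server.timeout = timeout
        self.server.expected_state = self.state
        self.server.code = self.server.error = None

    @property
    def port(self):
        return self.server.server_address[1]        # real port, even if 0 was asked

    def authorization_url(self):
        return build_authorization_url(self.state, self.port)  # open in the browser

    def wait_for_code(self):
        """Handle exactly one request, then return the code or raise ValueError."""
        try:
            self.server.handle_request()   # returns after one request or the timeout
        finally:
            self.server.server_close()
        if self.server.code is None:
            raise ValueError(self.server.error or "no redirect received before timeout")
        return self.server.code


def deliver_redirect(login, request_target, delay=0.1):
    """Stand-in for the browser: send the redirect from a helper thread."""
    url = f"http://{LOOPBACK_HOST}:{login.port}{request_target}"

    def _send():
        time.sleep(delay)
        try:
            urllib.request.urlopen(url).read()
        except urllib.error.HTTPError:
            pass  # a 400 from the handler is the expected answer to a bad redirect
    threading.Thread(target=_send, daemon=True).start()
```

In real use `webbrowser.open(login.authorization_url())` replaces `deliver_redirect`, and the returned code is then exchanged at the token endpoint.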
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150923/e7a75d4c/attachment.html

From eugene.chow.ct at gmail.com Wed Sep 23 02:47:01 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Wed, 23 Sep 2015 14:47:01 +0800
Subject: [keycloak-user] Set Keycloak as root context of Wildfly
Message-ID: <56024AE5.4060504@gmail.com>

Hi,

I tried following the instructions at the following URL to set the root context of Keycloak but it still defaults to the welcome page.

http://keycloak.github.io/docs/userguide/html/server-installation.html#d4e423

Is the documentation outdated?

Thanks,
Eugene

From gerbermichi at me.com Wed Sep 23 02:48:22 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Wed, 23 Sep 2015 06:48:22 +0000 (GMT)
Subject: [keycloak-user] Re: propagate user credential from fat client to browser
In-Reply-To:
Message-ID:

Thank you for your quick answer.

I would like to open a new desktop web browser from the native client without re login to the web app.

Is it possible to propagate the access token, which I previously received from keycloak from the native client to a new desktop web browser?

On 23 September 2015 at 08:40, Stian Thorgersen wrote:

If you are happy to do the login to the fat client from the browser this is possible. Take a look at our customer-app-cli example. In summary the way it works is:

* Native client starts a http server on localhost with any port (for example 10789)
* Native client opens the login link in the external desktop web browser
* Keycloak redirects to "http://localhost:10789"
* The native client can now read the code query param from the request sent to the http server it started
* SSO done ;)

On 23 September 2015 at 07:42, Michael Gerber wrote:

Hi all,

I have got a fat client and a web application. The fat client uses the keycloak login in a build in browser. After that I am using the access token to get data from rest services from the web application.
Is it possible to open the web application from the fat client in a new browser and propagate the user credentials, so that the user does not have to reauthenticate? kind regards Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150923/c211f1e2/attachment.html From eugene.chow.ct at gmail.com Wed Sep 23 03:33:20 2015 From: eugene.chow.ct at gmail.com (Eugene Chow) Date: Wed, 23 Sep 2015 15:33:20 +0800 Subject: [keycloak-user] Set Keycloak as root context of Wildfly In-Reply-To: <56024AE5.4060504@gmail.com> References: <56024AE5.4060504@gmail.com> Message-ID: <560255C0.1090403@gmail.com> I found the answer after reading the logs... Keycloak has no WARfile but its alias is keycloak-server.war. Instead of *main-auth-server.war* for the *default-web-module* param, it should be *keycloak-server.war* On 23/9/2015 2:47 PM, Eugene Chow wrote: > Hi, > > I tried following the instructions at the following URL to set the > root context of Keycloak but it still defaults to the welcome page. > > http://keycloak.github.io/docs/userguide/html/server-installation.html#d4e423 > > > Is the documentation outdated? > > Thanks, > Eugene -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150923/6b5341cc/attachment.html From sthorger at redhat.com Wed Sep 23 04:26:24 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 23 Sep 2015 10:26:24 +0200 Subject: [keycloak-user] propagate user credential from fat client to browser In-Reply-To: References: Message-ID: Not sure what you mean about new desktop web browser, but as long as the user is already logged in to Keycloak from the web browser that is opened (already open, or remember me is selected) the user won't be asked to log in again On 23 September 2015 at 08:48, Michael Gerber wrote: > Thank you for your quick answer. > > I would like to open a new desktop web browser from the native client > without re login to the web app. > > Is it possible to propagate the access token, which I previously received > from keycloak from the native client to a new desktop web browser? > > Am 23. September 2015 um 08:40 schrieb Stian Thorgersen < > sthorger at redhat.com>: > > If you are happy to do the login to the fat client from the browser this > is possible. Take a look at our customer-app-cli example. In summary the > way it works is: > > * Native client starts a http server on localhost with any port (for > example 10789) > * Native client opens the login link in the external desktop web browser > * Keycloak redirects to "http://localhost:10789" > * The native client can now read the code query param from the request > sent to the http server it started > * SSO done ;) > > On 23 September 2015 at 07:42, Michael Gerber wrote: > >> Hi all, >> >> I have got a fat client and a web application. The fat client uses the >> keycloak login in a build in browser. After that I am using the access >> token to get data from rest services from the web application. >> >> Is it possible to open the web application from the fat client in a new >> browser and propagate the user credentials, so that the user does not have >> to reauthenticate? 
>> >> kind regards >> Michael >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150923/966f957b/attachment-0001.html From sthorger at redhat.com Wed Sep 23 04:27:51 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 23 Sep 2015 10:27:51 +0200 Subject: [keycloak-user] Set Keycloak as root context of Wildfly In-Reply-To: <560255C0.1090403@gmail.com> References: <56024AE5.4060504@gmail.com> <560255C0.1090403@gmail.com> Message-ID: Good that it's sorted - feel free to do a PR with the fix ;) On 23 September 2015 at 09:33, Eugene Chow wrote: > I found the answer after reading the logs... Keycloak has no WARfile but > its alias is keycloak-server.war. > > Instead of *main-auth-server.war* for the *default-web-module* param, it > should be *keycloak-server.war* > > > > > > > > > On 23/9/2015 2:47 PM, Eugene Chow wrote: > > Hi, > > I tried following the instructions at the following URL to set the root > context of Keycloak but it still defaults to the welcome page. > > > http://keycloak.github.io/docs/userguide/html/server-installation.html#d4e423 > > Is the documentation outdated? > > Thanks, > Eugene > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150923/3c26b5cf/attachment.html From DSzeto at investlab.com Wed Sep 23 21:38:51 2015 From: DSzeto at investlab.com (Doug Szeto) Date: Thu, 24 Sep 2015 01:38:51 +0000 Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems In-Reply-To: References: , Message-ID: Did you ever get the correct settings? When I put nginx in front of keycloak, it generates access tokens tied to the nginx server's IP instead of the browser's IP. This is apparent in the admin management pages when you look up the active sessions. The problem I'm having is there is a resource server that accepts bearer only tokens. It uses a different server, and now fails the token validation check. Remove the nginx servers and things work fine. Any suggestions? --Doug ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Kevin Thorpe Sent: Friday, September 18, 2015 19:21 To: stian at redhat.com Cc: keycloak-user Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked........ 
but now I have another problem :-(

Kevin Thorpe
CTO

www.p-i.net | @PI_150

M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK

_____________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

"SAVE PAPER - THINK BEFORE YOU PRINT!"

On 18 September 2015 at 11:59, Stian Thorgersen wrote:

The * can only be on the end of the valid redirect uri. So you need to specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being a good idea obviously.

On 18 September 2015 at 12:42, Kevin Thorpe wrote:

Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to avoid the invalid parameter: redirect_uri problem.
Website is https://my-client.pibenchmark.com

In nginx:

    location /auth {
        proxy_pass https://auth-service;
    }

    upstream auth-service {
        server my-keycloak:8443;
    }

Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/* i.e. my whole domain. Still getting invalid parameter: redirect_uri though.

What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.

Kevin Thorpe
CTO, PI Limited

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From kevin.thorpe at p-i.net Thu Sep 24 05:13:04 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Thu, 24 Sep 2015 10:13:04 +0100
Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems

I got it working but, as you've seen, only if everyone contacts the Nginx IP. If the back end servers contact Keycloak directly then the validation fails because the token was issued by 'a different server'.

I want to do the same thing as well. I want the front-end of our application to authenticate against the public address, then all the back end servers running in Docker contact the Keycloak docker container directly. The way I have it now I'm generating a lot of traffic between the Docker (actually Rancher) LAN and the external LAN.

I think we need a concept of service aliases so that a token issued by https://my-public-name:443 would still be accepted by http://keycloak:8080 (as long as it was indeed issued by that server under a different alias).

*Kevin Thorpe*
CTO

www.p-i.net | @PI_150
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK

_____________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!"*

On 24 September 2015 at 02:38, Doug Szeto wrote:

> Did you ever get the correct settings?
>
> When I put nginx in front of keycloak, it generates access tokens tied to the nginx server's IP instead of the browser's IP. This is apparent in the admin management pages when you look up the active sessions.
>
> The problem I'm having is there is a resource server that accepts bearer only tokens. It uses a different server, and now fails the token validation check. Remove the nginx servers and things work fine.
>
> Any suggestions?
> --Doug
>
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Kevin Thorpe <kevin.thorpe at p-i.net>
> *Sent:* Friday, September 18, 2015 19:21
> *To:* stian at redhat.com
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
>
> Oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked........ but now I have another problem :-(
>
> *Kevin Thorpe*
> CTO
>
> On 18 September 2015 at 11:59, Stian Thorgersen wrote:
>
>> The * can only be on the end of the valid redirect uri. So you need to specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being a good idea obviously.
>>
>> On 18 September 2015 at 12:42, Kevin Thorpe wrote:
>>
>>> Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to avoid the invalid parameter: redirect_uri problem.
>>>
>>> Website is https://my-client.pibenchmark.com
>>>
>>> In nginx:
>>>
>>>     location /auth {
>>>         proxy_pass https://auth-service;
>>>     }
>>>
>>>     upstream auth-service {
>>>         server my-keycloak:8443;
>>>     }
>>>
>>> Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/* i.e. my whole domain. Still getting invalid parameter: redirect_uri though.
>>>
>>> What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.
>>>
>>> *Kevin Thorpe*
>>> CTO, PI Limited
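Stian's rule above (the `*` is only a wildcard at the very end of a registered pattern) is easy to get wrong, so here is an added Python model of the matching, written for this thread and not taken from Keycloak's source. It assumes a trailing `*` is a plain prefix match and that the query string and fragment are ignored; the pibenchmark.com names come from the thread, the other hosts are constructed.

```python
"""Model of Keycloak's "Valid Redirect URIs" matching (added example).

Not Keycloak's own code. Assumptions of this model: a "*" alone allows any
URI, a trailing "*" is a prefix match on everything before it, any other
pattern must match exactly, and query string and fragment are ignored.
"""
from urllib.parse import urlsplit, urlunsplit


def _strip_query_and_fragment(uri: str) -> str:
    """Compare scheme, host and path only (assumption of this model)."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def matches(registered: str, redirect_uri: str) -> bool:
    """True if redirect_uri is allowed by one registered pattern.

    A "*" that is not the last character is a literal character, so
    "https://*.pibenchmark.com/*" only accepts a host spelled literally
    "*.pibenchmark.com"; that is why the poster saw invalid redirect_uri.
    """
    if registered == "*":
        # Accepts every URI: authorization codes and tokens can then be sent
        # to any site, which is what Stian calls "not a good idea".
        return True
    target = _strip_query_and_fragment(redirect_uri)
    if registered.endswith("*"):
        return target.startswith(registered[:-1])
    return target == registered


def is_valid_redirect(registered_uris, redirect_uri: str) -> bool:
    """Accept the redirect only if at least one registered pattern matches."""
    return any(matches(r, redirect_uri) for r in registered_uris)


def overly_broad(registered_uris):
    """Patterns a reviewer should question when auditing a client.

    Flags the bare "*" and prefix patterns whose prefix stops inside the
    host (no "/" after the authority): "https://app.example.com*" also
    accepts any host that merely begins with "app.example.com".
    """
    flagged = []
    for r in registered_uris:
        if r == "*":
            flagged.append(r)
        elif r.endswith("*"):
            authority_and_path = r[:-1].split("://", 1)[-1]
            if "/" not in authority_and_path:
                flagged.append(r)
    return flagged


# Constructed sample data for the demo.
POSTED_PATTERN = "https://*.pibenchmark.com/*"        # what Kevin configured
FIXED_PATTERN = "https://my-client.pibenchmark.com/*"  # what Stian suggested
CALLBACK = "https://my-client.pibenchmark.com/callback"

if __name__ == "__main__":
    print("posted pattern accepts callback:", is_valid_redirect([POSTED_PATTERN], CALLBACK))
    print("fixed pattern accepts callback:", is_valid_redirect([FIXED_PATTERN], CALLBACK))
    print("broad patterns:", overly_broad(["*", "https://app.example.com*", FIXED_PATTERN]))
```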
From kevin.thorpe at p-i.net Thu Sep 24 05:54:08 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Thu, 24 Sep 2015 10:54:08 +0100
Subject: [keycloak-user] Having a public and a private 'face' to Keycloak

I, and others, are having problems using this in the real world because of the 'identity' of Keycloak.

I'm running Keycloak in a Docker (Rancher) container. Alongside it are my backend containers holding the internal components of the application. On top of the application is an nginx container containing an AngularJS application and proxying Angular's service calls to the backend container.

The problem comes when I sit an external load balancer/SSL layer in front of the application. The user is now contacting the application on its external hostname in our DMZ. Authentication then has to be performed against Keycloak on a DMZ IP/URL. Easy enough to arrange, just use Nginx again as a proxy for Keycloak. This all works for the frontend and the user can log in.

The problem occurs when the backend service containers try and validate the user token. They cannot do this directly to Keycloak inside the Docker ecosystem. All I get in that case is "this token was issued by and you are presenting it to" (can't remember the exact wording).

I can get this to work by getting my backend containers to authenticate against but that is creating traffic out of the docker LAN and back in again, not the most efficient way to do things.

Would this be a good use case for Keycloak aliases? Then I can present a token issued by to and Keycloak will understand that it was actually issued by itself under a different identity. Better still, I could proxy Keycloak within the URL of the front-end application, which would place the whole application (website, service and authentication) under the one hostname.

*Kevin Thorpe*
CTO

From ornot2008 at yahoo.com Thu Sep 24 06:06:48 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Thu, 24 Sep 2015 10:06:48 +0000 (UTC)
Subject: [keycloak-user] Help understanding Bearer-only
Message-ID: <1488460060.270578.1443089208176.JavaMail.yahoo@mail.yahoo.com>

Hi there,

Here is a metaphor for what we are working on. Suppose we are a primary school. We'd like to offer a sports club card to our teachers so they can go to exercise at the weekend. The workflow is simple:

1) We apply for a card from the club.
2) We give the card to the teacher.
3) The teacher takes the card to the club to do whatever.

With Keycloak, we think:

1) The card is the token.
2) We, the school, are the OAuth client.
3) The teacher and the club go with bearer-only.

Based on the understanding above:

1) Through the admin RESTful endpoints, we (the school) create a user account, reset whatever password, set the role for the user, and finally acquire this user's access token. In this step the user is not involved at all.
2) We transfer this access token to the user.
3) The user now visits the club's RESTful endpoints carrying this token.

Unfortunately, we cannot reach the club's resource. The code is 403 Forbidden.

I am not sure whether we have the right idea of the bearer-only model or not, or whether we missed something. Any help will be appreciated.

Mai
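The issuer mismatch in Kevin's 'public and private face' post above, and the two adapter settings Stian's reply names ("auth-server-url" and "auth-server-url-for-backend-requests"), modelled in added Python that is not Keycloak's adapter code. It assumes the adapter expects the token's iss claim to equal "<auth-server-url>/realms/<realm>" and sends its own key and token requests to the backend URL when one is set; the realm "demo", the hostnames and the token below are constructed for the demo.

```python
"""Why a token minted via the public Keycloak URL is rejected by a backend
that knows Keycloak only by its internal URL, and how splitting the two URLs
in the adapter config resolves it (added example, not Keycloak's code).

Assumptions: issuer = "<auth-server-url>/realms/<realm>"; when
"auth-server-url-for-backend-requests" is set, the adapter's own HTTP calls
(certs, token endpoint) use it, otherwise they fall back to auth-server-url.
"""
import base64
import json


def build_deployment(cfg: dict) -> dict:
    """Derive the URLs an adapter needs from keycloak.json-style settings."""
    public = cfg["auth-server-url"].rstrip("/")
    backend = cfg.get("auth-server-url-for-backend-requests", public).rstrip("/")
    realm = cfg["realm"]
    return {
        # Tokens are minted behind the public "face", so iss carries that URL.
        "expected_issuer": f"{public}/realms/{realm}",
        # Key fetches and token-endpoint calls stay on the internal network.
        "certs_url": f"{backend}/realms/{realm}/protocol/openid-connect/certs",
        "token_url": f"{backend}/realms/{realm}/protocol/openid-connect/token",
    }


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuer_of(jwt: str) -> str:
    """Read the iss claim from a JWT's payload segment.

    This only parses; the signature must still be verified with the keys
    fetched from certs_url before any claim is trusted.
    """
    payload = _b64url_decode(jwt.split(".")[1])
    return json.loads(payload)["iss"]


def accepts_token(jwt: str, cfg: dict) -> bool:
    """True if the token's issuer is what this adapter config expects."""
    return issuer_of(jwt) == build_deployment(cfg)["expected_issuer"]


def make_demo_token(iss: str) -> str:
    """Constructed, unsigned demo token (signature segment is a placeholder)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256"}), enc({"iss": iss, "sub": "user1"}), "sig"])


# Constructed values for the demo.
PUBLIC_ISSUER = "https://my-public-name/auth/realms/demo"

# Backend configured only with the internal URL: the issuer check fails.
INTERNAL_ONLY = {"realm": "demo", "auth-server-url": "http://keycloak:8080/auth"}

# Public URL for the issuer, internal URL for the adapter's own HTTP calls.
SPLIT_URLS = {
    "realm": "demo",
    "auth-server-url": "https://my-public-name/auth",
    "auth-server-url-for-backend-requests": "http://keycloak:8080/auth",
}

if __name__ == "__main__":
    token = make_demo_token(PUBLIC_ISSUER)
    print("internal-only config accepts token:", accepts_token(token, INTERNAL_ONLY))
    print("split-url config accepts token:", accepts_token(token, SPLIT_URLS))
    print("keys fetched from:", build_deployment(SPLIT_URLS)["certs_url"])
```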
From sthorger at redhat.com Thu Sep 24 06:18:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 24 Sep 2015 12:18:35 +0200
Subject: [keycloak-user] Having a public and a private 'face' to Keycloak

In your backend services you should use "auth-server-url-for-backend-requests" to specify the internal url of Keycloak, and "auth-server-url" should be set to the external url. For more details take a look at: http://keycloak.github.io/docs/userguide/html/applicationClustering.html#relative-uri-optimization

On 24 September 2015 at 11:54, Kevin Thorpe wrote:

> I, and others, are having problems using this in the real world because of the 'identity' of Keycloak.
>
> I'm running Keycloak in a Docker (Rancher) container. Alongside it are my backend containers holding the internal components of the application. On top of the application is an nginx container containing an AngularJS application and proxying Angular's service calls to the backend container.
>
> The problem comes when I sit an external load balancer/SSL layer in front of the application. The user is now contacting the application on its external hostname in our DMZ. Authentication then has to be performed against Keycloak on a DMZ IP/URL. Easy enough to arrange, just use Nginx again as a proxy for Keycloak. This all works for the frontend and the user can log in.
>
> The problem occurs when the backend service containers try and validate the user token. They cannot do this directly to Keycloak inside the Docker ecosystem. All I get in that case is "this token was issued by and you are presenting it to" (can't remember the exact wording).
>
> I can get this to work by getting my backend containers to authenticate against but that is creating traffic out of the docker LAN and back in again, not the most efficient way to do things.
>
> Would this be a good use case for Keycloak aliases? Then I can present a token issued by to and Keycloak will understand that it was actually issued by itself under a different identity. Better still, I could proxy Keycloak within the URL of the front-end application, which would place the whole application (website, service and authentication) under the one hostname.
>
> *Kevin Thorpe*
> CTO

From srossillo at smartling.com Thu Sep 24 12:25:06 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 24 Sep 2015 12:25:06 -0400
Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
Message-ID: <75AA1728-713C-4A4B-8F11-8F6E1EBA21A9@smartling.com>

Here's a working configuration with NGINX listening on 443 (https) and Keycloak / Wildfly on 8080 (http). Note the proxy_set_header calls.
The rest of the config is just for completeness:

    upstream keycloak {
        server localhost:8080;
    }

    server {
        listen 443;
        server_name localhost;

        ssl on;
        ssl_certificate /etc/pki/tls/certs/server.crt;
        ssl_certificate_key /etc/pki/tls/certs/server.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # cipher list as posted (with the missing ':' before !EXPORT56 restored);
        # RC4, LOW and EXP entries are obsolete on current deployments
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://keycloak;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # these headers let Keycloak see the public host and scheme,
            # so the URLs and issuer it generates match the external face
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Sep 24, 2015, at 5:13 AM, Kevin Thorpe wrote:
>
> I got it working but, as you've seen, only if everyone contacts the Nginx IP. If the back end servers contact Keycloak directly then the validation fails because the token was issued by 'a different server'.
>
> I want to do the same thing as well. I want the front-end of our application to authenticate against the public address, then all the back end servers running in Docker contact the Keycloak docker container directly. The way I have it now I'm generating a lot of traffic between the Docker (actually Rancher) LAN and the external LAN.
>
> I think we need a concept of service aliases so that a token issued by https://my-public-name:443 would still be accepted by http://keycloak:8080 (as long as it was indeed issued by that server under a different alias).
>
> Kevin Thorpe
> CTO
>
> On 24 September 2015 at 02:38, Doug Szeto wrote:
>
> Did you ever get the correct settings?
>
> When I put nginx in front of keycloak, it generates access tokens tied to the nginx server's IP instead of the browser's IP. This is apparent in the admin management pages when you look up the active sessions.
>
> The problem I'm having is there is a resource server that accepts bearer only tokens. It uses a different server, and now fails the token validation check. Remove the nginx servers and things work fine.
>
> Any suggestions?
> --Doug
>
> From: keycloak-user-bounces at lists.jboss.org on behalf of Kevin Thorpe
> Sent: Friday, September 18, 2015 19:21
> To: stian at redhat.com
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
>
> Oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked........ but now I have another problem :-(
>
> Kevin Thorpe
> CTO
>
> On 18 September 2015 at 11:59, Stian Thorgersen wrote:
>
> The * can only be on the end of the valid redirect uri. So you need to specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being a good idea obviously.
>
> On 18 September 2015 at 12:42, Kevin Thorpe wrote:
>
> Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to avoid the invalid parameter: redirect_uri problem.
>
> Website is https://my-client.pibenchmark.com
>
> In nginx:
>
>     location /auth {
>         proxy_pass https://auth-service;
>     }
>
>     upstream auth-service {
>         server my-keycloak:8443;
>     }
>
> Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/* i.e. my whole domain. Still getting invalid parameter: redirect_uri though.
>
> What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.
>
> Kevin Thorpe
> CTO, PI Limited

From cwalker at sumglobal.com Thu Sep 24 13:47:40 2015
From: cwalker at sumglobal.com (Walker, Charles)
Date: Thu, 24 Sep 2015 13:47:40 -0400
Subject: [keycloak-user] Keycloak Demo Application

I see a lot of folks struggling with some of the same things I've encountered. I've been working on a more complete app while testing Keycloak's capabilities. It is currently:

* an ubuntu vagrant vm
* ansible setup
* keycloak 1.5
* separate wildfly 9 server
* openldap server used for user federation
* jee rest application showing both url protection and programmatic ejb authorization
* angularjs web app
* nginx ssl reverse proxy

I'll keep improving it as I go along but I thought I would share and it might help others.

It's at "https://github.com/cwalker67/keycloak_demo"

thanks,
charlie

From bburke at redhat.com Thu Sep 24 14:19:47 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 24 Sep 2015 14:19:47 -0400
Subject: [keycloak-user] Keycloak Demo Application
Message-ID: <56043EC3.8080607@redhat.com>

Any suggestions for making things easier?
(Other than "your documentation sucks!") ;)

On 9/24/2015 1:47 PM, Walker, Charles wrote:

> I see a lot of folks struggling with some of the same things I've encountered. I've been working on a more complete app while testing Keycloak's capabilities. It is currently:
> * an ubuntu vagrant vm
> * ansible setup
> * keycloak 1.5
> * separate wildfly 9 server
> * openldap server used for user federation
> * jee rest application showing both url protection and programmatic ejb authorization
> * angularjs web app
> * nginx ssl reverse proxy
>
> I'll keep improving it as I go along but I thought I would share and it might help others.
>
> It's at "https://github.com/cwalker67/keycloak_demo"
>
> thanks,
> charlie

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From cwalker at sumglobal.com Thu Sep 24 14:58:49 2015
From: cwalker at sumglobal.com (Walker, Charles)
Date: Thu, 24 Sep 2015 14:58:49 -0400
Subject: [keycloak-user] Keycloak Demo Application

It's not that the docs are bad, this is just a complex app with a lot of different touch points. But....

* More details on individual options would be nice though. I scoured the examples and read through a ton of source for answers to different things.
* Updated video tutorials. What's out there is helpful but dated.
* Move away from Liquibase to manage the database schema. It's a nice tool but I haven't run into many DBAs that allow an application to "alter" the database. That meant I just had to go figure out another technology just to tease the SQL out of it.
* Better realm management tools. The current import and export tools work but are crude. Some type of jboss-cli support would be nice (I guess the WildFly folks have spoiled me).

But things get better every single release! Thanks and keep up the good work.

On Thu, Sep 24, 2015 at 2:19 PM, Bill Burke wrote:

> Any suggestions for making things easier? (Other than "your documentation sucks!") ;)
>
> On 9/24/2015 1:47 PM, Walker, Charles wrote:
>> I see a lot of folks struggling with some of the same things I've encountered. I've been working on a more complete app while testing Keycloak's capabilities. It is currently:
>> * an ubuntu vagrant vm
>> * ansible setup
>> * keycloak 1.5
>> * separate wildfly 9 server
>> * openldap server used for user federation
>> * jee rest application showing both url protection and programmatic ejb authorization
>> * angularjs web app
>> * nginx ssl reverse proxy
>>
>> I'll keep improving it as I go along but I thought I would share and it might help others.
>>
>> It's at "https://github.com/cwalker67/keycloak_demo"
>>
>> thanks,
>> charlie

From bburke at redhat.com Thu Sep 24 15:07:27 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 24 Sep 2015 15:07:27 -0400
Subject: [keycloak-user] Keycloak Demo Application
Message-ID: <560449EF.90600@redhat.com>

Don't think we can move away from Liquibase. We're highly dependent on it. The rest though is in the works and is scheduled to happen prior to productization.

On 9/24/2015 2:58 PM, Walker, Charles wrote:

> It's not that the docs are bad, this is just a complex app with a lot of different touch points. But....
> * More details on individual options would be nice though. I scoured the examples and read through a ton of source for answers to different things.
> * Updated video tutorials. What's out there is helpful but dated.
> * Move away from Liquibase to manage the database schema. It's a nice tool but I haven't run into many DBAs that allow an application to "alter" the database. That meant I just had to go figure out another technology just to tease the SQL out of it.
> * Better realm management tools. The current import and export tools work but are crude. Some type of jboss-cli support would be nice (I guess the WildFly folks have spoiled me).
>
> But things get better every single release! Thanks and keep up the good work.
>
> On Thu, Sep 24, 2015 at 2:19 PM, Bill Burke wrote:
>
>> Any suggestions for making things easier? (Other than "your documentation sucks!") ;)
>>
>> On 9/24/2015 1:47 PM, Walker, Charles wrote:
>>> I see a lot of folks struggling with some of the same things I've encountered. I've been working on a more complete app while testing Keycloak's capabilities. It is currently:
>>> * an ubuntu vagrant vm
>>> * ansible setup
>>> * keycloak 1.5
>>> * separate wildfly 9 server
>>> * openldap server used for user federation
>>> * jee rest application showing both url protection and programmatic ejb authorization
>>> * angularjs web app
>>> * nginx ssl reverse proxy
>>>
>>> I'll keep improving it as I go along but I thought I would share and it might help others.
>>>
>>> It's at "https://github.com/cwalker67/keycloak_demo"
>>>
>>> thanks,
>>> charlie

From eduard.matuszak at atos.net Fri Sep 25 01:36:42 2015
From: eduard.matuszak at atos.net (Matuszak, Eduard)
Date: Fri, 25 Sep 2015 05:36:42 +0000
Subject: [keycloak-user] association of application user and keycloak user
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723D23118@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello,

Is there any concept or standard way on how to link/associate users residing in an application's own DB to the users registered in the Keycloak database (residing in Keycloak's USER_ENTITY table), e.g. something like the good old JDBC realm?

Best regards,
Eduard Matuszak

Dr. Eduard Matuszak
Worldline, an atos company
T +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak at atos.net
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
de.worldline.com
worldline.jobs.de
facebook.com/WorldlineKarriere

Worldline GmbH
Managing Director: Wolf Kunisch
Chairman of the Supervisory Board: Christophe Duquenne
Registered office: Frankfurt/Main
Commercial register: Frankfurt/Main HRB 40 417

* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged.
If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted.
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *

From harshmahey at msn.com Fri Sep 25 02:34:08 2015
From: harshmahey at msn.com (H Mahey)
Date: Fri, 25 Sep 2015 00:34:08 -0600
Subject: [keycloak-user] Can not create using API

Hi all,

I am trying to create a user in Keycloak via the API and getting 401. Can you please help in finding what I am doing wrong.

Thanks
Harsh

[Attachment scrubbed from the archive: KeyCloakAdminAdapter.java, http://lists.jboss.org/pipermail/keycloak-user/attachments/20150925/93f77b20/attachment.asc]

From anunay.sinha at arvindinternet.com Fri Sep 25 03:59:04 2015
From: anunay.sinha at arvindinternet.com (Anunay Sinha)
Date: Fri, 25 Sep 2015 13:29:04 +0530
Subject: [keycloak-user] "Invalid_grant" error when trying to login with the user created from Rest API

Hi

I am using Keycloak 1.4. When I am trying to create a new user using the REST API, I am getting 201. The user shows under the list of users on the Keycloak admin panel as well as when I query it from the API.

I have reset the password of the user using the following call:

    http://127.0.0.1:8080/auth/admin/realms/TAHITI/users/29e18054-2fc6-41fc-a492-01f117444f05/reset-password
    {"type":"password","value":"asdf123","temporary":false}

I am getting 204 for this request. When I am trying to login with this user, I am getting the error:

    Status Code 401
    {
      "error_description": "Invalid user credentials",
      "error": "invalid_grant"
    }

If however I go and edit my user from the admin console, it starts working. Can you help me with this issue?

--
- Anunay

From anunay.sinha at arvindinternet.com Fri Sep 25 04:20:12 2015
From: anunay.sinha at arvindinternet.com (Anunay Sinha)
Date: Fri, 25 Sep 2015 13:50:12 +0530
Subject: [keycloak-user] "Invalid_grant" error when trying to login with the user created from Rest API

Please ignore this. My code had a flaw. There was a space that sneaked in just before the username and that was causing the error.

Thanks

On Fri, Sep 25, 2015 at 1:29 PM, Anunay Sinha <anunay.sinha at arvindinternet.com> wrote:

> Hi
> I am using Keycloak 1.4. When I am trying to create a new user using the REST API, I am getting 201. The user shows under the list of users on the Keycloak admin panel as well as when I query it from the API.
>
> I have reset the password of the user using the following call:
>
>     http://127.0.0.1:8080/auth/admin/realms/TAHITI/users/29e18054-2fc6-41fc-a492-01f117444f05/reset-password
>     {"type":"password","value":"asdf123","temporary":false}
>
> I am getting 204 for this request. When I am trying to login with this user, I am getting the error:
>     Status Code 401
>     {
>       "error_description": "Invalid user credentials",
>       "error": "invalid_grant"
>     }
>
> If however I go and edit my user from the admin console, it starts working. Can you help me with this issue?
>
> --
> - Anunay

--
- Anunay

From anunay.sinha at arvindinternet.com Fri Sep 25 07:44:20 2015
From: anunay.sinha at arvindinternet.com (Anunay Sinha)
Date: Fri, 25 Sep 2015 17:14:20 +0530
Subject: [keycloak-user] Performance numbers for Keycloak

Hi

I am interested in some performance numbers for Keycloak. I am setting it up to test locally and just wondering if someone has done this already.

I would like to know how well it will scale up, how many requests it can handle and if it becomes the bottleneck for our application.

Thanks

--
- Anunay
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150925/60da5ee7/attachment.html From sthorger at redhat.com Fri Sep 25 07:48:16 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 25 Sep 2015 13:48:16 +0200 Subject: [keycloak-user] Performance numbers for Keycloak In-Reply-To: References: Message-ID: Problem is that's very subjective. Depends on how many logins there are, how many request per-login, what your token time outs are set to, etc, etc. Keycloak should scale fairly well as we use a distributed Infinispan cache for sessions, which is what has the most effect on performance, as well as we heavily cache things like realm config and users. On 25 September 2015 at 13:44, Anunay Sinha wrote: > Hi > I am interested in some performance numbers for keycloak > I am setting it up to test locally and just wondering is some has done > this already. > > I would like to know how well it will scale up > How many request it can handle and if it becomes the bottle neck for our > application. > > Thnaks > > -- > - Anunay > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150925/9f688b8f/attachment-0001.html From jorsol at gmail.com Fri Sep 25 15:49:19 2015 From: jorsol at gmail.com (=?UTF-8?Q?Jorge_Sol=C3=B3rzano?=) Date: Fri, 25 Sep 2015 13:49:19 -0600 Subject: [keycloak-user] Commercial/Enterprise/Stable support Message-ID: Hi Keycloak community... Keycloak looks as a really promising project, but what it worry me, is that as a community project, it takes a ultra-fast development cycle. 
From a commercial standpoint, it feels that it never finishes stabilizing: if, for example, I deploy version 1.5 in production and find a bug, it will not be fixed until 1.6 is released, probably with more new features and changes in the database schema which can introduce more bugs... How can an environment that needs a slower but stable approach be handled? Will there be a "JBoss Keycloak EAP"? What are the chances that the project is discontinued (somewhat like Picketlink)? Is this project appropriate for "Enterprise" use? cheers, Jorge Solórzano http://www.jorsol.com From christian_hebert at hotmail.com Fri Sep 25 16:40:16 2015 From: christian_hebert at hotmail.com (Christian Hebert) Date: Fri, 25 Sep 2015 16:40:16 -0400 Subject: [keycloak-user] Commercial/Enterprise/Stable support In-Reply-To: References: Message-ID: Hi! I would also like to hear from you guys on that question. We are currently in the process of redesigning the infrastructure supporting our web applications (coming from Glassfish + OpenAM) since Oracle announced that Glassfish would no longer be commercially supported. JBoss EAP + Keycloak is our best solution so far but we are also a bit worried about the stability / maturity of Keycloak. About Keycloak vs Picketlink, I thought that Keycloak was built on PicketLink like an "out-of-box" production ready product. Am I mistaken? Thanks! > From: jorsol at gmail.com > Date: Fri, 25 Sep 2015 13:49:19 -0600 > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Commercial/Enterprise/Stable support > > Hi Keycloak community... > > Keycloak looks like a really promising project, but what worries me is > that, as a community project, it has an ultra-fast development cycle.
> From a commercial standpoint, it feels that it never finishes > stabilizing: if, for example, I deploy version 1.5 in production > and find a bug, it will not be fixed until 1.6 is released, probably with > more new features and changes in the database schema which can introduce > more bugs... > > How can an environment that needs a slower but stable > approach be handled? Will there be a "JBoss Keycloak EAP"? What are the > chances that the project is discontinued (somewhat like Picketlink)? > Is this project appropriate for "Enterprise" use? > > cheers, > > > Jorge Solórzano > http://www.jorsol.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150925/a60d908f/attachment.html From bburke at redhat.com Fri Sep 25 18:01:59 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 25 Sep 2015 18:01:59 -0400 Subject: [keycloak-user] Commercial/Enterprise/Stable support In-Reply-To: References: Message-ID: <5605C457.6030205@redhat.com> The Keycloak project started in June 2013 and has over 3000+ downloads per month. Keycloak's SAML support was derived from Picketlink, but this PL code was forked and refactored. Feature development will start to slow down later this year and we'll start focusing on productization. Commercial support will be available sometime in 2016 shortly after EAP 7 is released. I can't give you any exact dates. I believe PL will still be included and supported in EAP 7, but it will be the same version that is in EAP 6 and it will be deprecated. Don't quote me on that though. On 9/25/2015 4:40 PM, Christian Hebert wrote: > Hi! > > I would also like to hear from you guys on that question.
We are currently in > the process of redesigning the infrastructure supporting our web > applications (coming from Glassfish + OpenAM) since Oracle announced > that Glassfish would no longer be commercially supported. > > JBoss EAP + Keycloak is our best solution so far but we are also a bit > worried about the stability / maturity of Keycloak. > > About Keycloak vs Picketlink, I thought that Keycloak was built on > PicketLink like an "out-of-box" production ready product. Am I mistaken? > > Thanks! > > > From: jorsol at gmail.com > > Date: Fri, 25 Sep 2015 13:49:19 -0600 > > To: keycloak-user at lists.jboss.org > > Subject: [keycloak-user] Commercial/Enterprise/Stable support > > > > Hi Keycloak community... > > > > Keycloak looks like a really promising project, but what worries me is > > that, as a community project, it has an ultra-fast development cycle. > > From a commercial standpoint, it feels that it never finishes > > stabilizing: if, for example, I deploy version 1.5 in production > > and find a bug, it will not be fixed until 1.6 is released, probably with > > more new features and changes in the database schema which can introduce > > more bugs... > > > > How can an environment that needs a slower but stable > > approach be handled? Will there be a "JBoss Keycloak EAP"? What are the > > chances that the project is discontinued (somewhat like Picketlink)? > > Is this project appropriate for "Enterprise" use?
> > > > cheers, > > > > > > Jorge Solórzano > > http://www.jorsol.com > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From hr.stoyanov at peruncs.com Fri Sep 25 18:10:57 2015 From: hr.stoyanov at peruncs.com (Hristo Stoyanov) Date: Fri, 25 Sep 2015 15:10:57 -0700 Subject: [keycloak-user] UT010039: Unknown authentication mechanism KEYCLOAK Message-ID: Hi all I am getting the below message with KeyCloak 1.5.0/WF9.0.1 overlay installation. My configuration file looks exactly the same as the stock one, e.g.: ... ... ... ... auth The module jars are properly put in the WF folders My web.xml also seems right too: ========================================= index.jsp 404 / ErraiLoginRedirectFilter redirectLocation /index_draft.jsp javax.ws.rs.core.Application /rest/* ErraiUserCookieFilter /index_draft.jsp ErraiLoginRedirectFilter /app-login Login /app-login * KEYCLOAK whatever user admin I can access the KC admin console and configure realms/users/roles no problem in the WF 9.0.1 server, np. I am out of ideas of what could be causing it. Any hints?
Thanks ========================================================================================================== 11:47:54,444 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./draft: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:224) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) ...
8 more 11:47:54,471 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "draft.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}} 11:47:54,478 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "draft.war" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}} 11:47:54,488 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 79) WFLYJPA0011: Stopping Persistence Unit (phase 2 of 2) Service 'draft.war#s4g' /Hristo Stoyanov -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150925/49447dad/attachment.html From jorsol at gmail.com Fri Sep 25 18:20:30 2015 From: jorsol at gmail.com (Jorge Solórzano) Date: Fri, 25 Sep 2015 16:20:30 -0600 Subject: [keycloak-user] Commercial/Enterprise/Stable support In-Reply-To: <5605C457.6030205@redhat.com> References: <5605C457.6030205@redhat.com> Message-ID: Thank you for your comment Bill, now I'm confident in learning how this project fits my company's needs... Jorge Solórzano http://www.jorsol.com On Fri, Sep 25, 2015 at 4:01 PM, Bill Burke wrote: > The Keycloak project started in June 2013 and has over 3000+ downloads > per month. Keycloak's SAML support was derived from Picketlink, but > this PL code was forked and refactored. Feature development will start > to slow down later this year and we'll start focusing on productization. > > Commercial support will be available sometime in 2016 shortly after EAP > 7 is released. I can't give you any exact dates. > > I believe PL will still be included and supported in EAP 7, but it will > be the same version that is in EAP 6 and it will be deprecated. Don't > quote me on that though. > > On 9/25/2015 4:40 PM, Christian Hebert wrote: >> Hi! >> >> I would also like to hear from you guys on that question. We are currently in >> the process of redesigning the infrastructure supporting our web >> applications (coming from Glassfish + OpenAM) since Oracle announced >> that Glassfish would no longer be commercially supported. >> >> JBoss EAP + Keycloak is our best solution so far but we are also a bit >> worried about the stability / maturity of Keycloak. >> >> About Keycloak vs Picketlink, I thought that Keycloak was built on >> PicketLink like an "out-of-box" production ready product. Am I mistaken? >> >> Thanks!
>> >> > From: jorsol at gmail.com >> > Date: Fri, 25 Sep 2015 13:49:19 -0600 >> > To: keycloak-user at lists.jboss.org >> > Subject: [keycloak-user] Commercial/Enterprise/Stable support >> > >> > Hi Keycloak community... >> > >> > Keycloak looks like a really promising project, but what worries me is >> > that, as a community project, it has an ultra-fast development cycle. >> > From a commercial standpoint, it feels that it never finishes >> > stabilizing: if, for example, I deploy version 1.5 in production >> > and find a bug, it will not be fixed until 1.6 is released, probably with >> > more new features and changes in the database schema which can introduce >> > more bugs... >> > >> > How can an environment that needs a slower but stable >> > approach be handled? Will there be a "JBoss Keycloak EAP"? What are the >> > chances that the project is discontinued (somewhat like Picketlink)? >> > Is this project appropriate for "Enterprise" use? >> > >> > cheers, >> > >> > >> > Jorge Solórzano >> > http://www.jorsol.com >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From hr.stoyanov at peruncs.com Sat Sep 26 02:57:51 2015 From: hr.stoyanov at peruncs.com (Hristo Stoyanov) Date: Fri, 25 Sep 2015 23:57:51 -0700 Subject: [keycloak-user] UT010039: Unknown authentication mechanism KEYCLOAK Message-ID: Hi all I am getting the below message with KeyCloak 1.5.0/WF9.0.1 overlay installation.
My configuration file looks exactly the same as the stock one, e.g.: ... ... ... ... auth The module jars are properly put in the WF folders My web.xml also seems right too: ========================================= index.jsp 404 / ErraiLoginRedirectFilter redirectLocation /index_draft.jsp javax.ws.rs.core.Application /rest/* ErraiUserCookieFilter /index_draft.jsp ErraiLoginRedirectFilter /app-login Login /app-login * KEYCLOAK whatever user admin I can access the KC admin console and configure realms/users/roles no problem in the WF 9.0.1 server. I am out of ideas of what could be causing it. Any hints? Thanks ============================= 11:47:54,444 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./draft: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:224) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) ...
6 more Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:326) at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:200) ... 8 more 11:47:54,471 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "draft.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}} 11:47:54,478 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "draft.war" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}} 11:47:54,488 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 79) WFLYJPA0011: Stopping Persistence Unit (phase 2 of 2) Service 'draft.war#s4g' -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150925/784f0b69/attachment.html From tdudgeon.ml at gmail.com Sat Sep 26 05:04:20 2015 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Sat, 26 Sep 2015 10:04:20 +0100 Subject: [keycloak-user] ports confusion Message-ID: <56065F94.5040005@gmail.com> I'm having problems getting keycloak running on AWS using the docker files on docker hub. I'm using this docker compose configuration:

postgres:
  image: postgres
  ports:
    - "5432:5432"
  environment:
    - POSTGRES_DATABASE=keycloak
    - POSTGRES_USER=keycloak
    - POSTGRES_PASSWORD=keycloak

keycloak:
  image: jboss/keycloak-postgres
  ports:
    - "8080:8080"
  links:
    - postgres:postgres
  environment:
    - POSTGRES_DATABASE=keycloak
    - POSTGRES_USER=keycloak
    - POSTGRES_PASSWORD=keycloak

This works fine when I'm running on a local machine, but when I run on AWS I can get a response from the default http://:8080/ address but when I try to connect to the Admin console it gives an error saying HTTPS is required. Probably some required port is not open but I'm not sure what. What is strange is that the dockerfile for the base keycloak image (https://hub.docker.com/r/jboss/keycloak/~/dockerfile/) shows that only port 8080 is exposed, not any ports for SSL. Any suggestions for what's going on here? Tim From vvessia at katamail.com Sat Sep 26 22:32:57 2015 From: vvessia at katamail.com (Vito Vessia) Date: Sun, 27 Sep 2015 04:32:57 +0200 Subject: [keycloak-user] Multi-tenant REST api Message-ID: Hi all, I have to create some multi-tenant REST APIs secured by keycloak, following the multi-tenant example provided by the keycloak documentation. So, in the same way the example shows, I have some REST API like: /rest/api1/name/{id} and I would like to make these APIs multi-tenant using URLs like this one: /tenant1/rest/api1/name/{id} or /tenant2/rest/api1/name/{id} I am using Jersey as the JAX-RS implementation and the AS is Wildfly 9.
My KeycloakConfigResolver derived implementation seems to work well, because it receives the requests from KC and returns the correct KeycloakDeployment instance, but the REST service is never called. If I temporarily disable the resolver and define a fixed realm, everything is OK calling the URL without the tenant name part. Please, do you have some idea? Where can I get a complete example? --Vito -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150927/df7749f6/attachment.html From giovanni.baruzzi at syntlogo.de Mon Sep 28 03:49:32 2015 From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi) Date: Mon, 28 Sep 2015 09:49:32 +0200 Subject: [keycloak-user] Use Case and Roadmap Message-ID: Dear KeyCloak team, In the last days I worked intensively with KeyCloak, trying to check if it fits as a solution in a current project, and I suddenly became aware of the big potential still hidden in the software. The problem is that these capabilities can be understood only after hours of experimenting, and only then was I able to appreciate the vision behind it. There is not much trace of the vision in the documentation, which is not bad, but it does not tell you why some features are there and how to better make use of them. So, a kind request: can you publish some document telling why you decided to implement a feature? These contributions don't need to be extensive; they just give us a glimpse of the gold buried in the project. A roadmap or a list of features under evaluation could be very useful too. Thank you, Giovanni -------------- next part -------------- An HTML attachment was scrubbed...
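Tim's "ports confusion" message above reports the admin console refusing with an HTTPS-required error on AWS while the same docker-compose setup works on a laptop. The added example below is not code from the thread or from Keycloak; it models the realm's Require SSL setting, whose three values are none, external (the default) and all. In external mode the server exempts only client addresses it considers internal (loopback and the RFC 1918 site-local ranges), so a browser reaching an AWS instance from the public Internet is refused over plain http, while 127.0.0.1 or a Docker bridge address such as 172.17.0.1 is not, which is why nothing about open ports changes the outcome. The "HTTPS required" string is the example's own return value, and the sample addresses in the main block are constructed.

```python
import ipaddress

# Ranges treated as "internal" by the default Require SSL = external mode: the
# RFC 1918 site-local networks (plus IPv6 site-local, which is what Java's
# InetAddress.isSiteLocalAddress() matches). Loopback and unspecified addresses are
# handled separately below. Added example modelling the behaviour, not Keycloak's code.
SITE_LOCAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fec0::/10"),
]


def is_internal_address(remote):
    """True for 'localhost', loopback, unspecified and site-local client addresses."""
    if remote == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return False            # a host name or garbage is treated as external
    if addr.is_loopback or addr.is_unspecified:
        return True
    return any(addr in net for net in SITE_LOCAL)


def https_required(ssl_required, remote):
    """ssl_required is the realm setting: 'none', 'external' (default) or 'all'."""
    mode = ssl_required.lower()
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "external":
        return not is_internal_address(remote)
    raise ValueError(f"unknown sslRequired mode {ssl_required!r}")


def check_request(ssl_required, remote, scheme):
    """None when the request is acceptable, otherwise the reason it is refused."""
    if https_required(ssl_required, remote) and scheme.lower() != "https":
        return "HTTPS required"
    return None


if __name__ == "__main__":
    # Constructed client addresses: a laptop on the LAN, the Docker bridge gateway,
    # and a browser reaching an AWS instance from the public Internet.
    for remote in ("192.168.1.20", "172.17.0.1", "203.0.113.7"):
        print(remote, check_request("external", remote, "http"))
```

Two caveats for the AWS case: the address the check runs on is the one the server sees, so behind a load balancer that is the balancer's own (internal) address unless forwarded-header handling is enabled on the HTTP listener, and the right fix for an Internet-facing host is to terminate TLS in front of or on the server, not to switch Require SSL to none.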
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150928/f998881b/attachment-0001.html From mstrukel at redhat.com Mon Sep 28 10:04:28 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 28 Sep 2015 16:04:28 +0200 Subject: [keycloak-user] UT010039: Unknown authentication mechanism KEYCLOAK In-Reply-To: References: Message-ID: The Keycloak server overlay installation only contains Keycloak server support, and the accompanying keycloak-standalone.xml only contains server configuration. What you need to secure your web app in the same container is the Keycloak adapter download for WF9 to get the necessary adapter modules (that's the 'client' part that talks to the server). Then you also need to add: and to standalone.xml On Sep 26, 2015 8:58 AM, "Hristo Stoyanov" wrote: > Hi all > I am getting the below message with KeyCloak 1.5.0/WF9.0.1 overlay > installation. My configuration file looks exactly the same as the stock > one, e.g.: > > > ... > > ... > > ... > > > ... > > auth > > > > The module jars are properly put in the WF folders > > My web.xml also seems right too: > ========================================= > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee > http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" > version="3.1"> > > > > index.jsp > > > > > 404 > / > > > > > > ErraiLoginRedirectFilter > > redirectLocation > /index_draft.jsp > > > > > > javax.ws.rs.core.Application > /rest/* > > > > ErraiUserCookieFilter > /index_draft.jsp > > > > ErraiLoginRedirectFilter > /app-login > > > > > Login > /app-login > > > * > > > > > KEYCLOAK > whatever > > > > user > > > > admin > > > > > I can access the KC admin console and configure realms/users/roles no > problem in the WF 9.0.1 server. I am out of ideas of what could be > causing it. Any hints?
Thanks > > ============================= > 11:47:54,444 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool > -- 78) MSC000001: Failed to start service > jboss.undertow.deployment.default-server.default-host./draft: org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./draft: > java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism > KEYCLOAK > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > at java.util.concurrent.Executors$RunnableAdapter.call(Unknown > Source) > at java.util.concurrent.FutureTask.run(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > Source) > at java.lang.Thread.run(Unknown Source) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: java.lang.RuntimeException: java.lang.RuntimeException: > UT010039: Unknown authentication mechanism KEYCLOAK > at > io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:224) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: java.lang.RuntimeException: UT010039: Unknown authentication > mechanism KEYCLOAK > at > io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:326) > at > io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:200) > ...
8 more > > 11:47:54,471 ERROR [org.jboss.as.controller.management-operation] > (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - > address: ([("deployment" => "draft.war")]) - failure description: {"WFLYCTL0080: Failed > services" => > {"jboss.undertow.deployment.default-server.default-host./draft" => > "org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./draft: > java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK > Caused by: java.lang.RuntimeException: java.lang.RuntimeException: > UT010039: Unknown authentication mechanism KEYCLOAK > Caused by: java.lang.RuntimeException: UT010039: Unknown > authentication mechanism KEYCLOAK"}} > 11:47:54,478 ERROR [org.jboss.as.server] (management-handler-thread - 2) > WFLYSRV0021: Deploy of deployment "draft.war" was rolled back with the > following failure message: > {"WFLYCTL0080: Failed services" => > {"jboss.undertow.deployment.default-server.default-host./draft" => > "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: > java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown > authentication mechanism KEYCLOAK > > Caused by: java.lang.RuntimeException: java.lang.RuntimeException: > UT010039: Unknown authentication mechanism KEYCLOAK > Caused by: java.lang.RuntimeException: UT010039: Unknown > authentication mechanism KEYCLOAK"}} > 11:47:54,488 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 79) > WFLYJPA0011: Stopping Persistence Unit (phase 2 of 2) Service > 'draft.war#s4g' > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed...
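The two standalone.xml additions Marko's reply refers to (the XML itself did not survive in the archive) are an extension entry that loads the adapter's subsystem module and an empty keycloak subsystem element inside the profile; without the module from the adapter download the extension cannot load, and without the subsystem Undertow has nothing that registers the KEYCLOAK auth-method, which is the UT010039 failure above. The added example below is not from the thread or from the Keycloak project: it checks a standalone.xml for both elements and adds whichever is missing. The module name org.keycloak.keycloak-wildfly-subsystem, the subsystem namespace urn:jboss:domain:keycloak:1.1 and the WildFly 9 root namespace urn:jboss:domain:3.0 are the values the 1.5 WildFly adapter used at the time and are stated here as assumptions to confirm against the adapter you downloaded; the sample standalone.xml is a constructed minimal file.

```python
import xml.etree.ElementTree as ET

# Names used by the Keycloak 1.5 adapter for WildFly 9 (assumption: check them against
# the adapter distribution you installed; the AS7/EAP6 adapter uses a different module).
DOMAIN_NS = "urn:jboss:domain:3.0"                     # WildFly 9 standalone.xml schema
KC_EXTENSION_MODULE = "org.keycloak.keycloak-wildfly-subsystem"
KC_SUBSYSTEM_NS = "urn:jboss:domain:keycloak:1.1"

# Constructed, minimal stand-in for a real standalone.xml (only the parts we touch).
SAMPLE_STANDALONE_XML = """<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:3.0">
  <extensions>
    <extension module="org.wildfly.extension.undertow"/>
  </extensions>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:2.0"/>
  </profile>
</server>
"""


def _q(ns, tag):
    """Clark notation {ns}tag, which is how ElementTree names namespaced elements."""
    return f"{{{ns}}}{tag}"


def has_keycloak_adapter(xml_text):
    """True only when both the extension and the subsystem element are declared."""
    root = ET.fromstring(xml_text)
    extensions = root.find(_q(DOMAIN_NS, "extensions"))
    profile = root.find(_q(DOMAIN_NS, "profile"))
    has_extension = extensions is not None and any(
        e.get("module") == KC_EXTENSION_MODULE
        for e in extensions.findall(_q(DOMAIN_NS, "extension")))
    has_subsystem = (profile is not None
                     and profile.find(_q(KC_SUBSYSTEM_NS, "subsystem")) is not None)
    return has_extension and has_subsystem


def ensure_keycloak_adapter(xml_text):
    """Return (xml_text, changed), adding whichever of the two elements is missing.
    Idempotent: running it on its own output changes nothing."""
    ET.register_namespace("", DOMAIN_NS)       # keep the server element's default namespace
    ET.register_namespace("kc", KC_SUBSYSTEM_NS)
    root = ET.fromstring(xml_text)
    extensions = root.find(_q(DOMAIN_NS, "extensions"))
    profile = root.find(_q(DOMAIN_NS, "profile"))
    if extensions is None or profile is None:
        raise ValueError("no <extensions>/<profile> under the server element; wrong file?")

    changed = False
    if not any(e.get("module") == KC_EXTENSION_MODULE for e in extensions):
        ET.SubElement(extensions, _q(DOMAIN_NS, "extension"), module=KC_EXTENSION_MODULE)
        changed = True
    if profile.find(_q(KC_SUBSYSTEM_NS, "subsystem")) is None:
        ET.SubElement(profile, _q(KC_SUBSYSTEM_NS, "subsystem"))
        changed = True
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    out, changed = ensure_keycloak_adapter(SAMPLE_STANDALONE_XML)
    print(changed, has_keycloak_adapter(out))
    print(out)
```

ElementTree re-serialises the file with namespace prefixes of its own choosing (the keycloak subsystem comes out as kc:subsystem); WildFly's parser dispatches on the namespace URI, not the prefix, but if you would rather keep the file byte-for-byte as shipped, use has_keycloak_adapter as the check and paste the two elements by hand. Back the file up first, and verify that the adapter's modules are actually present under the modules directory, since the extension entry alone makes the server fail to boot when the module is missing.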
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150928/a64ee657/attachment.html From bshaw at mainstream-engr.com Mon Sep 28 16:07:14 2015 From: bshaw at mainstream-engr.com (Bruce Shaw) Date: Mon, 28 Sep 2015 20:07:14 +0000 Subject: [keycloak-user] OpenID Connect discovery with Play Framework Message-ID: <74A4CC15-8679-4F48-AF96-AC80E01C11EA@mainstream-engr.com> Hello, I'm evaluating Keycloak as an identity provider for a few Play Framework projects using pac4j-play as the OpenID Connect client. There isn't an adapter for Play so I thought I could leverage the discovery endpoint with my client to authenticate. I wasn't able to find any details on this in the documentation but after a little bit of digging I found the "well-known" URI that I configured with our client to authenticate successfully with our Keycloak instance. So because I couldn't find much on this I was curious if this approach for authentication is recommended or supported. Also, what is the difference in action between logging out with the "end_session_endpoint" provided by the discovery metadata versus the logout URL in the documentation: "http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri" ? thanks, Bruce ***NOTICE*** This e-mail and/or the attached documents may contain technical data within the definition of the International Traffic in Arms Regulations and/or Export Administration Regulations, and are subject to the export control laws of the U.S. Government. Transfer of this data by any means to a foreign person, whether in the United States or abroad, without an export license or other approval from the U.S. Department of State or Commerce, as applicable, is prohibited. No portion of this e-mail and/or correspondence its attachment(s) may be reproduced without written consent of Mainstream Engineering Corporation.
Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This electronic message (including any attachments) contains information that is privileged, confidential, and proprietary. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this electronic message in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Although Mainstream Engineering Corporation has taken reasonable precautions to ensure no viruses are present in this email, Mainstream accepts no responsibility for any loss or damage arising from the use of this email or attachments. From bburke at redhat.com Mon Sep 28 16:10:50 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 28 Sep 2015 16:10:50 -0400 Subject: [keycloak-user] OpenID Connect discovery with Play Framework In-Reply-To: <74A4CC15-8679-4F48-AF96-AC80E01C11EA@mainstream-engr.com> References: <74A4CC15-8679-4F48-AF96-AC80E01C11EA@mainstream-engr.com> Message-ID: <56099ECA.7080807@redhat.com> We still need to make sure we're following the standard. I think Stian is working on that. Also, you need to make sure you're using SSL/HTTPS and that your client has a truststore set up for the .well-known endpoint. Otherwise, you can't be guaranteed that the information you are getting (keys, endpoints, etc.) is valid. On 9/28/2015 4:07 PM, Bruce Shaw wrote: > Hello, > > I'm evaluating Keycloak as an identity provider for a few Play Framework projects using pac4j-play as the OpenID Connect client. > > There isn't an adapter for Play so I thought I could leverage the discovery endpoint with my client to authenticate.
I wasn't able to find any details on this in the documentation but after a little bit of digging I found the "well-known" URI that I configured with our client to authenticate successfully with our Keycloak instance. > > So because I couldn't find much on this I was curious if this approach for authentication is recommended or supported. Also, what is the difference in action between logging out with the "end_session_endpoint" provided by the discovery metadata versus the logout URL in the documentation: "http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri" ? > > thanks, > Bruce > > ***NOTICE*** This e-mail and/or the attached documents may contain technical data within the definition of the International Traffic in Arms Regulations and/or Export Administration Regulations, and are subject to the export control laws of the U.S. Government. Transfer of this data by any means to a foreign person, whether in the United States or abroad, without an export license or other approval from the U.S. Department of State or Commerce, as applicable, is prohibited. No portion of this e-mail and/or correspondence its attachment(s) may be reproduced without written consent of Mainstream Engineering Corporation. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. > This electronic message (including any attachments) contains information that is privileged, confidential, and proprietary. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this electronic message in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Although Mainstream Engineering Corporation has taken reasonable precautions to ensure no viruses are present in this email, Mainstream accepts no responsibility for any loss or damage arising from the use of this email or attachments. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From getbhanu30 at gmail.com Mon Sep 28 17:27:55 2015 From: getbhanu30 at gmail.com (Bhanu Kiran) Date: Mon, 28 Sep 2015 16:27:55 -0500 Subject: [keycloak-user] FIPS compliant Message-ID: Team, Please let us know if Keycloak is FIPS compliant or how we can implement FIPS in keycloak ? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150928/9efecc7b/attachment.html From sthorger at redhat.com Tue Sep 29 03:08:29 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 29 Sep 2015 09:08:29 +0200 Subject: [keycloak-user] ports confusion In-Reply-To: <56065F94.5040005@gmail.com> References: <56065F94.5040005@gmail.com> Message-ID: Are you using https:// when accessing the server? That's what it's complaining about. By default https is required for non internal ip addresses On 26 September 2015 at 11:04, Tim Dudgeon wrote: > I'm having problems getting keycloak running on AWS using the docker > files on docker hub.
> I'm using this docker compose configuration: > > postgres: > image: postgres > ports: > - "5432:5432" > environment: > - POSTGRES_DATABASE=keycloak > - POSTGRES_USER=keycloak > - POSTGRES_PASSWORD=keycloak > > keycloak: > image: jboss/keycloak-postgres > ports: > - "8080:8080" > links: > - postgres:postgres > environment: > - POSTGRES_DATABASE=keycloak > - POSTGRES_USER=keycloak > - POSTGRES_PASSWORD=keycloak > > This works fine when I'm running on a local machine, but when I run on > AWS I can get a response from the default http://:8080/ address > but when I try to connect to the Admin console it give error saying > HTTPS is required. > Probably some required port is not open but I'm not sure what. > What is strange is that the dockerfile for the base keycloak image > (https://hub.docker.com/r/jboss/keycloak/~/dockerfile/) shows that only > port 8080 is exposed, not any ports for SSL. > > Any suggestions for what's going on here? > > Tim > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150929/875a8b2f/attachment.html From kalinga at leapset.com Tue Sep 29 09:45:33 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Tue, 29 Sep 2015 19:15:33 +0530 (IST) Subject: [keycloak-user] Implementing central logout Message-ID: <1443534333.637225003@apps.rackspace.com> My scenario is this; I have two clients configured on keycloak and I have two client applications relying on keycloak for SSO and user management. Both of my client applications are using the tomcat adapter. Currently if the user signs out from the first client the second client is not notified.
I need this to be fixed, so that when a user signs out from one client, the other client is notified, so the latter can forcefully log out the user. How can I handle this on keycloak? I tried the Admin Url configuration given on the docs http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html#admin-url-configuration but I did not see a way forward. My current version of keycloak is 1.2.0. But I can upgrade to 1.5.0 if it's required. Regards, Kalinga -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150929/f65f92cf/attachment.html From bmcwhirt at redhat.com Tue Sep 29 09:55:47 2015 From: bmcwhirt at redhat.com (Bob McWhirter) Date: Tue, 29 Sep 2015 09:55:47 -0400 Subject: [keycloak-user] Implementing central logout In-Reply-To: <1443534333.637225003@apps.rackspace.com> References: <1443534333.637225003@apps.rackspace.com> Message-ID: All registered admin URLs should be notified, if I recall. Does each client have an admin URL configured in the Keycloak console? On Tue, Sep 29, 2015 at 9:45 AM, Kalinga Dissanayake wrote: > My scenario is this; > > I have two clients configured on keycloak and I have two client > applications relying on keycloak for SSO and user management. > > Both of my client applications are using the tomcat adapter. > > > > Currently if the user signs out from the first client the second client is > not notified. I need this to be fixed, so that when a user signs out from > one client, the other client is notified, so the latter can forcefully > log out the user. How can I handle this on keycloak? > > > > I tried the Admin Url configuration given on the docs > > > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html#admin-url-configuration > > but I did not see a way forward.
> > > > My current version of keycloak is 1.2.0. But I can upgrade to 1.5.0 if it's > required. > > > > Regards, > > Kalinga > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150929/b799e7a1/attachment-0001.html From kalinga at leapset.com Tue Sep 29 12:20:18 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Tue, 29 Sep 2015 21:50:18 +0530 (IST) Subject: [keycloak-user] Implementing central logout In-Reply-To: References: <1443534333.637225003@apps.rackspace.com> Message-ID: <1443543618.418112794@apps.rackspace.com> Yes. Is that all I should do? I have done that but I receive no notification. Regards, Kalinga -----Original Message----- From: "Bob McWhirter" Sent: Tuesday, September 29, 2015 7:25pm To: "Kalinga Dissanayake" Cc: "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] Implementing central logout All registered admin URLs should be notified, if I recall. Does each client have an admin URL configured in the Keycloak console? On Tue, Sep 29, 2015 at 9:45 AM, Kalinga Dissanayake <kalinga at leapset.com> wrote: My scenario is this; I have two clients configured on keycloak and I have two client applications relying on keycloak for SSO and user management. Both of my client applications are using the tomcat adapter. Currently if the user signs out from the first client the second client is not notified. I need this to be fixed, so that when a user signs out from one client, the other client is notified, so the latter can forcefully log out the user. How can I handle this on keycloak?
I tried the Admin Url configuration given on the docs http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html#admin-url-configuration but I did not see a way forward. My current version of keycloak is 1.2.0. But I can upgrade to 1.5.0 if it's required. Regards, Kalinga _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150929/37d78a13/attachment.html From lopez.m.gonzalo at gmail.com Tue Sep 29 15:42:21 2015 From: lopez.m.gonzalo at gmail.com (Gonzalo López) Date: Tue, 29 Sep 2015 16:42:21 -0300 Subject: [keycloak-user] Role to claim mapping Message-ID: I'm trying to test the Identity broker to achieve cross domain sso, this is what I have done: 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A 2 - Installed jboss 6.4 eap + keycloak in host B 3 - In host A, I added an oidc Identity Provider (importing host B openid connect configuration). 4 - In host A, I created an application (appa.war) that will try to use the broker to authenticate. I added security to the app (only user with role "user" will be able to access some parts) 5 - In host B, I added 2 oidc clients (the broker from host A and appb, appb (appb.war) is a simple application developed to log in using oidc) 6 - In host B, I created a role "testrole" inside appb and a user "testuser", then I added that role to the user. I couldn't find out how to map the role "testrole" to a claim that will be sent to the broker once the user has authenticated. Is there a way to do that?
After I accomplish that I plan to map that claim to the role appa.user. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150929/0f16e063/attachment.html From robin1233 at gmail.com Tue Sep 29 16:06:09 2015 From: robin1233 at gmail.com (robinfernandes .) Date: Tue, 29 Sep 2015 16:06:09 -0400 Subject: [keycloak-user] Login page for external IDP using SAML Message-ID: Hi All, I was trying to setup Keycloak to use SAML and configure an external IDP in the admin console of Keycloak. I had a couple of questions : 1. What is the keycloak API we need to hit to access the landing page for the external IDP? 2. I was trying to call the /realm/{realm-name}/broker/{provider-id}/login API The problem that I was facing when I used the above API was that it expects "code" as the Query parameter and I did not find any example on how to generate that code. Any help would be appreciated. Thanks, Robin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150929/db3bb446/attachment.html From bburke at redhat.com Tue Sep 29 16:48:06 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 29 Sep 2015 16:48:06 -0400 Subject: [keycloak-user] Login page for external IDP using SAML In-Reply-To: References: Message-ID: <560AF906.7020402@redhat.com> Brokering is all browser based. Point the browser to Keycloak, Keycloak will allow you to choose an external IDP, or you can set one up as the default. I'm not sure what you're trying to do though. On 9/29/2015 4:06 PM, robinfernandes . wrote: > Hi All, > > I was trying to setup Keycloak to use SAML and configure an external IDP > in the admin console of Keycloak. > I had a couple of questions : > 1. What is the keycloak API we need to hit to access the landing page > for the external IDP? > 2. 
I was trying to call the > /realm/{realm-name}/broker/{provider-id}/login API > > The problem that I was facing when I used the above API was that it > expects "code" as the Query parameter and I did not find any example on > how to generate that code. > > Any help would be appreciated. > > Thanks, > Robin > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Tue Sep 29 16:53:07 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 29 Sep 2015 16:53:07 -0400 Subject: [keycloak-user] Role to claim mapping In-Reply-To: References: Message-ID: <560AFA33.4020000@redhat.com> On 9/29/2015 3:42 PM, Gonzalo López wrote: > I'm trying to test the Identity broker to achieve cross domain sso, this > is what I have done: > > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A > 2 - Installed jboss 6.4 eap + keycloak in host B > 3 - In host A, I added an oidc Identity Provider (importing host B > openid connect configuration). > 4 - In host A, I created an application (appa.war) that will try to use > the broker to authenticate. I added security to the app (only user with > role "user" will be able to access some parts) > 5 - In host B, I added 2 oidc clients (the broker from host A and appb, > appb (appb.war) is a simple application developed to log in using oidc) > 6 - In host B, I created a role "testrole" inside appb and a user > "testuser", then I added that role to the user. > > I couldn't find out how to map the role "testrole" to a claim that will > be sent to the broker once the user has authenticated. Is there a way to > do that? > > After I accomplish that I plan to map that claim to the role appa.user. > OIDC and SAML Identity Providers have mappers. Host A broker will receive the token from Host B.
You can map the testrole to whatever claim you want. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From DSzeto at investlab.com Tue Sep 29 22:12:36 2015 From: DSzeto at investlab.com (Doug Szeto) Date: Wed, 30 Sep 2015 02:12:36 +0000 Subject: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems In-Reply-To: <75AA1728-713C-4A4B-8F11-8F6E1EBA21A9@smartling.com> Message-ID: Thanks for the config but had to make a few more changes for my setup. First problem was that if there is a url instead of an IP as the keycloak server, it seemed to cause problems. Solution: Had to replace the nginx config setting: proxy_set_header Host $host; With proxy_set_header Host [auth-server-url in the keycloak.json file]; Second problem is that the keycloak/wildfly server kept using the nginx proxy's IP in the session management. Solution: Need a combination of nginx settings and wildfly settings. Nginx needs to insert the forwarded for headers proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; Wildfly's standalone/configuration/standalone.xml needs to read the forwarded for header with proxy-address-forwarding="true" The second solution is sort of mentioned in the docs, but applicable to both http and https and the xml seems out of date. --Doug From: Scott Rossillo > Date: Thu, 24 Sep 2015 12:25:06 -0400 To: Kevin Thorpe > Cc: doug >, keycloak-user > Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems Here's a working configuration with NGINX listening on 443 (https) and Keycloak / Wildfly on 8080 (http). Note the proxy_set_header calls.
The rest of the config is just for completeness:

upstream keycloak {
    server localhost:8080;
}

server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://keycloak;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com On Sep 24, 2015, at 5:13 AM, Kevin Thorpe > wrote: I got it working but as you've seen only if everyone contacts the Nginx IP. If the back end servers contact Keycloak directly then the validation fails because the token was issued by 'a different server'. I want to do the same thing as well. I want the front-end of our application to authenticate against the public address then all the back end servers running in Docker contact the Keycloak docker container directly. The way I have it now I'm generating a lot of traffic between the Docker (actually Rancher) LAN and the external LAN.
I think we need a concept of service aliases so that a token issued by https://my-public-name:443 would still be accepted by http://keycloak:8080 (as long as it was indeed issued by that server under a different alias) Kevin Thorpe CTO www.p-i.net | @PI_150 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. "SAVE PAPER - THINK BEFORE YOU PRINT!" On 24 September 2015 at 02:38, Doug Szeto > wrote: Did you ever get the correct settings? When I put nginx in front of keycloak, it generates access tokens tied to the nginx server's IP instead of the browser's IP. This is apparent in the admin management pages when you look up the active sessions.
The problem I'm having is there is a resource server that accepts bearer only tokens. It uses a different server, and now fails the token validation check. Remove the nginx servers and things work fine. Any suggestions? --Doug ________________________________ From: keycloak-user-bounces at lists.jboss.org > on behalf of Kevin Thorpe > Sent: Friday, September 18, 2015 19:21 To: stian at redhat.com Cc: keycloak-user Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked........ but now I have another problem :-( Kevin Thorpe CTO [http://service.svc/s/GetFileAttachment?id=AAMkAGIxOTBjNDM0LTgxNDQtNDYxYi1iYzBmLWYwNDI0MTE5MmVjYwBGAAAAAAA%2F4bdKygj1QJSA616jntzABwAl%2FbE8zyj0T7dK0ot6a0ytAAAAAAEPAAAl%2FbE8zyj0T7dK0ot6a0ytAABm1lBtAAABEgAQAJlVflMenDVNqr8Xkk3dqvU%3D&X-OWA-CANARY=vpd7MF4UF02fGXygyRPIMkDAkk5_xNIYUwzrL32mQChn_0lziostcsaRPWIzvSWhnfk5T2JGB5U.] [http://service.svc/s/GetFileAttachment?id=AAMkAGIxOTBjNDM0LTgxNDQtNDYxYi1iYzBmLWYwNDI0MTE5MmVjYwBGAAAAAAA%2F4bdKygj1QJSA616jntzABwAl%2FbE8zyj0T7dK0ot6a0ytAAAAAAEPAAAl%2FbE8zyj0T7dK0ot6a0ytAABm1lBtAAABEgAQAGGp4TV86TdMgXrTPATB9VA%3D&X-OWA-CANARY=vpd7MF4UF02fGXygyRPIMkDAkk5_xNIYUwzrL32mQChn_0lziostcsaRPWIzvSWhnfk5T2JGB5U.] 
On 18 September 2015 at 11:59, Stian Thorgersen wrote:

The * can only be on the end of the valid redirect uri. So you need to specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being a good idea obviously.

On 18 September 2015 at 12:42, Kevin Thorpe wrote:

Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to avoid the invalid parameter: redirect_uri problem.
Website is https://my-client.pibenchmark.com

In nginx:

    location /auth {
        proxy_pass https://auth-service;
    }

    upstream auth-service {
        server my-keycloak:8443;
    }

Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/* ie my whole domain. Still getting invalid parameter: redirect_uri though. What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.

Kevin Thorpe
CTO, PI Limited

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Sep 30 03:48:00 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 30 Sep 2015 09:48:00 +0200
Subject: [keycloak-user] Use Case and Roadmap
In-Reply-To:
References:
Message-ID:

Hi,

We plan to write an overview doc outlining the main features and benefits of using Keycloak. This will be posted on the website and we should probably also include it in the documentation.

With regards to the road map, details around that can be found in JIRA, but we don't maintain a detailed long term road map as we like to be more flexible than that. If there are specific features you're after feel free to use the mailing list to ask about them. The more demand something gets the quicker we'll add it!
On 28 September 2015 at 09:49, Giovanni Baruzzi <giovanni.baruzzi at syntlogo.de> wrote:

> Dear KeyCloak team,
> In the last days I worked intensively with KeyCloak, trying to check if it
> fits as a solution in a current project and I was suddenly aware of the big
> potential still hidden in the software.
> The problem is, that these capabilities can be understood only after hours
> of experimenting and I was able to appreciate the vision behind it.
> There is not too much trace of the vision in the documentation, which is
> not bad, but it does not tell you why some features are there and how to
> better make use of them.
>
> So, a kind request: can you publish some document telling why you decided
> to implement a feature?
> These contributions don't need to be extensive, it gives just us a glimpse
> of the gold buried in the project.
>
> A road map or a list of features under evaluation could be very useful too.
>
> Thank you,
> Giovanni
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From tair.sabirgaliev at bee.kz Wed Sep 30 04:08:41 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Wed, 30 Sep 2015 14:08:41 +0600
Subject: [keycloak-user] update token: CORS error after session timeout
Message-ID:

Hi,

I'm integrating a web application using angularjs 1.4.6 and keycloak 1.5.0.
The application and keycloak app-servers are on different ports.
The application works ok when the session is not expired.
After session expiration keycloak.updateToken() fails with 400 Bad Request. Chrome shows the following in the console:

XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/token.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9080' is therefore not allowed access. The response had HTTP status code 400.

The behavior is the same with Safari and Firefox.

If I get it right, this 400 response from keycloak shouldn't be interpreted as CORS failure by browsers?

This is keycloak response when session is alive:

    --> HTTP/1.1 200 OK
    X-Powered-By: Undertow/1
    Server: WildFly/9
    Access-Control-Expose-Headers: Access-Control-Allow-Methods
    Date: Tue, 29 Sep 2015 04:54:52 GMT
    Connection: keep-alive
    Access-Control-Allow-Origin: http://localhost:9080
    Access-Control-Allow-Credentials: true
    Transfer-Encoding: chunked
    Content-Type: application/json

And this one with session expired:

    --> HTTP/1.1 400 Bad Request
    Connection: keep-alive
    X-Powered-By: Undertow/1
    Server: WildFly/9
    Transfer-Encoding: chunked
    Content-Type: application/json
    Date: Tue, 29 Sep 2015 04:55:03 GMT

So my concerns are:

1. Why CORS headers depend on session validity? This caused much confusion for me, because I thought there is a problem with CORS, until I understood this was a session problem.

2. I think it would also be great to have some more context on error responses (like returning some json with error description), because HTTP responses are too generic.

--
Tair Sabirgaliev
Bee Software, LLP
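The behaviour Tair describes, as an added example that is not part of the thread and not Keycloak's own code: a token endpoint written two ways, once with CORS headers attached on the success path only (the shape of the reported symptom) and once with them attached to every response, plus a small simulation of the browser's CORS gate showing why the first variant surfaces as a CORS error rather than as a readable 400. The origin allow-list, the session store, the refresh-token strings and the token values are constructed for the example.

```javascript
// Added example (not Keycloak code): a cross-origin token endpoint must put
// CORS headers on error responses too, or the SPA cannot read the error body.
// Pure functions, no network, so it runs offline under Node.

// Constructed allow-list: the origins the realm's browser clients are
// registered for. Only these may be echoed back in Access-Control-Allow-Origin.
const ALLOWED_ORIGINS = new Set(["http://localhost:9080"]);

// Constructed session store: refresh token -> session state.
const SESSIONS = new Map([
  ["rt-alive-1", { alive: true, user: "alice" }],
  ["rt-expired-1", { alive: false, user: "bob" }],
]);

// CORS headers for a credentialed request. The origin is echoed only when it
// is on the allow-list; browsers reject "*" together with
// Access-Control-Allow-Credentials: true, and reflecting arbitrary origins
// would let any site read the token response.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Shared grant check: returns the JSON body and status for a refresh request.
function evaluateRefresh(refreshToken) {
  const session = SESSIONS.get(refreshToken);
  if (!session || !session.alive) {
    return {
      status: 400,
      body: { error: "invalid_grant", error_description: "Session not active" },
    };
  }
  return {
    status: 200,
    body: { access_token: "constructed-token-for-" + session.user, expires_in: 300 },
  };
}

// The shape of the symptom in the thread: CORS headers are added on the
// success path only, so the 400 goes out without them.
function tokenEndpointBuggy(req) {
  const result = evaluateRefresh(req.refreshToken);
  const headers = { "Content-Type": "application/json" };
  if (result.status === 200) Object.assign(headers, corsHeaders(req.origin));
  return { status: result.status, headers, body: result.body };
}

// Corrected variant: every response, success or error, passes through one
// place that attaches the CORS headers, so the client can read the JSON
// error and tell "session expired" apart from a real CORS failure.
function tokenEndpointFixed(req) {
  const result = evaluateRefresh(req.refreshToken);
  const headers = { "Content-Type": "application/json", ...corsHeaders(req.origin) };
  return { status: result.status, headers, body: result.body };
}

// Simulates the browser's CORS gate for a cross-origin XHR: without a
// matching Access-Control-Allow-Origin the script gets an opaque network
// error and never sees the status or body, which is what the console
// message quoted in the thread reports.
function browserView(origin, response) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  if (acao !== origin) {
    return { kind: "cors_error", status: null, body: null };
  }
  if (response.status >= 400) {
    return { kind: "http_error", status: response.status, body: response.body };
  }
  return { kind: "ok", status: response.status, body: response.body };
}

// Runs one refresh attempt end to end and returns what the SPA would observe.
function refreshAs(endpoint, origin, refreshToken) {
  return browserView(origin, endpoint({ origin, refreshToken }));
}
```

With the buggy endpoint an expired session looks to the page like a CORS failure; with the fixed one the page receives a 400 and the `invalid_grant` body, which is the distinction Tair asks for. The allow-list check matters on both paths: the fix is to attach the headers consistently, not to loosen the origin policy.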
From mposolda at redhat.com Wed Sep 30 06:15:21 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 30 Sep 2015 12:15:21 +0200
Subject: [keycloak-user] update token: CORS error after session timeout
In-Reply-To:
References:
Message-ID: <560BB639.7070300@redhat.com>

Hi,

it seems we are not adding CORS headers to error responses. Could you create JIRA for it?

We are returning JSON with error descriptions and details, the only issue is that you were not able to read those error details due to the CORS headers.

Marek

On 30/09/15 10:08, Tair Sabirgaliev wrote:
> Hi,
>
> I'm integrating a web application using angularjs 1.4.6 and keycloak
> 1.5.0.
> The application and keycloak app-servers are on different ports.
> The application works ok when the session is not expired.
> After session expiration keycloak.updateToken() fails with
> 400 Bad Request. Chrome shows the following in the console:
>
> XMLHttpRequest cannot load
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/token.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://localhost:9080' is
> therefore not allowed access. The response had HTTP status code 400.
>
> The behavior is the same with Safari and Firefox.
>
> If I get it right, this 400 response from keycloak shouldn't be
> interpreted as CORS failure by browsers?
>
> This is keycloak response when session is alive:
>
> --> HTTP/1.1 200 OK
> X-Powered-By: Undertow/1
> Server: WildFly/9
> Access-Control-Expose-Headers: Access-Control-Allow-Methods
> Date: Tue, 29 Sep 2015 04:54:52 GMT
> Connection: keep-alive
> Access-Control-Allow-Origin: http://localhost:9080
> Access-Control-Allow-Credentials: true
> Transfer-Encoding: chunked
> Content-Type: application/json
>
> And this one with session expired:
>
> --> HTTP/1.1 400 Bad Request
> Connection: keep-alive
> X-Powered-By: Undertow/1
> Server: WildFly/9
> Transfer-Encoding: chunked
> Content-Type: application/json
> Date: Tue, 29 Sep 2015 04:55:03 GMT
>
> So my concerns are:
>
> 1. Why CORS headers depend on session validity? This caused much
> confusion for me, because I thought there is a problem with CORS,
> until I understood this was a session problem.
>
> 2. I think it would also be great to have some more context on error
> responses (like returning some json with error description), because
> HTTP responses are too generic.
>
> --
> Tair Sabirgaliev
> Bee Software, LLP
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From tair.sabirgaliev at bee.kz Wed Sep 30 06:25:29 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Wed, 30 Sep 2015 16:25:29 +0600
Subject: [keycloak-user] update token: CORS error after session timeout
In-Reply-To: <560BB639.7070300@redhat.com>
References: <560BB639.7070300@redhat.com>
Message-ID:

https://issues.jboss.org/browse/KEYCLOAK-1886

--
Tair Sabirgaliev
Bee Software, LLP

On September 30, 2015 at 16:15:26, Marek Posolda (mposolda at redhat.com) wrote:

Hi,

it seems we are not adding CORS headers to error responses. Could you create JIRA for it?

We are returning JSON with error descriptions and details, the only issue is that you were not able to read those error details due to the CORS headers.

Marek

On 30/09/15 10:08, Tair Sabirgaliev wrote:

Hi,

I'm integrating a web application using angularjs 1.4.6 and keycloak 1.5.0.
The application and keycloak app-servers are on different ports.
The application works ok when the session is not expired.
After session expiration keycloak.updateToken() fails with 400 Bad Request. Chrome shows the following in the console:

XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/token.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9080' is therefore not allowed access. The response had HTTP status code 400.

The behavior is the same with Safari and Firefox.

If I get it right, this 400 response from keycloak shouldn't be interpreted as CORS failure by browsers?

This is keycloak response when session is alive:

    --> HTTP/1.1 200 OK
    X-Powered-By: Undertow/1
    Server: WildFly/9
    Access-Control-Expose-Headers: Access-Control-Allow-Methods
    Date: Tue, 29 Sep 2015 04:54:52 GMT
    Connection: keep-alive
    Access-Control-Allow-Origin: http://localhost:9080
    Access-Control-Allow-Credentials: true
    Transfer-Encoding: chunked
    Content-Type: application/json

And this one with session expired:

    --> HTTP/1.1 400 Bad Request
    Connection: keep-alive
    X-Powered-By: Undertow/1
    Server: WildFly/9
    Transfer-Encoding: chunked
    Content-Type: application/json
Content-Type: application/json? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Date:?Tue, 29 Sep 2015 04:55:03 GMT? So my concerns are:? 1. Why CORS headers depend on session validity? This caused much confusion for me,?? because I thought there is a problem?with CORS, until I understood this was session problem.?? 2. I think it would also be great to have some more context?on error responses?? (like returning some json with error description), because HTTP responses are too generic.? --? Tair Sabirgaliev Bee Software, LLP _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/c9277393/attachment-0001.html From prabhalar at yahoo.com Wed Sep 30 06:32:53 2015 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Wed, 30 Sep 2015 10:32:53 +0000 (UTC) Subject: [keycloak-user] Support for Implicit Flow Message-ID: <264882050.3277333.1443609173763.JavaMail.yahoo@mail.yahoo.com> Hi Keycloak Dev team, When can we expect support for Implicit flow and OpenID Connect certification for keycloak?? Thanks,Raghu -------------- next part -------------- An HTML attachment was scrubbed... 
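Back to the CORS thread above: the following added Python example (not Keycloak's code, not from the thread) applies the browser's CORS response check to the two responses Tair quoted. It shows why the check ignores the status code: a 400 without Access-Control-Allow-Origin is blocked exactly like a cross-origin response from a hostile server, so the JSON error body Keycloak returned never reaches the script. The request is assumed to be credentialed (the 200 response carries Access-Control-Allow-Credentials: true).

```python
"""Why a 400 from the token endpoint surfaced as a CORS error.

Added example, not Keycloak code. The browser's CORS response check looks
only at headers, never at the status code, so an error response that lacks
Access-Control-Allow-Origin is unreadable to the page and the JSON error
details sent with it are lost.
"""
from dataclasses import dataclass

# Responses exactly as quoted in the thread (bodies were not quoted, so none here).
ALIVE_200 = """HTTP/1.1 200 OK
X-Powered-By: Undertow/1
Server: WildFly/9
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Date: Tue, 29 Sep 2015 04:54:52 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://localhost:9080
Access-Control-Allow-Credentials: true
Transfer-Encoding: chunked
Content-Type: application/json
"""

EXPIRED_400 = """HTTP/1.1 400 Bad Request
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/9
Transfer-Encoding: chunked
Content-Type: application/json
Date: Tue, 29 Sep 2015 04:55:03 GMT
"""


@dataclass
class CorsVerdict:
    status: int
    readable: bool  # may the page's script read this response at all?
    reason: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response head into (status code, header dict).

    Header names are case-insensitive, so they are lower-cased on the way in.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def cors_check(raw: str, origin: str, with_credentials: bool = True) -> CorsVerdict:
    """Decide whether a browser would expose the response to a script at `origin`.

    Mirrors the Fetch standard's CORS check: the status code plays no part,
    only Access-Control-Allow-Origin and, for credentialed requests,
    Access-Control-Allow-Credentials.
    """
    status, headers = parse_response(raw)
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return CorsVerdict(status, False, "missing Access-Control-Allow-Origin")
    if with_credentials and allow_origin == "*":
        return CorsVerdict(status, False, "wildcard origin not allowed with credentials")
    if allow_origin != "*" and allow_origin != origin:
        return CorsVerdict(status, False, f"origin {origin} not allowed ({allow_origin})")
    if with_credentials and headers.get("access-control-allow-credentials", "").lower() != "true":
        return CorsVerdict(status, False, "missing Access-Control-Allow-Credentials: true")
    return CorsVerdict(status, True, "ok")


def classify_update_token_failure(raw: str, origin: str) -> str:
    """What the SPA can actually conclude from the response to updateToken().

    Without the headers the script sees an opaque failure, not the 400 or its
    JSON body, so the only safe reaction is to treat the session as gone and
    start a fresh login. Once the server adds CORS headers to error responses
    too, the body becomes readable and an expired session can be told apart
    from other errors.
    """
    verdict = cors_check(raw, origin)
    if verdict.readable:
        return "server-error-readable" if verdict.status >= 400 else "ok"
    return "opaque-failure-reauthenticate"


if __name__ == "__main__":
    for name, raw in (("alive", ALIVE_200), ("expired", EXPIRED_400)):
        v = cors_check(raw, "http://localhost:9080")
        print(f"{name}: HTTP {v.status}, readable={v.readable} ({v.reason})")
```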
From Martin.Hipfinger at oebb.at Wed Sep 30 08:33:41 2015
From: Martin.Hipfinger at oebb.at (Hipfinger Martin (BCC.ÖBB.TicketShop.MA))
Date: Wed, 30 Sep 2015 12:33:41 +0000
Subject: [keycloak-user] deletion execution schedule EVENT_ENTITY
Message-ID: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C4D7@LAXEX004.oebb.at>

Hi,

we've enabled event logging in Realm -> Events -> Config: Save Events ON, Expiration: 365 days

KC executes the following statement every 15 minutes:

delete from EVENT_ENTITY where REALM_ID=:1 and EVENT_TIME<:2

As the table event_entity is quite big, we'd like to reduce the frequency of deletion - so I'd like to ask if there is any possibility to change the execution schedule of deletion?

Thx & br,
Martin

From revanth at arvindinternet.com Wed Sep 30 08:57:40 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Wed, 30 Sep 2015 18:27:40 +0530
Subject: [keycloak-user] Unable to get required user data from facebook and store the data in keycloak

Hi,

I am using keycloak 1.5.0 and want to use login via facebook. So I created a facebook app and provided all the details in the keycloak facebook identity provider settings. When I login from facebook, the user is created if not existing in keycloak and is authenticated. But the created user details are all null, and in the server log the response from facebook contains only the name and id but not the email, even though the default scope of my application is email. Also, storing the returned details using mappers is not happening.

Could anyone please help me on how to return more details from facebook and also store those details using mappers.

From mstrukel at redhat.com Wed Sep 30 08:59:32 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 30 Sep 2015 14:59:32 +0200
Subject: [keycloak-user] deletion execution schedule EVENT_ENTITY
In-Reply-To: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C4D7@LAXEX004.oebb.at>
References: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C4D7@LAXEX004.oebb.at>

I suppose in this case the problem is that the query to identify records to delete takes a long time, but the number of actual records to delete is small. In that case it makes sense to prolong the 'garbage collection' period. If the number of records to delete is big, and that causes a long table lock, then the situation with a bigger timeout may make things even worse.

Did you maybe check what indexes are set on this table, if any? Depending on the database, creating a different index or changing an index type can make a huge difference.

Another way to maybe address this would be to only delete a small number of records at a time:

delete from EVENT_ENTITY where EVENT_ID in (select EVENT_ID from EVENT_ENTITY where REALM_ID=:1 and EVENT_TIME<:2 limit 100)

From Martin.Hipfinger at oebb.at Wed Sep 30 09:12:47 2015
From: Martin.Hipfinger at oebb.at (Hipfinger Martin (BCC.ÖBB.TicketShop.MA))
Date: Wed, 30 Sep 2015 13:12:47 +0000
Subject: [keycloak-user] deletion execution schedule EVENT_ENTITY
References: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C4D7@LAXEX004.oebb.at>
Message-ID: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C546@LAXEX004.oebb.at>

Hi,

Thank you for your quick response. I'd like to change the behaviour of keycloak, so that the deletion isn't done every 15 minutes, but instead e.g. once daily. There are currently 10 mio+ records in the table (and KC hasn't been running for a year yet, which is our configured expiration - so it will grow even more), so a deletion every 15 minutes doesn't make much sense.

Br,
Martin

From lopez.m.gonzalo at gmail.com Wed Sep 30 09:23:59 2015
From: lopez.m.gonzalo at gmail.com (Gonzalo López)
Date: Wed, 30 Sep 2015 10:23:59 -0300
Subject: [keycloak-user] Role to claim mapping

testuser has some roles in host B (testrole in this example), I want to put the roles as a claim in the token so when host A receives the token it maps the claim to roles in host A

I already did the second part (mapping in host A), but I still can't find out how to put the roles in a claim.

> On 9/29/2015 3:42 PM, Gonzalo López wrote:
> > I'm trying to test the Identity broker to achieve cross domain sso, this is what I have done:
> >
> > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A
> > 2 - Installed jboss 6.4 eap + keycloak in host B
> > 3 - In host A, I added an oidc Identity Provider (importing host B openid connect configuration).
> > 4 - In host A, I created an application (appa.war) that will try to use the broker to authenticate. I added security to the app (only user with role "user" will be able to access some parts)
> > 5 - In host B, I added 2 oidc clients (the broker from host A and appb, appb (appb.war) is a simple application developed to log in using oidc)
> > 6 - In host B, I created a role "testrole" inside appb and a user "testuser", then I added that role to the user.
> >
> > I couldn't find out how to map the role "testrole" to a claim that will be sent to the broker once the user has authenticated. Is there a way to do that?
> >
> > After I accomplish that I plan to map that claim to the role appa.user.
> >
>
> OIDC and SAML Identity Providers have mappers. Host A broker will receive the token from Host B. You can map the testrole to whatever claim you want.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From kalinga at leapset.com Wed Sep 30 09:29:59 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Wed, 30 Sep 2015 18:59:59 +0530 (IST)
Subject: [keycloak-user] Implementing central logout
In-Reply-To: <1443543618.418112794@apps.rackspace.com>
References: <1443534333.637225003@apps.rackspace.com> <1443543618.418112794@apps.rackspace.com>
Message-ID: <1443619799.762427469@apps.rackspace.com>

I can't get this to work. Anyone who implemented central logout via keycloak?

Regards,
Kalinga

-----Original Message-----
From: "Kalinga Dissanayake"
Sent: Tuesday, September 29, 2015 9:50pm
To: "Bob McWhirter"
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Implementing central logout

Yes. Is that all I should do? I have done that but I receive no notification.

Regards,
Kalinga

-----Original Message-----
From: "Bob McWhirter"
Sent: Tuesday, September 29, 2015 7:25pm
To: "Kalinga Dissanayake"
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Implementing central logout

All registered admin URLs should be notified, if I recall. Does each client have an admin URL configured in the Keycloak console?

On Tue, Sep 29, 2015 at 9:45 AM, Kalinga Dissanayake <kalinga at leapset.com> wrote:

My scenario is this; I have two clients configured on keycloak and I have two client applications relying on keycloak for SSO and user management. Both of my client applications are using the tomcat adapter. Currently if the user signs out from the first client the second client is not notified. I need this to be fixed, so that when a user signs out from one client, the other client is notified, so the latter can forcefully logout the user. How can I handle this on keycloak? I tried the Admin Url configuration given on the docs http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html#admin-url-configuration but I did not see a way forward. My current version of keycloak is 1.2.0. But I can upgrade to 1.5.0 if it's required.

Regards,
Kalinga
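For the EVENT_ENTITY thread above, an added example (not Keycloak's own code) of the batched-delete approach Marko suggested, run against an in-memory SQLite stand-in for the table. The column names (ID, REALM_ID, EVENT_TIME, TYPE), the index name and the sample row counts are assumptions made for the example; it also checks that the planner uses a (REALM_ID, EVENT_TIME) index for the cut-off predicate, which is the index question Marko raised.

```python
"""Batched purge of expired EVENT_ENTITY rows, as suggested in the thread.

Added example, not Keycloak code. An in-memory SQLite table stands in for
EVENT_ENTITY (column names assumed: ID, REALM_ID, EVENT_TIME, TYPE). It
shows two things from the thread: a composite index on (REALM_ID,
EVENT_TIME) lets the cut-off query avoid a full scan, and deleting in
small batches keeps each transaction short instead of holding one lock
over millions of rows.
"""
import sqlite3
import time

EXPIRATION_SECONDS = 365 * 24 * 3600  # "Expiration: 365 days" from the realm config


def make_events_db(realm_rows: dict, now_ms: int) -> sqlite3.Connection:
    """Create the stand-in table; realm_rows maps realm -> (expired, fresh) counts.

    Expired rows get an EVENT_TIME older than the cut-off, fresh rows a newer one.
    Row data is constructed for the example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE EVENT_ENTITY (ID TEXT PRIMARY KEY, REALM_ID TEXT, "
        "EVENT_TIME INTEGER, TYPE TEXT)"
    )
    # Composite index matching the purge predicate (REALM_ID = ? AND EVENT_TIME < ?).
    conn.execute("CREATE INDEX IDX_EVENT_REALM_TIME ON EVENT_ENTITY (REALM_ID, EVENT_TIME)")
    cutoff = now_ms - EXPIRATION_SECONDS * 1000
    rows = []
    for realm, (expired, fresh) in realm_rows.items():
        for i in range(expired):
            rows.append((f"{realm}-old-{i}", realm, cutoff - 1 - i, "LOGIN"))
        for i in range(fresh):
            rows.append((f"{realm}-new-{i}", realm, cutoff + 1 + i, "LOGIN"))
    conn.executemany("INSERT INTO EVENT_ENTITY VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def purge_expired_events(conn: sqlite3.Connection, realm_id: str, now_ms: int,
                         batch_size: int = 100) -> tuple:
    """Delete expired events of one realm in batches; return (rows deleted, batches).

    Each iteration is its own short transaction, so other writers wait for at
    most one batch rather than for the whole purge. The IN-subquery form is
    the portable way to bound a DELETE; a bare `DELETE ... LIMIT` is not
    available on every database.
    """
    cutoff = now_ms - EXPIRATION_SECONDS * 1000
    deleted = batches = 0
    while True:
        cur = conn.execute(
            "DELETE FROM EVENT_ENTITY WHERE ID IN ("
            "  SELECT ID FROM EVENT_ENTITY WHERE REALM_ID = ? AND EVENT_TIME < ? LIMIT ?)",
            (realm_id, cutoff, batch_size),
        )
        conn.commit()
        if cur.rowcount == 0:
            break
        deleted += cur.rowcount
        batches += 1
    return deleted, batches


def uses_index(conn: sqlite3.Connection) -> bool:
    """True if SQLite's planner picks the composite index for the cut-off query."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT ID FROM EVENT_ENTITY WHERE REALM_ID = ? AND EVENT_TIME < ?",
        ("demo", 0),
    ).fetchall()
    return any("IDX_EVENT_REALM_TIME" in row[-1] for row in plan)


def count_events(conn: sqlite3.Connection, realm_id: str) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM EVENT_ENTITY WHERE REALM_ID = ?", (realm_id,)
    ).fetchone()[0]


def run_demo(now_ms: int) -> dict:
    """Build the sample table, purge realm 'demo' in batches of 100, report the outcome."""
    db = make_events_db({"demo": (1250, 40), "other": (30, 5)}, now_ms)
    deleted, batches = purge_expired_events(db, "demo", now_ms, batch_size=100)
    return {"index_used": uses_index(db), "deleted": deleted, "batches": batches,
            "demo_left": count_events(db, "demo"), "other_left": count_events(db, "other")}


if __name__ == "__main__":
    print(run_demo(int(time.time() * 1000)))
```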
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/3b30e05e/attachment.html From revanth at arvindinternet.com Wed Sep 30 09:34:52 2015 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Wed, 30 Sep 2015 19:04:52 +0530 Subject: [keycloak-user] Login by mobile number. Message-ID: Hi all, I have an application that is secured by Keycloak. I am able to login using username/email and password. I also want to implement login via phone number. Could anybody help me how to store the phone number for a user and also how to use it to login the user. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/ce2e0ad7/attachment.html From mstrukel at redhat.com Wed Sep 30 09:40:45 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 30 Sep 2015 15:40:45 +0200 Subject: [keycloak-user] deletion execution schedule EVENT_ENTITY In-Reply-To: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C546@LAXEX004.oebb.at> References: <1CBE59D9C302B841A9562E1A3A6F5B7338F0C4D7@LAXEX004.oebb.at> <1CBE59D9C302B841A9562E1A3A6F5B7338F0C546@LAXEX004.oebb.at> Message-ID: In keycloak-server.json there is "scheduled" / "interval" setting which controls this. The same interval setting is used to clear both expired events, and expired user sessions. I'm guessing here, but significantly increasing this setting might be a problem since user sessions are stored in memory or infinispan caches, and not cleaning them continuously might lead to cache not performing as effectively as it otherwise would. On Wed, Sep 30, 2015 at 3:12 PM, Hipfinger Martin (BCC.?BB.TicketShop.MA ) wrote: > Hi, > > > > Thank you for your quick response. I?d like to change the behaviour of > keycloak, so that the deletion isn?t done every 15 minutes, but instead > e.g. once daily. There are currenty 10 mio+ records in the table (and KC > isn?t running since a year, which is our configured expiration ? 
so it will > grow even more), so a deletion every 15 minutes doesn?t make much sense > > > > Br, > > Martin > > > > *Von:* Marko Strukelj [mailto:mstrukel at redhat.com] > *Gesendet:* Mittwoch, 30. September 2015 15:00 > *An:* Hipfinger Martin (BCC.?BB.TicketShop.MA > ) > *Cc:* keycloak-user at lists.jboss.org > *Betreff:* Re: [keycloak-user] deletion execution schedule EVENT_ENTITY > > > > I suppose in this case the problem is that query to identify records to > delete takes a long time, but number of actual records to delete is small. > In that case it makes sense to prolong the 'garbage collection' period. If > the number of records to delete is big, and that causes a long table lock > then the situation with bigger timeout may make things even worse. > > > > Did you maybe check what indexes are set on this table if any? Depending > on the database, creating a different index or changing an index type can > make a huge difference. > > > > Another way to maybe address this would be to only delete small number of > records at a time: > > > > delete from EVENT_ENTITY where EVENT_ID in (select EVENT_ID from > EVENT_ENTITY where REALM_ID=:1 and EVENT_TIME<:2 limit 100) > > > > > > On Wed, Sep 30, 2015 at 2:33 PM, Hipfinger Martin (BCC.?BB.TicketShop.MA > ) wrote: > > Hi, > > > > we?ve enabled event logging in Realm -> Events -> Config: Save Events ON, > Expiration: 365 days > > > > KC executes the following statement every 15 minutes: *delete* *from* > EVENT_ENTITY *where* REALM_ID=:1 *and* EVENT_TIME<:2 > > > > As the table event_entity is quite big, we?d like to reduce the frequency > of deletion ? so I?d like to ask if there is any possibility to change the > execution schedule of deletion? 
> > > > Thx & br, > > Martin > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/9b23137d/attachment.html From bburke at redhat.com Wed Sep 30 10:26:43 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 30 Sep 2015 10:26:43 -0400 Subject: [keycloak-user] Role to claim mapping In-Reply-To: References: Message-ID: <560BF123.2080204@redhat.com> I am confused on what you want to do. Please talk in terms of Keycloak A, Keycloak B, App C, App D. On 9/30/2015 9:23 AM, Gonzalo L?pez wrote: > testuser has some roles in host B (testrole in this example), I want to > put the roles as a claim in the token so when host A receives the token > it maps the claim to roles in host A > > I already did the second part (mapping in host A), but I still can't > find out how to put the roles in a claim. > > > > > > > On 9/29/2015 3:42 PM, Gonzalo L?pez wrote: > > I'm trying to test the Identity broker to achieve cross domain > sso, this > > is what I have done: > > > > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in > host A > > 2 - Installed jboss 6.4 eap + keycloak in host B > > 3 - In host A, I added an oidc Identity Provider (importing host B > > openid connect configuration). > > 4 - In host A, I created an application (appa.war) that will try > to use > > the broker to authenticate. I added security to the app (only > user with > > role "user" will be able to access some parts) > > 5 - In host B, I added 2 oidc clients (the broker from host A and > appb, > > appb (appb.war) is a simple application developed to log in using > oidc) > > 6 - In host B, I created a role "testrole" inside appb and a user > > "testuser", then I added that role to the user. 
> > > > I couldn't find out how to map the role "testrole" to a claim > that will > > be sent to the broker once the user has authenticated. Is there a > way to > > do that? > > > > After I accomplish that I plan to map that claim to the role > appa.user. > > > > OIDC and SAML Identity Providers have mappers. Host A broker will > receive the token from Host B. You can map the testrole to whatever > claim you want. > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From a.lamers at first8.nl Wed Sep 30 11:12:14 2015 From: a.lamers at first8.nl (Arjan Lamers) Date: Wed, 30 Sep 2015 18:12:14 +0300 Subject: [keycloak-user] retrieving custom user attributes Message-ID: Hi, I am trying to find an easy way to access custom attributes as defined for a client. For a Keycloak client, I?ve defined a new Mapper for a *user attribute* to store some additional authorisation data. This then is managed by some user domain that uses the keycloak-admin-client to write that property. The problem arises when I want to access that property in an JEE application.The way I do it right now to use the KeycloakPrincipal found in the javax.ejb.SessionContext. From there, I get the JWT token as a String, deserialize the JSON and access the custom attribute from there. This feels like a very roundabout way to get to the token but somehow I am not able to find an easier way. Is it a missing feature or is it simply too close to the weekend for me ;)? See http://www.first8.nl/blog/security-with-microservices-programmatic-security-with-keycloak/ for a blog post with more details. 
Thanks and kind regards, Arjan Lamers -- Met vriendelijke groet, Arjan Lamers --------------------------------------------------------------------------------------- ?God in his wisdom made the fly / And then forgot to tell us why. ? - Ogden Nash First Eight BV KvK dossiernr: 30.17.95.44 Gemeente Utrecht Kerkenbos 10-59b 6546 BB Nijmegen T: 024-3483570 F: 024-3483571 E: a.lamers at first8.nl W: www.first8.nl Op alle offertes, aanbiedingen of overeenkomsten van First Eight BV zijn, tenzij expliciet anders overeengekomen, de Algemene Voorwaarden van Conclusion B.V. van toepassing, welke zijn te vinden op www.conclusion.nl. Tevens zijn deze gedeponeerd bij de Kamer van Koophandel Midden-Nederland onder nummer 16059253. Op schriftelijk verzoek zullen de Algemene Voorwaarden u kosteloos worden toegezonden. De inhoud van dit e-mailbericht is uitsluitend bestemd voor de geadresseerde(n). Gebruik van de inhoud daarvan door anderen of verzending aan anderen is zonder toestemming van de afzender of geadresseerde(n) onrechtmatig. Mocht dit e-mailbericht ten onrechte bij u terechtgekomen zijn, dan verzoeken wij u onmiddellijk contact met ons op te nemen. First Eight BV betracht de grootst mogelijke zorgvuldigheid bij het voorkomen van virussen in de bijlage(n) bij dit bericht. Desondanks dient u zelf de bijlage(n) te controleren op de aanwezigheid van virussen en kan First Eight BV niet aansprakelijk worden gehouden indien bijlage(n) schade, waaronder schade aan computer(systeem), veroorzaken. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/47353444/attachment.html From bburke at redhat.com Wed Sep 30 11:30:13 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 30 Sep 2015 11:30:13 -0400 Subject: [keycloak-user] retrieving custom user attributes In-Reply-To: References: Message-ID: <560C0005.5070902@redhat.com> What do you want for an interface? 
KeycloakSecurityContext has the unmarshalled IDToken and AccessToken. KeycloakPrincipal.getKeycloakSecurityContext().getToken() On 9/30/2015 11:12 AM, Arjan Lamers wrote: > Hi, > > I am trying to find an easy way to access custom attributes as defined > for a client. For a Keycloak client, I?ve defined a new Mapper for a > /user attribute/ to store some additional authorisation data. This then > is managed by some user domain that uses the keycloak-admin-client to > write that property. > > The problem arises when I want to access that property in an JEE > application.The way I do it right now to use the KeycloakPrincipal found > in the javax.ejb.SessionContext. From there, I get the JWT token as a > String, deserialize the JSON and access the custom attribute from there. > This feels like a very roundabout way to get to the token but somehow I > am not able to find an easier way. Is it a missing feature or is it > simply too close to the weekend for me ;)? > > See > http://www.first8.nl/blog/security-with-microservices-programmatic-security-with-keycloak/ for > a blog post with more details. > > Thanks and kind regards, > Arjan Lamers > > -- > Met vriendelijke groet, > > Arjan Lamers > --------------------------------------------------------------------------------------- > ?God in his wisdom made the fly / And then forgot to tell us why. ? > - Ogden Nash > > First Eight BV > KvK dossiernr: 30.17.95.44 > Gemeente Utrecht > Kerkenbos 10-59b > 6546 BB Nijmegen > > T: 024-3483570 > F: 024-3483571 > E: a.lamers at first8.nl > W: www.first8.nl > > Op alle offertes, aanbiedingen of overeenkomsten van First Eight BV > zijn, tenzij expliciet anders overeengekomen, de Algemene Voorwaarden > van Conclusion B.V. van toepassing, welke zijn te vinden op > www.conclusion.nl . Tevens zijn deze > gedeponeerd bij de Kamer van Koophandel Midden-Nederland onder nummer > 16059253. Op schriftelijk verzoek zullen de Algemene Voorwaarden u > kosteloos worden toegezonden. 
> > De inhoud van dit e-mailbericht is uitsluitend bestemd voor de > geadresseerde(n). Gebruik van de inhoud daarvan door anderen of > verzending aan anderen is zonder toestemming van de afzender of > geadresseerde(n) onrechtmatig. Mocht dit e-mailbericht ten onrechte bij > u terechtgekomen zijn, dan verzoeken wij u onmiddellijk contact met ons > op te nemen. First Eight BV betracht de grootst mogelijke zorgvuldigheid > bij het voorkomen van virussen in de bijlage(n) bij dit bericht. > Desondanks dient u zelf de bijlage(n) te controleren op de aanwezigheid > van virussen en kan First Eight BV niet aansprakelijk worden gehouden > indien bijlage(n) schade, waaronder schade aan computer(systeem), > veroorzaken. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From lopez.m.gonzalo at gmail.com Wed Sep 30 11:33:45 2015 From: lopez.m.gonzalo at gmail.com (=?UTF-8?Q?Gonzalo_L=C3=B3pez?=) Date: Wed, 30 Sep 2015 12:33:45 -0300 Subject: [keycloak-user] Role to claim mapping In-Reply-To: <560BF123.2080204@redhat.com> References: <560BF123.2080204@redhat.com> Message-ID: Keycloak A is the idp using oidc "testuser" and "testrole" are defined in Keycloak A. Keycloak B is the broker, it has Keycloak A as identity provider App B authenticates using the broker, choosing Keycloak A as the provider I want Keycloak B to receive (from Keycloak A) a calaim saying something like "roles": "testuser" 2015-09-30 11:26 GMT-03:00 Bill Burke : > I am confused on what you want to do. Please talk in terms of Keycloak > A, Keycloak B, App C, App D. 
> > On 9/30/2015 9:23 AM, Gonzalo L?pez wrote: > > testuser has some roles in host B (testrole in this example), I want to > > put the roles as a claim in the token so when host A receives the token > > it maps the claim to roles in host A > > > > I already did the second part (mapping in host A), but I still can't > > find out how to put the roles in a claim. > > > > > > > > > > > > > > On 9/29/2015 3:42 PM, Gonzalo L?pez wrote: > > > I'm trying to test the Identity broker to achieve cross domain > > sso, this > > > is what I have done: > > > > > > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in > > host A > > > 2 - Installed jboss 6.4 eap + keycloak in host B > > > 3 - In host A, I added an oidc Identity Provider (importing host B > > > openid connect configuration). > > > 4 - In host A, I created an application (appa.war) that will try > > to use > > > the broker to authenticate. I added security to the app (only > > user with > > > role "user" will be able to access some parts) > > > 5 - In host B, I added 2 oidc clients (the broker from host A and > > appb, > > > appb (appb.war) is a simple application developed to log in using > > oidc) > > > 6 - In host B, I created a role "testrole" inside appb and a user > > > "testuser", then I added that role to the user. > > > > > > I couldn't find out how to map the role "testrole" to a claim > > that will > > > be sent to the broker once the user has authenticated. Is there a > > way to > > > do that? > > > > > > After I accomplish that I plan to map that claim to the role > > appa.user. > > > > > > > OIDC and SAML Identity Providers have mappers. Host A broker will > > receive the token from Host B. You can map the testrole to whatever > > claim you want. 
> > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/06fb89cf/attachment.html From bburke at redhat.com Wed Sep 30 11:45:34 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 30 Sep 2015 11:45:34 -0400 Subject: [keycloak-user] Role to claim mapping In-Reply-To: References: <560BF123.2080204@redhat.com> Message-ID: <560C039E.6060603@redhat.com> On 9/30/2015 11:33 AM, Gonzalo L?pez wrote: > Keycloak A is the idp using oidc > "testuser" and "testrole" are defined in Keycloak A. > The client that is registered on Keycloak A for Keycloak B must have the appropriate scope settings so that the Access token it gets contains the "testrole" for "testuser". Then, you can create a Identity Provider mapper in Keycloak B for the external Keycloak A provider that maps "testrole" to a role in Keycloak B. Or, you can use the Attribute Importer. You can reference the testrole via "realm_access.roles.testrole" or "resource_access..roles.testrole". Then, finally, you have to make sure your apps registered on Keycloak B have the appropriate mappers to pull in the testrole attribute/role into their specific claim. 
> > Keycloak B is the broker, it has Keycloak A as identity provider > App B authenticates using the broker, choosing Keycloak A as the provider > > I want Keycloak B to receive (from Keycloak A) a calaim saying something > like "roles": "testuser" > > > > > > > > 2015-09-30 11:26 GMT-03:00 Bill Burke >: > > I am confused on what you want to do. Please talk in terms of Keycloak > A, Keycloak B, App C, App D. > > On 9/30/2015 9:23 AM, Gonzalo L?pez wrote: > > testuser has some roles in host B (testrole in this example), I > want to > > put the roles as a claim in the token so when host A receives the > token > > it maps the claim to roles in host A > > > > I already did the second part (mapping in host A), but I still can't > > find out how to put the roles in a claim. > > > > > > > > > > > > > > On 9/29/2015 3:42 PM, Gonzalo L?pez wrote: > > > I'm trying to test the Identity broker to achieve cross domain > > sso, this > > > is what I have done: > > > > > > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 > adapter in > > host A > > > 2 - Installed jboss 6.4 eap + keycloak in host B > > > 3 - In host A, I added an oidc Identity Provider > (importing host B > > > openid connect configuration). > > > 4 - In host A, I created an application (appa.war) that > will try > > to use > > > the broker to authenticate. I added security to the app (only > > user with > > > role "user" will be able to access some parts) > > > 5 - In host B, I added 2 oidc clients (the broker from > host A and > > appb, > > > appb (appb.war) is a simple application developed to log > in using > > oidc) > > > 6 - In host B, I created a role "testrole" inside appb and > a user > > > "testuser", then I added that role to the user. > > > > > > I couldn't find out how to map the role "testrole" to a claim > > that will > > > be sent to the broker once the user has authenticated. Is > there a > > way to > > > do that? 
> > > > >
> > > > > After I accomplish that I plan to map that claim to the role appa.user.
> > > > >
> > > >
> > > > OIDC and SAML Identity Providers have mappers. Host A broker will
> > > > receive the token from Host B. You can map the testrole to whatever
> > > > claim you want.
> > > >

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Sep 30 11:48:28 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 30 Sep 2015 11:48:28 -0400
Subject: [keycloak-user] Role to claim mapping
In-Reply-To: <560C039E.6060603@redhat.com>
References: <560BF123.2080204@redhat.com> <560C039E.6060603@redhat.com>
Message-ID: <560C044C.1010908@redhat.com>

On 9/30/2015 11:45 AM, Bill Burke wrote:
> Or, you can use the Attribute Importer. You can reference the
> testrole via "realm_access.roles.testrole" or
> "resource_access..roles.testrole".
>

Actually, this won't work. You have to map testrole to a role in Keycloak B.
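As an added example (not Keycloak's own code and not anything the posters wrote): the paths Bill quotes, realm_access.roles and resource_access.<client>.roles, are JSON paths into the access token that Keycloak A issues to the client Keycloak B registered there. The snippet below models what a broker-side claim-to-role mapping does with those paths, and why an attribute-import style path such as realm_access.roles.testrole resolves to nothing (roles is an array, so "testrole" is a value in it, not a key), which is consistent with the correction above. The issuer URL, the subject and the sample claims are constructed; "appb" is the client name from the thread; the token's signature is assumed to have been verified before any claim is read.

```javascript
// Added example, not Keycloak code. Models a broker-side "claim to role" mapping
// over the claims of an access token issued by the external provider (Keycloak A).
// Assumed: the token's signature has already been verified; the issuer URL,
// the subject and the client id "appb" are constructed for this example.
const KEYCLOAK_A_ISSUER = "https://keycloak-a.example/auth/realms/realmA"; // assumed

// Constructed sample claims for "testuser" as Keycloak A might issue them to the
// client that Keycloak B registered there. Roles appear under realm_access.roles
// and resource_access.<client>.roles, the two paths named in the thread.
const sampleClaims = {
  iss: KEYCLOAK_A_ISSUER,
  sub: "f3a1c2d4",
  preferred_username: "testuser",
  realm_access: { roles: ["testrole", "offline_access"] },
  resource_access: { appb: { roles: ["testrole"] } }
};

// Resolve a dotted JSON path such as "realm_access.roles" or
// "resource_access.appb.roles". Returns undefined if any segment is missing.
function getClaim(claims, path) {
  return path.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    claims
  );
}

// One mapping rule: if claimValue equals the claim at claimPath, or is a member of it
// when the claim is an array (role claims always are), grant localRole in the broker.
function claimToRole(claims, rule) {
  const value = getClaim(claims, rule.claimPath);
  const matches = Array.isArray(value) ? value.includes(rule.claimValue) : value === rule.claimValue;
  return matches ? rule.localRole : null;
}

// Apply every rule, but only to a token from the configured provider. Roles must never
// be taken from a token whose issuer is not the identity provider this mapper belongs to.
function mapRoles(claims, expectedIssuer, rules) {
  if (claims.iss !== expectedIssuer) {
    throw new Error("token issuer " + claims.iss + " is not the configured provider");
  }
  const granted = new Set();
  for (const rule of rules) {
    const role = claimToRole(claims, rule);
    if (role !== null) granted.add(role);
  }
  return [...granted].sort();
}

// Attribute-import style: copy whatever sits at a path into a user attribute.
// Returns null when the path resolves to nothing, which is what happens for
// "realm_access.roles.testrole": roles is an array, so "testrole" is not a key in it.
function importAttribute(claims, claimPath) {
  const value = getClaim(claims, claimPath);
  return value === undefined ? null : value;
}

// Rules for the thread's scenario: "testrole" from Keycloak A becomes the role
// "user" that appa checks on Keycloak B; a second rule shows the per-client path.
const brokerRules = [
  { claimPath: "realm_access.roles", claimValue: "testrole", localRole: "user" },
  { claimPath: "resource_access.appb.roles", claimValue: "admin", localRole: "admin" }
];

// Stand-alone run: prints ["user"] for the sample token.
if (typeof require !== "undefined" && require.main === module) {
  console.log(mapRoles(sampleClaims, KEYCLOAK_A_ISSUER, brokerRules));
}
```

The issuer check in mapRoles is the one a broker must not skip: a mapper is bound to one identity provider, and roles from a token that verifies under some other issuer's key must never be granted by it.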
From sebastian.rose at aoe.com Wed Sep 30 12:29:47 2015
From: sebastian.rose at aoe.com (Sebastian Rose)
Date: Wed, 30 Sep 2015 16:29:47 +0000
Subject: [keycloak-user] Implementing central logout
In-Reply-To: <1443619799.762427469@apps.rackspace.com>
References: <1443534333.637225003@apps.rackspace.com> <1443543618.418112794@apps.rackspace.com> <1443619799.762427469@apps.rackspace.com>
Message-ID:

Yes, we have, everything works fine with the admin url (we do not use the tomcat adapter, but this should not change a thing). There are calls to the configured admin URL with k_logout. Maybe check your admin-url again, or have a look at the wire?

Regards,
Sebastian

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Kalinga Dissanayake
Sent: Wednesday, 30 September 2015 15:30
To: Bob McWhirter; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Implementing central logout

I can't get this to work. Anyone who implemented central logout via keycloak?

Regards,
Kalinga

-----Original Message-----
From: "Kalinga Dissanayake"
Sent: Tuesday, September 29, 2015 9:50pm
To: "Bob McWhirter"
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Implementing central logout

Yes. Is that all I should do? I have done that but I receive no notification.

Regards,
Kalinga

-----Original Message-----
From: "Bob McWhirter"
Sent: Tuesday, September 29, 2015 7:25pm
To: "Kalinga Dissanayake"
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Implementing central logout

All registered admin URLs should be notified, if I recall. Does each client have an admin URL configured in the Keycloak console?

On Tue, Sep 29, 2015 at 9:45 AM, Kalinga Dissanayake wrote:

My scenario is this; I have two clients configured on keycloak and I have two client applications relying on keycloak for SSO and user management.
Both of my client applications are using the tomcat adapter. Currently if the user signs out from the first client the second client is not notified. I need this to be fixed, so that when a user signs out from one client, the other client is notified, so the latter can forcefully log out the user. How can I handle this on keycloak? I tried the Admin Url configuration given in the docs http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html#admin-url-configuration but I did not see a way forward.

My current version of keycloak is 1.2.0. But I can upgrade to 1.5.0 if it's required.

Regards,
Kalinga

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/a1f65c10/attachment.html

From alex_orl1079 at yahoo.it Wed Sep 30 19:04:28 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Wed, 30 Sep 2015 23:04:28 +0000 (UTC)
Subject: [keycloak-user] CORS REST request blocked by browser
Message-ID: <1294386887.5022041.1443654268483.JavaMail.yahoo@mail.yahoo.com>

Hi to all,

In my use case I have a typical web application made up of a frontend layer written completely with Angular JS and a REST server layer written with Jersey 2.0. Till now I made my test simply securing the REST layer using the web.xml descriptor and registering it as a web application client into the Keycloak realm. The security type was confidential. Simply invoking a REST service URL I was redirected to the Keycloak login page where I could insert my credentials and so on....

Now I want to go further... it's the turn of the Angular JS application. It obviously invokes the REST services and it has to be secured. The Keycloak CORS example shows a use case similar to mine, so I chose to follow it.
I realize that it adds a JavaScript adapter to the Angular level without registering the service web application inside the CORS realm. In the Keycloak guidelines I read that this is not the best way to follow, as securing the application this way makes you lose the confidential data transport between client and server. By the way... I tried 2 approaches to the problem:

1) Following exactly the CORS example: I added the JS adapter to the Angular JS application; I configured only the client inside my realm as public, and eventually imported keycloak.js. Result: when I run the application I'm redirected to the Keycloak login page; I filled out the form but after the login I'm blocked by the browser because it doesn't find the access-control-allow-origin header in the get token request. The keycloak.json in the WEB-INF folder of the REST service specifies enabled-cors:true

2) I left the REST layer secured, expecting that at the first Angular REST request I should be redirected to the Keycloak login page. But even in this case the browser blocks me because it misses the access-control-allow-origin header. Even in this case the keycloak.json in the WEB-INF folder of the REST service specifies enabled-cors:true

So where am I wrong? What is the right approach for securing my web application? Why does the browser keep blocking my request?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150930/3e87df26/attachment-0001.html
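As an added example (not code from keycloak.js, the Keycloak adapters or Jersey, and not the poster's code), the snippet below models the cross-origin exchange described in this message: an Angular application on one origin calling a REST layer on another with a bearer token. It shows the preflight the browser sends before any request that carries an Authorization header, the CORS headers the REST layer must return both on the preflight and on the real response, and why the second approach fails: a REST layer that answers an unauthenticated XHR with a redirect sends the browser to the login page, whose response carries no Access-Control-Allow-Origin header, so the browser blocks the whole request. A bearer-only endpoint should instead return 401 together with the CORS headers and leave the login to the JS adapter. Two caveats from the Keycloak side: the "get token" request of the first approach goes to the Keycloak server, not to the REST layer, so the REST layer's keycloak.json has no say over it (the server's CORS for a public client is governed by that client's Web Origins setting in the admin console), and the adapter's keycloak.json switch is spelled enable-cors. Every origin, URL, client id and token below is constructed; the token is unsigned and signature verification is deliberately left out of the model.

```javascript
// Added example, not code from keycloak.js, the Keycloak adapters or Jersey. Models a
// bearer-only REST endpoint behind CORS and the browser's cross-origin check, to show
// why a redirect to the login page is blocked while a 401 with CORS headers is not.
// Every origin, URL, client id and token below is constructed for the example.
const SPA_ORIGIN = "https://app.example.com";                    // assumed Angular app origin
const ALLOWED_ORIGINS = new Set([SPA_ORIGIN]);
const ISSUER = "https://sso.example.com/auth/realms/demo";       // assumed realm URL
const LOGIN_URL = ISSUER + "/protocol/openid-connect/auth";      // assumed login endpoint
const AUDIENCE = "rest-service";                                 // assumed client id of the REST layer

// CORS response headers for an allowed origin, or null for any other origin. The exact
// origin is echoed (with Vary: Origin) so the same code keeps working if the SPA ever
// sends cookies with withCredentials, where a "*" origin is rejected by the browser.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Max-Age": "3600"
  };
}

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed, unsigned token for the example. Real code must verify the JWS
// signature against the realm's public key before trusting any claim.
function makeToken(payload) {
  return base64url({ alg: "none", typ: "JWT" }) + "." + base64url(payload) + ".";
}

function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

// Claim checks a resource server does on a bearer token: issuer, audience, expiry.
function tokenValid(token, now) {
  const p = decodePayload(token);
  if (!p) return false;
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  return p.iss === ISSUER && aud.includes(AUDIENCE) && typeof p.exp === "number" && p.exp > now;
}

// req = { method, path, headers: { origin?, authorization?, ... } }; returns { status, headers, body }.
function handleRequest(req, now = Math.floor(Date.now() / 1000)) {
  const origin = req.headers.origin;
  const cors = origin ? corsHeaders(origin) : {};
  if (origin && cors === null) return { status: 403, headers: {}, body: "origin not allowed" };
  if (req.method === "OPTIONS") {
    // The preflight carries no token; it must succeed on its own, with the CORS headers.
    return { status: 204, headers: cors, body: "" };
  }
  const auth = req.headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : null;
  if (token === null || !tokenValid(token, now)) {
    // A 401 that still carries the CORS headers is readable by the SPA, which can
    // then start the login itself (keycloak.login() in the JS adapter).
    return { status: 401, headers: { ...cors, "WWW-Authenticate": "Bearer" }, body: "" };
  }
  return { status: 200, headers: cors, body: JSON.stringify({ user: decodePayload(token).preferred_username }) };
}

// The second approach in the message: an unauthenticated XHR is answered with a
// redirect to the login page, as a browser-facing web application would be.
function redirectingHandler(req, now) {
  if (!req.headers.authorization) return { status: 302, headers: { Location: LOGIN_URL }, body: "" };
  return handleRequest(req, now);
}

// Constructed response of the login page: HTML, no CORS headers at all.
const LOGIN_PAGE_RESPONSE = { status: 200, headers: { "Content-Type": "text/html" }, body: "<html>login form</html>" };

// The browser follows redirects inside the XHR, so what it checks is the final response.
function followRedirects(response) {
  return response.status === 302 && response.headers.Location === LOGIN_URL ? LOGIN_PAGE_RESPONSE : response;
}

// The browser's rule for exposing a cross-origin response to script: the final
// response must name the requesting origin (or "*") in Access-Control-Allow-Origin.
function browserAllows(origin, response) {
  const allow = followRedirects(response).headers["Access-Control-Allow-Origin"];
  return allow === origin || allow === "*";
}
```

The design choice worth copying is the split of responsibilities: the REST layer never redirects a browser anywhere, it only answers 204 to preflights, 200 to valid bearer tokens and 401 (with CORS headers) to everything else, while the public client in the SPA owns the login redirect and obtains the token from the Keycloak server directly.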