[keycloak-user] keycloak configuration

Guus der Kinderen guus.der.kinderen at gmail.com
Thu Mar 24 09:58:06 EDT 2016


Instant follow-up: the Keycloak JAAS documentation refers to Login Module
"configuration properties" while in JAAS terminology, those are named
"options". It'd be good to use the same terms.

$0.01 (barely)

On 24 March 2016 at 14:54, Guus der Kinderen <guus.der.kinderen at gmail.com>
wrote:

> I signed up to the mailing list at a time that this thread was already
> underway. I didn't read back to find out what the original question was,
> and given the tone of the responses I am not going to either, but, as for
> the call for specific improvements: I've got two:
>
>    - It would be helpful if the section on JAAS integration would contain
>    a very short example of a configuration file, and a java snippet that shows
>    how to instantiate a LoginContext based on that. I was unfamiliar with JAAS
>    and was struggling to put one and one together. I think the above could be
>    done in ten lines or so, so it's relatively small, but would be a good
>    illustrative example for the likes of me.
>    - The REST endpoint documentation lacks structure (grouping), which
>    makes it hard to navigate. Improving on that would be as simple as grouping
>    each piece of documentation by its resource path.
>
> $0.02
>
>  - Guus
>
> On 24 March 2016 at 14:25, Bill Burke <bburke at redhat.com> wrote:
>
>> Documentation hasn't received any love for more than a year.  Screencasts
>> are even more out of date.  The good news is that myself and the Red Hat
>> documentation team are scheduled to focus on docs and screencasts the month
>> of April.  Up until a few months ago, we were just an open source
>> community.  Now that the Red Hat machine is getting behind us, areas like
>> documentation should start to be improved.
>>
>> BTW, if you want help, we need more than just "it doesn't work, your
>> documentation sucks".  Walking us through the problem helps us improve
>> error messages, general usability, and documentation.  Threatening us
>> doesn't really help as you are just as likely to get ignored.
>>
>> On 3/24/2016 4:56 AM, Stian Thorgersen wrote:
>>
>> Firstly, that's not FreeIPA (community project) documentation, but Red
>> Hat Identity Management documentation (product). The FreeIPA documentation
>> is https://www.freeipa.org/page/Documentation.
>>
>> Secondly, just stating that our documentation is bad and pointing to some
>> better documentation doesn't give us anything to go on. We would like to
>> give a good experience and I would be very interested in knowing exactly
>> what documentation you are lacking, hard to understand or whatever other
>> issues you may have with the documentation. Help us to help you ;)
>>
>> Finally we know the documentation is not as good as it could be and are
>> planning to improve it in the not too distant future. So input from users
>> would be valuable.
>>
>> On 23 March 2016 at 11:32, Pavlos Kleanthous <parsectix at gmail.com> wrote:
>>
>>> Just compare the documentation from another Red Hat product, FreeIPA
>>> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html>
>>>
>>> I have read this documentation and set up/configured the IPA server very easily.
>>>
>>> Keycloak's current documentation looks more like a developer's manual
>>> to me.
>>>
>>>
>>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>
>>>> Could you elaborate on what is missing from the documentation? That
>>>> would be helpful.
>>>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I dropped the project at the moment. The lack of documentation is too
>>>>> time consuming.
>>>>>
>>>>> Hope that soon keycloak will have it.
>>>>>
>>>>>
>>>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>
>>>>>> What adapter? Are the server and client adapter both 1.9.1? We did
>>>>>> recently deprecate some OIDC endpoints. I think ../login is gone and it
>>>>>> should be ../auth. So if you are using an old adapter that may be the issue.
>>>>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>
>>>>>>> Yours.
>>>>>>>
>>>>>>> I configured the realm with the same settings on both versions
>>>>>>> 1.9.1 and 1.8.1.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> Client ID has nothing to do with this issue as it would show a
>>>>>>>> login error page, not a not found. So either the realm name or another
>>>>>>>> part of the URL must be wrong.
>>>>>>>>
>>>>>>>> Are you using our adapters or another library atm?
>>>>>>>>
>>>>>>>> I'm answering on my phone on the plane so can't look into it more
>>>>>>>> atm.
>>>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> In jenkins, I'm pasting the JSON configuration that can be found
>>>>>>>>> inside the "Installation" tab.
>>>>>>>>>
>>>>>>>>> Instead of using keycloak client plugins, can I use a generic
>>>>>>>>> oauth plugin in my apps? How can I configure my keycloak for this?
>>>>>>>>> i.e. Instead of using google's oauth URL use my own pointing to
>>>>>>>>> keycloak.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> In your jenkins realm - under Clients do you have a client called
>>>>>>>>>> 'ci'? That's the client_id used in your request.
>>>>>>>>>>
>>>>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1.
>>>>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> yes I can.
>>>>>>>>>>>
>>>>>>>>>>> Please note that this is a problem of version 1.9.1.
>>>>>>>>>>> I have now tried version 1.8.1 and it redirects me to keycloak.
>>>>>>>>>>>
>>>>>>>>>>> p.s. I'm using the official containers from docker hub.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Are you able to login into admin console at:
>>>>>>>>>>>> http://192.168.99.100:32786/auth
>>>>>>>>>>>>
>>>>>>>>>>>> And you see the realm called 'jenkins' there?
>>>>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and
>>>>>>>>>>>>> responses.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>>>>>>>>>>>>>    Request Method: GET
>>>>>>>>>>>>>    Status Code: 302 Found
>>>>>>>>>>>>>    Remote Address: 192.168.99.100:32769
>>>>>>>>>>>>>    Response Headers
>>>>>>>>>>>>>       Content-Length: 0
>>>>>>>>>>>>>       Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>>>>>>>>>>>       Server: Jetty(winstone-2.9)
>>>>>>>>>>>>>       X-Content-Type-Options: nosniff
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>>>>>>>>>>>    Request Method: GET
>>>>>>>>>>>>>    Status Code: *404 Not Found*
>>>>>>>>>>>>>    Remote Address: 192.168.99.100:32786
>>>>>>>>>>>>>    Response Headers
>>>>>>>>>>>>>       Connection: keep-alive
>>>>>>>>>>>>>       Content-Length: 0
>>>>>>>>>>>>>       Date: Wed, 16 Mar 2016 10:30:40 GMT
>>>>>>>>>>>>>       Server: WildFly/10
>>>>>>>>>>>>>       X-Powered-By: Undertow/1
>>>>>>>>>>>>>    Request Headers
>>>>>>>>>>>>>       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>>>>>>>>>>>       Accept-Encoding: gzip, deflate, sdch
>>>>>>>>>>>>>       Accept-Language: en-US,en;q=0.8,el;q=0.6
>>>>>>>>>>>>>       Connection: keep-alive
>>>>>>>>>>>>>       DNT: 1
>>>>>>>>>>>>>       Host: 192.168.99.100:32786
>>>>>>>>>>>>>       Referer: http://192.168.99.100:32769/
>>>>>>>>>>>>>       Save-Data: on
>>>>>>>>>>>>>       Upgrade-Insecure-Requests: 1
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous <parsectix at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as
>>>>>>>>>>>>>> the same name can be found in "Installation" tab where
>>>>>>>>>>>>>> I copied the configuration.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'.
>>>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm trying to configure keycloak for the first time. My setup
>>>>>>>>>>>>>>>> has 2 containers, keycloak and jenkins.
>>>>>>>>>>>>>>>> Following the example of how to integrate those two, I created
>>>>>>>>>>>>>>>> a realm and a client called "jenkins".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It seems that the realm configuration is not correct as I
>>>>>>>>>>>>>>>> get the following debug error.
>>>>>>>>>>>>>>>> "15:47:55,791 ERROR
>>>>>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010:
>>>>>>>>>>>>>>>> Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not
>>>>>>>>>>>>>>>> find resource for full path:
>>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261
>>>>>>>>>>>>>>>> "
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I noticed that
>>>>>>>>>>>>>>>> "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>>>>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account"
>>>>>>>>>>>>>>>> works.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I access the URL:
>>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can you help me find the problem?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> p.s. is there any other way to find help on those matters?
>>>>>>>>>>>>>>>> Tried IRC but nobody is replying there...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>
>>
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>>
>
>
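
An added example, not part of the original thread or of Keycloak's code: a small Python check that parses the `Location` URL from the 302 quoted above and reports the realm, the client_id, and whether the adapter is still targeting the `login` endpoint that Stian's reply says was replaced by `auth`. The names `diagnose_redirect` and `REPLACED_ENDPOINTS` are hypothetical, and the `login` to `auth` mapping is an assumption taken from that reply.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption from Stian's reply in this thread: ".../login is gone and it
# should be .../auth". The mapping is illustrative, not taken from Keycloak.
REPLACED_ENDPOINTS = {"login": "auth"}

OIDC_PATH = re.compile(
    r"^(?P<prefix>.*/realms/(?P<realm>[^/]+)/protocol/openid-connect)"
    r"/(?P<endpoint>[^/]+)$"
)

# Location header copied from the 302 response quoted in the thread.
SAMPLE_LOCATION = (
    "http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login"
    "?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm"
    "%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184"
)


def diagnose_redirect(location):
    """Describe an adapter's OIDC redirect and list why the server may reject it."""
    parts = urlsplit(location)
    query = parse_qs(parts.query)
    report = {"realm": None, "endpoint": None, "client_id": None,
              "suggested_url": None, "findings": []}
    match = OIDC_PATH.match(parts.path)
    if match is None:
        report["findings"].append("path is not a realm openid-connect endpoint")
        return report
    report["realm"] = match["realm"]
    report["endpoint"] = match["endpoint"]
    report["client_id"] = query.get("client_id", [None])[0]
    replacement = REPLACED_ENDPOINTS.get(match["endpoint"])
    if replacement:
        report["findings"].append(
            f"endpoint '{match['endpoint']}' replaced by '{replacement}'; "
            "upgrade the adapter")
        report["suggested_url"] = parts._replace(
            path=f"{match['prefix']}/{replacement}").geturl()
    # RFC 6749 section 4.1.1: response_type and client_id are required.
    for param in ("response_type", "client_id"):
        if param not in query:
            report["findings"].append(f"missing required parameter: {param}")
    return report


if __name__ == "__main__":
    for key, value in diagnose_redirect(SAMPLE_LOCATION).items():
        print(f"{key}: {value}")
```

For the quoted trace this reports both the replaced endpoint and a missing `response_type`, so rewriting the path alone would not produce a valid authorization request; the adapter itself has to match the server version.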