From bburke at redhat.com Sat Apr 1 09:56:17 2017 From: bburke at redhat.com (Bill Burke) Date: Sat, 1 Apr 2017 09:56:17 -0400 Subject: [keycloak-user] Authorization on resources that belong to different "groups" In-Reply-To: References: Message-ID: Maybe define a resource for each country then a scope each for "report", "status" and "history"? You'd have to handle authorization yourself in your app by looking at the RPT though. On 3/31/17 10:17 AM, Pedro Igor Silva wrote: > What about using patterns in your paths. Something like: > > /api/report/{country} > > > On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca wrote: > >> HI there, >> >> We've integrated Keycloak auth and authz to an existing REST service which >> serves endpoints like this: >> >> GET /api/report?country={country} >> GET /api/status?country={country} >> GET /api/history?country={country} >> >> As far as I understand, the only way to protect these resources is to >> create "global" resources (/api/report, /api/status etc.), but then we >> can't validate if the current user is authorized to make requests for a >> given "country": >> >> The other alternative would be to include the country name in the URI, but >> this would lead to duplication of resource definitions: >> >> /api/report/country1 >> /api/report/country2 >> /api/status/country1 >> /api/status/country2 >> ... >> >> We considered including a list of the countries the user has access to as >> an attribute in the access_token but that would require manually >> maintaining said attribute >> >> Is there another way that would accommodate this kind of authentication >> requirements? >> >> Thanks in advance! 
>> >> -- >> *Gabriel Trisca, Software Developer* >> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Sat Apr 1 10:13:05 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Sat, 1 Apr 2017 11:13:05 -0300 Subject: [keycloak-user] Authorization on resources that belong to different "groups" In-Reply-To: References: Message-ID: On Fri, Mar 31, 2017 at 4:01 PM, Gabriel Trisca wrote: > Hi Pedro, > > Thanks for your reply. > > Adding the country to the URI would that mean that I have to create all of > the resources again for every new country that I add, correct? > > Is there any way to avoid duplicating resources where the only thing that > changes in the URI is the {country}? > If what you mean is that you would need to create those resource instances (e.g.: country 1, country 2, etc) in Keycloak. Yes. Because you want to protect individual countries, right ? Maybe a different approach to your API is use a patter like this: /api/{country}/report /api/{country}/status /api/{country}/history Actually, isn't above more meaningful than use /api/status|report|history ? > > Thanks! > > On Fri, Mar 31, 2017 at 10:17 AM, Pedro Igor Silva > wrote: > >> What about using patterns in your paths. 
Something like: >> >> /api/report/{country} >> >> >> On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca >> wrote: >> >>> HI there, >>> >>> We've integrated Keycloak auth and authz to an existing REST service >>> which >>> serves endpoints like this: >>> >>> GET /api/report?country={country} >>> GET /api/status?country={country} >>> GET /api/history?country={country} >>> >>> As far as I understand, the only way to protect these resources is to >>> create "global" resources (/api/report, /api/status etc.), but then we >>> can't validate if the current user is authorized to make requests for a >>> given "country": >>> >>> The other alternative would be to include the country name in the URI, >>> but >>> this would lead to duplication of resource definitions: >>> >>> /api/report/country1 >>> /api/report/country2 >>> /api/status/country1 >>> /api/status/country2 >>> ... >>> >>> We considered including a list of the countries the user has access to as >>> an attribute in the access_token but that would require manually >>> maintaining said attribute >>> >>> Is there another way that would accommodate this kind of authentication >>> requirements? >>> >>> Thanks in advance! >>> >>> -- >>> *Gabriel Trisca, Software Developer* >>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > *Gabriel Trisca, Software Developer* > Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA > P: +1 857-209-2685 <(857)%20209-2685> ? 
M: +1 301-433-2221 > <(301)%20433-2221> | www.cignifi.com > From psilva at redhat.com Sat Apr 1 11:19:44 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Sat, 1 Apr 2017 12:19:44 -0300 Subject: [keycloak-user] Authorization on resources that belong to different "groups" In-Reply-To: References: Message-ID: I need to check this out, but I think you can configure your enforcer as follows: { "name" : "Country Resource", "path" : "/api/{country}/report", "methods" : [ { "method": "GET", "scopes" : ["report"] } ] }, { "name" : "Country Resource", "path" : "/api/{country}/status", "methods" : [ { "method": "GET", "scopes" : ["status"] } ] } You are basically defining in the enforcer config specific paths in the application and the scopes for each HTTP verb. In the case above, all paths are protected by permissions applied to "Country Resource" but the scope depends on the sub-path. On Sat, Apr 1, 2017 at 10:56 AM, Bill Burke wrote: > Maybe define a resource for each country then a scope each for "report", > "status" and "history"? You'd have to handle authorization yourself in > your app by looking at the RPT though. > > > On 3/31/17 10:17 AM, Pedro Igor Silva wrote: > > What about using patterns in your paths. 
Something like: > > > > /api/report/{country} > > > > > > On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca > wrote: > > > >> HI there, > >> > >> We've integrated Keycloak auth and authz to an existing REST service > which > >> serves endpoints like this: > >> > >> GET /api/report?country={country} > >> GET /api/status?country={country} > >> GET /api/history?country={country} > >> > >> As far as I understand, the only way to protect these resources is to > >> create "global" resources (/api/report, /api/status etc.), but then we > >> can't validate if the current user is authorized to make requests for a > >> given "country": > >> > >> The other alternative would be to include the country name in the URI, > but > >> this would lead to duplication of resource definitions: > >> > >> /api/report/country1 > >> /api/report/country2 > >> /api/status/country1 > >> /api/status/country2 > >> ... > >> > >> We considered including a list of the countries the user has access to > as > >> an attribute in the access_token but that would require manually > >> maintaining said attribute > >> > >> Is there another way that would accommodate this kind of authentication > >> requirements? > >> > >> Thanks in advance! 
> >> > >> -- > >> *Gabriel Trisca, Software Developer* > >> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From shishir.misra at gmail.com Mon Apr 3 02:49:04 2017 From: shishir.misra at gmail.com (Shishir Misra) Date: Mon, 3 Apr 2017 12:19:04 +0530 Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code? In-Reply-To: References: Message-ID: Thanks Thomas. I checked the code and tried to follow the flow of execution. However, it looks like Keycloak expects either a cookie or a user-login to generate a code. Ideally, what I'd like to do is to use either the username/password of my realm user, or an access token issued for that user, to get a code. I have a native client which will handle this part of the workflow to generate a code, and pass that to a web-app to retrieve new tokens for further processing, without user intervention. This is proving very hard to nail down, and I'm not even sure if it's possible out of the box with Keycloak. Can you or someone else confirm/deny this? Thanks! 
Shishir On Thu, Mar 30, 2017 at 5:26 PM, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > Hello, > > try having a look at: > org.keycloak.adapters.installed.KeycloakInstalled > > in: > https://github.com/keycloak/keycloak/blob/a743600b344763ce2e7f70a625f590 > a8425fc5f3/adapters/oidc/installed/src/main/java/org/ > keycloak/adapters/installed/KeycloakInstalled.java > > Cheers, > Thomas > > 2017-03-30 13:35 GMT+02:00 Shishir Misra : > >> Hi Bernardo. >> Did you ever find out the solution to your question? I have the same >> requirement in KC 1.9.8 (no version upgrade possible for some time) but >> can't get things to work on the basis of whatever has already been >> discussed in the thread. >> Thanks, >> Shishir >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From mposolda at redhat.com Mon Apr 3 03:12:17 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Apr 2017 09:12:17 +0200 Subject: [keycloak-user] [keycloak-dev] Keycloak on active MQ In-Reply-To: References: <1485941179202.13544@infosys.com> Message-ID: <9eef3811-6322-7ff5-6130-bcf6f2d75521@redhat.com> Yes, I think that for that case the second login module (BearerTokenLoginModule) is better choice. Your webapp has accessToken already, so you just need to send it as "password" to JAAS. Probably something like this should work: connectionFactory.createConnection(username , accessTokenString); Marek On 02/04/17 21:20, Shankar_Bhaskaran wrote: > Hi , > > I was able to secure activemq behind keycloak using the direct access login module, but I specifically have to pass the username and password while getting a connection from active mq. The SSO aspect of keycloak is not fulfilled since I have to pass username , password from the webapplication. The activemq and my application share the same security domain also. 
> connection = (ActiveMQConnection) connectionFactory.createConnection(username , password); > Is there a way to get authenticated in ActiveMQ in the same user session as the web application that is calling the connection > > Regards, > Shankar > > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Wednesday, February 1, 2017 5:21 PM > To: Shankar_Bhaskaran ; keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-dev] Keycloak on active MQ > > I didn't try that yet. However I think it should work as ActiveMQ has some support for JAAS. We have some JAAS login modules, which can be used to secure those kind of services. See docs for details https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/latest/topics/oidc/java/jaas.html > . > > Marek > > On 01/02/17 10:26, Shankar_Bhaskaran wrote: >> Hi , >> >> We are using keycloak as SSO in our organization. I would like to know if securing activemq using keycloak is a valid use case. Does keycloak allow us to validate jms requests to the queue or topic? >> >> Regards, >> Shankar >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > From teoreste at gmail.com Mon Apr 3 03:14:40 2017 From: teoreste at gmail.com (matteo restelli) Date: Mon, 3 Apr 2017 09:14:40 +0200 Subject: [keycloak-user] Mobile App, native login In-Reply-To: References: Message-ID: Hi all, has anyone solved this problem? Thank you, Matteo 2017-03-27 17:37 GMT+02:00 matteo restelli : > Hi all, > we're planning to use Keycloak for a project and we're really excited > about that. The only thing that makes us thinking a little bit is the > authentication flow via native mobile app. I've already read that the > authentication via Webview or External Browser, using the Keycloak login > page, is the best practice. 
But we think that our mobile app designers > might prefer a native login form with some buttons for social login. How > can we do that? > > 1) For "direct" authentication via username & password we can use the > direct access grants mode, is it right? > > 2) What about the social login part? How can we authenticate users when we > receive the access token from an external identity providers such as > Facebook? We need to implement our custom Authenticators and then deploy > them with Keycloak? > > I apologize because i know that this question has been asked a lot of > times, but we haven't been able to figure it out. > > Thank you very much, have a nice day, > Matteo > From mposolda at redhat.com Mon Apr 3 03:24:29 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Apr 2017 09:24:29 +0200 Subject: [keycloak-user] How to retrieve Organiational Unit from LDAP? In-Reply-To: References: <0b5c5c59-c57b-d372-4fe6-22c7928a92d3@redhat.com> <5c42c7ed-0166-be7f-3d08-489a886ff15a@redhat.com> Message-ID: Hi, it looks that new option "Read from base DN" is not needed as LDAP vendors usually has attribute with DN available on the LDAP object. For MSAD it is "distinguishedName" attribute, for some others like OpenLDAP it is "entryDN" . So you can just configure OOTB UserAttribute mapper with this attribute mapped? TBH this usecase seems to be quite specific for your needs, so not sure if it's good to have this OOTB as every feature and new option adds some complexity. Idea is that people can use OOTB mappers for the more common functionalities and create their own mapper if they need something advanced and domain specific. And this looks to me like the second case TBH. At least never saw anyone else asking for this. Marek On 31/03/17 12:35, Celso Agra wrote: > I was thinking to create a PR for class UserAttributeLDAPStorageMapper > =. would be possible to do that? 
> I created a fork for that --> > https://github.com/keycloak/keycloak/compare/3.0.x...celsoagra:master > > and here i the attached file with an idea (just a simple idea!! ). > > 2017-03-31 3:44 GMT-03:00 Marek Posolda >: > > Yes, I would likely create subclass of this one and override some > method, so the attribute value is just your ou and not full DN. > Just a note that LDAP Mapper SPI is unsupported and some method > signatures can change in the future etc. > > Marek > > > On 31/03/17 02:44, Celso Agra wrote: >> Maybe this class could help me to create a new Mapper: >> >> https://github.com/keycloak/keycloak/blob/94afba91a0d3f51021e036796c536747cc33796e/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java >> >> >> 2017-03-30 21:31 GMT-03:00 Celso Agra > >: >> >> Thanks Marek! For now, I'm using the (a) option! >> >> But I think would be possible to implement an LDAP Mapper in >> the future. just to get the "ou" info. >> I'll take a look in the code and try to add a new Mapper Type. >> >> Thanks again! This is a really great tool! >> >> 2017-03-30 16:33 GMT-03:00 Marek Posolda > >: >> >> There is no built-in support for this. However you can >> achieve it by doing any of: >> >> a) Map the LDAP_ENTRY_DN as attribute in your token and >> then have some logic in your application (or whenever it >> is needed) that will just parse name of the OU from the >> full DN. >> b) Create the custom LDAP mapper, which will do the >> above. Then it will be available in user attributes >> c) Create protocol mapper, which will do the above. User >> attribute will still contain just LDAP_ENTRY_DN, but you >> will have claim in the token with the value of your OU. >> >> I would personally go with (a) and handle it in your app >> if possible. That's the easiest path IMO. 
>> >> Marek >> >> >> On 30/03/17 20:20, Celso Agra wrote: >> >> Hi all, >> >> I'd like to retrieve the organizational unit (ou) >> from LDAP Mapper and set >> this in the User Attributes. >> >> When I get a user from LDAP, it set an attribute >> called LDAP_ENTRY_DN, with >> value : "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1" >> >> So, I'd like to retrieve just the ou info "group", >> and set this to the user >> attribute. >> Would be possible to do that? Is there some mapper >> type just to retrieve >> this information? >> >> Best Regards, >> >> >> >> >> >> -- >> --- >> *Celso Agra* >> >> >> >> >> -- >> --- >> *Celso Agra* > > > > > > -- > --- > *Celso Agra* From mposolda at redhat.com Mon Apr 3 03:32:13 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Apr 2017 09:32:13 +0200 Subject: [keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP In-Reply-To: References: <462a2f04-e0f3-b019-66bb-1dc8436f395b@redhat.com> Message-ID: On 23/03/17 15:09, abhishek raghav wrote: > Hi, > > We are completely blocked because of this particular use case of not > syncing role-group relationship to LDAP, as we are not assigning role > directly to the users, we are assigning the roles via group. > > I could see an "Admin event" of type CREATE and DELETE for any change > in role assignment to a group. Here the Event Resource Type is > "CLIENT_ROLE_MAPPING". Role details are also available here. > Is it possible to write this info to LDAP, by writing a custom event > listener, which gets triggered on when any role is assigned to a group. Yes, that would be possible as workaround. Note that it will work just in case that you always assign group-role relationship in Keycloak. Any changes done directly in LDAP (not via Keycloak) won't work. Also you would need to handle deletion (removal) of relationship if you need it. 
Other possibilities (I already mentioned some in previous email, so just repeating): - Use just LDAP directly to manage assign relationships for roles-groups - "User Roles Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper to ensure that LDAP will retrieve also the transitive membership mappings. This works just for MSAD Marek > > I know this approach sound a little off but i would like to know your > thoughts on it. > > Could someone please suggest any workaround to solve this use case, as > it seems to be not easily solvable by using LDAP mapper SPI given the > fact that Keycloak doesn't support federation for groups or roles. > > > We really appreciate any help in this regard. > > > > > *- Best Regards* > Abhishek Raghav > > > > > > > > On Mon, Mar 13, 2017 at 3:15 PM, Marek Posolda > wrote: > > On 10/03/17 12:15, abhishek raghav wrote: >> Thanks Marek. >> >> Is it possible by writing a *custom ldap mapper* and deploy in >> Keycloak for this scenario. >> We am using *MSAD *as our LDAP provider. > The usecase you pointed, won't be easily solvable with LDAP mapper > SPI. We don't have federation for groups or roles. So once you > assign new role to some group in KC admin console, there is > currently not a way to propagate this info and being visible by > LDAP mappers. > > What would work is the opposite though. If you assign some LDAP > group "foo-group" as "member" of LDAP role "bar-role", then you > won't see membership between this group and role in KC admin > console. However your users in Keycloak, which are members of > "foo-group" will be automatically treated as members of "bar-role" > in Keycloak as well. Note that you may need to switch "User Roles > Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" > for your role mapper here. > > Marek > >> >> If yes, do you have any example implementation for the same. >> I also found that there is some SPI for User Federation Mapper SPI. 
>> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html >> >> >> >> >> >> >> *- Best Regards* >> Abhishek Raghav >> >> >> >> >> >> >> >> On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda >> > wrote: >> >> Yes, you're right. This is not available ATM. What is >> available is the support for Keycloak group inheritance to be >> mapped for LDAP groups. But mapping for: >> - Groups-roles membership mappings >> - Roles to composite roles membership mappings >> is not available now. >> >> Feel free to create JIRA. But not sure if we ever go into it... >> >> Marek >> >> >> On 10/03/17 11:31, abhishek raghav wrote: >> >> Hi >> >> I have a set of* Realm Roles* that is mapped to an >> certain *OU=Roles* in an >> *MSAD*. Similar is the case for a set of *Groups*. >> >> But when I *assign a group with a certain role, the >> assignment is visible >> in Keycloak. But the same is not reflected on the AD.* >> I mean, this mapping of role and group is *not stored in >> the "member" or >> "memberof" attributes of either the respective group or >> the role*. >> >> Please suggest is this functionality available using any >> mapper from >> Keycloak to AD? Or do we need to create our own Custom >> Mapper? If yes, how? 
>> >> >> *- Best Regards* >> Abhishek Raghav >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> > > From andipansa at gmail.com Mon Apr 3 03:53:16 2017 From: andipansa at gmail.com (=?UTF-8?Q?Andrzej_Go=C5=82awski?=) Date: Mon, 3 Apr 2017 09:53:16 +0200 Subject: [keycloak-user] [keycloak-dev] Keycloak on active MQ In-Reply-To: <9eef3811-6322-7ff5-6130-bcf6f2d75521@redhat.com> References: <1485941179202.13544@infosys.com> <9eef3811-6322-7ff5-6130-bcf6f2d75521@redhat.com> Message-ID: I did it in one project by adding plugin to activeMQ configuration : Keycloak module definition: KeycloakModule { org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule required keycloak-config-file="classpath:keycloak.json" role-principal-class=org.apache.activemq.jaas.GroupPrincipal; }; best regards Andi 2017-04-03 9:12 GMT+02:00 Marek Posolda : > Yes, I think that for that case the second login module > (BearerTokenLoginModule) is better choice. Your webapp has accessToken > already, so you just need to send it as "password" to JAAS. Probably > something like this should work: > > connectionFactory.createConnection(username , accessTokenString); > > > Marek > > On 02/04/17 21:20, Shankar_Bhaskaran wrote: > > Hi , > > > > I was able to secure activemq behind keycloak using the direct access > login module, but I specifically have to pass the username and password > while getting a connection from active mq. The SSO aspect of keycloak is > not fulfilled since I have to pass username , password from the > webapplication. The activemq and my application share the same security > domain also. 
> > connection = (ActiveMQConnection) connectionFactory.createConnection(username > , password); > > Is there a way to get authenticated in ActiveMQ in the same user session > as the web application that is calling the connection > > > > Regards, > > Shankar > > > > -----Original Message----- > > From: Marek Posolda [mailto:mposolda at redhat.com] > > Sent: Wednesday, February 1, 2017 5:21 PM > > To: Shankar_Bhaskaran ; > keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-dev] Keycloak on active MQ > > > > I didn't try that yet. However I think it should work as ActiveMQ has > some support for JAAS. We have some JAAS login modules, which can be used > to secure those kind of services. See docs for details > https://keycloak.gitbooks.io/securing-client-applications- > guide/content/v/latest/topics/oidc/java/jaas.html > > . > > > > Marek > > > > On 01/02/17 10:26, Shankar_Bhaskaran wrote: > >> Hi , > >> > >> We are using keycloak as SSO in our organization. I would like to know > if securing activemq using keycloak is a valid use case. Does keycloak > allow us to validate jms requests to the queue or topic? > >> > >> Regards, > >> Shankar > >> _______________________________________________ > >> keycloak-dev mailing list > >> keycloak-dev at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From n.heldmaier at gmail.com Mon Apr 3 03:59:24 2017 From: n.heldmaier at gmail.com (nicolas heldmaier) Date: Mon, 3 Apr 2017 09:59:24 +0200 Subject: [keycloak-user] Disable Authenticator menu in user account service Message-ID: Hello, I'm currently configuring keycloak, and i wont use OTP authenticator. But i cant make the authenticator menu not to show in user account service. 
i saw this sentence in the doc : "The Authenticator menu item allows the user to set up OTP if they desire. This will only show up if OTP is a valid authentication mechanism for your realm" But i dont find where to declare that OTP is not a valid authentication mechanism. Best Regards. Nicolas. From john.bartko at drillinginfo.com Mon Apr 3 08:45:25 2017 From: john.bartko at drillinginfo.com (John Bartko) Date: Mon, 3 Apr 2017 07:45:25 -0500 Subject: [keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP In-Reply-To: References: <462a2f04-e0f3-b019-66bb-1dc8436f395b@redhat.com> Message-ID: Semi-related to the discussion, there is an open ticket for 389ds LDAP to allow the memberOf attribute in groupOfNames objects via an auxiliary object class: https://pagure.io/389-ds-base/issue/48985 On Mon, Apr 3, 2017 at 2:32 AM, Marek Posolda wrote: > On 23/03/17 15:09, abhishek raghav wrote: > > Hi, > > > > We are completely blocked because of this particular use case of not > > syncing role-group relationship to LDAP, as we are not assigning role > > directly to the users, we are assigning the roles via group. > > > > I could see an "Admin event" of type CREATE and DELETE for any change > > in role assignment to a group. Here the Event Resource Type is > > "CLIENT_ROLE_MAPPING". Role details are also available here. > > Is it possible to write this info to LDAP, by writing a custom event > > listener, which gets triggered on when any role is assigned to a group. > Yes, that would be possible as workaround. Note that it will work just > in case that you always assign group-role relationship in Keycloak. Any > changes done directly in LDAP (not via Keycloak) won't work. Also you > would need to handle deletion (removal) of relationship if you need it. 
> > Other possibilities (I already mentioned some in previous email, so just > repeating): > - Use just LDAP directly to manage assign relationships for roles-groups > - "User Roles Retrieve Strategy" to > "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper to > ensure that LDAP will retrieve also the transitive membership mappings. > This works just for MSAD > > Marek > > > > I know this approach sound a little off but i would like to know your > > thoughts on it. > > > > Could someone please suggest any workaround to solve this use case, as > > it seems to be not easily solvable by using LDAP mapper SPI given the > > fact that Keycloak doesn't support federation for groups or roles. > > > > > > We really appreciate any help in this regard. > > > > > > > > > > *- Best Regards* > > Abhishek Raghav > > > > > > > > > > > > > > > > On Mon, Mar 13, 2017 at 3:15 PM, Marek Posolda > > wrote: > > > > On 10/03/17 12:15, abhishek raghav wrote: > >> Thanks Marek. > >> > >> Is it possible by writing a *custom ldap mapper* and deploy in > >> Keycloak for this scenario. > >> We am using *MSAD *as our LDAP provider. > > The usecase you pointed, won't be easily solvable with LDAP mapper > > SPI. We don't have federation for groups or roles. So once you > > assign new role to some group in KC admin console, there is > > currently not a way to propagate this info and being visible by > > LDAP mappers. > > > > What would work is the opposite though. If you assign some LDAP > > group "foo-group" as "member" of LDAP role "bar-role", then you > > won't see membership between this group and role in KC admin > > console. However your users in Keycloak, which are members of > > "foo-group" will be automatically treated as members of "bar-role" > > in Keycloak as well. Note that you may need to switch "User Roles > > Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" > > for your role mapper here. 
> > > > Marek > > > >> > >> If yes, do you have any example implementation for the same. > >> I also found that there is some SPI for User Federation Mapper SPI. > >> https://keycloak.gitbooks.io/server-developer-guide/ > content/v/2.2/topics/user-federation-mapper.html > >> content/v/2.2/topics/user-federation-mapper.html> > >> > >> > >> > >> > >> > >> *- Best Regards* > >> Abhishek Raghav > >> > >> > >> > >> > >> > >> > >> > >> On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda > >> > wrote: > >> > >> Yes, you're right. This is not available ATM. What is > >> available is the support for Keycloak group inheritance to be > >> mapped for LDAP groups. But mapping for: > >> - Groups-roles membership mappings > >> - Roles to composite roles membership mappings > >> is not available now. > >> > >> Feel free to create JIRA. But not sure if we ever go into it... > >> > >> Marek > >> > >> > >> On 10/03/17 11:31, abhishek raghav wrote: > >> > >> Hi > >> > >> I have a set of* Realm Roles* that is mapped to an > >> certain *OU=Roles* in an > >> *MSAD*. Similar is the case for a set of *Groups*. > >> > >> But when I *assign a group with a certain role, the > >> assignment is visible > >> in Keycloak. But the same is not reflected on the AD.* > >> I mean, this mapping of role and group is *not stored in > >> the "member" or > >> "memberof" attributes of either the respective group or > >> the role*. > >> > >> Please suggest is this functionality available using any > >> mapper from > >> Keycloak to AD? Or do we need to create our own Custom > >> Mapper? If yes, how? 
> >> > >> > >> *- Best Regards* > >> Abhishek Raghav > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > >> > >> > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Gregor.Tudan at cofinpro.de Mon Apr 3 10:03:51 2017 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Mon, 3 Apr 2017 14:03:51 +0000 Subject: [keycloak-user] additional realm properties in theme Message-ID: Hi, I would like to design a theme that has dynamic properties depending on the realm. Each customer would get their own realm but still use the same theme. Is it possible to add additional fields to the realm (i.e. the customer address) and use them in the templates? For example, emails should contain a footer with the customers address and contact details. Or is it possible to load an external properties file from the filesystem? Like ?/opt/keycloak/themes/mytheme/common/customer1.properties?? Thanks in advance! Gregor From chris.savory at edlogics.com Mon Apr 3 10:59:59 2017 From: chris.savory at edlogics.com (Chris Savory) Date: Mon, 3 Apr 2017 14:59:59 +0000 Subject: [keycloak-user] Mobile App, native login In-Reply-To: References: Message-ID: <4761BAC5-7F97-4F4B-A3DE-089A70531EE5@edlogics.com> I?m not 100% sure on this, but if you don?t? care about users of your app receiving a SSO token, I believe you can just do a direct access grant token and have them logged into only the client your app using. -- Christopher Savory www.edlogics.com On 4/3/17, 2:14 AM, "keycloak-user-bounces at lists.jboss.org on behalf of matteo restelli" wrote: Hi all, has anyone solved this problem? 
Thank you,
Matteo

2017-03-27 17:37 GMT+02:00 matteo restelli :
> Hi all,
> we're planning to use Keycloak for a project and we're really excited about that. The only thing that makes us think a little bit is the authentication flow via native mobile app. I've already read that the authentication via Webview or External Browser, using the Keycloak login page, is the best practice. But we think that our mobile app designers might prefer a native login form with some buttons for social login. How can we do that?
>
> 1) For "direct" authentication via username & password we can use the direct access grants mode, is it right?
>
> 2) What about the social login part? How can we authenticate users when we receive the access token from an external identity provider such as Facebook? We need to implement our custom Authenticators and then deploy them with Keycloak?
>
> I apologize because I know that this question has been asked a lot of times, but we haven't been able to figure it out.
>
> Thank you very much, have a nice day,
> Matteo

From teoreste at gmail.com Mon Apr 3 12:08:19 2017
From: teoreste at gmail.com (matteo restelli)
Date: Mon, 3 Apr 2017 18:08:19 +0200
Subject: [keycloak-user] Mobile App, native login
In-Reply-To: <4761BAC5-7F97-4F4B-A3DE-089A70531EE5@edlogics.com>
References: <4761BAC5-7F97-4F4B-A3DE-089A70531EE5@edlogics.com>
Message-ID:

Thank you for the reply, Chris,

Yes, I know that I can use direct access grants. But what about Social Login? Is it possible to have a direct access grant supplying a Facebook token, or a Google+ token?

For example, please see this image of Spotify login: https://s-media-cache-ak0.pinimg.com/736x/b5/be/e1/b5bee1835e50f11ccfeca0b76c340600.jpg

How can I achieve a result similar to this with native UI and Keycloak?
Thank you in advance,
Matteo

2017-04-03 16:59 GMT+02:00 Chris Savory :
> I'm not 100% sure on this, but if you don't care about users of your app receiving a SSO token, I believe you can just do a direct access grant token and have them logged into only the client your app is using.
>
> --
> Christopher Savory
> www.edlogics.com
>
> On 4/3/17, 2:14 AM, "keycloak-user-bounces at lists.jboss.org on behalf of matteo restelli" <teoreste at gmail.com> wrote:
>
> Hi all,
> has anyone solved this problem?
>
> Thank you,
> Matteo
>
> 2017-03-27 17:37 GMT+02:00 matteo restelli :
>
> > Hi all,
> > we're planning to use Keycloak for a project and we're really excited about that. The only thing that makes us think a little bit is the authentication flow via native mobile app. I've already read that the authentication via Webview or External Browser, using the Keycloak login page, is the best practice. But we think that our mobile app designers might prefer a native login form with some buttons for social login. How can we do that?
> >
> > 1) For "direct" authentication via username & password we can use the direct access grants mode, is it right?
> >
> > 2) What about the social login part? How can we authenticate users when we receive the access token from an external identity provider such as Facebook? We need to implement our custom Authenticators and then deploy them with Keycloak?
> >
> > I apologize because I know that this question has been asked a lot of times, but we haven't been able to figure it out.
> >
> > Thank you very much, have a nice day,
> > Matteo

From michael.anthon at infoview.com.au Mon Apr 3 21:00:39 2017
From: michael.anthon at infoview.com.au (Michael Anthon)
Date: Tue, 4 Apr 2017 01:00:39 +0000
Subject: [keycloak-user] Exposing federatedIdentity object in other locations
Message-ID:

I have a need to do some template manipulation based on the state of the federatedIdentity object for the user. For example, if the user had a federated identity then we don't want them to be able to reset their password within Keycloak. In this case I want to alter the password.ftl to remove the password fields and display instead a message telling them to go to their IdP to update their password.

An extra property against the IdP to store a URL that we could use inside the template to provide a link to the right address to go to for resetting the password would also be awesome, but a generic message would suffice in most cases (or we could store extra message strings including those URLs keyed on the IdP alias maybe).

It would also be useful in the main account template.ftl to show or hide the identity tab depending on whether they have any federations or not (we have already modified federatedIdentity to hide any IdP that is not already linked to that user).

So, would this be possible or desirable, or is there another way to achieve what I want?

Thanks,
Michael

From marc.tempelmeier at flane.de Tue Apr 4 05:01:35 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 4 Apr 2017 09:01:35 +0000
Subject: [keycloak-user] Generate and set the cluster slave secret and other options
Message-ID: <4e0493ef4ffd455c87feecc315a5897e@dehamex2013.europe.flane.local>

Hi,

I want to build and set up the Domain Clustered Mode in Docker.
Is there a possibility to set the secret and options in the master myself and not use "add-user.sh"? Best regards Marc From unm at greenbyte.dk Tue Apr 4 07:52:56 2017 From: unm at greenbyte.dk (Ulrik Nejsum Madsen) Date: Tue, 04 Apr 2017 13:52:56 +0200 Subject: [keycloak-user] Securing an EAR file with Wildfly adapter subsystem Message-ID: <1491306776479.3307.55076@webmail9> Hi, We are trying to secure our application using the Wildfly adapter for Keycloak. In the standalone.xml we have a subsystem configuration which works well when referencing a WAR file but we can't figure out how to reference a specific WAR file contained in an EAR file. ... Is this even possible? Could we do something like this: ... Thanks, Anders and Ulrik From martin.hardselius at gmail.com Tue Apr 4 08:57:15 2017 From: martin.hardselius at gmail.com (Martin Hardselius) Date: Tue, 04 Apr 2017 12:57:15 +0000 Subject: [keycloak-user] Building and testing keycloak custom modules/SPIs Message-ID: Hi, I would like to know more on how people are approaching building and testing of custom modules / installations. In our current setup we have a repo where we develop all our custom code. We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build wildfly modules from that code. Then we create a new custom docker image from the keycloak base image and those built modules. After we've built our custom image, a separate repo with integration tests / security tests / etc. is built, targeting the newly created image. If everything checks out, the image is deployed in our kubernetes cluster. Every step of the process is automated and works kind of ok. What I really don't like is the separation of our "module/SPI repo" and our test suite. Ideally, I would like to write all my integration tests in the same repo as the code that I'm testing and be able to fire them against a running keycloak server (with my code deployed) from within my IDE. Does this make sense? 
Has anyone done something like this? Is there an alternative way to build our custom images that is better suited?

Looking forward to a discussion on this.

Regards,
Martin

From sthorger at redhat.com Tue Apr 4 09:54:45 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Apr 2017 15:54:45 +0200
Subject: [keycloak-user] Building and testing keycloak custom modules/SPIs
In-Reply-To:
References:
Message-ID:

Use the new JEE deployer approach. Then you can deploy and re-deploy providers live to the server with simply running "mvn wildfly:deploy".

On 4 April 2017 at 14:57, Martin Hardselius wrote:
> Hi,
>
> I would like to know more on how people are approaching building and testing of custom modules / installations.
>
> In our current setup we have a repo where we develop all our custom code. We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build wildfly modules from that code. Then we create a new custom docker image from the keycloak base image and those built modules. After we've built our custom image, a separate repo with integration tests / security tests / etc. is built, targeting the newly created image. If everything checks out, the image is deployed in our kubernetes cluster. Every step of the process is automated and works kind of ok.
>
> What I really don't like is the separation of our "module/SPI repo" and our test suite. Ideally, I would like to write all my integration tests in the same repo as the code that I'm testing and be able to fire them against a running keycloak server (with my code deployed) from within my IDE. Does this make sense? Has anyone done something like this? Is there an alternative way to build our custom images that is better suited?
>
> Looking forward to a discussion on this.
>
> Regards,
> Martin

From martin.hardselius at gmail.com Tue Apr 4 10:32:21 2017
From: martin.hardselius at gmail.com (Martin Hardselius)
Date: Tue, 04 Apr 2017 14:32:21 +0000
Subject: [keycloak-user] Building and testing keycloak custom modules/SPIs
In-Reply-To:
References:
Message-ID:

Is this documented somewhere (I can't seem to find it)?

How would that work for completely custom SPIs with their own configuration? We make heavy use of standalone-ha.xml to configure providers with environment variables, which in turn are injected into the containers by Kubernetes.

On Tue, 4 Apr 2017 at 15:54 Stian Thorgersen wrote:
> Use the new JEE deployer approach. Then you can deploy and re-deploy providers live to the server with simply running "mvn wildfly:deploy".
>
> On 4 April 2017 at 14:57, Martin Hardselius wrote:
>
> Hi,
>
> I would like to know more on how people are approaching building and testing of custom modules / installations.
>
> In our current setup we have a repo where we develop all our custom code. We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build wildfly modules from that code. Then we create a new custom docker image from the keycloak base image and those built modules. After we've built our custom image, a separate repo with integration tests / security tests / etc. is built, targeting the newly created image. If everything checks out, the image is deployed in our kubernetes cluster. Every step of the process is automated and works kind of ok.
>
> What I really don't like is the separation of our "module/SPI repo" and our test suite. Ideally, I would like to write all my integration tests in the same repo as the code that I'm testing and be able to fire them against a running keycloak server (with my code deployed) from within my IDE.
> Does this make sense? Has anyone done something like this? Is there an alternative way to build our custom images that is better suited?
>
> Looking forward to a discussion on this.
>
> Regards,
> Martin

From mariusz at info.nl Tue Apr 4 12:08:50 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Tue, 4 Apr 2017 16:08:50 +0000
Subject: [keycloak-user] How to authenticate using offline refresh_token
Message-ID:

Hi,

We are using scope=offline_token param to get refresh_token that is valid for long time, then we do call:

grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}

to get access_token, and that call returns access_token with status 200. Next step is to call our custom REST Endpoint using authorization header:

Authorization: bearer {access_token}

But in Keycloak itself, when we try to check if token is valid:

    private final AuthenticationManager.AuthResult auth;

    public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
        this.session = session;
        this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX));
    }

this.auth is null, when I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued?

What is even more interesting, this works between first login using credentials and time configured as SSO Session Idle (so in our case for 30 minutes)

I understand that session is closed after some Idle time, but if we have valid refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong method?
Kind Regards,

Mariusz Chruścielewski
software engineer
mariusz at info.nl | LinkedIn | +31 (0)20 530 9113

info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From mstrukel at redhat.com Tue Apr 4 13:10:32 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 4 Apr 2017 19:10:32 +0200
Subject: [keycloak-user] How to authenticate using offline refresh_token
In-Reply-To:
References:
Message-ID:

Maybe try:

Authorization: Bearer {access_token}

(uppercase Bearer)

On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl" wrote:

Hi,

We are using scope=offline_token param to get refresh_token that is valid for long time, then we do call:

grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}

to get access_token, and that call returns access_token with status 200. Next step is to call our custom REST Endpoint using authorization header:

Authorization: bearer {access_token}

But in Keycloak itself, when we try to check if token is valid:

    private final AuthenticationManager.AuthResult auth;

    public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
        this.session = session;
        this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX));
    }

this.auth is null, when I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued?

What is even more interesting, this works between first login using credentials and time configured as SSO Session Idle (so in our case for 30 minutes)

I understand that session is closed after some Idle time, but if we have valid refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong method?
Kind Regards,

Mariusz Chruścielewski
software engineer
mariusz at info.nl | LinkedIn | +31 (0)20 530 9113

info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From gtrisca at cignifi.com Tue Apr 4 13:17:48 2017
From: gtrisca at cignifi.com (Gabriel Trisca)
Date: Tue, 4 Apr 2017 13:17:48 -0400
Subject: [keycloak-user] Integration Tests
Message-ID:

Hi all,

What is the best way to run integration tests with Keycloak? I would like to have an embedded Keycloak server that can be brought up as a @ClassRule or something along those lines, and then I can validate that different users have or don't have access to resources/scopes.

I found that there is a testsuite path in Git that contains many useful classes, like a KeycloakServer that can be initialized with a realm exported as JSON, but this module (keycloak-testsuite-integration) is not deployed to Maven central.

I tried to clone the repository and install that artifact locally, but I face different errors that hint at mismatched versions in dependencies:

Caused by: java.lang.NoSuchMethodError: org.hibernate.engine.spi.SessionFactoryImplementor.getProperties()Ljava/util/Properties;
    at org.hibernate.jpa.internal.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:124)
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:890)
    at org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63)
    ...

Thanks in advance.

--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
P: +1 857-209-2685 |
M: +1 301-433-2221 | www.cignifi.com

From mariusz at info.nl Tue Apr 4 13:24:29 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Tue, 4 Apr 2017 17:24:29 +0000
Subject: [keycloak-user] How to authenticate using offline refresh_token
In-Reply-To:
References:
Message-ID:

Hi Marko, it isn't the problem. It works with lowercase as long as SSO Session Idle time isn't over.

I think there has to be some different method to check if you are using access_token issued by using offline_refresh_token

When I do authorization call using offline refresh_token, I don't see new session open in keycloak admin console.

Any other ideas?

Regards
Mariusz

From: Marko Strukelj [mailto:mstrukel at redhat.com]
Sent: Tuesday 4 April 2017 19:11
To: Mariusz Chruscielewski - Info.nl
Cc: keycloak-user
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token

Maybe try:

Authorization: Bearer {access_token}

(uppercase Bearer)

On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl" wrote:
Hi,

We are using scope=offline_token param to get refresh_token that is valid for long time, then we do call:

grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}

to get access_token, and that call returns access_token with status 200. Next step is to call our custom REST Endpoint using authorization header:

Authorization: bearer {access_token}

But in Keycloak itself, when we try to check if token is valid:

    private final AuthenticationManager.AuthResult auth;

    public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
        this.session = session;
        this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX));
    }

this.auth is null, when I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using credentials and time configured as SSO Session Idle (so in our case for 30 minutes)

I understand that session is closed after some Idle time, but if we have valid refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong method?

Kind Regards,

Mariusz Chruścielewski
software engineer
mariusz at info.nl | LinkedIn | +31 (0)20 530 9113

info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From mposolda at redhat.com Tue Apr 4 15:48:19 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 4 Apr 2017 21:48:19 +0200
Subject: [keycloak-user] Integration Tests
In-Reply-To:
References:
Message-ID:

Hi,

there are some docs here https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md and here https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md

Marek

On 04/04/17 19:17, Gabriel Trisca wrote:
> Hi all,
>
> What is the best way to run integration tests with Keycloak? I would like to have an embedded Keycloak server that can be brought up as a @ClassRule or something along those lines, and then I can validate that different users have or don't have access to resources/scopes.
>
> I found that there is a testsuite path in Git that contains many useful classes, like a KeycloakServer that can be initialized with a realm exported as JSON, but this module (keycloak-testsuite-integration) is not deployed to Maven central.
>
> I tried to clone the repository and install that artifact locally, but I face different errors that hint at mismatched versions in dependencies:
>
> Caused by: java.lang.NoSuchMethodError: org.hibernate.engine.spi.SessionFactoryImplementor.getProperties()Ljava/util/Properties;
>     at org.hibernate.jpa.internal.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:124)
>     at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:890)
>     at org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63)
>     ...
>
> Thanks in advance.
>

From mposolda at redhat.com Tue Apr 4 15:53:14 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 4 Apr 2017 21:53:14 +0200
Subject: [keycloak-user] How to authenticate using offline refresh_token
In-Reply-To:
References:
Message-ID:

The access token itself is valid for just a few minutes. When the access token is expired, you need the offline token to send a request for refreshing the access token (retrieve a new access token).

I suggest looking at our example in the keycloak-examples distribution under the "preconfigured-demo/offline-access-app" directory.

Marek

On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
> Hi Marko, it isn't the problem. It works with lowercase as long as SSO Session Idle time isn't over.
>
> I think there has to be some different method to check if you are using access_token issued by using offline_refresh_token
>
> When I do authorization call using offline refresh_token, I don't see new session open in keycloak admin console.
>
> Any other ideas?
> > Regards > Mariusz > > From: Marko Strukelj [mailto:mstrukel at redhat.com] > Sent: dinsdag 4 april 2017 19:11 > To: Mariusz Chruscielewski - Info.nl > Cc: keycloak-user > Subject: Re: [keycloak-user] How to authenticate using offline refresh_token > > Maybe try: > > Authorization: Bearer {access_token} > > (uppercase Bearer) > > > On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl" > wrote: > Hi, > > We are using scope=offline_token param to get refresh_token that is valid for long time, then we do call : > > grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token} > > to get access_token, and that call returns access_token with status 200. Next step is to call our custom REST Endpoint using authorization header: > > Authorization: bearer {access_token} > > But in Keycloak itself, when we try to check if token is valid: > > private final AuthenticationManager.AuthResult auth; > > public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) { > this.session = session; > this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX)); > } > > this.auth is null, when I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued? > > What is even more interesting, this works between first login using credentials and time configured as SSO Session Idle (so in our case for 30 minutes) > > I understand that session is closed after some Idle time, but if we have valid refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong method? 
>
> Kind Regards,
>
> Mariusz Chruścielewski
> software engineer
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From Michael.Jacobs at nuance.com Tue Apr 4 18:07:04 2017
From: Michael.Jacobs at nuance.com (Jacobs, Michael)
Date: Tue, 4 Apr 2017 22:07:04 +0000
Subject: [keycloak-user] Overriding AssertionConsumerServiceURL in
Message-ID:

For our application we created a SAML Identity Provider to proxy authentication to an outside source. However we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?

We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level.
MJ

From Michael.Jacobs at nuance.com Tue Apr 4 18:27:07 2017
From: Michael.Jacobs at nuance.com (Jacobs, Michael)
Date: Tue, 4 Apr 2017 22:27:07 +0000
Subject: [keycloak-user] Overriding AssertionConsumerServiceURL in
Message-ID:

I should add we are running 2 nodes in Standalone Clustered Mode

From: Jacobs, Michael
Sent: Tuesday, April 04, 2017 3:07 PM
To: keycloak-user at lists.jboss.org
Subject: Overriding AssertionConsumerServiceURL in

For our application we created a SAML Identity Provider to proxy authentication to an outside source. However we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?

We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level.

MJ

From gtrisca at cignifi.com Tue Apr 4 19:15:11 2017
From: gtrisca at cignifi.com (Gabriel Trisca)
Date: Tue, 4 Apr 2017 19:15:11 -0400
Subject: [keycloak-user] Integration Tests
In-Reply-To:
References:
Message-ID:

Hi Marek,

Thanks for your response. If I understood correctly, those links explain how to run Keycloak's testsuite (if I modified any of the Keycloak source). What I'm looking for is something that I can run from my own code.

Doing some more googling, I found this thread from October: http://lists.jboss.org/pipermail/keycloak-user/2016-October/008031.html that mentions exactly what I'm looking for: a way for me to use the KeycloakServer class in my tests to programmatically start and configure the server, instead of using a full "distribution" version of Keycloak.
Are there any plans to make KeycloakServer available for these types of scenarios?

Thanks in advance!

On Tue, Apr 4, 2017 at 3:48 PM, Marek Posolda wrote:
> Hi,
>
> there are some docs here https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md and here https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md
>
> Marek
>
> On 04/04/17 19:17, Gabriel Trisca wrote:
>
>> Hi all,
>>
>> What is the best way to run integration tests with Keycloak? I would like to have an embedded Keycloak server that can be brought up as a @ClassRule or something along those lines, and then I can validate that different users have or don't have access to resources/scopes.
>>
>> I found that there is a testsuite path in Git that contains many useful classes, like a KeycloakServer that can be initialized with a realm exported as JSON, but this module (keycloak-testsuite-integration) is not deployed to Maven central.
>>
>> I tried to clone the repository and install that artifact locally, but I face different errors that hint at mismatched versions in dependencies:
>>
>> Caused by: java.lang.NoSuchMethodError: org.hibernate.engine.spi.SessionFactoryImplementor.getProperties()Ljava/util/Properties;
>>     at org.hibernate.jpa.internal.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:124)
>>     at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:890)
>>     at org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63)
>>     ...
>>
>> Thanks in advance.
>>
>

--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
P: +1 857-209-2685 |
M: +1 301-433-2221 | www.cignifi.com

From mposolda at redhat.com Wed Apr 5 02:29:42 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Apr 2017 08:29:42 +0200
Subject: [keycloak-user] Integration Tests
In-Reply-To:
References:
Message-ID: <191a5036-4b38-cc36-d98c-49c62c139f56@redhat.com>

On 05/04/17 01:15, Gabriel Trisca wrote:
> Hi Marek,
>
> Thanks for your response. If I understood correctly, those links explain how to run Keycloak's testsuite (if I modified any of the Keycloak source). What I'm looking for is something that I can run from my own code.
>
> Doing some more googling, I found this thread from October: http://lists.jboss.org/pipermail/keycloak-user/2016-October/008031.html that mentions exactly what I'm looking for: a way for me to use the KeycloakServer class in my tests to programmatically start and configure the server, instead of using a full "distribution" version of Keycloak.
>
> Are there any plans to make KeycloakServer available for these types of scenarios?

Nope, I think that we don't plan to officially support the "embedded" variant of the Keycloak server. The preferred way is to use our distribution.

However, there is nothing which prevents you from using it in your project. KeycloakServer is just a helper, which allows running the keycloak auth-server deployed on undertow. You can likely fork some code you need from it and use it in your own project. Just make sure that some functionalities, which require a real Wildfly server, won't work. For example JTA, provider deployers, datasources etc.

In short: you can use it, but it's not an officially recommended and supported distribution.

Marek

>
> Thanks in advance!
>
> On Tue, Apr 4, 2017 at 3:48 PM, Marek Posolda wrote:
>
> Hi,
>
> there are some docs here https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md and here https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md
>
> Marek
>
> On 04/04/17 19:17, Gabriel Trisca wrote:
>
> Hi all,
>
> What is the best way to run integration tests with Keycloak? I would like to have an embedded Keycloak server that can be brought up as a @ClassRule or something along those lines, and then I can validate that different users have or don't have access to resources/scopes.
>
> I found that there is a testsuite path in Git that contains many useful classes, like a KeycloakServer that can be initialized with a realm exported as JSON, but this module (keycloak-testsuite-integration) is not deployed to Maven central.
>
> I tried to clone the repository and install that artifact locally, but I face different errors that hint at mismatched versions in dependencies:
>
> Caused by: java.lang.NoSuchMethodError: org.hibernate.engine.spi.SessionFactoryImplementor.getProperties()Ljava/util/Properties;
>     at org.hibernate.jpa.internal.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:124)
>     at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:890)
>     at org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63)
>     ...
>
> Thanks in advance.
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
> P: +1 857-209-2685 | M: +1 301-433-2221 | www.cignifi.com

From sthorger at redhat.com Wed Apr 5 02:40:50 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 5 Apr 2017 08:40:50 +0200
Subject: [keycloak-user] Integration Tests
In-Reply-To:
References:
Message-ID:

We've moved away from KeycloakServer to our new Arquillian based testsuite.
That has options to run using embedded Undertow or a full server distribution. For now KeycloakServer remains, but it's only there as a quick way to start a KeycloakServer for development purposes and is not aimed at testing anymore. On 5 April 2017 at 01:15, Gabriel Trisca wrote: > Hi Marek, > > Thanks for your response. If I understood correctly, those links explain > how to run Keycloak's testsuit (if I modified any of the Keycloak source). > What I'm looking for is something that I can run from my own code. > > Doing some more googling, I found this thread from October: > http://lists.jboss.org/pipermail/keycloak-user/2016-October/008031.html > that mentions exactly what I'm looking for: a way for me to use the > KeycloakServer class in my tests to programatically start and configure the > server, instead of using a full "distribution" version of Keycloak. > > Are there any plans to make KeycloakServer available for these types of > scenarios? > > Thanks in advance! > > > > On Tue, Apr 4, 2017 at 3:48 PM, Marek Posolda wrote: > > > Hi, > > > > there is some docs here https://github.com/keycloak/ke > > ycloak/blob/master/misc/Testsuite.md and here > > https://github.com/keycloak/keycloak/blob/master/misc/ > HackingOnKeycloak.md > > > > Marek > > > > On 04/04/17 19:17, Gabriel Trisca wrote: > > > >> Hi all, > >> > >> What is the best way to run integration tests with Keycloak? I would > like > >> to have an embedded Keycloak server that can be brought up as a > @ClassRule > >> or something along those lines, and then I can validate that different > >> users have or don't have access to resources/scopes. > >> > >> I found that there is a testsuite path in Git that contains many useful > >> classes, like a KeycloakServer that can be initialized with a realm > >> exported as JSON, but this module (keycloak-testsuite-integration) is > not > >> deployed to Maven central. 
> >> > >> I tried to clone the repository and install that artifact locally, but I > >> face different errors that hint at mismatched versions in dependencies: > >> > >> Caused by: java.lang.NoSuchMethodError: > >> org.hibernate.engine.spi.SessionFactoryImplementor.getProperties()Ljava/util/Properties; > >> at > >> org.hibernate.jpa.internal.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:124) > >> at > >> org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:890) > >> at > >> org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63) > >> ... > >> > >> Thanks in advance. > >> > >> > > > > > -- > *Gabriel Trisca, Software Developer* > Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA > P: +1 857-209-2685 | M: +1 301-433-2221 | www.cignifi.com > From sthorger at redhat.com Wed Apr 5 02:42:34 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Apr 2017 08:42:34 +0200 Subject: [keycloak-user] Building and testing keycloak custom modules/SPIs In-Reply-To: References: Message-ID: The user storage example leverages this approach. It should be documented in the server developer guide. You can't deploy custom SPIs this way, only providers. For a custom SPI you'd have to deploy that as a module, restart the server, then you can deploy your custom providers for your custom SPIs. On 4 April 2017 at 16:32, Martin Hardselius wrote: > Is this documented somewhere (I can't seem to find it)? > > How would that work for completely custom SPIs with their own > configuration? We make heavy use of standalone-ha.xml to configure > providers with environment variables, which in turn are injected into the > containers by Kubernetes. 
> > On Tue, 4 Apr 2017 at 15:54 Stian Thorgersen wrote: > >> Use the new JEE deployer approach. Then you can deploy and re-reploy >> providers live to the server with simply running "mvn wildfly:deploy". >> >> On 4 April 2017 at 14:57, Martin Hardselius >> wrote: >> >> Hi, >> >> I would like to know more on how people are approaching building and >> testing of custom modules / installations. >> >> In our current setup we have a repo where we develop all our custom code. >> We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build >> wildfly modules from that code. Then we create a new custom docker image >> from the keycloak base image and those built modules. After we've built >> our >> custom image, a separate repo with integration tests / security tests / >> etc. is built, targeting the newly created image. If everything checks >> out, >> the image is deployed in our kubernetes cluster. Every step of the process >> is automated and works kind of ok. >> >> What I really don't like is the separation of our "module/SPI repo" and >> our >> test suite. Ideally, I would like to write all my integration tests in the >> same repo as the code that I'm testing and be able to fire them against a >> running keycloak server (with my code deployed) from within my IDE. Does >> this make sense? Has anyone done something like this? Is there an >> alternative way to build our custom images that is better suited? >> >> Looking forward to a discussion on this. 
>> >> Regards, >> Martin From antoine.vianey at gmail.com Wed Apr 5 02:59:49 2017 From: antoine.vianey at gmail.com (Antoine Vianey) Date: Wed, 5 Apr 2017 08:59:49 +0200 Subject: [keycloak-user] How to configure docker-v2 auth from the UI Message-ID: Hello, I'm trying to use the docker-v2 protocol from https://issues.jboss.org/browse/KEYCLOAK-3592 From the PR, I manage to have a running KC and I'm able to create a REALM "docker-registry" with a docker-v2 client but authentication through the docker cli is not working: The docker cli is making the request right: GET /auth/realms/docker/protocol/docker-v2/auth?account=###&client_id=docker&offline_token=true&service=docker-registry HTTP/1.1 User-Agent: docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e kernel/4.4.0-71-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.1-ce (linux)) Authorization: Basic ############## Accept-Encoding: gzip Connection: close but Keycloak answers with the HTML login page... which leads to "Error response from daemon: Get http://registry/v2/: unable to decode token response: invalid character '<' looking for beginning of value" I performed the following actions: - add "docker" realm - add "docker-registry" client - save (after setting * as valid redirect url) I noticed that "BASIC authentication is configured for your realm. Since docker auth requires HTTP Basic auth, this should be the only authenticator configured for the realm hosting the docker registry client." but didn't get it. What step should I follow so that the docker cli request successfully retrieves a token instead of a login page? Can you help so it works with a manual setup on a clean realm? 
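Antoine's trace shows the request the docker CLI sends but not what a correct answer looks like. The Go program below is an added example written for this page; it is not code from Keycloak, Docker or anyone on the thread. It walks the client side of the registry token flow: parsing the registry's WWW-Authenticate challenge (whose quoted scope value may itself contain a comma, as in pull,push), building the realm request the CLI sends with the Basic credentials in the Authorization header, and checking the response body so that the HTML login page from the thread is reported as such rather than as the CLI's "invalid character '<'". The host kc.example.test, the realm docker, the service docker-registry and the sample bodies are assumptions; the JSON token body layout follows the Docker registry token specification.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// BearerChallenge holds the WWW-Authenticate fields a registry sends on a 401 from /v2/.
type BearerChallenge struct {
	Realm   string // token endpoint, here Keycloak's .../protocol/docker-v2/auth (assumed host)
	Service string // e.g. docker-registry
	Scope   string // e.g. repository:myorg/app:pull,push (empty on a bare "docker login")
}

// ParseBearerChallenge parses `Bearer realm="...",service="...",scope="..."`.
// Quoted values may contain commas (pull,push), so a plain Split on "," would break scope.
func ParseBearerChallenge(header string) (BearerChallenge, error) {
	var c BearerChallenge
	if !strings.HasPrefix(header, "Bearer ") {
		return c, errors.New("not a Bearer challenge")
	}
	rest := strings.TrimPrefix(header, "Bearer ")
	for rest = strings.TrimLeft(rest, " ,"); rest != ""; rest = strings.TrimLeft(rest, " ,") {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			return c, fmt.Errorf("malformed parameter %q", rest)
		}
		key, val := rest[:eq], ""
		rest = rest[eq+1:]
		if strings.HasPrefix(rest, `"`) { // quoted value: read up to the closing quote
			end := strings.IndexByte(rest[1:], '"')
			if end < 0 {
				return c, errors.New("unterminated quoted value")
			}
			val, rest = rest[1:1+end], rest[2+end:]
		} else if end := strings.IndexByte(rest, ','); end >= 0 { // bare token
			val, rest = rest[:end], rest[end:]
		} else {
			val, rest = rest, ""
		}
		switch key {
		case "realm":
			c.Realm = val
		case "service":
			c.Service = val
		case "scope":
			c.Scope = val
		}
	}
	if c.Realm == "" || c.Service == "" {
		return c, errors.New("challenge lacks realm or service")
	}
	return c, nil
}

// BuildAuthURL reproduces the query the CLI sends to the realm URL; the Basic credentials travel in the Authorization header, never in the URL.
func BuildAuthURL(c BearerChallenge, account, clientID string, offline bool) string {
	q := url.Values{"account": {account}, "client_id": {clientID}, "service": {c.Service}}
	if offline {
		q.Set("offline_token", "true")
	}
	if c.Scope != "" {
		q.Set("scope", c.Scope)
	}
	return c.Realm + "?" + q.Encode()
}

// TokenResponse is the JSON body the Docker registry token spec requires.
type TokenResponse struct {
	Token     string `json:"token"`
	ExpiresIn int    `json:"expires_in"`
}

// ParseTokenResponse turns the symptom from the thread (an HTML login page, which the CLI reports as "invalid character '<'") into a readable error.
func ParseTokenResponse(body []byte) (TokenResponse, error) {
	var tr TokenResponse
	b := bytes.TrimSpace(body)
	if len(b) > 0 && b[0] == '<' {
		return tr, errors.New("endpoint returned HTML, not JSON: the realm served its browser login page instead of issuing a docker-v2 token")
	}
	if err := json.Unmarshal(b, &tr); err != nil {
		return tr, fmt.Errorf("token response is not valid JSON: %w", err)
	}
	if tr.Token == "" {
		return tr, errors.New("token response carries no token")
	}
	return tr, nil
}

func main() {
	// constructed challenge and body, not captured from a real registry
	c, _ := ParseBearerChallenge(`Bearer realm="https://kc.example.test/auth/realms/docker/protocol/docker-v2/auth",service="docker-registry",scope="repository:myorg/app:pull,push"`)
	fmt.Println(BuildAuthURL(c, "alice", "docker", true))
	_, err := ParseTokenResponse([]byte("<!DOCTYPE html><html>login form</html>"))
	fmt.Println("HTML body:", err)
}
```

To check a real deployment, send the URL that BuildAuthURL prints with curl -u user:password and feed the body to ParseTokenResponse: a JSON body with a token means the docker-v2 client and the authenticator Marko names in his reply are in place; an HTML body means the realm's browser login flow answered instead.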
From adrien.voisin.be at gmail.com Wed Apr 5 03:12:01 2017 From: adrien.voisin.be at gmail.com (Adrien Voisin) Date: Wed, 5 Apr 2017 09:12:01 +0200 Subject: [keycloak-user] Mapping Azure Ad token_id groups to users roles Message-ID: Hi all, I have the following configuration : *My application :* Front : Angular 2 Backend : Springboot rest api *Auth:* Keycloak 3.0.0 Windows Azure AD The goal is to use Keycloak and Windows Azure for authentication and permissions management of my web app. (I followed this tutorial : http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/ ) *Windows Azure AD* : I registered my webapp into Azure AD *Keycloak *: I added two clients (front & back) + an identity provider (Azure). The authentication part works well. (Each request is redirected to the Microsoft auth, then a user in Keycloak is added (first login). Now I would like to use information of the token of Azure (doc : https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims) for permissions management. A token from azure ad looks like below : { typ: "JWT", alg: "RS256", x5t: "kriMPdmBvx68skT8-mPAB3BseeA" }. 
{ aud: "https://contoso.onmicrosoft.com/scratchservice", iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/", iat: 1416968588, nbf: 1416968588, exp: 1416972488, ver: "1.0", tid: "b9411234-09af-49c2-b0c3-653adc1f376e", amr: [ "pwd" ], roles: [ "Admin" ], oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287", upn: "sample.user at contoso.onmicrosoft.com", unique_name: "sample.user at contoso.onmicrosoft.com", sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI", family_name: "User", given_name: "Sample", *groups: [ "0e129f6b-6b0a-4944-982d-f776000632af", "323b13b3-1851-4b94-947f-9a4dacb595f4", "6e32c250-9b0a-4491-b429-6c60d2ca9a42", "f3a161a7-9a58-4e8f-9d47-b70022a07424", "8d4c81b2-b1ad-476d-9574-544d155aa6ff", "1bf80164-ff24-4866-b19c-6212e5b9a847", "76f80127-f2cd-46f4-8c52-8edd8bc749b1", "0ba27160-44d0-42b5-b90c-47b3fcc48e35" ],* appid: "b075ddef-0efa-123b-997b-de1337c29185", appidacr: "1", scp: "user_impersonation", acr: "1" }. The goal is to map each group item into a user role, and to update this role assignment for each new token generated. For example, in the Identity provider / mapper section, I can add a mapper to add a role regarding a claim in the token ("Claim to role mapper type"). Unfortunately I can't see how I can do that with a list of IDs. Moreover, if the user already exists in the Keycloak database, this kind of mapping doesn't work. Can you tell me: 1. if it's possible to do this kind of mapping with Keycloak; 2. if I'm going in the right direction with the global architecture for authentication. 
Thank you in advance, Best regards, Adrien From mstrukel at redhat.com Wed Apr 5 05:13:18 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 5 Apr 2017 11:13:18 +0200 Subject: [keycloak-user] How to configure docker-v2 auth from the UI In-Reply-To: References: Message-ID: See my comment in the docs pull request: https://github.com/keycloak/keycloak-documentation/pull/55/files#r107408627 There was a slight change since then - the authenticator to use is not 'HTTP Basic Authentication' but 'Docker Authenticator'. On Wed, Apr 5, 2017 at 8:59 AM, Antoine Vianey wrote: > Hello, > > > I'm trying to use the docker-v2 protocol from > https://issues.jboss.org/browse/KEYCLOAK-3592 > > From the PR, I manage to have a running KC and I'm able to create a REALM > "docker-registry" with a docker-v2 client but authentication through the docker > cli is not working: > > > The docker cli is making the request right: > > GET /auth/realms/docker/protocol/docker-v2/auth?account=###&client_id=docker&offline_token=true&service=docker-registry HTTP/1.1 > User-Agent: docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e > kernel/4.4.0-71-generic os/linux arch/amd64 > UpstreamClient(Docker-Client/17.03.1-ce (linux)) > Authorization: Basic ############## > Accept-Encoding: gzip > Connection: close > > but Keycloak answers with the HTML login page... >  which leads to "Error response from daemon: Get http://registry/v2/: unable > to decode token response: invalid character '<' looking for beginning of > value" > > I performed the following actions: > > - add "docker" realm > - add "docker-registry" client > - save (after setting * as valid redirect url) > > I noticed that "BASIC authentication is configured for your realm. Since > docker auth requires HTTP Basic auth, this should be the only authenticator > configured for the realm hosting the docker registry client." but didn't > get it. 
> > What step should I follow so that the docker cli request successfully > retrieves a token instead of a login page? > > Can you help so it works with a manual setup on a clean realm? > From martin.hardselius at gmail.com Wed Apr 5 06:46:45 2017 From: martin.hardselius at gmail.com (Martin Hardselius) Date: Wed, 05 Apr 2017 10:46:45 +0000 Subject: [keycloak-user] Building and testing keycloak custom modules/SPIs In-Reply-To: References: Message-ID: Ok, thanks. Since we do a bit of both, I guess it's easier to continue deploying everything as modules to keep the build pipeline consistent. I guess I was looking for something along the lines of what Gabriel asked for in the "Integration Tests" thread. Maybe https://github.com/palantir/docker-compose-rule is something worth exploring in our case. On Wed, 5 Apr 2017 at 08:42 Stian Thorgersen wrote: The user storage example leverages this approach. It should be documented in the server developer guide. You can't deploy custom SPIs this way, only providers. For a custom SPI you'd have to deploy that as a module, restart the server, then you can deploy your custom providers for your custom SPIs. On 4 April 2017 at 16:32, Martin Hardselius wrote: Is this documented somewhere (I can't seem to find it)? How would that work for completely custom SPIs with their own configuration? We make heavy use of standalone-ha.xml to configure providers with environment variables, which in turn are injected into the containers by Kubernetes. On Tue, 4 Apr 2017 at 15:54 Stian Thorgersen wrote: Use the new JEE deployer approach. Then you can deploy and re-deploy providers live to the server with simply running "mvn wildfly:deploy". 
On 4 April 2017 at 14:57, Martin Hardselius wrote: Hi, I would like to know more on how people are approaching building and testing of custom modules / installations. In our current setup we have a repo where we develop all our custom code. We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build wildfly modules from that code. Then we create a new custom docker image from the keycloak base image and those built modules. After we've built our custom image, a separate repo with integration tests / security tests / etc. is built, targeting the newly created image. If everything checks out, the image is deployed in our kubernetes cluster. Every step of the process is automated and works kind of ok. What I really don't like is the separation of our "module/SPI repo" and our test suite. Ideally, I would like to write all my integration tests in the same repo as the code that I'm testing and be able to fire them against a running keycloak server (with my code deployed) from within my IDE. Does this make sense? Has anyone done something like this? Is there an alternative way to build our custom images that is better suited? Looking forward to a discussion on this. Regards, Martin From anders.kabell.kristensen at systematic.com Wed Apr 5 07:48:44 2017 From: anders.kabell.kristensen at systematic.com (Anders KK) Date: Wed, 5 Apr 2017 04:48:44 -0700 (MST) Subject: [keycloak-user] Securing an EAR file with Wildfly adapter subsystem In-Reply-To: <1491306776479.3307.55076@webmail9> References: <1491306776479.3307.55076@webmail9> Message-ID: <1491392924192-3447.post@n6.nabble.com> We solved our problem by using the JSON config inside the WAR file. Thus, we don't have to reference the EAR file at all. We removed the adapter configuration from the keycloak subsystem in standalone.xml. 
Ulrik and Anders -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Securing-an-EAR-file-with-Wildfly-adapter-subsystem-tp3425p3447.html Sent from the keycloak-user mailing list archive at Nabble.com. From upesh.m at edgeverve.com Wed Apr 5 08:44:33 2017 From: upesh.m at edgeverve.com (upesh.m) Date: Wed, 5 Apr 2017 05:44:33 -0700 (MST) Subject: [keycloak-user] Rollback keycloak user creation transaction when event listener fails Message-ID: <1491396272987-3448.post@n6.nabble.com> Hi, I have a custom SPI which listens to the CREATE USER admin event and does some operation in another database. But when the SPI fails (when unable to insert into the other database), I have to revert the user creation in Keycloak. I tried throwing a runtime exception in my event listener, but even then the user creation was successful in Keycloak. Can somebody please help? I am in urgent need of this. Any help is greatly appreciated. Thanks, Upesh M. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Rollback-keycloak-user-creation-transaction-when-event-listener-fails-tp3448.html Sent from the keycloak-user mailing list archive at Nabble.com. From sthorger at redhat.com Wed Apr 5 08:50:39 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Apr 2017 14:50:39 +0200 Subject: [keycloak-user] Securing an EAR file with Wildfly adapter subsystem In-Reply-To: <1491392924192-3447.post@n6.nabble.com> References: <1491306776479.3307.55076@webmail9> <1491392924192-3447.post@n6.nabble.com> Message-ID: Pretty sure you can do it with the subsystem as well, but I don't remember how. On 5 April 2017 at 13:48, Anders KK wrote: > We solved our problem by using the JSON config inside the WAR file. Thus, > we > don't have to reference the EAR file at all. We removed the adapter > configuration from the keycloak subsystem in standalone.xml. > > Ulrik and Anders > > > > -- > View this message in context: http://keycloak-user.88327.x6. 
> nabble.com/keycloak-user-Securing-an-EAR-file-with- > Wildfly-adapter-subsystem-tp3425p3447.html > Sent from the keycloak-user mailing list archive at Nabble.com. > From sthorger at redhat.com Wed Apr 5 08:51:10 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Apr 2017 14:51:10 +0200 Subject: [keycloak-user] Securing an EAR file with Wildfly adapter subsystem In-Reply-To: References: <1491306776479.3307.55076@webmail9> <1491392924192-3447.post@n6.nabble.com> Message-ID: I think it's something along the lines of what you suggested (<secure-deployment name="vanilla.ear.vanilla.war">) On 5 April 2017 at 14:50, Stian Thorgersen wrote: > Pretty sure you can do it with the subsystem as well, but I don't remember > how. > > On 5 April 2017 at 13:48, Anders KK wrote: > >> We solved our problem by using the JSON config inside the WAR file. Thus, >> we >> don't have to reference the EAR file at all. We removed the adapter >> configuration from the keycloak subsystem in standalone.xml. >> >> Ulrik and Anders >> >> >> >> -- >> View this message in context: http://keycloak-user.88327.x6. >> nabble.com/keycloak-user-Securing-an-EAR-file-with-Wildfly- >> adapter-subsystem-tp3425p3447.html >> Sent from the keycloak-user mailing list archive at Nabble.com. >> > > From java at neposoft.com Wed Apr 5 08:52:07 2017 From: java at neposoft.com (java_os) Date: Wed, 5 Apr 2017 08:52:07 -0400 Subject: [keycloak-user] Keycloak vs RH SSO - cluster/load balancer Message-ID: <39fb71a6b0a7d06cc1f84a849b275a10.squirrel@neposoft.com> Hi To jboss devs - wanted to know if latest RH SSO (7.1) ships bundled with JBoss EAP ? 
My requirement is to domain-cluster Keycloak under Apache with mod_cluster and balance with http mod_proxy_balancer. I know this cannot be done with Keycloak, and that is the reason why I am looking at RH SSO relating to EAP - I may be wrong. Please help. BTW - so quiet in the forum compared with previous months From sthorger at redhat.com Wed Apr 5 08:53:09 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Apr 2017 14:53:09 +0200 Subject: [keycloak-user] Building and testing keycloak custom modules/SPIs In-Reply-To: References: Message-ID: At some point we'll be moving the providers example to our new quickstarts repo [1]. When we do they will have integration tests. We haven't fleshed out exactly how that will look, but I imagine it would be using Arquillian to deploy the providers before running some tests against the server. [1] https://github.com/keycloak/keycloak-quickstarts On 5 April 2017 at 12:46, Martin Hardselius wrote: > Ok, thanks. Since we do a bit of both, I guess it's easier to continue > deploying everything as modules to keep the build pipeline consistent. > > I guess I was looking for something along the lines of what Gabriel asked for > in the "Integration Tests" thread. Maybe https://github.com/palantir/docker-compose-rule is something worth exploring in our case. > > On Wed, 5 Apr 2017 at 08:42 Stian Thorgersen wrote: > > The user storage example leverages this approach. It should be documented > in the server developer guide. > > You can't deploy custom SPIs this way, only providers. For a custom SPI > you'd have to deploy that as a module, restart the server, then you can > deploy your custom providers for your custom SPIs. > > On 4 April 2017 at 16:32, Martin Hardselius > wrote: > > Is this documented somewhere (I can't seem to find it)? > > How would that work for completely custom SPIs with their own > configuration? 
We make heavy use of standalone-ha.xml to configure > providers with environment variables, which in turn are injected into the > containers by Kubernetes. > > On Tue, 4 Apr 2017 at 15:54 Stian Thorgersen wrote: > > Use the new JEE deployer approach. Then you can deploy and re-reploy > providers live to the server with simply running "mvn wildfly:deploy". > > On 4 April 2017 at 14:57, Martin Hardselius > wrote: > > Hi, > > I would like to know more on how people are approaching building and > testing of custom modules / installations. > > In our current setup we have a repo where we develop all our custom code. > We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build > wildfly modules from that code. Then we create a new custom docker image > from the keycloak base image and those built modules. After we've built our > custom image, a separate repo with integration tests / security tests / > etc. is built, targeting the newly created image. If everything checks out, > the image is deployed in our kubernetes cluster. Every step of the process > is automated and works kind of ok. > > What I really don't like is the separation of our "module/SPI repo" and our > test suite. Ideally, I would like to write all my integration tests in the > same repo as the code that I'm testing and be able to fire them against a > running keycloak server (with my code deployed) from within my IDE. Does > this make sense? Has anyone done something like this? Is there an > alternative way to build our custom images that is better suited? > > Looking forward to a discussion on this. 
> > Regards, > Martin > > > > From shmuein+keycloak-dev at gmail.com Wed Apr 5 09:10:59 2017 From: shmuein+keycloak-dev at gmail.com (Muein Muzamil) Date: Wed, 5 Apr 2017 08:10:59 -0500 Subject: [keycloak-user] Encryption of OIDC client secret Message-ID: Hi, I noticed Keycloak stores the OIDC client secret in plain text in the database. Is there a way to extend Keycloak so that we can encrypt the OIDC secret before storing it in the DB? Thanks, Muein From bburke at redhat.com Wed Apr 5 09:43:58 2017 From: bburke at redhat.com (Bill Burke) Date: Wed, 5 Apr 2017 09:43:58 -0400 Subject: [keycloak-user] Keycloak vs RH SSO - cluster/load balancer In-Reply-To: <39fb71a6b0a7d06cc1f84a849b275a10.squirrel@neposoft.com> References: <39fb71a6b0a7d06cc1f84a849b275a10.squirrel@neposoft.com> Message-ID: RH-SSO is built on top of EAP. And why can't you use mod_cluster with Keycloak? On 4/5/17 8:52 AM, java_os wrote: > Hi > To jboss devs - wanted to know if latest RH SSO (7.1) ships bundled with > JBoss EAP ? > My requirement is to domain-cluster Keycloak under Apache with mod_cluster and > balance with http mod_proxy_balancer. > I know this cannot be done with Keycloak, and that is the reason why I am looking at RH > SSO relating to EAP - I may be wrong. > Please help. 
> BTW - so quiet in the forum compared with previous months From bburke at redhat.com Wed Apr 5 10:00:22 2017 From: bburke at redhat.com (Bill Burke) Date: Wed, 5 Apr 2017 10:00:22 -0400 Subject: [keycloak-user] Overriding AssertionConsumerServiceURL in In-Reply-To: References: Message-ID: <1eeadcbf-8808-a3d3-8c9b-a03779225f49@redhat.com> The SP can send an ACS URL; this URL will only be used if it is validated against the Redirect URI patterns that are registered in the configuration of the client. Does that answer your question? On 4/4/17 6:07 PM, Jacobs, Michael wrote: > For our application we created a SAML Identity Provider to proxy authentication to an outside source. However we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL? > > We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level. > > MJ From bburke at redhat.com Wed Apr 5 10:11:00 2017 From: bburke at redhat.com (Bill Burke) Date: Wed, 5 Apr 2017 10:11:00 -0400 Subject: [keycloak-user] Encryption of OIDC client secret In-Reply-To: References: Message-ID: <107f8f00-e13d-1562-eb36-15eeef4c9197@redhat.com> Not right now. We'll eventually be implementing a vault to encrypt secrets and private keys. 
We were kinda hoping that admins would just make sure that their DB is secure. Just as a general survey question, how would you expect it to work? On 4/5/17 9:10 AM, Muein Muzamil wrote: > Hi, > > I noticed Keycloak stores the OIDC client secret in plain text in the database. Is > there a way to extend Keycloak so that we can encrypt the OIDC secret before > storing it in the DB? > > Thanks, > Muein From Michael.Jacobs at nuance.com Wed Apr 5 11:32:04 2017 From: Michael.Jacobs at nuance.com (Jacobs, Michael) Date: Wed, 5 Apr 2017 15:32:04 +0000 Subject: [keycloak-user] [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in Message-ID: So what you are saying is that Keycloak, acting as an SP, will send this URL to the IdP, but the IdP can choose not to use it, and just send responses to our F5? Also, re: the second part of my question, can anything be done about the password reset URL, to have those target our F5? Thanks for your help with this, MJ On Apr 5, 2017 8:01 AM, Bill Burke wrote: The SP can send an ACS URL; this URL will only be used if it is validated against the Redirect URI patterns that are registered in the configuration of the client. Does that answer your question? On 4/4/17 6:07 PM, Jacobs, Michael wrote: > For our application we created a SAML Identity Provider to proxy authentication to an outside source. However we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL? 
> > We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level. > > MJ From shmuein+keycloak-dev at gmail.com Wed Apr 5 15:12:07 2017 From: shmuein+keycloak-dev at gmail.com (Muein Muzamil) Date: Wed, 5 Apr 2017 14:12:07 -0500 Subject: [keycloak-user] Encryption of OIDC client secret In-Reply-To: <107f8f00-e13d-1562-eb36-15eeef4c9197@redhat.com> References: <107f8f00-e13d-1562-eb36-15eeef4c9197@redhat.com> Message-ID: For the realm keys, we have written a custom key provider to encrypt the keys before storing them in the database. Basically, we generate some derived keys based on a master key (which we share between multiple instances using docker volumes) and encrypt/decrypt realm keys using that. So even if Keycloak doesn't support encryption of the secrets (and other sensitive information) out of the box, as long as it lets us customize it, we should be OK. Regards, Muein On Wed, Apr 5, 2017 at 9:11 AM, Bill Burke wrote: > Not right now. We'll eventually be implementing a vault to encrypt > secrets and private keys. 
We were kinda hoping that admins would just > make sure that their DB is secure. > > Just as a general survey question, how would you expect it to work? > > > On 4/5/17 9:10 AM, Muein Muzamil wrote: > > Hi, > > > > I noticed Keycloak stores the OIDC client secret in plain text in the database. > Is > > there a way to extend Keycloak so that we can encrypt the OIDC secret before > > storing it in the DB? > > > > Thanks, > > Muein > From andrius.karpavicius at opencellsoft.com Wed Apr 5 16:54:21 2017 From: andrius.karpavicius at opencellsoft.com (Andrius Karpavičius) Date: Wed, 5 Apr 2017 17:54:21 -0300 Subject: [keycloak-user] Mapping Azure Ad token_id groups to users roles Message-ID: Hi, I posted a question a few weeks ago on a similar topic - how to retrieve Azure AD groups and roles - but nobody has answered. So maybe you can tell me how you have your AD configured so that you get group info in the token. Thanks, Andrius >>> I have created an OpenId identity provider with Azure Active Directory and it works. What I am failing to do is retrieve any group or role information from Azure, so I can assign corresponding roles in Keycloak. In their documentation, https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims I see that if response_type is specified as "id_token" additional claims "roles" and "groups" should be returned. But Keycloak's redirect to the authorization URL in Azure contains the parameter response_type=code and there is no way to override it. Azure AD's openId configuration https://login.microsoftonline. 
com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration returns "response_types_supported":["code","id_token","code id_token","token id_token","token"] but in "claims_supported" don't mention "groups" nor "roles" claims. So question - is it possible to change response_type to include id_token, so groups or roles claims are retrieved and can be used in mapper to assign corresponding roles in Keycloak. If not - what is a suggested approach - store the token and retrieve them separately? Andrius Karpavi?ius tel.: +54 9 3546 482150, skype: andriuskarpavicius > > > Date: Wed, 5 Apr 2017 09:12:01 +0200 > From: Adrien Voisin > Subject: [keycloak-user] Mapping Azure Ad token_id groups to users > roles > To: keycloak-user at lists.jboss.org > Message-ID: > > Hi all, > > > I have the following configuration : > > > *My application :* > > Front : Angular 2 > > Backend : Springboot rest api > > > *Auth:* > > Keycloak 3.0.0 > > Windows Azure AD > > > The goal is to use Keyloack and Windows Azure for authentication and > permissions management of my web app. > > (I followed this tutorial : > http://slackspace.de/articles/authentication-with-spring- boot-angularjs-and-keycloak/ > ) > > > *Windows Azure AD* : I registered my webapp into Azure AD > > *Keycloak *: I added two clients (front & back) + an identity provider > (Azure). > > > The authentication part works well. (Each request is redirected to the > Microsoft auth, then a user in Keycloak is added (first login). > > > Now I would like to use information of the token of Azure (doc : > https://docs.microsoft.com/en-us/azure/active-directory/ develop/active-directory-token-and-claims) > for permissions management. > > > A token from azure ad looks like below : > > > { > typ: "JWT", > alg: "RS256", > x5t: "kriMPdmBvx68skT8-mPAB3BseeA" > }. 
> {
>   aud: "https://contoso.onmicrosoft.com/scratchservice",
>   iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
>   iat: 1416968588,
>   nbf: 1416968588,
>   exp: 1416972488,
>   ver: "1.0",
>   tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
>   amr: [
>     "pwd"
>   ],
>   roles: [
>     "Admin"
>   ],
>   oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
>   upn: "sample.user at contoso.onmicrosoft.com",
>   unique_name: "sample.user at contoso.onmicrosoft.com",
>   sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
>   family_name: "User",
>   given_name: "Sample",
>   *groups: [
>     "0e129f6b-6b0a-4944-982d-f776000632af",
>     "323b13b3-1851-4b94-947f-9a4dacb595f4",
>     "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
>     "f3a161a7-9a58-4e8f-9d47-b70022a07424",
>     "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
>     "1bf80164-ff24-4866-b19c-6212e5b9a847",
>     "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
>     "0ba27160-44d0-42b5-b90c-47b3fcc48e35"
>   ],*
>   appid: "b075ddef-0efa-123b-997b-de1337c29185",
>   appidacr: "1",
>   scp: "user_impersonation",
>   acr: "1"
> }.

From thomas.darimont at googlemail.com Wed Apr 5 17:37:50 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 5 Apr 2017 23:37:50 +0200
Subject: [keycloak-user] Encryption of OIDC client secret
In-Reply-To:
References: <107f8f00-e13d-1562-eb36-15eeef4c9197@redhat.com>
Message-ID:

This sounds interesting, would you mind sharing the code? :)

Cheers,
Thomas

From dt at zyres.com Thu Apr 6 03:04:30 2017
From: dt at zyres.com (Danny Trunk)
Date: Thu, 6 Apr 2017 09:04:30 +0200
Subject: [keycloak-user] Themeing: Set Urls + Locale
Message-ID: <78f6f856-a237-8b8f-8321-31c7fcc91db4@zyres.com>

Hello everyone,

is there a clean way to set the registrationUrl, loginUpdateProfileUrl, loginResetCredentialsUrl to my own ones based on the Redirect URI, as well as sending a Locale to the Keycloak pages to be used instead of the configured default?

I'm using the Spring Security Adapter and I'm also familiar with creating Service Providers.

I need to do the registration, password forgotten and update profile processes within my webapp as there are some post-processes to be done and I don't want to rewrite them. That's no problem as I'm using a User Storage Provider.
The Redirect URI looks like https://localhost:8443/de_DE/login.html
The Registration page is accessible through https://localhost:8443/de_DE/register.html
The Password forgotten page is accessible through https://localhost:8443/de_DE/pwreminder.html
The Update Profile page is accessible through https://localhost:8443/de_DE/myaccount.html

The hackish way would be to get the Query Parameter "redirect_uri" in the ftl Template and build the base url "https://localhost:8443/de_DE". But then the Template still uses the default Locale.

Are there any clean ways?

From krishna1shiva at gmail.com Thu Apr 6 03:07:52 2017
From: krishna1shiva at gmail.com (Shiva Krishna)
Date: Thu, 6 Apr 2017 12:37:52 +0530
Subject: [keycloak-user] Fwd: Retrieve SAMLResponse after login
In-Reply-To:
References:
Message-ID:

Hello,

I need to retrieve the SAMLResponse as is, as it appears in the browser after login using Keycloak. I am able to retrieve the SAMLPrincipal and other variables. But I am not able to see the parameter "SAMLResponse". What is the way to get it?

Thanks,
Krishna S

From mariusz at info.nl Thu Apr 6 03:17:39 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Thu, 6 Apr 2017 07:17:39 +0000
Subject: [keycloak-user] How to authenticate using offline refresh_token
In-Reply-To:
References:
Message-ID:

Hi Marek,

I think we are not on the same page. What I'm trying to do is to call a REST endpoint using an access_token. In the RestEndpoint I have a method to check if the token is active (from your examples).
It sets the auth object in the constructor:

    public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
        this.session = session;
        this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.VI_REALM));
    }

and then on the real REST call there is:

    private void isUserAuthorized() {
        if (auth == null) {
            throw new NotAuthorizedException("Bearer");
        } else if (auth.getToken().getRealmAccess() == null) {
            throw new ForbiddenException("Does not have realm admin role");
        }
    }

The problem is that if I get an access_token from:
http://dev.vi.nl:8180/auth/realms/vi/protocol/openid-connect/token
using the offline refresh token, it works as long as the first login session is still active:

1. User logs in using credentials, we call /token using grant_type=credentials and scope=offline_access
2. We get access_token and refresh_token
3. As long as this logged-in session is active, we can get a new access_token using the refresh_token, and that access_token is used to authenticate the REST call - it all works like it should
4. Once the session is closed (SSO_Idle_time passed) I can still get a new access_token using the same refresh_token, but when I use this new access_token to call the REST endpoint, this part:

    this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.VI_REALM));

returns NULL - so the token is not valid.

In the examples you referred to I didn't see anything about validating the token.

I hope now it's more clear.

Regards
Mariusz

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday 4 April 2017 21:53
To: Mariusz Chruscielewski - Info.nl; Marko Strukelj
Cc: keycloak-user
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token

The access token itself is valid for just a few minutes. When the access token is expired, you need the offline token to send a request for refreshing the access token (retrieve a new access token).
I suggest looking at our example in the keycloak-examples distribution under the "preconfigured-demo/offline-access-app" directory.

Marek

On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
> Hi Marko, it isn't the problem. It works with lowercase as long as SSO Session Idle time isn't over.
>
> I think there has to be some different method to check if you are using an access_token issued by using an offline_refresh_token
>
> When I do the authorization call using the offline refresh_token, I don't see a new session open in the keycloak admin console.
>
> Any other ideas?
>
> Regards
> Mariusz
>
> From: Marko Strukelj [mailto:mstrukel at redhat.com]
> Sent: Tuesday 4 April 2017 19:11
> To: Mariusz Chruscielewski - Info.nl
> Cc: keycloak-user
> Subject: Re: [keycloak-user] How to authenticate using offline refresh_token
>
> Maybe try:
>
> Authorization: Bearer {access_token}
>
> (uppercase Bearer)
>
> On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl" wrote:
> Hi,
>
> We are using the scope=offline_token param to get a refresh_token that is valid for a long time, then we call:
>
> grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}
>
> to get an access_token, and that call returns an access_token with status 200. The next step is to call our custom REST Endpoint using the authorization header:
>
> Authorization: bearer {access_token}
>
> But in Keycloak itself, when we try to check if the token is valid:
>
>     private final AuthenticationManager.AuthResult auth;
>
>     public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
>         this.session = session;
>         this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX));
>     }
>
> this.auth is null. When I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued?
>
> What is even more interesting, this works between the first login using credentials and the time configured as SSO Session Idle (so in our case for 30 minutes)
>
> I understand that the session is closed after some Idle time, but if we have a valid refresh_token, and we get a new access_token, why doesn't it validate? Am I using the wrong method?
>
> Kind Regards,
>
> Mariusz Chruścielewski
> software engineer
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
> info.nl
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From adrien.voisin.be at gmail.com Thu Apr 6 03:20:34 2017
From: adrien.voisin.be at gmail.com (Adrien Voisin)
Date: Thu, 6 Apr 2017 09:20:34 +0200
Subject: [keycloak-user] Mapping Azure Ad token_id groups to users roles
In-Reply-To:
References:
Message-ID:

Hi Andrius,

To get groups into the token_id, you have to go into your Azure portal. Then in your app registration settings, edit the "manifest" file, and for the parameter "groupMembershipClaims" set "SecurityGroup" or "All".

Microsoft doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

Br,
Adrien

From mariusz at info.nl Thu Apr 6 03:48:30 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Thu, 6 Apr 2017 07:48:30 +0000
Subject: [keycloak-user] How to authenticate using offline refresh_token
In-Reply-To:
References:
Message-ID:

I also found this topic from January:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Offline-Tokens-Become-Useless-When-SSO-Session-Max-is-Reached-td2302.html
and the Jira issue: https://issues.jboss.org/browse/KEYCLOAK-4201

I did update to 2.5.5 but it's still the same. It looks like this:

    new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.VI_REALM));

requires an active session to work, but then what is the way to authenticate a REST call using an access_token generated by an offline refresh_token?

Thanks
Mariusz

From mariusz at info.nl Thu Apr 6 03:58:26 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Thu, 6 Apr 2017 07:58:26 +0000
Subject: [keycloak-user] How to authenticate using offline refresh_token
In-Reply-To:
References:
Message-ID:

Hi Marek,

sorry for the previous message - it actually works well in 2.5.5. I made a mistake and I was still using 2.5.0, not 2.5.5 - after a proper upgrade, it works.

Regards
Mariusz

From dt at zyres.com Thu Apr 6 06:20:28 2017
From: dt at zyres.com (Danny Trunk)
Date: Thu, 6 Apr 2017 12:20:28 +0200
Subject: [keycloak-user] Themeing: Set Urls + Locale
In-Reply-To: <78f6f856-a237-8b8f-8321-31c7fcc91db4@zyres.com>
References: <78f6f856-a237-8b8f-8321-31c7fcc91db4@zyres.com>
Message-ID: <479db950-1f11-bfdb-40ca-3263adb82456@zyres.com>

Regarding the locale I've found the following code:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/util/LocaleHelper.java#L67

- kc_locale query parameter: Sounds interesting, how to append it when redirecting to the Keycloak Login Page through the Spring Security Adapter?
- locale cookie: Not interesting as I cannot save a cookie from my Webapp to use in the Keycloak Server
- user profile: Not interesting as the user isn't logged in here
- ui_locales query parameter: Don't know what this is and where/how to set it
- Accept-language http header: Not interesting as the user can browse the webapp in a different locale

From marc.tempelmeier at flane.de Thu Apr 6 06:34:13 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Thu, 6 Apr 2017 10:34:13 +0000
Subject: [keycloak-user] Docker and Port 9999
Message-ID: <5b669fe265784c96b818fbe433952467@dehamex2013.europe.flane.local>

Hi,

I am still trying to get the Domain Clustered Mode in Docker working. My Master container runs and is callable from the host, but I have problems connecting the slave. Port 9999 is needed by the slave, right? I exposed it in the master's dockerfile, but if I do nmap from the slave it is still shown as closed. What can I do to open it?
Best regards
Marc

From karpenkorn at gmail.com Thu Apr 6 07:30:06 2017
From: karpenkorn at gmail.com (Roman Nikolaevich)
Date: Thu, 6 Apr 2017 14:30:06 +0300
Subject: [keycloak-user] Jgroups configuration
Message-ID:

Hello Guys,

Could you please advise how I can change the jgroups protocol stack? As I see it is hard coded right now.

    if (clustered) {
        gcb.transport().defaultTransport();
    }

Is it possible to add some customization here?

Thanks in advance.

From kevin.berendsen at pharmapartners.nl Thu Apr 6 08:37:28 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Thu, 6 Apr 2017 12:37:28 +0000
Subject: [keycloak-user] Disable CORS on realm endpoints?
In-Reply-To:
References:
Message-ID:

Hi Joe,

I may have a solution for your problem, but it will get rid of all CORS headers of Keycloak.

In Keycloak_root/standalone/configuration/standalone.xml:
1. Find ''
2. Duplicate the line and change the header to whatever you like (one for every CORS header) and leave the value empty.
3. Find ''
4. Also duplicate that line and change it to any header you like.
Hopefully that'd override Keycloak's code.

Another solution (recommended): create a proxy server (Netflix Zuul or HAProxy perhaps) and strip away those headers before returning the response. Then you'd be in full control of what headers are returned to the end-user's browser.

Good luck!

Kind regards,
Kevin Berendsen

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Joe Rowe
Sent: Thursday 30 March 2017 9:18
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Disable CORS on realm endpoints?

Hi all,

Is there a configuration setting which will disable CORS at the endpoint url:
/auth/realms/
?

CORS is on by default here, but is not needed for our application and causes false positives in pen testing.

Any help would be gratefully received!

Thanks
Joe

From sthorger at redhat.com Thu Apr 6 09:21:49 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Apr 2017 15:21:49 +0200
Subject: [keycloak-user] Red Hat Single Sign-On 7.1.GA is available
Message-ID:

RH-SSO 7.1.GA is out! This is based on Keycloak 2.5.5.Final. For more details check:
http://middlewareblog.redhat.com/2017/04/05/announcing-red-hat-single-sign-on-7-1-ga-is-available/

From josepharowe at gmail.com Thu Apr 6 10:11:41 2017
From: josepharowe at gmail.com (Joe Rowe)
Date: Thu, 06 Apr 2017 14:11:41 +0000
Subject: [keycloak-user] Disable CORS on realm endpoints?
In-Reply-To:
References:
Message-ID:

Hi Kevin,

Thanks a lot for your reply. I gave your suggestion a shot but unfortunately the CORS related headers are still present, only duplicated with the blank ones too.

Thanks again for the suggestion all the same, it seemed very promising!

Joe

From madaras_adrian at yahoo.com Thu Apr 6 10:17:51 2017
From: madaras_adrian at yahoo.com (Adrian Madaras)
Date: Thu, 6 Apr 2017 14:17:51 +0000 (UTC)
Subject: [keycloak-user] How to mock LDAP user login with expired password
References: <835449372.1172754.1491488271883.ref@mail.yahoo.com>
Message-ID: <835449372.1172754.1491488271883@mail.yahoo.com>

Hi everyone,

I know that showing a message if the user's password is expired is a security breach but I need this for my development purposes. I've managed to implement this in LDAPStorageProvider.java using Thread.local and then sending the appropriate message to the front end in the AbstractUsernameFormAuthenticator.java class. Everything is fine and dandy but I want to write an integration test to check if everything works as it should. The problem is I don't know how to mock an LDAP user that has an expired password. I've searched google but found no answer.
Can someone help me?

Thanks,
Adrian

From amaeztu at tesicnor.com Thu Apr 6 12:22:43 2017
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 6 Apr 2017 18:22:43 +0200
Subject: [keycloak-user] 401 for spring security adapter + spring boot + long session
Message-ID: <91ce51df-90bf-f9f7-e0ce-30e6013baf8b@tesicnor.com>

I have an application where I want its users to be able to stay logged in for a long time (about one year before the session ends). I'm using Spring Boot + Spring Security and the Keycloak Spring Security adapter (2.5.4 final). The Keycloak server is 2.2.1.

What I've done:

Set up the realm to permit long lived sessions:

Session Idle: 365 days
Session max: 365 days
Offline session idle: 30 days
Access token lifespan: 1 Minute
Lifespan for implicit flow: 365 days

Then, in my application (single server and single Keycloak client, confidential access type) I set up this environment variable:

server.session-timeout: 525600

Then in my front-end I've got AngularJS integrated; it works as a Single Page Application and performs some routing without refreshing the whole page.

My problem:

When I leave the application idle (for around 30 minutes), after performing some request to any REST endpoint, I get a 401 code. The application works again when I press F5 and refresh the page. The problem only occurs when I access the REST endpoints without requesting the whole page again.

Am I missing something?

--
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)

Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40

Before printing this e-mail, consider whether it is really necessary: the environment is everyone's responsibility.
From rationull at gmail.com Thu Apr 6 14:49:34 2017
From: rationull at gmail.com (Jonathan Little)
Date: Thu, 6 Apr 2017 11:49:34 -0700
Subject: [keycloak-user] Using the nodejs-connect adapter without a logout route
Message-ID:

The nodejs-connect adapter's middleware() function includes automatic setup of a logout route which redirects to the keycloak server to logout the authenticated user. The relative path to the logout route is customizable via the options object, but there is no specified way to opt out of the logout route. Looking at logout.js in the source I can see that passing something which will never resolve as equal to request.url would result in the logout route always being skipped, which is workable but is a hack.

I'm looking at using this for a backend service which will not do user login/logout management at all but will only be doing checks for authorization details. I don't see a need for logout functionality on such a service. I can see three possibilities:

1) I'm looking at this the wrong way, and I actually do want logout functionality for some reason.
2) I'm looking at it the right way, and the aforementioned hack is the "normal" way to do it, but undocumented.
3) There's a feature request hiding here for a config option on middleware() to opt out of the logout middleware.

(3) seems most plausible to me at this point but I don't want to jump into feature request mode with an incomplete understanding of the situation. Any opinions?

From sumitdas66 at gmail.com Thu Apr 6 15:08:12 2017
From: sumitdas66 at gmail.com (Sumit Das)
Date: Fri, 7 Apr 2017 00:38:12 +0530
Subject: [keycloak-user] Creating group mappers for ldap
Message-ID:

Hi

We are using Keycloak 2.5.4. We are trying to create custom group mappers for LDAP by creating a Myfactory.class which extends AbstractLdapStorageMapperFactory and the implementation of the mapper as MyMapperLdapProvider which extends AbstractLdapStorageMapper.
We have followed the documentation provided by Keycloak for deployment of the jar and implementation of the mapper. Once done, in the providers or deploy folder, we do not see our custom mapper in the drop down of the mapper section of the user federation provider.

We are not sure whether we are following the right approach or right design to create the mapper. Please help us to identify where we are doing wrong. Any suggestions or direction is highly appreciated.

Regards
Sumit

From Michael.Jacobs at nuance.com Thu Apr 6 20:34:05 2017
From: Michael.Jacobs at nuance.com (Jacobs, Michael)
Date: Fri, 7 Apr 2017 00:34:05 +0000
Subject: [keycloak-user] [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in
In-Reply-To:
References:
Message-ID:

I solved this by making my own identity provider SPI that extends from SAMLIdentityProvider, but adds this feature, taking the override from the standalone.xml

I will try to do something similar with the Email Template SPI.

From: Jacobs, Michael [mailto:michael_jacobs at nuance.com]
Sent: Wednesday, April 05, 2017 8:32 AM
To: Bill Burke
Cc: keycloak-user at lists.jboss.org
Subject: Re: [EXTERNAL] Re: [keycloak-user] Overriding AssertionConsumerServiceURL in

So what you are saying is that Keycloak, acting as an SP, will send this URL to the IdP, but the IdP can choose not to use it, and just send responses to our F5?

Also, re: the second part of my question, can anything be done about the password reset URL, to have those target our F5?

Thanks for your help with this,
MJ

On Apr 5, 2017 8:01 AM, Bill Burke wrote:

The SP can send an ACS URL; this URL will only be used if it is validated against the Redirect URI patterns that are registered in the configuration of the client. Does that answer your question?

On 4/4/17 6:07 PM, Jacobs, Michael wrote:
> For our application we created a SAML Identity Provider to proxy authentication to an outside source. However we need their response to be sent back to a load-balanced URL on our F5.
> The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?
>
> We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate at that level.
>
> MJ

From teoreste at gmail.com Fri Apr 7 06:24:01 2017
From: teoreste at gmail.com (matteo restelli)
Date: Fri, 7 Apr 2017 12:24:01 +0200
Subject: [keycloak-user] Parametric Client Configuration
Message-ID:

Hi all,

is it possible to make client urls parametric? I mean, is it possible to set environment variables and reference them inside the client configuration panel?
Thank you in advance,
Matteo

From jijeshvu07 at gmail.com Fri Apr 7 06:38:11 2017
From: jijeshvu07 at gmail.com (JiJesH V U)
Date: Fri, 7 Apr 2017 16:08:11 +0530
Subject: [keycloak-user] (no subject)
Message-ID:

I have these 2 keycloak configurations for per app role mapping. I have configured the role per app and assigned it to the user. When I remove a particular role from app1 it can still login. This should not happen. What am I doing wrong here?

regards,
jijesh v u
mob: +91 9037329817

From bruno at abstractj.org Fri Apr 7 06:52:51 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 07 Apr 2017 10:52:51 +0000
Subject: [keycloak-user] Using the nodejs-connect adapter without a logout route
In-Reply-To:
References:
Message-ID:

Hi Jonathan,

I believe what you're looking for is one of keycloak-connect's dependencies, https://github.com/keycloak/keycloak-nodejs-auth-utils, which contains only authorization. On keycloak-connect authorization and authentication are tied together.

If that's not enough, please file a Jira.

On Thu, Apr 6, 2017 at 5:04 PM Jonathan Little wrote:

> The nodejs-connect adapter's middleware() function includes automatic setup of a logout route which redirects to the keycloak server to logout the authenticated user. The relative path to the logout route is customizable via the options object, but there is no specified way to opt out of the logout route. Looking at logout.js in the source I can see that passing something which will never resolve as equal to request.url would result in the logout route always being skipped, which is workable but is a hack.
>
> I'm looking at using this for a backend service which will not do user login/logout management at all but will only be doing checks for authorization details. I don't see a need for logout functionality on such a service. I can see three possibilities:
>
> 1) I'm looking at this the wrong way, and I actually do want logout functionality for some reason.
> 2) I'm looking at it the right way, and the aforementioned hack is the "normal" way to do it, but undocumented.
> 3) There's a feature request hiding here for a config option on middleware() to opt out of the logout middleware.
>
> (3) seems most plausible to me at this point but I don't want to jump into feature request mode with an incomplete understanding of the situation. Any opinions?

From stephane.granger at gmail.com Fri Apr 7 10:05:30 2017
From: stephane.granger at gmail.com (Stephane Granger)
Date: Fri, 7 Apr 2017 10:05:30 -0400
Subject: [keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)
Message-ID:

Hi,

It would be nice to be able to use ${REALM} in the path field of the policy enforcer config.

The use case is to simplify (a bit) multi tenant support. I'm working on a system to support multiple tenants with many applications. When adding a tenant, a realm is created in keycloak. Then, the keycloak clients are added in that realm based on the tenant application selection. Some of these clients use the authorization support feature and also use policy enforcer in their keycloak.config file.

Our system has a small database containing the list of clients for each application, corresponding basically to the frontend and a backend of these applications. For each client, we have a client representation template, an optional resource server representation template. These are used to create the client configuration under the tenant's realm in keycloak when adding an application to a client.

There is also an optional policy enforcer field in the db. This one is used to create the keycloak configuration corresponding to the realm/client combination. We have a component called keycloak configuration builder.
Its role is to retrieve the client configuration from keycloak and to add the corresponding policy enforcer. Since we have a multi tenant application, the realm is part of the url and therefore ends up in the path. For example, we have something like this:

{
  "realm": "acme",
  ...
  "policy-enforcer": {
    "paths": [
      {
        "name": "Resource name",
        "path": "/acme/operation/*",
        "methods": [....]
      }
    ]
  }
}

For this application, the policy enforcer config template would look like this:

"policy-enforcer": {
  "paths": [
    {
      "name": "Resource name",
      "path": "/${REALM}/operation/*",
      "methods": [....]
    }...
  ]
}

It would be a lot simpler if the keycloak policy enforcer could use ${REALM} in the path. Currently, application developers will have to create their config using keycloak for their development, then extract the policy enforcer, and replace the realm in the paths with ${REALM}. Our keycloak configuration builder then has to substitute ${REALM} with the realm.

Thanks,
Stephane

From psilva at redhat.com Fri Apr 7 11:00:06 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 7 Apr 2017 12:00:06 -0300
Subject: [keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)
In-Reply-To:
References:
Message-ID:

Hi Stephane,

Interesting use case. But we do support patterns in paths ? Or are you having some issue when including them in your paths ?

In that example, if you send a request to "/acme/operation/echo" it should match "{REALM}/operation/*".

Regards.
Pedro Igor

On Fri, Apr 7, 2017 at 11:05 AM, Stephane Granger <stephane.granger at gmail.com> wrote:

> Hi,
>
> It would be nice to be able to use ${REALM} in the path field of the policy enforcer config.
>
> The use case is to simplify (a bit) multi tenant support. I'm working on a system to support multiple tenants with many applications. When adding a tenant, a realm is created in keycloak. Then, the keycloak clients are added in that realm based on the tenant application selection.
> Some of these clients use the authorization support feature and also use policy enforcer in their keycloak.config file.
>
> Our system has a small database containing the list of clients for each application, corresponding basically to the frontend and a backend of these applications. For each client, we have a client representation template, an optional resource server representation template. These are used to create the client configuration under the tenant's realm in keycloak when adding an application to a client.
>
> There is also an optional policy enforcer field in the db. This one is used to create the keycloak configuration corresponding to the realm/client combination. We have a component called keycloak configuration builder. Its role is to retrieve the client configuration from keycloak and to add the corresponding policy enforcer. Since we have a multi tenant application, the realm is part of the url and therefore ends up in the path. For example, we have something like this:
>
> {
>   "realm": "acme",
>   ...
>   "policy-enforcer": {
>     "paths": [
>       {
>         "name": "Resource name",
>         "path": "/acme/operation/*",
>         "methods": [....]
>       }
>     ]
>   }
> }
>
> For this application, the policy enforcer config template would look like this:
>
> "policy-enforcer": {
>   "paths": [
>     {
>       "name": "Resource name",
>       "path": "/${REALM}/operation/*",
>       "methods": [....]
>     }...
>   ]
> }
>
> It would be a lot simpler if the keycloak policy enforcer could use ${REALM} in the path. Currently, application developers will have to create their config using keycloak for their development, then extract the policy enforcer, and replace the realm in the paths with ${REALM}. Our keycloak configuration builder then has to substitute ${REALM} with the realm.
>
> Thanks,
> Stephane

From stephane.granger at gmail.com Fri Apr 7 11:15:35 2017
From: stephane.granger at gmail.com (Stephane Granger)
Date: Fri, 7 Apr 2017 11:15:35 -0400
Subject: [keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)
In-Reply-To:
Message-ID:

Thanks a lot for the very quick reply Pedro Igor!

It does work and actually solves the corresponding problem I had when adding the resource server representation to the client configuration! 2 birds with one stone!

Thanks again,
Stephane

2017-04-07 15:00:06 +0000 Pedro Igor Silva :

> Hi Stephane,
>
> Interesting use case. But we do support patterns in paths ? Or are you having some issue when including them in your paths ?
>
> In that example, if you send a request to "/acme/operation/echo" it should match "{REALM}/operation/*".
>
> Regards.
> Pedro Igor
>
> On Fri, Apr 7, 2017 at 11:05 AM, Stephane Granger <stephane.granger at gmail.com> wrote:
>
>> Hi,
>>
>> It would be nice to be able to use ${REALM} in the path field of the policy enforcer config.
>>
>> The use case is to simplify (a bit) multi tenant support. I'm working on a system to support multiple tenants with many applications. When adding a tenant, a realm is created in keycloak. Then, the keycloak clients are added in that realm based on the tenant application selection. Some of these clients use the authorization support feature and also use policy enforcer in their keycloak.config file.
>>
>> Our system has a small database containing the list of clients for each application, corresponding basically to the frontend and a backend of these applications. For each client, we have a client representation template, an optional resource server representation template.
>> These are used to create the client configuration under the tenant's realm in keycloak when adding an application to a client.
>>
>> There is also an optional policy enforcer field in the db. This one is used to create the keycloak configuration corresponding to the realm/client combination. We have a component called keycloak configuration builder. Its role is to retrieve the client configuration from keycloak and to add the corresponding policy enforcer. Since we have a multi tenant application, the realm is part of the url and therefore ends up in the path. For example, we have something like this:
>>
>> {
>>   "realm": "acme",
>>   ...
>>   "policy-enforcer": {
>>     "paths": [
>>       {
>>         "name": "Resource name",
>>         "path": "/acme/operation/*",
>>         "methods": [....]
>>       }
>>     ]
>>   }
>> }
>>
>> For this application, the policy enforcer config template would look like this:
>>
>> "policy-enforcer": {
>>   "paths": [
>>     {
>>       "name": "Resource name",
>>       "path": "/${REALM}/operation/*",
>>       "methods": [....]
>>     }...
>>   ]
>> }
>>
>> It would be a lot simpler if the keycloak policy enforcer could use ${REALM} in the path. Currently, application developers will have to create their config using keycloak for their development, then extract the policy enforcer, and replace the realm in the paths with ${REALM}. Our keycloak configuration builder then has to substitute ${REALM} with the realm.
>>
>> Thanks,
>> Stephane

From hmlnarik at redhat.com Fri Apr 7 15:07:00 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 7 Apr 2017 21:07:00 +0200
Subject: [keycloak-user] Fwd: Retrieve SAMLResponse after login
In-Reply-To:
References:
Message-ID:

Can you elaborate on what you are trying to achieve? Where do you want to retrieve SAMLResponse and why?
--Hynek

On Thu, Apr 6, 2017 at 9:07 AM, Shiva Krishna wrote:

> Hello,
>
> I need to retrieve SAMLResponse as is, as it appears in the browser after login using Keycloak. I am able to retrieve SAMLPrincipal and other variables. But, I am not able to see the parameter "SAMLResponse".
>
> What is the way to get it?
>
> Thanks,
> Krishna S

--
--Hynek

From Steven.Ireland at SLSDIST.COM Fri Apr 7 15:18:01 2017
From: Steven.Ireland at SLSDIST.COM (Steven Ireland)
Date: Fri, 7 Apr 2017 19:18:01 +0000
Subject: [keycloak-user] Installing keycloak behind IIS to secure a WildFly app
Message-ID:

I had success installing keycloak locally and securing a local WildFly application running locally. I log in, WildFly hands me off to keycloak and Keycloak passes me back and the app kicks off.

However when I run outside of the local network I can have WildFly pass me to Keycloak but after I provide valid credentials I do not get passed back. I'm running behind IIS and use URL rerouting (https externally to http internally). I've installed SSL for IIS but have not installed keycloak to run using SSL.

Is it required that keycloak run under its own SSL configuration (instead of using the SSL I installed for IIS)? If so can I use the same certificate I installed for IIS? And does my WildFly app need to run under its own SSL setup in order for Keycloak to be able to handshake with it?

This is new territory for me so I apologize if my questions don't make sense. But if anyone has this scenario I would appreciate knowing which path I should be going down.

Thanks.
Steve

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of keycloak-user-request at lists.jboss.org
Sent: Friday, April 7, 2017 6:38 AM
To: keycloak-user at lists.jboss.org
Subject: keycloak-user Digest, Vol 40, Issue 10

Send keycloak-user mailing list submissions to
	keycloak-user at lists.jboss.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
	keycloak-user-request at lists.jboss.org

You can reach the person managing the list at
	keycloak-user-owner at lists.jboss.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of keycloak-user digest..."

Today's Topics:

   1. How to mock LDAP user login with expired password (Adrian Madaras)
   2. 401 for spring security adapter + spring boot + long session (Aritz Maeztu)
   3. Using the nodejs-connect adapter without a logout route (Jonathan Little)
   4. Creating group mappers for ldap (Sumit Das)
   5. Re: [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in (Jacobs, Michael)
   6. Parametric Client Configuration (matteo restelli)
   7. (no subject) (JiJesH V U)

End of keycloak-user Digest, Vol 40, Issue 10
*********************************************

From jim-keycloak at spudsoft.co.uk Sat Apr 8 02:28:30 2017
From: jim-keycloak at spudsoft.co.uk (jim-keycloak at spudsoft.co.uk)
Date: Sat, 8 Apr 2017 07:28:30 +0100
Subject: [keycloak-user] Keycloak and rfc7523#section-2.1
Message-ID: <332114a0-6e72-b3d2-2c59-b2f8e211e56d@spudsoft.co.uk>

Hi,

I need Keycloak to support something equivalent to https://tools.ietf.org/html/rfc7523#section-2.1 (Using JWTs as Authorization Grants).

My use case is that we are a SaaS provider with a number of different products. Where we have common functionality between different products we have a plugin UI (Angular) that is embedded within the host product and that talks to a dedicated REST endpoint (that is independent of the host product). The plugin UI has to provide authorisation through to its REST endpoint, and that authorisation has to identify the specific state of the user (a client access token is not sufficient).
My intention is for the host product to ask KeyCloak for an assertion (creating a federated user on the fly), then give that assertion to the plugin UI, which will ask KeyCloak to exchange it for an access token. The host product cannot directly request an access token because it will be a different client from the plugin UI (quite apart from it being 'wrong' to pass an access token around) (the host product is a confidential client, the plugin UI is not).

In a general implementation of "Using JWTs as Authorization Grants" the assertion ought to be generatable via any mechanism as long as KeyCloak is able to validate the signature. For my usage it is important that the assertion contains information that the client (the plugin UI) cannot access, which would require support for JWEs in a general implementation. By having the assertion generated by KeyCloak I am able to store information from the assertion request and not put that information into the assertion itself, getting around the need for JWEs.

So I've been doing some playing with SPIs in KeyCloak to see what I can achieve without requiring changes to the core. I have a "GenerateAssertionResource" that is implemented using RealmResourceProvider. This generates a token based on passed in arguments (after authenticating the client), and also stores a federated user. I also have a BearerTokenUserStorageProvider that can validate passwords that contain assertions.

This setup works, I can satisfy my use case, but it's not exactly RFC compliant. To make this better, what I'd like to have is:

* Support for JWEs. At the moment the only Java JWE library that I've come across is Nimbus JOSE, but I suspect you consider that a competitor :) Support for JWEs would also enable opaque access tokens, which would be nice to see.
* Support for a grant_type of urn:ietf:params:oauth:grant-type:jwt-bearer in TokenEndpoint.
This would be easy to add as another hard coded grant type, though it might be nice to see an SPI used to validate grant_types enabling further extension in future.
* Somehow the DirectGrant flow would need to support authenticators that are not based on passwords. It's easy to write another authenticator (that was my first approach to this problem) but the Direct Grant flow has Password as Required (and it's not possible to set Password as Alternative). I need to support password grants as well, so replacing the flow doesn't work for me.

This would still require the implementation of SPIs to actually use JWTs as Authorization Grants, but there are different approaches that they could take. A generic implementation would have to be quite complex.

I'd be happy to produce a PR for the changes to TokenEndpoint and the Password authenticator if that would help.

Jim

From rationull at gmail.com Sat Apr 8 02:50:31 2017
From: rationull at gmail.com (Jonathan Little)
Date: Fri, 7 Apr 2017 23:50:31 -0700
Subject: [keycloak-user] Using the nodejs-connect adapter without a logout route
In-Reply-To:
References:
Message-ID:

I did look at the auth-utils package and it looks like I could use the Token module in that package, with my own code to pull the token content out of the request and my own middleware check validating against the token, but I was hoping to use keycloak-connect's middleware to handle all interactions with the token. I'm sure I could use some of the other available JWT middleware as well but since we're using keycloak for our auth backend and in our web frontend I figured it'd be simplest to use it on our service backend as well. And the keycloak-connect middleware is really convenient to use.

Is the recommended way to go to provide custom middleware or find other (non keycloak) middleware to deal with parsing tokens etc. when securing a service backend with bearer tokens?
I'm happy to file an issue covering disabling logout and could possibly submit a PR too but I don't want to push in the wrong direction, and I realize it's possible there are other things the library is doing as well that I don't know about yet that are specific to a service that actually needs to log in and out.

On Fri, Apr 7, 2017 at 3:52 AM, Bruno Oliveira wrote:
> Hi Jonathan, I believe what you're looking for is one of keycloak-connect's dependencies, https://github.com/keycloak/keycloak-nodejs-auth-utils, which contains only authorization. On keycloak-connect authorization and authentication are tied together.
>
> If that's not enough, please file a Jira.
>
> On Thu, Apr 6, 2017 at 5:04 PM Jonathan Little wrote:
>> The nodejs-connect adapter's middleware() function includes automatic setup of a logout route which redirects to the keycloak server to logout the authenticated user. The relative path to the logout route is customizable via the options object, but there is no specified way to opt out of the logout route. Looking at logout.js in the source I can see that passing something which will never resolve as equal to request.url would result in the logout route always being skipped, which is workable but is a hack.
>>
>> I'm looking at using this for a backend service which will not do user login/logout management at all but will only be doing checks for authorization details. I don't see a need for logout functionality on such a service. I can see three possibilities:
>>
>> 1) I'm looking at this the wrong way, and I actually do want logout functionality for some reason.
>> 2) I'm looking at it the right way, and the aforementioned hack is the "normal" way to do it, but undocumented.
>> 3) There's a feature request hiding here for a config option on middleware() to opt out of the logout middleware.
>>
>> (3) seems most plausible to me at this point but I don't want to jump into feature request mode with an incomplete understanding of the situation. Any opinions?

From krishna1shiva at gmail.com Sat Apr 8 05:49:42 2017
From: krishna1shiva at gmail.com (Shiva Krishna)
Date: Sat, 8 Apr 2017 15:19:42 +0530
Subject: [keycloak-user] Fwd: Retrieve SAMLResponse after login
In-Reply-To:
References:
Message-ID:

Hello Hynek,

I need to implement functionality to retrieve and create documents in "Veeva Vault" from my application using "Veeva Vault API". To connect a SSO user in Veeva Vault from my application, it requires SSOResponse as one of the parameters. Please find the link which explains about it: http://developer.veevavault.com/docs/authentication/#single_sign_on_sso_authentication

If we cannot get SAMLResponse as a parameter along with SamlPrincipal, is there a way to create a custom SAMLResponse?

Let me know if you need any further information.

Krishna S

On Sat, Apr 8, 2017 at 12:37 AM, Hynek Mlnarik wrote:
> Can you elaborate on what you are trying to achieve? Where do you want to retrieve SAMLResponse and why?
>
> --Hynek
>
> On Thu, Apr 6, 2017 at 9:07 AM, Shiva Krishna wrote:
>> Hello,
>>
>> I need to retrieve SAMLResponse as is which appears on browser after login using Keycloak. I am able to retrieve SAMLPrincipal and other variables. But, I am not able to see the parameter "SAMLResponse".
>>
>> What is the way to get it?
>>
>> Thanks,
>> Krishna S
>
> --
> --Hynek

--
Kris.....
From celso.agra at gmail.com Sat Apr 8 10:20:05 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Sat, 8 Apr 2017 11:20:05 -0300
Subject: [keycloak-user] How to retrieve Organizational Unit from LDAP?
In-Reply-To:
References: <0b5c5c59-c57b-d372-4fe6-22c7928a92d3@redhat.com> <5c42c7ed-0166-be7f-3d08-489a886ff15a@redhat.com>
Message-ID:

Sorry for my late answer...

Got it! In fact, my solution will solve only a particular problem. I'm using *slapd* here, so I'll take a look on "entryDN".

Thanks Marek!

2017-04-03 4:24 GMT-03:00 Marek Posolda :
> Hi,
>
> it looks that the new option "Read from base DN" is not needed as LDAP vendors usually have an attribute with the DN available on the LDAP object. For MSAD it is the "distinguishedName" attribute, for some others like OpenLDAP it is "entryDN". So you can just configure the OOTB UserAttribute mapper with this attribute mapped?
>
> TBH this usecase seems to be quite specific for your needs, so not sure if it's good to have this OOTB as every feature and new option adds some complexity. Idea is that people can use OOTB mappers for the more common functionalities and create their own mapper if they need something advanced and domain specific. And this looks to me like the second case TBH. At least never saw anyone else asking for this.
>
> Marek
>
> On 31/03/17 12:35, Celso Agra wrote:
> I was thinking to create a PR for class UserAttributeLDAPStorageMapper. Would it be possible to do that?
> I created a fork for that --> https://github.com/keycloak/keycloak/compare/3.0.x...celsoagra:master
>
> and here is the attached file with an idea (just a simple idea!! ).
>
> 2017-03-31 3:44 GMT-03:00 Marek Posolda :
>> Yes, I would likely create a subclass of this one and override some method, so the attribute value is just your ou and not the full DN. Just a note that LDAP Mapper SPI is unsupported and some method signatures can change in the future etc.
>>
>> Marek
>>
>> On 31/03/17 02:44, Celso Agra wrote:
>> Maybe this class could help me to create a new Mapper:
>>
>> https://github.com/keycloak/keycloak/blob/94afba91a0d3f51021e036796c536747cc33796e/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java
>>
>> 2017-03-30 21:31 GMT-03:00 Celso Agra :
>>> Thanks Marek! For now, I'm using the (a) option!
>>>
>>> But I think it would be possible to implement an LDAP Mapper in the future, just to get the "ou" info.
>>> I'll take a look in the code and try to add a new Mapper Type.
>>>
>>> Thanks again! This is a really great tool!
>>>
>>> 2017-03-30 16:33 GMT-03:00 Marek Posolda :
>>>> There is no built-in support for this. However you can achieve it by doing any of:
>>>>
>>>> a) Map the LDAP_ENTRY_DN as attribute in your token and then have some logic in your application (or whenever it is needed) that will just parse the name of the OU from the full DN.
>>>> b) Create the custom LDAP mapper, which will do the above. Then it will be available in user attributes.
>>>> c) Create a protocol mapper, which will do the above. User attribute will still contain just LDAP_ENTRY_DN, but you will have a claim in the token with the value of your OU.
>>>>
>>>> I would personally go with (a) and handle it in your app if possible. That's the easiest path IMO.
>>>>
>>>> Marek
>>>>
>>>> On 30/03/17 20:20, Celso Agra wrote:
>>>>> Hi all,
>>>>>
>>>>> I'd like to retrieve the organizational unit (ou) from LDAP Mapper and set this in the User Attributes.
>>>>>
>>>>> When I get a user from LDAP, it sets an attribute called LDAP_ENTRY_DN, with value: "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
>>>>>
>>>>> So, I'd like to retrieve just the ou info "group", and set this to the user attribute.
>>>>> Would it be possible to do that? Is there some mapper type just to retrieve this information?
>>>>>
>>>>> Best Regards,
>>>
>>> --
>>> ---
>>> *Celso Agra*
>>
>> --
>> ---
>> *Celso Agra*
>
> --
> ---
> *Celso Agra*

--
---
*Celso Agra*

From llivezking at gmail.com Mon Apr 10 03:05:47 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Mon, 10 Apr 2017 17:05:47 +1000
Subject: [keycloak-user] Photoz Authz example DB issue
Message-ID: <03b1c21c-f328-b5f7-e062-8fbf163fffd2@gmail.com>

Hi, I'm trying to realize how authz works in keycloak, therefore I tried to run the keycloak/examples/authz/photoz project. I failed to run it from git sources (I even failed to build or test it!), so I downloaded examples.zip from keycloak.org. I successfully built and deployed jars to a keycloak instance, but when I go to the urls specified in README.md (http://localhost:8080/photoz-html5-client/#/album/create ...) I see NPEs in keycloak logs. These errors refer to any code like:

this.entityManager.createQuery("from Album where name = :name and userId = :userId");

I checked persistence.xml:

org.hibernate.ejb.HibernatePersistence
org.keycloak.example.photoz.entity.Album
org.keycloak.example.photoz.entity.Photo

Do I have to make any DB bootstrapping actions or should this project work right out of the box?

From marc.tempelmeier at flane.de Mon Apr 10 04:01:13 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Mon, 10 Apr 2017 08:01:13 +0000
Subject: [keycloak-user] username in host-slave.xml
Message-ID: <180f501645b143b6ba3f768c0d7d9429@dehamex2013.europe.flane.local>

Hi,

I saw that the official documentation does not mention a username in the host-slave.xml, but in the wildfly docu it is present.

How does Keycloak determine the correct user?
Best regards

Marc

From mehdi.alishahi at gmail.com Mon Apr 10 08:27:14 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Mon, 10 Apr 2017 14:27:14 +0200
Subject: [keycloak-user] Authorization on resources that belong to different "groups"
In-Reply-To:
References:
Message-ID:

Hi Gabriel,

How do you define your policies? Which adapter do you use for your app?

On Thu, Mar 30, 2017 at 11:59 PM, Gabriel Trisca wrote:
> HI there,
>
> We've integrated Keycloak auth and authz to an existing REST service which serves endpoints like this:
>
> GET /api/report?country={country}
> GET /api/status?country={country}
> GET /api/history?country={country}
>
> As far as I understand, the only way to protect these resources is to create "global" resources (/api/report, /api/status etc.), but then we can't validate if the current user is authorized to make requests for a given "country":
>
> The other alternative would be to include the country name in the URI, but this would lead to duplication of resource definitions:
>
> /api/report/country1
> /api/report/country2
> /api/status/country1
> /api/status/country2
> ...
>
> We considered including a list of the countries the user has access to as an attribute in the access_token but that would require manually maintaining said attribute
>
> Is there another way that would accommodate this kind of authentication requirements?
>
> Thanks in advance!
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA

From psilva at redhat.com Mon Apr 10 08:27:43 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 10 Apr 2017 09:27:43 -0300
Subject: [keycloak-user] Photoz Authz example DB issue
In-Reply-To: <03b1c21c-f328-b5f7-e062-8fbf163fffd2@gmail.com>
References: <03b1c21c-f328-b5f7-e062-8fbf163fffd2@gmail.com>
Message-ID:

Hi Ilya, it should work right OOTB. Can you please fill a JIRA with more information about the issues you are facing?

If you are building from upstream/master it should work fine. Also, this quickstart is mainly targeted for Wildfly/EAP.

Regards.
Pedro Igor

On Mon, Apr 10, 2017 at 4:05 AM, Ilya Korol wrote:
> Hi, I'm trying to realize how authz works in keycloak, therefore I tried to run the keycloak/examples/authz/photoz project. I failed to run it from git sources (I even failed to build or test it!), so I downloaded examples.zip from keycloak.org. I successfully built and deployed jars to a keycloak instance, but when I go to the urls specified in README.md (http://localhost:8080/photoz-html5-client/#/album/create ...) I see NPEs in keycloak logs. These errors refer to any code like:
>
> this.entityManager.createQuery("from Album where name = :name and userId = :userId");
>
> I checked persistence.xml:
>
> org.hibernate.ejb.HibernatePersistence
> org.keycloak.example.photoz.entity.Album
> org.keycloak.example.photoz.entity.Photo
> value="org.hibernate.dialect.H2Dialect" />
> value="org.h2.Driver" />
> value="jdbc:h2:~/keycloak-photoz-example" />
>
> Do I have to make any DB bootstrapping actions or should this project work right out of the box?
>

From moon3854 at gmail.com Mon Apr 10 09:18:06 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Mon, 10 Apr 2017 16:18:06 +0300
Subject: [keycloak-user] Disabling token Host validation for introspect?
Message-ID:

I have 2 gateway proxies, A and B, through which I can access the realm and retrieve an oidc token. Issuer is set in the token to either A or B. When I then send a request to an introspect endpoint with a token A through gateway B I get {"active": false} as a response. Through testing I've found that the request returns proper data when the issuer in the token equals the gateway I access it from. Is there a way to disable that Host check for introspect? I do not have direct control over which gateway introspect will be accessed through, and manually fixing the Host header proves difficult due to numerous security fixes in java.

From gtrisca at cignifi.com Mon Apr 10 09:27:25 2017
From: gtrisca at cignifi.com (Gabriel Trisca)
Date: Mon, 10 Apr 2017 09:27:25 -0400
Subject: [keycloak-user] Authorization on resources that belong to different "groups"
In-Reply-To:
References:
Message-ID:

Hi Mehdi,

The policies are defined in the Keycloak admin panel, and we want to try to avoid defining access control in our application code as much as possible. The application uses Dropwizard, so we use the Jetty adapter.

Thanks!

On Mon, Apr 10, 2017 at 8:27 AM, Mehdi Sheikhalishahi <mehdi.alishahi at gmail.com> wrote:
> Hi Gabriel,
>
> How do you define your policies? Which adapter do you use for your app?
>

--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
P: +1 857-209-2685 | M: +1 301-433-2221 | www.cignifi.com

From tomas at intrahouse.com Mon Apr 10 09:56:26 2017
From: tomas at intrahouse.com (Tomás García)
Date: Mon, 10 Apr 2017 13:56:26 +0000
Subject: [keycloak-user] [development] Jumping to another flow from an authenticator
Message-ID:

Hi,

I'm doing experiments with authenticators...
I've made an authenticator for the "first broker login" flow and I'm wondering if, under a certain condition I implemented inside the authenticateImpl method of the authenticator, I can jump to the browser flow to "challenge" the user with the regular login screen. It looks like it's impossible by design.

If there's another alternative you can think about, it would be great.

Thanks.

From mehdi.alishahi at gmail.com Mon Apr 10 10:59:31 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Mon, 10 Apr 2017 16:59:31 +0200
Subject: [keycloak-user] Authorization on resources that belong to different "groups"
In-Reply-To:
References:
Message-ID:

Hi Gabriel

Thanks for the note.
I need to secure Orion. Orion is a C++ implementation of the NGSI9/10 REST API binding developed as a part of the FIWARE platform. I could not find any adapter in KeyCloak. So how could we secure Orion?

https://github.com/telefonicaid/fiware-orion#api-overview

On Mon, Apr 10, 2017 at 3:27 PM, Gabriel Trisca wrote:
> Hi Mehdi,
>
> The policies are defined in the Keycloak admin panel, and we want to try to avoid defining access control in our application code as much as possible. The application uses Dropwizard, so we use the Jetty adapter.
>
> Thanks!
>
> On Mon, Apr 10, 2017 at 8:27 AM, Mehdi Sheikhalishahi <mehdi.alishahi at gmail.com> wrote:
>> Hi Gabriel,
>>
>> How do you define your policies? Which adapter do you use for your app?
>>
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
> P: +1 857-209-2685 |
> M: +1 301-433-2221 | www.cignifi.com

From mposolda at redhat.com Mon Apr 10 15:42:18 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 10 Apr 2017 21:42:18 +0200
Subject: [keycloak-user] [development] Jumping to another flow from an authenticator
In-Reply-To:
References:
Message-ID:

I think it's possible with the current implementation by using:

context.forkWithSuccessMessage("some message, which will be displayed on the initial login screen");

or also "context.forkWithErrorMessage". The "context" references the AuthenticationFlowContext object passed to the authenticator.

Something like this is used at the ResetCredentialEmail authenticator, which is used during the reset-credentials flow (when the user presses the link "Forget my password" on the login screen).

Hope this helps,
Marek

On 10/04/17 15:56, Tomás García wrote:
> Hi,
>
> I'm doing experiments with authenticators... I've made an authenticator for the "first broker login" flow and I'm wondering if, under a certain condition I implemented inside the authenticateImpl method of the authenticator, I can jump to the browser flow to "challenge" the user with the regular login screen. It looks like it's impossible by design.
>
> If there's another alternative you can think about, it would be great.
>
> Thanks.
>

From mposolda at redhat.com Mon Apr 10 15:44:06 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 10 Apr 2017 21:44:06 +0200
Subject: [keycloak-user] username in host-slave.xml
In-Reply-To: <180f501645b143b6ba3f768c0d7d9429@dehamex2013.europe.flane.local>
References: <180f501645b143b6ba3f768c0d7d9429@dehamex2013.europe.flane.local>
Message-ID: <3637e22f-c9e6-4a63-351e-4e62e6932ff1@redhat.com>

Not 100% sure it answers your question, but note that Keycloak users are different from Wildfly users and they are independent of each other. See Keycloak documentation for more details.

Marek

On 10/04/17 10:01, Marc Tempelmeier wrote:
> Hi,
>
> I saw that the official documentation does not mention a username in the host-slave.xml, but in the wildfly docu it is present.
>
> How does Keycloak determine the correct user?
>
> Best regards
>
> Marc

From mposolda at redhat.com Mon Apr 10 15:46:49 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 10 Apr 2017 21:46:49 +0200
Subject: [keycloak-user] (no subject)
In-Reply-To:
References:
Message-ID: <9fd147d3-f1c2-ae04-df08-1bd9e7eebff7@redhat.com>

Maybe it will help to use the "use-resource-role-mappings" switch in your application adapter configuration (in file keycloak.json). If it won't help, then I would double-check if the roles are present in the access token. It's possible that you need to add those roles as "scope" for your client as well, unless your client has "Full scope allowed" on.

Marek

On 07/04/17 12:38, JiJesH V U wrote:
> I have these 2 keycloak configurations for per app role mapping. I have configured the role per app and assigned to the user.
> When I remove a particular role from app1 it can login. This does not happen. What am I doing wrong here?
>
> regards,
> jijesh v u
> mob: +91 9037329817

From mposolda at redhat.com Mon Apr 10 15:53:52 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 10 Apr 2017 21:53:52 +0200
Subject: [keycloak-user] How to mock LDAP user login with expired password
In-Reply-To: <835449372.1172754.1491488271883@mail.yahoo.com>
References: <835449372.1172754.1491488271883.ref@mail.yahoo.com> <835449372.1172754.1491488271883@mail.yahoo.com>
Message-ID:

We have some tests which directly add users to LDAP and then use those users to test something with Keycloak integration. For inspiration, you can take a look at our existing tests in package "org.keycloak.testsuite.federation.storage.ldap". For example LDAPProvidersIntegrationTest.

Marek

On 06/04/17 16:17, Adrian Madaras wrote:
> Hi everyone,
> I know that showing a message if the user's password is expired is a security breach but I need this for my development purposes. I've managed to implement this in the LDAPStorageProvider.java using Thread.local and then sending the appropriate message to the front end in the AbstractUsernameFormAuthenticator.java class.
> Everything is fine and dandy but I want to write an integration test to check if everything works as it should. The problem is I don't know how to mock a LDAP user that has an expired password. I've searched google but no answer.
> Can someone help me?
> Thanks,
> Adrian

From mposolda at redhat.com Mon Apr 10 15:59:33 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 10 Apr 2017 21:59:33 +0200
Subject: [keycloak-user] Creating group mappers for ldap
In-Reply-To:
References:
Message-ID: <7b5a3162-4e48-d08e-4ca8-ceae2f163f0e@redhat.com>

Did you also add the stuff into META-INF/services of your JAR? See our documentation and also the examples in the keycloak-examples distribution under directory "providers". There is no example for LDAPStorageMapper and this SPI is not officially supported, but you can still use the examples for inspiration though.

Marek

On 06/04/17 21:08, Sumit Das wrote:
> Hi
>
> We are using Keycloak 2.5.4. We are trying to create custom group mappers for ldap by creating a Myfactory.class which extends AbstractLdapStorageMapperFactory and the implementation of the mapper as MyMapperLdapProvider which extends AbstractLdapStorageMapper.
>
> We have followed the documentation provided on the Keycloak for deployment of jar and implementation of the mapper.
>
> Once done in providers or deploy folder we do not see our custom mapper in the drop down of the mapper section of user federation provider.
>
> We are not sure whether we are following the right approach or right design to create the mapper.
>
> Please help us to identify where we are doing wrong. Any suggestions or direction is highly appreciated.
>
> Regards
> Sumit

From llivezking at gmail.com Mon Apr 10 22:23:11 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Tue, 11 Apr 2017 12:23:11 +1000
Subject: [keycloak-user] Photoz Authz example DB issue
In-Reply-To:
References: <03b1c21c-f328-b5f7-e062-8fbf163fffd2@gmail.com>
Message-ID: <90aad8b7-f776-1de4-9e3c-e9a906516bab@gmail.com>

Oh, I wrongly put it. I failed to build or test keycloak itself, not the example (I'm talking about the guide at github/keycloak/keycloak/README.md). So, I downloaded the standalone keycloak distribution (2.5.5) and the appropriate archive with examples, and after deploy I got the mentioned NPE errors (that refer to DB issues).

P.S. I've just run:

mvn clean
mvn install

And tests failed somewhere at BaseTestSuite, so then I ran the following command to create a log file for posting it in JIRA:

mvn clean
mvn install | tee mvn_install.log.txt

And all builds and tests pass!!!111 WTF?. Then I successfully ran

mvn install -Pdistribution

Then I wanted to run the created distribution. README.md says that I should run

tar xfz distribution/appliance-dist/target/keycloak-appliance-dist-all-.tar.gz
cd keycloak-appliance-dist-all-/keycloak
bin/standalone.sh

but I didn't find anything like 'appliance-dist'. Then I found the distribution/demo-dist directory and ran the distribution in keycloak-demo-3.0.1.Final-SNAPSHOT.tar.gz. I successfully deployed /examples/authz/photoz from this archive to keycloak and everything is working right now! Cool.

P.P.S. I also faced a mini issue with the rule policy from this example: after importing Authorization settings to the photoz-restful-api client I went to authorization->policies->only owner policy. This policy is based on the org.keycloak:photoz-authz-policy:${project.version} maven artifact with Drools rules.
But resolving of this artifact was failing until I manually specified the 3.0.1.Final-SNAPSHOT version (I also checked the Server Info entry in the server-info Keycloak page: it is 3.0.1.Final-SNAPSHOT, so is it a bug?).

Anyway thanks for help!

On 10.04.2017 22:27, Pedro Igor Silva wrote:
> Hi Ilya, it should work right OOTB. Can you please fill a JIRA with more information about the issues you are facing?
>
> If you are building from upstream/master it should work fine. Also, this quickstart is mainly targeted for Wildfly/EAP.
>
> Regards.
> Pedro Igor
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From gtrisca at cignifi.com Mon Apr 10 22:57:41 2017 From: gtrisca at cignifi.com (Gabriel Trisca) Date: Mon, 10 Apr 2017 22:57:41 -0400 Subject: [keycloak-user] Authorization on resources that belong to different "groups" In-Reply-To: References: Message-ID: You will have more luck creating a new thread in the mailing list with this issue in the mailing list, but what you have to look for is which web server is used behind the scenes in that application. On Mon, Apr 10, 2017 at 10:59 AM, Mehdi Sheikhalishahi < mehdi.alishahi at gmail.com> wrote: > Hi Gabriel > > Thanks for the note. > I need to secure Orion. Orion is a C++ implementation of the NGSI9/10 > REST API binding developed as a part of the FIWARE platform. I could not > find any adapter in KeyCloak. So how we could secure Orion? > > https://github.com/telefonicaid/fiware-orion#api-overview > > > > > On Mon, Apr 10, 2017 at 3:27 PM, Gabriel Trisca > wrote: > >> Hi Mehdi, >> >> The policies are defined in the Keycloak admin panel, and we want to try >> to avoid defining access control in out application code as much as >> possible. The application uses Dropwizard, so we use the Jetty adapter. >> >> Thanks! >> >> On Mon, Apr 10, 2017 at 8:27 AM, Mehdi Sheikhalishahi < >> mehdi.alishahi at gmail.com> wrote: >> >>> Hi Gabriel, >>> >>> How do you define your policies? which adapter do you use for your app? 
>>>
>>> On Thu, Mar 30, 2017 at 11:59 PM, Gabriel Trisca wrote:
>>>
>>>> Hi there,
>>>>
>>>> We've integrated Keycloak auth and authz to an existing REST service which
>>>> serves endpoints like this:
>>>>
>>>> GET /api/report?country={country}
>>>> GET /api/status?country={country}
>>>> GET /api/history?country={country}
>>>>
>>>> As far as I understand, the only way to protect these resources is to
>>>> create "global" resources (/api/report, /api/status etc.), but then we
>>>> can't validate if the current user is authorized to make requests for a
>>>> given "country":
>>>>
>>>> The other alternative would be to include the country name in the URI, but
>>>> this would lead to duplication of resource definitions:
>>>>
>>>> /api/report/country1
>>>> /api/report/country2
>>>> /api/status/country1
>>>> /api/status/country2
>>>> ...
>>>>
>>>> We considered including a list of the countries the user has access to as
>>>> an attribute in the access_token but that would require manually
>>>> maintaining said attribute
>>>>
>>>> Is there another way that would accommodate this kind of authentication
>>>> requirements?
>>>>
>>>> Thanks in advance!
>>>>
>>>> --
>>>> *Gabriel Trisca, Software Developer*
>>>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
>>>
>>
>> --
>> *Gabriel Trisca, Software Developer*
>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
>> P: +1 857-209-2685 | M: +1 301-433-2221 | www.cignifi.com
>

--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
P: +1 857-209-2685 | M: +1 301-433-2221 | www.cignifi.com

From dt at zyres.com Tue Apr 11 02:05:23 2017
From: dt at zyres.com (Danny Trunk)
Date: Tue, 11 Apr 2017 08:05:23 +0200
Subject: [keycloak-user] Themeing: Set Urls + Locale
In-Reply-To: <479db950-1f11-bfdb-40ca-3263adb82456@zyres.com>
References: <78f6f856-a237-8b8f-8321-31c7fcc91db4@zyres.com> <479db950-1f11-bfdb-40ca-3263adb82456@zyres.com>
Message-ID:

For the URLs I'm currently using the Base Url you can provide through the client configuration in the Keycloak Admin Console. Maybe there's a better way as the Base URL isn't a mandatory field and could be empty.

Regarding the locale I still don't have a solution.

On 06.04.2017 at 12:20, Danny Trunk wrote:
> Regarding the locale I've found the following code:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/util/LocaleHelper.java#L67
>
> - kc_locale query parameter: Sounds interesting, how to append it when
> redirecting to the Keycloak Login Page through Spring Security Adapter?
>
> - locale cookie: Not interesting as I cannot save a cookie from my
> Webapp to use in the Keycloak Server
>
> - user profile: Not interesting as the user isn't logged in here
>
> - ui_locales query parameter: Don't know what this is and where/how to set
>
> - Accept-language http header: Not interesting as the user can browse
> the webapp in a different locale
>
>
> On 06.04.2017 at 09:04, Danny Trunk wrote:
>> Hello everyone,
>>
>> is there a clean way to set the registrationUrl, loginUpdateProfileUrl,
>> loginResetCredentialsUrl to my own one based on the Redirect URI as well
>> as sending a Locale to the Keycloak pages which to be used instead of
>> the configured default?
>> I'm using the Spring Security Adapter and I'm also familiar in creating
>> Service Provider.
>>
>> I need to do the registration, password forgotten and update profile
>> processes within my webapp as there are some post-processes to be done
>> and I don't want to rewrite them.
>> That's no problem as I'm using a User Storage Provider.
>>
>> The Redirect URI looks like https://localhost:8443/de_DE/login.html
>> The Registration page is accessible through
>> https://localhost:8443/de_DE/register.html
>> The Password forgotten page is accessible through
>> https://localhost:8443/de_DE/pwreminder.html
>> The Update Profile page is accessible through
>> https://localhost:8443/de_DE/myaccount.html
>>
>> The hackish way would be to get the Query Parameter "redirect_uri" in
>> the ftl Template and build the base url "https://localhost:8443/de_DE".
>> But then the Template still uses the default Locale.
>>
>> Are there any clean ways?
>

From marc.tempelmeier at flane.de Tue Apr 11 03:29:22 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 11 Apr 2017 07:29:22 +0000
Subject: [keycloak-user] [development] Jumping to another flow from an authenticator
In-Reply-To:
References:
Message-ID: <21bc4779d1fe4dea80d85054954b051c@dehamex2013.europe.flane.local>

Hi,

Thanks for your answer!

Yeah sure, I try to use the add-user.sh which is intended for that:
https://www.keycloak.org/docs/2.4/server_installation_guide/topics/operating-mode/domain.html

But I can't get the Slave connected to the Master, in the Wildfly Docu a username in domain.xml is mentioned, but if I try to add that attribute I'll get an "not supported" error in Keycloak. So my question is how does keycloak determine the correct user the slave uses?
The Wildfly docu mentions that if omitted the hostname is used. I tried that but still get a not authorized error. What should I do? :)

Greetings

Marc

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Marek Posolda
Sent: Monday, April 10, 2017 9:42 PM
To: Tomás García ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] [development] Jumping to another flow from an authenticator

I think it's possible with current implementation by using:

context.forkWithSuccessMessage("some message, which will displayed on the initial login screen");

or also "context.forkWithErrorMessage" . The "context" references AuthenticationFlowContext object passed to the authenticator.

Something like this is used at ResetCredentialEmail authenticator, which is used during reset-credentials flow (when user press link "Forget my password" on the login screen).

Hope this helps,
Marek

On 10/04/17 15:56, Tomás García wrote:
> Hi,
>
> I'm doing experiments with authenticators... I've made an
> authenticator for the "first broker login" flow and I'm wondering if,
> under certain condition I implemented inside the authenticateImpl
> method of the authenticator, I can jump to the browser flow to
> "challenge" the user with the regular login screen. It looks like it's impossible by design.
>
> If there's another alternative, you can think about, it would be great.
>
> Thanks.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From anders.kabell.kristensen at systematic.com Tue Apr 11 04:14:11 2017 From: anders.kabell.kristensen at systematic.com (Anders KK) Date: Tue, 11 Apr 2017 01:14:11 -0700 (MST) Subject: [keycloak-user] SAML attribute mapper with processing Message-ID: <1491898451566-3506.post@n6.nabble.com> Hi there, Do you have a guide on how to implement a custom SAML attribute mapper? Does that involve building KC on our own? What we need: Our SAML Idp (a widely used public Danish service) provides a custom attribute on the SAML assertion. To support a detailed user privileges profile, a chunk of xml data is base 64 encoded and added as the value of a single attribute as follows: PD94bWwg ....based 64 encoded XML data..... dmVyc2l== We want to implement a mapper that will: extract the attribute value, decode the data, parse the XML and finally map each privilege to a role on the Keycloak user. Alternatively, if post-processing of the user is an option, we could map the attribute on to the user and do the privilege/role processing later? Any suggestions are appreciated :) Kind regards, Ulrik and Anders -- View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-attribute-mapper-with-processing-tp3506.html Sent from the keycloak-user mailing list archive at Nabble.com. From tomas at intrahouse.com Tue Apr 11 05:03:00 2017 From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=) Date: Tue, 11 Apr 2017 09:03:00 +0000 Subject: [keycloak-user] [development] Jumping to another flow from an authenticator In-Reply-To: References: Message-ID: Thanks, Marek. That did the job. 
I tried with context.fork() and it worked too, without the need to set a message.

On Mon, Apr 10, 2017 at 8:42 PM Marek Posolda wrote:

> I think it's possible with current implementation by using:
>
> context.forkWithSuccessMessage("some message, which will displayed on the
> initial login screen");
>
> or also "context.forkWithErrorMessage" . The "context" references
> AuthenticationFlowContext object passed to the authenticator.
>
> Something like this is used at ResetCredentialEmail authenticator, which
> is used during reset-credentials flow (when user press link "Forget my
> password" on the login screen).
>
> Hope this helps,
> Marek
>
>
> On 10/04/17 15:56, Tomás García wrote:
>
> Hi,
>
> I'm doing experiments with authenticators... I've made an authenticator for
> the "first broker login" flow and I'm wondering if, under certain condition
> I implemented inside the authenticateImpl method of the authenticator, I
> can jump to the browser flow to "challenge" the user with the regular login
> screen. It looks like it's impossible by design.
>
> If there's another alternative, you can think about, it would be great.
>
> Thanks.
>

From marc.tempelmeier at flane.de Tue Apr 11 05:23:29 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 11 Apr 2017 09:23:29 +0000
Subject: [keycloak-user] username in host-slave.xml
In-Reply-To: <3637e22f-c9e6-4a63-351e-4e62e6932ff1@redhat.com>
References: <180f501645b143b6ba3f768c0d7d9429@dehamex2013.europe.flane.local> <3637e22f-c9e6-4a63-351e-4e62e6932ff1@redhat.com>
Message-ID: <476fa26e955b494b9ac8255dfd2fa71f@dehamex2013.europe.flane.local>

Hi,

Thanks for your answer!
Yeah sure, I try to use the add-user.sh which is intended for that:
https://www.keycloak.org/docs/2.4/server_installation_guide/topics/operating-mode/domain.html

But I can't get the Slave connected to the Master, in the Wildfly Docu a username in domain.xml is mentioned, but if I try to add that attribute I'll get an "not supported" error in Keycloak. So my question is how does keycloak determine the correct user the slave uses? The Wildfly docu mentions that if omitted the hostname is used. I tried that but still get a not authorized error. What should I do? :)

Greetings

Marc

P.S. I posted this under a wrong message, sorry :o

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, April 10, 2017 9:44 PM
To: Marc Tempelmeier ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] username in host-slave.xml

Not 100% sure it answers your question, but note, that Keycloak users are different than Wildfly users and they are independent on each other. See Keycloak documentation for more details.

Marek

On 10/04/17 10:01, Marc Tempelmeier wrote:
> Hi,
>
> I saw that the official documentation does not mention a username in the host-slave.xml, but in the wildfly docu it is present.
>
> How does Keycloak determine the correct user?
>
> Best regard
>
> Marc
>

From mehdi.alishahi at gmail.com Tue Apr 11 05:38:03 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Tue, 11 Apr 2017 11:38:03 +0200
Subject: [keycloak-user] OAuth Resource Server
Message-ID:

Hi

I need to secure Orion [1]. Orion is a C++ implementation of the NGSI9/10 REST API binding developed as a part of the FIWARE platform. I could not find any adapter in KeyCloak.
It has been proposed to use https://github.com/pingidentity/mod_auth_openidc for services which don't provide OAuth2.0 implementation. It is not easy and in some cases feasible to use mod-auth-openidc. Any other proposal? [1] https://github.com/telefonicaid/fiware-orion#api-overview Thanks and kind regards, Mehdi From kevin.berendsen at pharmapartners.nl Tue Apr 11 06:20:59 2017 From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen) Date: Tue, 11 Apr 2017 10:20:59 +0000 Subject: [keycloak-user] Adapter Token Verification Message-ID: <636615b47f7744f0bea62c259c1274bd@FERB.ppg.lan> Hi community! Is there any diagram of how token verification takes place in adapters? I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security which is nice but how I'm 100% certain that the bearer token is valid? In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession? 
Kind regards,

Kevin

From marc.tempelmeier at flane.de Tue Apr 11 07:52:00 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 11 Apr 2017 11:52:00 +0000
Subject: [keycloak-user] username in host-slave.xml
In-Reply-To: <476fa26e955b494b9ac8255dfd2fa71f@dehamex2013.europe.flane.local>
References: <180f501645b143b6ba3f768c0d7d9429@dehamex2013.europe.flane.local> <3637e22f-c9e6-4a63-351e-4e62e6932ff1@redhat.com> <476fa26e955b494b9ac8255dfd2fa71f@dehamex2013.europe.flane.local>
Message-ID: <2ac9c1255f474fd5b9053e58c234ffff@dehamex2013.europe.flane.local>

Ok, we solved that Problem :)

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Marc Tempelmeier
Sent: Tuesday, April 11, 2017 11:23 AM
To: Marek Posolda ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] username in host-slave.xml

Hi,

Thanks for your answer!

Yeah sure, I try to use the add-user.sh which is intended for that:
https://www.keycloak.org/docs/2.4/server_installation_guide/topics/operating-mode/domain.html

But I can't get the Slave connected to the Master, in the Wildfly Docu a username in domain.xml is mentioned, but if I try to add that attribute I'll get an "not supported" error in Keycloak. So my question is how does keycloak determine the correct user the slave uses? The Wildfly docu mentions that if omitted the hostname is used. I tried that but still get a not authorized error. What should I do? :)

Greetings

Marc

P.S. I posted this under a wrong message, sorry :o

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, April 10, 2017 9:44 PM
To: Marc Tempelmeier ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] username in host-slave.xml

Not 100% sure it answers your question, but note, that Keycloak users are different than Wildfly users and they are independent on each other.
See Keycloak documentation for more details.

Marek

On 10/04/17 10:01, Marc Tempelmeier wrote:
> Hi,
>
> I saw that the official documentation does not mention a username in the host-slave.xml, but in the wildfly docu it is present.
>
> How does Keycloak determine the correct user?
>
> Best regard
>
> Marc
>

From llivezking at gmail.com Tue Apr 11 08:19:13 2017
From: llivezking at gmail.com (=?UTF-8?B?0JrQvtGA0L7Qu9GMINCY0LvRjNGP?=)
Date: Tue, 11 Apr 2017 22:19:13 +1000
Subject: [keycloak-user] Adapter Token Verification
In-Reply-To: <636615b47f7744f0bea62c259c1274bd@FERB.ppg.lan>
References: <636615b47f7744f0bea62c259c1274bd@FERB.ppg.lan>
Message-ID:

Hi.

As far as I understood the adapter workflow, the adapter wouldn't make any additional request to the keycloak server. While your application starts, the adapter retrieves all required settings from keycloak (pubkeys, authorization settings etc.) and then on every request it just verifies the signature of the AccessToken (which is a JWT), and the timestamps of token issuing, so your application can be confident that the AT comes from the proper keycloak instance and it isn't obsolete.

Proof of that assumption is that if you ask keycloak to generate keycloak.json for your bearer-only client it wouldn't put clientSecret into keycloak.json, so it excludes any secure communication between your client and keycloak.

Also that's why the AT must have a small TTL, because if the AT has a long TTL and the user signs out, this AT would still be valid for your backend bearer-only application.

11.04.2017 20:20, Kevin Berendsen wrote:
> Hi community!
>
> Is there any diagram of how token verification takes place in adapters?
> I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security which is nice but how I'm 100% certain that the bearer token is valid?
>
> In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
>
> Kind regards,
>
> Kevin
>

From llivezking at gmail.com Tue Apr 11 08:25:36 2017
From: llivezking at gmail.com (=?UTF-8?B?0JrQvtGA0L7Qu9GMINCY0LvRjNGP?=)
Date: Tue, 11 Apr 2017 22:25:36 +1000
Subject: [keycloak-user] Adapter Token Verification
In-Reply-To: <636615b47f7744f0bea62c259c1274bd@FERB.ppg.lan>
References: <636615b47f7744f0bea62c259c1274bd@FERB.ppg.lan>
Message-ID:

I should also note that despite all that stuff that I wrote in the previous message you still have an opportunity to manually verify the AT which comes to your application. For that purpose there is an _introspection_ endpoint to which you could POST the signed AT, and if it is valid keycloak will return its content to you. But for doing this you should provide the credentials of the client which you use for introspecting the token.

As you can see, performing a backchannel introspection request to keycloak every time you get an AT is overhead, that's why at least the Spring Adapter by default performs verification by itself without requests to keycloak.

11.04.2017 20:20, Kevin Berendsen wrote:
> Hi community!
>
> Is there any diagram of how token verification takes place in adapters?
> I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security which is nice but how I'm 100% certain that the bearer token is valid?
>
> In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
>
> Kind regards,
>
> Kevin
>

From mariusz at info.nl Tue Apr 11 09:38:55 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Tue, 11 Apr 2017 13:38:55 +0000
Subject: [keycloak-user] Reset password - direct URL
Message-ID:

Hi.

Is there a way to generate reset password URL without opening login page? We would like to have direct URL on our website (or app) to reset password form:

http://domain/auth/realms/vi/login-actions/reset-credentials?code=5y-6gU42Vr-zp2b1mk3v-blNvrL-psc6EQcqT1dXsaw.d3370065-3965-4f81-abb8-c87d377b900e

This URL is generated in UrlBean class, but I also can't get it anyway to try expose easy REST endpoint.

Do you know if there is an easy way?

Thanks in advance.
Kind Regards,

Mariusz Chruścielewski

software engineer

mariusz at info.nl | LinkedIn | +31 (0)20 530 9113

info.nl

Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From marc.tempelmeier at flane.de Tue Apr 11 09:48:47 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 11 Apr 2017 13:48:47 +0000
Subject: [keycloak-user] Load Balancer and Domain Clustered Mode
Message-ID: <25c59e22eb42440e914a5b8bb15b8670@dehamex2013.europe.flane.local>

Hi,

The docu said we should use our own load balancer. Is nginx a good idea there and how is the general rough setup then? Nginx in front, Domain controller is admin only and just controls the config, 2 slaves with an open Port (8080, 8081) which the load balancer uses? Or does the Domain Controller have some other role in this setup? Not asking for specifics, just the general workflow.

Greetings

Marc

From krishna1shiva at gmail.com Tue Apr 11 10:53:36 2017
From: krishna1shiva at gmail.com (Shiva Krishna)
Date: Tue, 11 Apr 2017 20:23:36 +0530
Subject: [keycloak-user] Fwd: Retrieve SAMLResponse after login
In-Reply-To:
References:
Message-ID:

Any thoughts on it??

On Sat, Apr 8, 2017 at 3:19 PM, Shiva Krishna wrote:
> Hello Hynek,
>
> I need to implement functionality to retrieve and create documents in
> "Veeva Vault" from my application using "Veeva Vault API". To connect
> a SSO user in Veeva Vault from my application, it requires SSOResponse
> as one of the parameters. Please find the link which explains about
> it:
> http://developer.veevavault.com/docs/authentication/#single_sign_on_sso_authentication
>
> If we cannot get SAMLResponse as a parameter along with SamlPrincipal,
> is there a way to create custom SAMLResponse?
>
> Let me know if you need any further information.
> Krishna S
>
> On Sat, Apr 8, 2017 at 12:37 AM, Hynek Mlnarik wrote:
>> Can you elaborate on what you are trying to achieve? Where do you want
>> to retrieve SAMLResponse and why?
>> >> --Hynek >> >> On Thu, Apr 6, 2017 at 9:07 AM, Shiva Krishna wrote: >>> Hello, >>> >>> I need to retrieve SAMLResponse as is which appears on browser after >>> login using Keycloak. I am able to retrieve SAMLPrincipal and other >>> variables. But, I am not able to see the parameter "SAMLResponse". >>> >>> What is the way to get it? >>> >>> Thanks, >>> Krishna S >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> -- >> >> --Hynek > > > > -- > Kris..... -- Kris..... From campbhu at gmail.com Tue Apr 11 13:20:14 2017 From: campbhu at gmail.com (Hugh Campbell) Date: Tue, 11 Apr 2017 13:20:14 -0400 Subject: [keycloak-user] Best Practices and Recommendations Message-ID: Greetings! I am involved in a client engagement event upcoming on-site performing a Best Practices analysis of their environment for Red Hat SSO which Keycloak is a component of. I have been in the process of reviewing all available information related to Keycloak as well as setting up my own instances to get a better feel for the platform. However, one area I am having little success in is finding a collection of best practices and recommendations for deploying and securing Keycloak. I am also having difficulty finding best practices and recommendations for SAML SSO that would relate to Keycloak. Does such material exist or is this an instance where we will have to take the current literature as it exists and adapt it to meet our client's needs? I'd rather not re-invent the wheel and instead draw from the wisdom of the crowd for this effort. Thanks in advance! V/R - Hugh From moon3854 at gmail.com Tue Apr 11 14:24:19 2017 From: moon3854 at gmail.com (Dmitry Korchemkin) Date: Tue, 11 Apr 2017 21:24:19 +0300 Subject: [keycloak-user] Host header verification during introspect? Message-ID: As i wrote a couple of days ago, i have an issue with introspection. 
When sending an introspect request through a proxy I get a pretty uninformative {"active" : "false"} as a result. I have two proxies, private and public, and all the requests to keycloak go through them. When I get a token from the private proxy (http://private.com/../protocol/openid-connect/token) and then try to access introspect through the public proxy (http://public/../protocol/openid-connect/token/introspect) with this token, it fails with the error I provided above. The token is issued to the private proxy, obviously. When I receive a token and use it to access introspect through the same proxy, it works.

I've tried to modify my proxies to hack the Host header and replace it with whatever the token is issued to, and it works when I manually do the steps above with postman, but unfortunately it horribly breaks something else within my code. I get that it's more secure this way, but I did not have this issue when I used 1.9.8.Final. Is there a way to disable this introspect host checking with the 3.0.0.?

From llivezking at gmail.com Tue Apr 11 19:49:16 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Wed, 12 Apr 2017 09:49:16 +1000
Subject: [keycloak-user] Reset password - direct URL
In-Reply-To:
References:
Message-ID: <048f3e73-21e5-b0e0-b8a6-570112bf8980@gmail.com>

Hi.

About a month ago I also investigated this issue, and came to the following solution: I explored the keycloak github repo for the implementation of sending an email with a reset-password link.
Then I slightly modified the code I found:

    private String generateResetPasswordLink(UserModel user) {
        // Set params for redirecting after password updating
        // User will be redirected to his Keycloak Account application
        String clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID;
        ClientModel client = realm.getClientByClientId(clientId);
        String redirectUri = client.getBaseUrl();

        // Create user session and set that he has to set a password
        ClientSessionModel clientSession = createClientSession(user, redirectUri, clientId);
        clientSession.addRequiredAction(ClientSessionModel.Action.UPDATE_PASSWORD.name());
        if (redirectUri != null) {
            clientSession.setNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
        }

        // Generate token which will be appended to the link and will refer to the created session for changing password
        ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession);
        accessCode.setAction(ClientSessionModel.Action.EXECUTE_ACTIONS.name());

        return Urls.executeActionsBuilder(uriInfo.getBaseUri())
                .queryParam("key", accessCode.getCode())
                .build(realm.getName())
                .toString();
    }

    private ClientSessionModel createClientSession(UserModel user, String redirectUri, String clientId) {
        if (!user.isEnabled()) {
            throw new WebApplicationException(
                    ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST));
        }
        if (redirectUri != null && clientId == null) {
            throw new WebApplicationException(
                    ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST));
        }
        if (clientId == null) {
            clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID;
        }
        ClientModel client = realm.getClientByClientId(clientId);
        if (client == null || !client.isEnabled()) {
            throw new WebApplicationException(
                    ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST));
        }
        String redirect = null;
        if (redirectUri != null) {
            redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client);
            if (redirect == null) {
                throw new WebApplicationException(
                        ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST));
            }
        }
        UserSessionModel userSession = session.sessions().createUserSession(
                realm, user, user.getUsername(), clientConnection.getRemoteAddr(),
                "form", false, null, null);
        userSession.setState(UserSessionModel.State.LOGGED_IN);
        ClientSessionModel clientSession = session.sessions().createClientSession(realm, client);
        clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
        clientSession.setRedirectUri(redirect);
        clientSession.setUserSession(userSession);
        return clientSession;
    }

If you follow the link returned from generateResetPasswordLink() you will be prompted to type a new password. But after you set your new password, you will not be redirected directly to account (note that we used ACCOUNT_CLIENT as redirectUri while constructing the link). You'll see a link below the password form that will lead you to account, but you'll have to type your updated credentials (i.e. you will be redirected to the login page and only then to the account page).

But we are also interested if there is a better solution for password setting. In general we are interested in a flow where after setting a new password the user would be automatically redirected to any specified client bypassing the login page.

Hope it will help you, and hope my English is not so ugly)

On 11.04.2017 23:38, Mariusz Chruscielewski - Info.nl wrote:
> Hi.
>
> Is there a way to generate reset password URL without opening login page? We would like to have direct URL on our website (or app) to reset password form:
>
> http://domain/auth/realms/vi/login-actions/reset-credentials?code=5y-6gU42Vr-zp2b1mk3v-blNvrL-psc6EQcqT1dXsaw.d3370065-3965-4f81-abb8-c87d377b900e
>
> This URL is generated in UrlBean class, but I also can't get it anyway to try expose easy REST endpoint.
>
> Do you know if there is an easy way?
>
> Thanks in advance.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From llivezking at gmail.com Tue Apr 11 19:56:58 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Wed, 12 Apr 2017 09:56:58 +1000
Subject: [keycloak-user] Reset password - direct URL
In-Reply-To: References: Message-ID:

Addition to the previous message: all the code that I've posted is called from a custom Admin REST endpoint (an SPI extension; check the Keycloak "Server Development" docs for details). In other words, it must be executed within Keycloak itself, so you have to deploy it to Keycloak as a Keycloak SPI module.

On 11.04.2017 23:38, Mariusz Chruscielewski - Info.nl wrote:
> Hi.
>
> Is there a way to generate a reset password URL without opening the login page? We would like to have a direct URL on our website (or app) to the reset password form:
>
> http://domain/auth/realms/vi/login-actions/reset-credentials?code=5y-6gU42Vr-zp2b1mk3v-blNvrL-psc6EQcqT1dXsaw.d3370065-3965-4f81-abb8-c87d377b900e
>
> This URL is generated in the UrlBean class, but I also can't get it anyway to try to expose an easy REST endpoint.
>
> Do you know if there is an easy way?
>
> Thanks in advance.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kevin.berendsen at pharmapartners.nl Wed Apr 12 01:31:09 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Wed, 12 Apr 2017 05:31:09 +0000
Subject: [keycloak-user] Adapter Token Verification
In-Reply-To: References: <636615b47f7744f0bea62c259c1274bd@FERB.ppg.lan>
Message-ID: <1c41a6c74910457c93e06111b0b1e616@FERB.ppg.lan>

Hi!

Thanks for your replies. Yes, I knew there was an introspection endpoint and that it would also verify whether the token is legit, and as you mentioned that would cause overhead for each request. I'm glad that the client authentication takes place within the adapter and does not cause such overhead.

Once again, thank you!

Kind regards,
Kevin

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org]
Sent: Tuesday, 11 April 2017 14:26
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Adapter Token Verification

I should also note that, despite all the stuff that I wrote in the previous message, you still have the opportunity to manually verify the AT which comes to your application. For that purpose there is an _introspection_ endpoint to which you could POST the signed AT, and if it is valid Keycloak will return its content to you. But for doing this you should provide the credentials of the client which you use for introspecting the token. As you can see, performing a backchannel introspection request to Keycloak every time you get an AT is overhead; that's why at least the Spring adapter by default performs the verification by itself, without requests to Keycloak.
On 11.04.2017 20:20, Kevin Berendsen wrote:
> Hi community!
>
> Is there any diagram of how token verification takes place in adapters? I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security, which is nice, but how am I 100% certain that the bearer token is valid?
>
> In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
>
> Kind regards,
>
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From llivezking at gmail.com Wed Apr 12 02:55:35 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Wed, 12 Apr 2017 16:55:35 +1000
Subject: [keycloak-user] Scoped roles configuration in Keycloak Adapters
Message-ID: <95852c96-4746-30e4-a1a4-12afe1ac71e4@gmail.com>

Hi.

How do I configure any Keycloak OIDC adapter (particularly, we use the Spring adapter) to add scope parameters while getting an Access Token? Googling led me to this Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-231, but the code from the commits mentioned in the ticket is absent in upstream. The documentation also doesn't say anything about scoped roles in adapters. Have I missed something?
From mposolda at redhat.com Wed Apr 12 03:05:05 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Apr 2017 09:05:05 +0200
Subject: [keycloak-user] Reset password - direct URL
In-Reply-To: References: Message-ID:

One way is that, when the application adapter sends the URL to Keycloak, you just replace the last "auth" in the path with "forgot-credentials". So the URL will look something like:

http://localhost:8080/auth/realms/example/protocol/openid-connect/forgot-credentials?client_id=js-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fjs-console%2F&state=20490382-8a96-424f-8d9d-001c6577ea75&nonce=26f35054-ae51-462a-89da-d3bbff7f6585&response_mode=fragment&response_type=code&scope=openid

For the keycloak.js adapter, we have the method "keycloak.createLoginURL", which can be used as a helper for this. For other adapters, we don't have any straightforward way without constructing the URL manually AFAIK...

Marek

On 11/04/17 15:38, Mariusz Chruscielewski - Info.nl wrote:
> Hi.
>
> Is there a way to generate a reset password URL without opening the login page? We would like to have a direct URL on our website (or app) to the reset password form:
>
> http://domain/auth/realms/vi/login-actions/reset-credentials?code=5y-6gU42Vr-zp2b1mk3v-blNvrL-psc6EQcqT1dXsaw.d3370065-3965-4f81-abb8-c87d377b900e
>
> This URL is generated in the UrlBean class, but I also can't get it anyway to try to expose an easy REST endpoint.
>
> Do you know if there is an easy way?
>
> Thanks in advance.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Wed Apr 12 08:47:29 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 12 Apr 2017 14:47:29 +0200
Subject: [keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak?
In-Reply-To: References: Message-ID:

Hi Adam,

I started today to look at your ticket. First of all, thank you for the provided example, it makes it much easier to reproduce. So Stian is right, it's expecting a token which isn't present and therefore returning a 401. Stian suggested that we should maybe support ajax requests secured with the session (to support RichFaces ajax requests). I would like to have the opinion of everyone here: is that something we want? Don't we break any specs here (I have no idea, just asking)? Anyway I will start looking at how this change could be implemented.

Seb

On Fri, Jan 13, 2017 at 9:53 AM, Adam Daduev wrote:
> I created a JIRA bug, and added a simple example.
> https://issues.jboss.org/browse/KEYCLOAK-4214
>
>
> On Fri, 13 Jan 2017 at 9:34, Stian Thorgersen wrote:
>
> > Might be that it's expecting a token in the ajax request rather than checking for a session, not 100% sure though. RichFaces won't work unless we can support securing the requests from the session.
> >
> > Can you create a JIRA bug for this please? If you can attach a simple example we can build and deploy to reproduce the issue that would be extremely helpful and we would be able to look at it sooner.
> >
> > On 12 January 2017 at 07:16, Adam Daduev wrote:
> >
> > After login, I get into my app, and for all my ajax requests from the page to the backing bean I receive response 401 even if the session is still alive. If I remove the autodetect-bearer-only option, all works fine, but it goes back to the old error.
> >
> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth??ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
> >
> > ---------- Forwarded message ---------
> > From: Adam Daduev
> > Date: Tue, 10 Jan 2017 at 14:08
> > Subject: Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak?
> > To:
> >
> >
> > I tried, but it does not work.
> > Firstly, I added the autodetect-bearer-only option via the adapter subsystem; WildFly did not start, it does not know the autodetect-bearer-only option. Then I added it via JSON; WildFly started and the app was deployed.
> > Secondly, on my ajax request to the backing bean, I receive response 401 and nothing happens.
> > This is my keycloak.json:
> > {
> >   "realm": "azovstal",
> >   "auth-server-url": "http://dc09-apps-06:8090/auth",
> >   "ssl-required": "none",
> >   "resource": "web-test",
> >   "public-client": true,
> >   "use-resource-role-mappings": true,
> >   "autodetect-bearer-only": true
> > }
> >
> > On Tue, 10 Jan 2017 at 10:19, wrote:
> >
> > Ok, I'll try, thanks.
> >
> > On 10 Jan 2017, at 07:07, Stian Thorgersen wrote:
> >
> > In that case take a look at the new autodetect-bearer-only option. You'll need 2.5.0.Final for that.
> >
> > On 9 January 2017 at 19:18, wrote:
> >
> > No, I have a JSF 2 app with the RichFaces framework, which is deployed on WildFly 10.1.
> >
> > On 9 Jan 2017, at
14:51, Stian Thorgersen wrote:
> >
> > [Adding list back]
> >
> > A web app redirects the user to a login page if not authenticated, while a service should return a 401.
> >
> > It sounds like what you have is a JS application with a service backend. In Keycloak you should have two separate types of clients for that. The JS application should be a public client, while the services a bearer-only client.
> >
> > On 9 January 2017 at 13:39, Adam Daduev wrote:
> >
> > Thanks for the answer.
> > Yes, I have a confidential client; I have a web application that asks the Keycloak server to authenticate a user for it. As I understand, bearer-only is for web service clients. I probably don't understand something?
> >
> > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen :
> >
> > Looks like your services are configured as confidential clients rather than bearer-only and hence are sending a login request back rather than a 401. You should either swap your service war to be a bearer-only client or use the new autodetect-bearer-only option in adapters if you have both web pages and services in the same war.
> >
> > On 8 January 2017 at 23:29, Adam Daduev wrote:
> >
> > Hi, can you help me!
> > When the session has expired and an ajax request executes in Keycloak, I have an error in the browser console:
> >
> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth??ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
> >
> > I added in the Keycloak admin console, in the client settings, Web Origins = http://localhost:8080 (or *), and enabled CORS in the app, but still have the error in the console.
> > I used Keycloak 2.5.0
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mariusz at info.nl Wed Apr 12 10:13:09 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Wed, 12 Apr 2017 14:13:09 +0000
Subject: [keycloak-user] Reset password - direct URL
In-Reply-To: References: , Message-ID:

Hi Marek,

thanks a lot, that is exactly what I was looking for.

Regards
Mariusz

________________________________
From: Marek Posolda
Sent: 12 April 2017 09:05:05
To: Mariusz Chruscielewski - Info.nl; keycloak-user
Subject: Re: [keycloak-user] Reset password - direct URL

One way is that, when the application adapter sends the URL to Keycloak, you just replace the last "auth" in the path with "forgot-credentials". So the URL will look something like:

http://localhost:8080/auth/realms/example/protocol/openid-connect/forgot-credentials?client_id=js-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fjs-console%2F&state=20490382-8a96-424f-8d9d-001c6577ea75&nonce=26f35054-ae51-462a-89da-d3bbff7f6585&response_mode=fragment&response_type=code&scope=openid

For the keycloak.js adapter, we have the method "keycloak.createLoginURL", which can be used as a helper for this. For other adapters, we don't have any straightforward way without constructing the URL manually AFAIK...

Marek

On 11/04/17 15:38, Mariusz Chruscielewski - Info.nl wrote:
> Hi.
>
> Is there a way to generate a reset password URL without opening the login page?
> We would like to have a direct URL on our website (or app) to the reset password form:
>
> http://domain/auth/realms/vi/login-actions/reset-credentials?code=5y-6gU42Vr-zp2b1mk3v-blNvrL-psc6EQcqT1dXsaw.d3370065-3965-4f81-abb8-c87d377b900e
>
> This URL is generated in the UrlBean class, but I also can't get it anyway to try to expose an easy REST endpoint.
>
> Do you know if there is an easy way?
>
> Thanks in advance.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From gaalvarez0910 at gmail.com Wed Apr 12 11:28:40 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Wed, 12 Apr 2017 15:28:40 +0000
Subject: [keycloak-user] Android Authentication + backend REST Services
Message-ID:

Hello.

Is there a guide for integrating Keycloak with an Android app which requests REST services from a backend?

Thanks.

From mariusz at info.nl Wed Apr 12 11:44:50 2017
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Wed, 12 Apr 2017 15:44:50 +0000
Subject: [keycloak-user] Offline token used to get access token - keycloak return 400
Message-ID:

Hi. We are using offline refresh tokens in our app.
I see strange behaviour that I can't understand:

Keycloak version: 2.5.5

First we do a login request:
http://keycloak/auth/realms/vi/protocol/openid-connect/token
using the password grant type, credentials and scope=offline_access

Then we wanted to test what happens when the Keycloak server is restarted (because of deployment, outage, whatever).

Next we do a refresh call using the refresh_token (offline token):
http://keycloak/auth/realms/vi/protocol/openid-connect/token
grant_type=refresh_token&client_id=vinl&refresh_token={offline_refresh_token}

We get a 200 response with an access_token in it.

When we try to use it to get user details:
http://keycloak/auth/realms/vi/protocol/openid-connect/userinfo
using an authorization header with the access_token generated by using the refresh_token:
Authorization: Bearer {Access_token}

we get 400:

{
  "error": "invalid_request",
  "error_description": "User session not found"
}

Can you please tell me if I'm doing something wrong or if it is a Keycloak bug.

After the restart of KC there are no active sessions, but I can see that the offline tokens are there (in the admin console).

Why does it return 400?

Thanks in advance
Mariusz Chruścielewski

From john.d.ament at gmail.com Wed Apr 12 11:51:51 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 12 Apr 2017 15:51:51 +0000
Subject: [keycloak-user] CDI Managed KeycloakConfigResolver
Message-ID:

Hi,

Was wondering, is it possible to treat KeycloakConfigResolver implementations as a CDI bean?

John

From sblanc at redhat.com Wed Apr 12 13:24:08 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 12 Apr 2017 17:24:08 +0000
Subject: [keycloak-user] Offline token used to get access token - keycloak return 400
In-Reply-To: References: Message-ID:

This is a bug and there is a ticket for it: https://issues.jboss.org/browse/KEYCLOAK-4521

On Wed, 12 Apr 2017 at 19:16, Mariusz Chruscielewski - Info.nl <mariusz at info.nl> wrote:
> Hi. We are using offline refresh tokens in our app.
> I see strange behaviour that I can't understand:
>
>
> Keycloak version: 2.5.5
>
>
> First we do a login request:
> http://keycloak/auth/realms/vi/protocol/openid-connect/token
> using the password grant type, credentials and scope=offline_access
>
>
> Then we wanted to test what happens when the Keycloak server is restarted (because of deployment, outage, whatever).
>
>
> Next we do a refresh call using the refresh_token (offline token):
> http://keycloak/auth/realms/vi/protocol/openid-connect/token
> grant_type=refresh_token&client_id=vinl&refresh_token={offline_refresh_token}
>
>
> We get a 200 response with an access_token in it.
>
>
> When we try to use it to get user details:
> http://keycloak/auth/realms/vi/protocol/openid-connect/userinfo
> using an authorization header with the access_token generated by using the refresh_token:
> Authorization: Bearer {Access_token}
>
>
> we get 400:
>
> {
>   "error": "invalid_request",
>   "error_description": "User session not found"
> }
>
>
> Can you please tell me if I'm doing something wrong or if it is a Keycloak bug.
>
>
> After the restart of KC there are no active sessions, but I can see that the offline tokens are there (in the admin console).
>
>
> Why does it return 400?
>
>
> Thanks in advance
> Mariusz Chruścielewski
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From csalazar at devsu.com Wed Apr 12 14:39:44 2017
From: csalazar at devsu.com (Cesar Salazar)
Date: Wed, 12 Apr 2017 13:39:44 -0500
Subject: [keycloak-user] Multi tenancy with realms
Message-ID:

Hi.

I'm looking to use Keycloak for a SaaS service, using realms for multi-tenancy. There's a discussion on a previous thread about performance issues when there are lots of realms: http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html

I wanted to ask if there is some work done in that direction.
If not, where can I start looking so I can contribute?

Also, I was wondering what would be the implications of using a custom user attribute to "emulate" multi-tenancy. (I would add a custom attribute, and make my microservices validate against it). I know it's not the ideal way, but would it be possible? Do you know of any considerations I should take into account?

Thanks!

--
*Cesar Salazar*
CTO - DEVSU | www.devsu.com

From bruno at abstractj.org Wed Apr 12 15:18:57 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 12 Apr 2017 19:18:57 +0000
Subject: [keycloak-user] Android Authentication + backend REST Services
In-Reply-To: References: Message-ID:

I don't think we have a guide, but you can try to look at AeroGear https://aerogear.org/docs/guides/security/oauth2-guide/ and get in touch with them.

On Wed, Apr 12, 2017 at 1:58 PM Gustavo Alvarez wrote:
> Hello.
>
> Is there a guide for integrating Keycloak with an Android app which requests REST services from a backend?
>
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lists at m3b.net Wed Apr 12 18:04:30 2017
From: lists at m3b.net (Mailing lists)
Date: Wed, 12 Apr 2017 22:04:30 +0000
Subject: [keycloak-user] Loading extra claims from database
Message-ID:

Hi all,

I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:

1 - after successful authentication have Keycloak pull extra claims from the application database, somehow. This app database is Postgres, for example.

2 - have the application database update the JWT with extra claims using a shared key.

I would like some feedback on both paths. I feel that the first option may be safer. However I am not sure where to begin that implementation journey.

Many thanks.
Mark

From supittma at redhat.com Wed Apr 12 18:46:28 2017
From: supittma at redhat.com (Summers Pittman)
Date: Wed, 12 Apr 2017 18:46:28 -0400
Subject: [keycloak-user] Android Authentication + backend REST Services
In-Reply-To: References: Message-ID:

This code might be old and a bit rotten, but I wrote an authenticator for Android a few years ago. The code may be a good reference: https://github.com/secondsun/keycloak-android-authenticator

On Apr 12, 2017 1:00 PM, "Gustavo Alvarez" wrote:

Hello.

Is there a guide for integrating Keycloak with an Android app which requests REST services from a backend?

Thanks.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From amaeztu at tesicnor.com Thu Apr 13 03:03:33 2017
From: amaeztu at tesicnor.com (Amaeztu)
Date: Thu, 13 Apr 2017 09:03:33 +0200
Subject: [keycloak-user] Loading extra claims from database
In-Reply-To: References: Message-ID:

Hi!

I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by Keycloak but hasn't been signed yet. This is the procedure:

1. User logs in

2. My custom protocol mapper gets called, where I override the transformAccessToken method

3. Here I log the client the protocol mapper is in into Keycloak, as a service. Here don't forget to use another client ID instead of the one you're building the protocol mapper for; you'll enter an endless recursion otherwise.

4. I get the access token into the protocol mapper and I call the REST endpoint of my application to grab the extra claims, which is secured

5. Get the info returned by the endpoint and add it as extra claims

Sent from my Sony Xperia phone

---- Mailing lists wrote ----
>Hi all,
>
>I have not been able to divine the way I might add extra claims from my application database.
> Given my limited understanding, I see two ways:
>
>1 - after successful authentication have Keycloak pull extra claims from the application database, somehow. This app database is Postgres, for example.
>
>2 - have the application database update the JWT with extra claims using a shared key.
>
>I would like some feedback on both paths. I feel that the first option may be safer. However I am not sure where to begin that implementation journey.
>
>
>Many thanks. Mark
>
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user

From amaeztu at tesicnor.com Thu Apr 13 03:07:55 2017
From: amaeztu at tesicnor.com (Amaeztu)
Date: Thu, 13 Apr 2017 09:07:55 +0200
Subject: [keycloak-user] Loading extra claims from database
In-Reply-To: References: Message-ID:

I forgot to mention that obviously this procedure gets simplified if you access the database directly: just connect to the database from the mapper.

Sent from my Sony Xperia phone

---- Amaeztu wrote ----
>Hi!
>
>I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by Keycloak but hasn't been signed yet. This is the procedure:
>
>1. User logs in
>
>2. My custom protocol mapper gets called, where I override the transformAccessToken method
>
>3. Here I log the client the protocol mapper is in into Keycloak, as a service. Here don't forget to use another client ID instead of the one you're building the protocol mapper for; you'll enter an endless recursion otherwise.
>
>4. I get the access token into the protocol mapper and I call the REST endpoint of my application to grab the extra claims, which is secured
>
>5. Get the info returned by the endpoint and add it as extra claims
>
>Sent from my Sony Xperia phone

From antoine at saagie.com Thu Apr 13 03:25:29 2017
From: antoine at saagie.com (Antoine Carton)
Date: Thu, 13 Apr 2017 09:25:29 +0200
Subject: [keycloak-user] Keycloak ACL for a specific user on a specific object
Message-ID:

Hello,

Is there a way to manage fine grained authorizations with Keycloak like in the following scenario:

- A user user1 belongs to a group group1
- group1 has READ access to the REST path: GET /my/entity/{entity_id}
- group1 does not have WRITE access to this path: POST /my/entity/{entity_id}

This means that all users of that group can only READ at that path, whatever the {entity_id} is.

The question is: Is it possible to allow user1 ONLY, of group1, to have WRITE access to a specific entity_id?

The purpose is to use the Spring Boot/Spring Security Adapter and replace what Spring Security does with the @PreAuthorize annotation, for example.

Thank you for your help,
Best regards

From martin.johansson at metrical.se Thu Apr 13 03:54:30 2017
From: martin.johansson at metrical.se (Martin Johansson)
Date: Thu, 13 Apr 2017 09:54:30 +0200
Subject: [keycloak-user] Get magic link for users to login
Message-ID:

Is it possible to retrieve the magic link that is sent by e-mail via the Java API? We have implemented an SPI with a REST interface and would like to get the link for usage in custom e-mails. Any hints on which provider to use are much appreciated.

Regards,
Martin

From lists at m3b.net Thu Apr 13 04:19:15 2017
From: lists at m3b.net (Mailing lists)
Date: Thu, 13 Apr 2017 08:19:15 +0000
Subject: [keycloak-user] Multi tenancy with realms
In-Reply-To: References: Message-ID:

From the thread you linked to it looks like someone already laid out some ideas where optimization could work. (Appears to be something with loading realms, caching, and flushing). Furthermore, it would seem that a slow startup phase is (or should be) an infrequent event. As well as administration. These are not show-stoppers for me.
If anything, perhaps a better work-around would be to architect a deployment where Keycloak lives closer to the tenant application instances. Simply treat Keycloak as a microservice that is bundled with your apps, and have it automated to a point where it is more "code as configuration" rather than manually logging into Keycloak and clicking around?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Cesar Salazar
Sent: Wednesday, April 12, 2017 6:39:44 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Multi tenancy with realms

Hi.

I'm looking to use Keycloak for a SaaS service, using realms for multi-tenancy. There's a discussion on a previous thread about performance issues when there are lots of realms: http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html

I wanted to ask if there is some work done in that direction. If not, where can I start looking so I can contribute?

Also, I was wondering what would be the implications of using a custom user attribute to "emulate" multi-tenancy. (I would add a custom attribute, and make my microservices validate against it). I know it's not the ideal way, but would it be possible? Do you know of any considerations I should take into account?

Thanks!

--
*Cesar Salazar*
CTO - DEVSU | www.devsu.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From krishna1shiva at gmail.com Thu Apr 13 04:27:20 2017
From: krishna1shiva at gmail.com (Shiva Krishna)
Date: Thu, 13 Apr 2017 13:57:20 +0530
Subject: [keycloak-user] Logout Issue with Keycloak
Message-ID:

Hello,

I am using Keycloak as Identity and Access Management in my application (ServiceProvider) and Salesforce as IDP. I am having a logout issue when logging out of Salesforce.

1. Log in to Salesforce and open my application.
2.
The request is redirected to Keycloak and my application opens in a new tab.
3. Now log out from Salesforce.
4. Go to my application and browse through it.

Expected scenario: In the ideal scenario, since I have logged out of Salesforce, my application should return to the login page asking me to log in again.

Current scenario: The application is not logging out and I can browse through the application.

I guess backchannel logout is not working properly. I have "Front Channel Logout" enabled in my client in Keycloak. Do I need to perform any other configuration to log out completely?

Thanks,
Krishna S

From dt at zyres.com Thu Apr 13 05:38:13 2017
From: dt at zyres.com (Danny Trunk)
Date: Thu, 13 Apr 2017 11:38:13 +0200
Subject: [keycloak-user] Spring Security Adapter: Set locale on redirect to login page + Link back to application from login form
Message-ID:

Hello everyone,

1. Set locale on redirect:

We have a multilingual application where you can choose your locale. The login entry point then looks like https://localhost:8443/en_US/login.html

Now I need to tell Keycloak which locale to use.
The way I realized it isn't really clean: I'm extending from KeycloakWebSecurityConfigurerAdapter and overriding the keycloakAuthenticationProcessingFilter method in order to instantiate my own authentication processing filter implementation:

    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        RequestMatcher requestMatcher = new OrRequestMatcher(
                new AntPathRequestMatcher("/*/login.html"),
                new RequestHeaderRequestMatcher(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER));
        KeycloakAuthenticationProcessingFilter filter =
                new LocaleAwareKeycloakAuthenticationProcessingFilter(keycloakAuthenticationManager(), requestMatcher);
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

The custom authentication processing filter is the following:

    public class LocaleAwareKeycloakAuthenticationProcessingFilter extends KeycloakAuthenticationProcessingFilter
            implements ApplicationContextAware {

        private final Logger log = LogManager.getLogger(getClass());
        private ApplicationContext applicationContext;
        private AdapterDeploymentContext adapterDeploymentContext;
        private AdapterTokenStoreFactory adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();

        public LocaleAwareKeycloakAuthenticationProcessingFilter(AuthenticationManager authenticationManager,
                                                                 RequestMatcher requiresAuthenticationRequestMatcher) {
            super(authenticationManager, requiresAuthenticationRequestMatcher);
        }

        @Override
        public void afterPropertiesSet() {
            super.afterPropertiesSet();
            // the deployment context is looked up lazily because it is a bean of the enclosing application context
            adapterDeploymentContext = applicationContext.getBean(AdapterDeploymentContext.class);
        }

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
            log.debug("Attempting Keycloak authentication");
            HttpFacade facade = new SimpleHttpFacade(request, response);
            KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
            AdapterTokenStore tokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, request);
            // the only reason for this whole subclass: plug in the locale-aware request authenticator
            RequestAuthenticator authenticator =
                    new LocaleAwareRequestAuthenticator(facade, request, deployment, tokenStore, -1);
            AuthOutcome result = authenticator.authenticate();
            log.debug("Auth outcome: {}", result);
            if (AuthOutcome.FAILED.equals(result)) {
                throw new KeycloakAuthenticationException("Auth outcome: " + result);
            } else if (AuthOutcome.AUTHENTICATED.equals(result)) {
                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                Assert.notNull(authentication, "Authentication SecurityContextHolder was null");
                return getAuthenticationManager().authenticate(authentication);
            } else {
                // not authenticated yet: send the challenge (redirect to the login page or 401)
                AuthChallenge challenge = authenticator.getChallenge();
                if (challenge != null) {
                    challenge.challenge(facade);
                }
                return null;
            }
        }

        @Override
        public void setApplicationContext(ApplicationContext applicationContext) {
            super.setApplicationContext(applicationContext);
            this.applicationContext = applicationContext;
        }

        @Override
        public void setAdapterTokenStoreFactory(AdapterTokenStoreFactory adapterTokenStoreFactory) {
            super.setAdapterTokenStoreFactory(adapterTokenStoreFactory);
            this.adapterTokenStoreFactory = adapterTokenStoreFactory;
        }
    }

The custom request authenticator is the following:

    public class LocaleAwareRequestAuthenticator extends SpringSecurityRequestAuthenticator {

        public LocaleAwareRequestAuthenticator(HttpFacade facade, HttpServletRequest request,
                                               KeycloakDeployment deployment, AdapterTokenStore tokenStore,
                                               int sslRedirectPort) {
            super(facade, request, deployment, tokenStore, sslRedirectPort);
        }

        @Override
        protected OAuthRequestAuthenticator createOAuthAuthenticator() {
            return new LocaleAwareOAuthRequestAuthenticator(this, facade, deployment, sslRedirectPort, tokenStore);
        }
    }

And finally the LocaleAwareOAuthRequestAuthenticator is the following:

    public class LocaleAwareOAuthRequestAuthenticator extends OAuthRequestAuthenticator {

        public LocaleAwareOAuthRequestAuthenticator(RequestAuthenticator requestAuthenticator, HttpFacade facade,
                                                    KeycloakDeployment deployment, int sslRedirectPort,
                                                    AdapterSessionStore tokenStore) {
            super(requestAuthenticator, facade, deployment, sslRedirectPort, tokenStore);
        }

        @Override
        protected String getRedirectUri(String state) {
            String redirect = super.getRedirectUri(state);
            if (redirect == null) {
                return null;
            }
            // getting the locale from our relative path and appending it to the redirect URI
            String url = facade.getRequest().getRelativePath();
            return redirect + "&kc_locale=" + ServletUtils.getLocaleFromURL(url).getLanguage();
        }
    }

As you can see, I had to override many methods and had to duplicate much code. Is there really no other way to set the locale when redirecting to the login page?

---

2. Link back to application

And another problem I had to fight with: we only use the login page from Keycloak. All other stuff should happen in our application, as there are some processes we don't want to copy. As we use a custom user storage provider which accesses the external DB from our application, this isn't a problem. I had to make some template in order to set the URLs to link to our password reminder and registration pages. In this case I'm using "${client.baseUrl}/${.locale}" as the base URL to link back to pwreminder.html and register.html. As ${client.baseUrl} isn't a mandatory field in the Keycloak Admin Console, this isn't a clean way either. But there's no ${client.rootUrl} to access. So this is the only chance to unsafely link back to our application. Why isn't the client root URL accessible in the templates? Any good reason not to add it to the template data model?

---

If good solutions for those problems need to be implemented, I'll take a look at the code, opening issues and providing pull requests on GitHub.
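The locale-appending step from the getRedirectUri override above, taken on its own as an added example. This is editor-added Java (Java 10 or later), not code from the message or from the Keycloak project. The poster's ServletUtils.getLocaleFromURL helper is replaced by a hypothetical localeFromPath that accepts only an assumed allow-list of supported language tags, so a value read from the request path never reaches the redirect URL unchecked, and the separator is chosen according to whether the redirect already carries a query string (the poster's code assumes it always does). The auth URL in main is a placeholder.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Added illustration, not the poster's code: derive the UI locale from the first path
 * segment of a request (e.g. "/de/login.html") and append it to a Keycloak authorization
 * redirect as kc_locale, accepting only allow-listed locales.
 */
public final class LocaleRedirect {

    /** Locales the application actually ships (assumed set); anything else is ignored. */
    private static final Set<String> SUPPORTED = Set.of("en", "de", "fr");

    private LocaleRedirect() {}

    /** Returns the language found in the first non-empty path segment, if it is one we support. */
    public static Optional<String> localeFromPath(String relativePath) {
        if (relativePath == null) {
            return Optional.empty();
        }
        for (String segment : relativePath.split("/")) {
            if (segment.isEmpty()) {
                continue;   // skip the leading empty segment of "/de/login.html"
            }
            // Locale.forLanguageTag() normalises case; an ill-formed tag yields an empty language
            String language = Locale.forLanguageTag(segment).getLanguage();
            return SUPPORTED.contains(language) ? Optional.of(language) : Optional.empty();
        }
        return Optional.empty();
    }

    /**
     * Appends kc_locale to an already-built redirect URI. The value is URL-encoded even though
     * it is allow-listed, so the encoding does not depend on the allow-list staying ASCII.
     */
    public static String withLocale(String redirectUri, String relativePath) {
        if (redirectUri == null) {
            return null;
        }
        Optional<String> locale = localeFromPath(relativePath);
        if (locale.isEmpty()) {
            return redirectUri;   // unknown locale: let Keycloak fall back to the realm default
        }
        String separator = redirectUri.contains("?") ? "&" : "?";
        return redirectUri + separator + "kc_locale="
                + URLEncoder.encode(locale.get(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values; the auth URL is a placeholder, not a real deployment.
        String authUrl = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth"
                + "?client_id=app&state=abc";
        System.out.println(withLocale(authUrl, "/de/login.html"));   // ends in &kc_locale=de
        System.out.println(withLocale(authUrl, "/zz/login.html"));   // unchanged: "zz" is not supported
        System.out.println(withLocale(authUrl, "/login.html"));      // unchanged: no locale segment
    }
}
```

Inside the poster's LocaleAwareOAuthRequestAuthenticator this would reduce getRedirectUri to a call to withLocale(super.getRedirectUri(state), facade.getRequest().getRelativePath()); the rest of the subclass chain exists only to reach that one method.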
From psilva at redhat.com Thu Apr 13 07:11:33 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 13 Apr 2017 08:11:33 -0300 Subject: [keycloak-user] Photoz Authz example DB issue In-Reply-To: <90aad8b7-f776-1de4-9e3c-e9a906516bab@gmail.com> References: <03b1c21c-f328-b5f7-e062-8fbf163fffd2@gmail.com> <90aad8b7-f776-1de4-9e3c-e9a906516bab@gmail.com> Message-ID: Glad you found a solution. Regarding the Drools artifact, I think we have also updated the README to tell people to import the JSON file from target/classes. When building the example, this file is filtered by Maven and version is updated accordingly. On Mon, Apr 10, 2017 at 11:23 PM, Ilya Korol wrote: > Oh, i wrongly put it. I failed to build or test keycloak itself, not the > example (I'm talking about guide at github/keycloak/keycloak/README.md). > So, i downloaded standalone keycloak distribution (2.5.5) and > appropriate archive with examples, and after deploy i got mentioned NPE > errors (that refers to DB issues). > > > P.S. I've just run: > > mvn clean > > mvn install > > And tests failed somewhere at BaseTestSuite, so then i run following > command to create log file for posting it in JIRA: > > mvn clean > > mvn install | tee mvn_install.log.txt > > And all builds and tests passes!!!111 WTF?. Then i successfully run > > mvn install -Pdistribution > > Then i wanted to run created distribution. README.md says that i should run > > tar xfz > distribution/appliance-dist/target/keycloak-appliance- > dist-all-.tar.gz > cd keycloak-appliance-dist-all-/keycloak > bin/standalone.sh > > but i didn't find any anything like 'appliance-dist'. Then i found > distribution/demo-dist directory and run distribution in > keycloak-demo-3.0.1.Final-SNAPSHOT.tar.gz. I successfully deployed > /examples/authz/photoz from this archive to keycloak and everything is > working right now! Cool. 
> > > P.P.S I also faced mini issue with rule policy from this example: > > After importing Authorization settings to photoz-restful-api client i > went to authorization->policies->only owner policy. This policy based on > org.keycloak:photoz-authz-policy:${project.version} maven artifact with > Drools rules. But resolving of this artifact were failing until i > manually specify 3.0.1.Final-SNAPSHOT version (i also checked Server > Info entry in server-info Keycloak page: it is 3.0.1.Final-SNAPSHOT, so > is it a bug?). > > > Anyway thanks for help! > > > On 10.04.2017 22:27, Pedro Igor Silva wrote: > > Hi Ilya, it should work right OOTB. Can you please fill a JIRA with > > more information about the issues you are facing ? > > > > If you are building from upstream/master it should work fine. Also, > > this quickstart is mainly targeted for Wildfly/EAP. > > > > Regards. > > Pedro Igor > > > > On Mon, Apr 10, 2017 at 4:05 AM, Ilya Korol > > wrote: > > > > Hi, i'm trying to realize how does authz work in keycloak, therefore > i > > tried to run keycloak/examples/authz/photoz project. I failed to > > run it > > from git sources (i'm even failed to build or test it!), so i > > downloaded > > examples.zip from keycloak.org . I > > successfully built and deployed jars > > to keycloak instance, but when i go to specified in README.md urls > > (http://localhost:8080/photoz-html5-client/#/album/create > > ...) i > see > > NPEs in keycloak logs. 
This errors refers to any code like: > > > > this.entityManager.createQuery("from Album where name = :name and > > userId > > = :userId"); > > > > I checked persistence.xml: > > > > > transaction-type="RESOURCE_LOCAL"> > > org.hibernate.ejb.HibernatePersistence > > > > org.keycloak.example.photoz.entity.Album > > org.keycloak.example.photoz.entity.Photo > > > > > > > value="org.hibernate.dialect.H2Dialect" /> > > > value="org.h2.Driver" /> > > > value="jdbc:h2:~/keycloak-photoz-example" /> > > /> > > > value="FLUSH_AUTO" /> > > /> > > > > > > > > > > > > Do i have to make any DB bootstrapping actions or this project should > > work right out of the box? > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From danny at sigerconsulting.com Thu Apr 13 09:12:02 2017 From: danny at sigerconsulting.com (Danny Regis) Date: Thu, 13 Apr 2017 14:12:02 +0100 Subject: [keycloak-user] Identity Brokering Message-ID: Hello, I'm trying to gain clarity on whether there is a subtle difference between Identity Federation / Identity Brokering / Authentication Brokering. Looking at the documentation for Identity Providers, it details this as Identity Brokering, what I can't ascertain (and haven't been able to demo) is exactly how this works. The documentation implies that the first broker login flow creates a local user. What happens on the second login? Would the user always be redirected to the IdP login pages? If so what is the local user copy for? Potentially I'm confusing federated Open ID Connect SSO with Identity Brokering. My specific use case... 
Application A users authenticated and authorised via Identity Provider B (Open Id Connect) However application A users should always be authenticated against IdP B, there should never be local authentication based upon a local KC user. Would disabling "Create User If Unique" from the First Broker Login flow fulfil my requirement? Thanks Danny From bburke at redhat.com Thu Apr 13 09:30:55 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 13 Apr 2017 09:30:55 -0400 Subject: [keycloak-user] Logout Issue with Keycloak In-Reply-To: References: Message-ID: <0b945dc7-5162-43c5-da87-bd97b7916469@redhat.com> I'm pretty sure this is an issue with Salesforce. google "salesforce SAML logout" https://success.salesforce.com/ideaView?id=08730000000DjseAAC On 4/13/17 4:27 AM, Shiva Krishna wrote: > Hello, > > I am using Keycloak as Identity and Access Management in my > application(ServiceProvider) and Salesforce as IDP. I am having a > logout issue when logging out of Salesforce. > > 1. Login to Salesforce and Open my application. > 2. Request is redirected to Keycloak and opens my application in a new tab. > 3. Now logout from Salesforce. > 4. Go to my application and browse through it. > > Expected Scenario: > In ideal scenario, since I have logged out of Salesforce, my > application should return to login page asking to login again. > > Current Scenario: > Application is not logging out and I can browse through the application. > > I guess, backchannel logout is not working properly. I have "Front > Channel Logout" enabled in my client in keycloak. Do I need to perform > any other configuration to logout completely? 
> > Thanks, > Krishna S > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From glavoie at gmail.com Thu Apr 13 09:51:21 2017 From: glavoie at gmail.com (Gabriel Lavoie) Date: Thu, 13 Apr 2017 09:51:21 -0400 Subject: [keycloak-user] Multi tenancy with realms In-Reply-To: References: Message-ID: Hi Cesar, Regarding the performance issues found in the mailing list thread you referred to, I submitted 5 PRs. 3 have been merged and 2 are still pending review. https://github.com/keycloak/keycloak/pull/3561 https://github.com/keycloak/keycloak/pull/3557 https://github.com/keycloak/keycloak/pull/3558 https://github.com/keycloak/keycloak/pull/3572 https://github.com/keycloak/keycloak/pull/3573 You can look at http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008439.html for more details on the changes. We are still running on a custom build of Keycloak with all those changes applied and at the moment is supports our administrative load with over 1000 realms. Restart/use of the admin API/access to the admin console are now fast enough not to generate complains from our operators. Most of the issues with the large number of realms were related with the use of NamedQueries (generates too many flush() within Hibernate) and the very large number of child roles on the super admin composite role. Upgrades are still considered problematic for us. I found other performance issues within the Java based data migration code, mostly related with explicit em.flush() statements, but I haven't digged into them. I hope it helps, Gabriel 2017-04-13 4:19 GMT-04:00 Mailing lists : > >From the thread you linked to it looks like someone already laid out some > ideas where optimization could work. (Appears to be something with loading > reals, caching, and flushing). > > > Furthermore, it would seem that a slow startup phase is (or should be) an > infrequent event. 
As well as administration. These are not show-stoppers > for me. > > > If anything, perhaps a better work-around would be to architect a > deployment where keycloak lives closer to the tenant application instances. > Simply treat the keycloak as a microservice that is bundled with your apps, > and have it automated to a point where it is more "code as configuration" > rather than manually logging into keycloak and clicking around? > > > > > > > > > > > > ________________________________ > From: keycloak-user-bounces at lists.jboss.org jboss.org> on behalf of Cesar Salazar > Sent: Wednesday, April 12, 2017 6:39:44 PM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Multi tenancy with realms > > Hi. I'm looking to use keycloak for a SASS service, using realms for > multi-tenancy. There's a discussion on a previous thread about performance > issues when there are lots of realms: > http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html > > I wanted to ask if there is some work done in that direction. If not, where > can I start looking at so I can contribute? > > Also, I was wondering what would be the implications of using a custom user > attribute to "emulate" multi-tenancy. (I would add a custom attribute, and > make my microservices validate against it). I know it's not the ideal way, > but would it be possible? Do you know of any considerations I should take > into account? > > Thanks! 
> > -- > *Cesar Salazar* > CTO - DEVSU | www.devsu.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Gabriel Lavoie glavoie at gmail.com From krishna1shiva at gmail.com Thu Apr 13 10:21:42 2017 From: krishna1shiva at gmail.com (Shiva Krishna) Date: Thu, 13 Apr 2017 19:51:42 +0530 Subject: [keycloak-user] Logout Issue with Keycloak In-Reply-To: <0b945dc7-5162-43c5-da87-bd97b7916469@redhat.com> References: <0b945dc7-5162-43c5-da87-bd97b7916469@redhat.com> Message-ID: Hello Bill, We also tried this activity using Google Console (https://console.developers.google.com/apis/dashboard) as IDP. We faced the same issue. Can you suggest any other IDP where we can test this scenario? Please suggest any other alternative as well. Thanks, Krishna S On Thu, Apr 13, 2017 at 7:00 PM, Bill Burke wrote: > I'm pretty sure this is an issue with Salesforce. > > google "salesforce SAML logout" > > > https://success.salesforce.com/ideaView?id=08730000000DjseAAC > > > On 4/13/17 4:27 AM, Shiva Krishna wrote: >> Hello, >> >> I am using Keycloak as Identity and Access Management in my >> application(ServiceProvider) and Salesforce as IDP. I am having a >> logout issue when logging out of Salesforce. >> >> 1. Login to Salesforce and Open my application. >> 2. Request is redirected to Keycloak and opens my application in a new tab. >> 3. Now logout from Salesforce. >> 4. Go to my application and browse through it. >> >> Expected Scenario: >> In ideal scenario, since I have logged out of Salesforce, my >> application should return to login page asking to login again. >> >> Current Scenario: >> Application is not logging out and I can browse through the application. 
>> >> I guess, backchannel logout is not working properly. I have "Front >> Channel Logout" enabled in my client in keycloak. Do I need to perform >> any other configuration to logout completely? >> >> Thanks, >> Krishna S >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Kris..... From bburke at redhat.com Thu Apr 13 10:25:14 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 13 Apr 2017 10:25:14 -0400 Subject: [keycloak-user] Identity Brokering In-Reply-To: References: Message-ID: <3e60adeb-bb6f-ef07-7f55-3c5611c0122b@redhat.com> brokering is authentication delegation. The user is imported, a local account is created and linked to the external IDP. On 4/13/17 9:12 AM, Danny Regis wrote: > Hello, > > I'm trying to gain clarity on whether there is a subtle difference between > Identity Federation / Identity Brokering / Authentication Brokering. > > Looking at the documentation for Identity Providers, it details this as > Identity Brokering, what I can't ascertain (and haven't been able to demo) > is exactly how this works. The documentation implies that the first broker > login flow creates a local user. What happens on the second login? Would > the user always be redirected to the IdP login pages? If so what is the > local user copy for? > > Potentially I'm confusing federated Open ID Connect SSO with Identity > Brokering. > > > My specific use case... > > Application A users authenticated and authorised via Identity Provider B > (Open Id Connect) > > However application A users should always be authenticated against IdP B, > there should never be local authentication based upon a local KC user. 
> > Would disabling "Create User If Unique" from the First Broker Login flow > fulfil my requirement? > > Thanks > Danny > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From daduev.ad at gmail.com Thu Apr 13 12:43:39 2017 From: daduev.ad at gmail.com (Adam Daduev) Date: Thu, 13 Apr 2017 16:43:39 +0000 Subject: [keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak? In-Reply-To: References: Message-ID: Hi Seb, For all i do not say, but i would wanted. About specs, i do not know. I use Keycloak in my application, and i can not to report user when session is expired. I do not know whether i said, but when occur redirect request, not ajax request, i catched error with jsf exception handler (there is in my example CommonExceptionHandler), and to report users, i want that same occurred with my ajax request. It is occur not only in Richfaces, but in Primefaces, i think it it happens with all jsf ajax request. And one more, i observed that keycloak session expire early than i setup in the keycloak admin console, and in keycloak log i have warning, error refresh token. Maybe these problems are bind, i do not know. I have one little question, can i disable refresh token, use Implicit Flow, when i disabled Authorization Code Flow, nothing works? Thank you. ??, 12 ???. 2017 ?. ? 15:47, Sebastien Blanc : > Hi Adam, > > I started today to look at your ticket. First of all, thank you for the > provided example, it makes it really easier to reproduce. > > So Stian is right, it's expecting a token which isn't present and > therefore returning a 401. > Stian suggested that we should maybe support ajax request secured with the > session (to support Richfaces ajax requests). > > I would like to have the opinion of everyone here, is that something we > want ? Doesn't we break any specs here (I have no idea just asking) ? 
> > Anyway I will start looking how this change could be implemented. > > Seb > > > On Fri, Jan 13, 2017 at 9:53 AM, Adam Daduev wrote: > >> I created JIRA bug, and add simple example. >> https://issues.jboss.org/browse/KEYCLOAK-4214 >> >> >> ??, 13 ???. 2017 ?. ? 9:34, Stian Thorgersen : >> >> > Might be that it's expecting a token in the ajax request rather than >> > checking for a session, not 100% sure though. RichFaces won't work >> unless >> > we can support securing the requests from the session. >> > >> > Can you create a JIRA bug for this please? If you can attach a simple >> > example we can build and deploy to reproduce the issue that would be >> > extremely helpful and we would be able to look at it sooner. >> > >> > On 12 January 2017 at 07:16, Adam Daduev wrote: >> > >> > After login, i get in my app, and for all my ajax request from page to >> > backing bean, i receive response 401 even if the session is still alive. >> > If removed autodetect-bearer-only option, all work fine, but going back >> to >> > the old error. >> > >> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ >> > realms/azovstal/protocol/openid-connect/auth??ml&state= >> > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No >> > 'Access-Control-Allow-Origin' header is present on the requested >> resource. >> > Origin 'http://localhost:8080' is therefore not allowed access. >> > >> > ---------- Forwarded message --------- >> > From: Adam Daduev >> > Date: ??, 10 ???. 2017 ?. ? 14:08 >> > Subject: Re: [keycloak-user] Error when session expired and ajax request >> > execute in Keycloak? >> > To: >> > >> > >> > I tried, but does not work. >> > Firstly, i add autodetect-bearer-only option via adapter subsystem, >> wildfly >> > not started, he not know autodetect-bearer-only option, then, i added >> via >> > json, wildfly started and app was deployed. >> > Secondly, on my ajax request to backing bean, i receive response 401 and >> > does not happend. 
>> > This is my keycloak.json >> > { >> > "realm": "azovstal", >> > "auth-server-url": "http://dc09-apps-06:8090/auth", >> > "ssl-required": "none", >> > "resource": "web-test", >> > "public-client": true, >> > "use-resource-role-mappings": true, >> > "autodetect-bearer-only": true >> > } >> > >> > ??, 10 ???. 2017 ?. ? 10:19, : >> > >> > Ok, I try, thanks. >> > >> > 10 ???. 2017 ?., ? 07:07, Stian Thorgersen >> > ???????(?): >> > >> > In that case take a look at the new autodetect-bearer-only option. >> You'll >> > need 2.5.0.Final for that. >> > >> > On 9 January 2017 at 19:18, wrote: >> > >> > No, I have jsf 2 app with richfaces framework, which deploy on wildfly >> > 10.1. >> > >> > 9 ???. 2017 ?., ? 14:51, Stian Thorgersen >> > ???????(?): >> > >> > [Adding list back] >> > >> > A web app redirects the user to a login page if not authenticated, >> while a >> > service should return a 401. >> > >> > It sounds like what you have is a JS application with a service >> backend. In >> > Keycloak you should have two separate types of clients for that. The JS >> > application should be a public client, while the services a bearer-only >> > client. >> > >> > On 9 January 2017 at 13:39, Adam Daduev wrote: >> > >> > Thanks for the answer. >> > Yes i have confidential client, i have web application, that asks >> > Keycloak server >> > to authenticate a user for them. As I understand, bearer-only is for web >> > services clients. >> > I probably something do not understand? >> > >> > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen : >> > >> > Looks like your services are configured as confidential clients rather >> than >> > bearer-only and hence is sending a login request back rather than a 401. >> > You should either swap your service war to be a bearer-only client or >> use >> > the new autodetect-bearer-only option in adapters if you have both web >> > pages and services in the same war. >> > >> > On 8 January 2017 at 23:29, Adam Daduev wrote: >> > >> > Hi, can you help me! 
>> > When session expired and ajax request execute in Keycloak, i have error >> in >> > browser console: >> > >> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ >> > realms/azovstal/protocol/openid-connect/auth??ml&state= >> > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No >> > 'Access-Control-Allow-Origin' header is present on the requested >> resource. >> > Origin 'http://localhost:8080' is therefore not allowed access. >> > >> > I add in Keycloak admin console, in the client setting, Web Origins= >> > http://localhost:8080 (or *), and enabled cors in app, but still has >> error >> > in console. I used Keycloak 2.5.0 >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From chexxor at gmail.com Thu Apr 13 16:39:47 2017 From: chexxor at gmail.com (Alex Berg) Date: Thu, 13 Apr 2017 15:39:47 -0500 Subject: [keycloak-user] Securing Web Apps with Sessions and KeyCloak? Message-ID: Hello KeyCloak users, I spent tons of time trying to find an example of using KeyCloak to secure an https-cookie-based session id for managing user sessions, but I can't find it. I found examples which demonstrate using the OID redirect flow from an AngularJS app to get tokens, but I'm concerned about the security of storing this token in JS-land in a browser. I suspect a malicious script could grab it and impersonate the user. Also, I don't know of any websites I use which use this flow, but I'm new to managing user accounts so it could be invisible to me. 
I was thinking I'd like to send have a form which sends the user's id and secret to my server, then turn it into session id to keep on an https cookie. Or perhaps this is "the old way" of doing auth? Anyway, is my concerns unwarranted? Is common practice now to simply treat my browser app as an OID client and pass a user token when requesting data from the server? Thanks for KeyCloak! I love how easy it is to deploy it as containers! I was originally planning to use Gluu, but they have a pretty crappy story for deploying as containers. Also, the KeyCloak docs and examples are simply more relate-able! Nice work on those! - Alex From unimail at edgestep.com Thu Apr 13 19:19:33 2017 From: unimail at edgestep.com (Consolodated Emails) Date: Thu, 13 Apr 2017 19:19:33 -0400 Subject: [keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory Message-ID: Hi all, I have a big project due by end of the week and the last item I have to deliver is Single Sign On for Active Directory users using IE,Firefox & Chrome. I am able to login to my application if i use the Keycloak login form but I can't get it to auto login. If I set Kerberos to Required under Authentication, I get an error saying Kerberos is not setup. You cannot login. Currently I'm investigating these as possible causes: my browser doesn't seem to be passing Kerberos to Keycloak. I'm using Fiddler to check headers but I can't get a clear understanding of what I should look for. The best I can tell WWW-Authenticate Negotiate being sent to me in the 401 response. I guess my browser isn't sending the Kerberos credentials. I'm using a NGINX proxy in front of my application. I've found some evidence of people updating configuration files in order to make this work properly. But I'm not sure this applies to me, since my proxy doesn't sit in front of the keycloak server. 
https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/ /jboss/keycloak/standalone/configuration/standalone.xml I don't think Kerberos is setup up properly under User Federation/Active Directory (my LDAP's Config name). II pieced together some information from Matt's article on using Keycloak to authenticate with AD. He didn't go in to any detail about Kerberos configuration for Active Directory. One line "Configure the Kerberos integration like this:" and a screenshot is all I had to work with. After doing some reading I'm left to think there is an important step that is left out of all the articles, forum posts, user manual, etc. From what I can tell I have to run a command in the container to create a Keytab and it has to have the proper permissions for Keycloak to access it. I also think I have to setup /etc/kerb5.conf but I'm not sure what I need to do exactly. I can't find an article directly discussing Keycloak. http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html My Env: Windows Server 2012 R2 AWS Ec2 Active Directory Pseudo workstation (I'm logging on as a non-domain admin for testing). Keycloak AWS Ec2 Docker - Jboss/Keycloak:latest Ubuntu 16:04 Host: Container is Redhat based (obviously it's jboss). Ruby on Rails 1.8.7 application AWS Ec2 Nginx Proxy in front of it. OpenID client connected to KeyCloak Under User Federation: I've created an Active Directory Provider, it's able to sync users from my test Active Directory. Authentication: Kereberos Any help would be really appreciated.. I'm in a real tough spot on this project. -Dustin From llivezking at gmail.com Fri Apr 14 01:59:10 2017 From: llivezking at gmail.com (Ilya Korol) Date: Fri, 14 Apr 2017 15:59:10 +1000 Subject: [keycloak-user] Get magic link for users to login In-Reply-To: References: Message-ID: Hi, could you explain more detailed what you want to achieve? 
As for my team, we also implemented a custom REST endpoint which sends customized emails to users. Check out org.keycloak.services.resources.admin.UsersResource for details of how the default links are constructed (methods: resetPasswordEmail(), executeActionsEmail(), sendVerifyEmail()).

On 13.04.2017 17:54, Martin Johansson wrote:
> Is it possible to retrieve the magic link that is sent by e-mail via the Java
> API? We have implemented an SPI with a REST interface and would like to get
> the link for usage in custom e-mails.
> Any hint on which provider to use is much appreciated.
>
> Regards,
> Martin

From llivezking at gmail.com Fri Apr 14 02:15:05 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Fri, 14 Apr 2017 16:15:05 +1000
Subject: [keycloak-user] Keycloak ACL for a specific user on a specific object
In-Reply-To: References: Message-ID:

Generally, yes. First of all, carefully study the Authorization docs.

As for your case: /my/entity/{entity_id} is your resource, and you will have to define it in Keycloak.

Any access to resources is based on the permissions of the user (in other words, KC adapters will check whether the user has or hasn't permission to the specified resource). So the main question is how the user will acquire his permissions to resources. This could be achieved via policies, so in your case there could be a policy that checks whether the user is in group1, and if so grants him permission to read (HTTP_GET) the resource.

Take a look at https://keycloak.gitbooks.io/documentation/authorization_services/index.html (it took me a reasonable amount of time and experiments to "get the picture", so don't hurry).

You should also check out the authz examples from the keycloak repo.

If you try to use the Spring Security adapter, read this thread, http://lists.jboss.org/pipermail/keycloak-user/2017-March/010107.html, about some issues that I faced with this adapter and suitable solutions.

On 13.04.2017 17:25, Antoine Carton wrote:
> Hello,
>
> Is there a way to manage fine grained authorizations with Keycloak like in
> the following scenario:
>
> - A user user1 belongs to a group group1
> - group1 has READ access to the REST path: GET /my/entity/{entity_id}
> - group1 does not have WRITE access to this path: POST /my/entity/{entity_id}
>
> This means that all users of that group can only READ at that path,
> whatever the {entity_id} is.
>
> The question is:
> Is it possible to allow user1 ONLY of group1 to have WRITE access to a
> specific entity_id?
>
> The purpose is to use the Spring Boot/Spring Security Adapter and replace
> what Spring Security does with the @PreAuthorize annotation, for example.
>
> Thank you for your help,
>
> Best regards

From mstrukel at redhat.com Fri Apr 14 05:30:39 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 14 Apr 2017 11:30:39 +0200
Subject: [keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory
In-Reply-To: References: Message-ID:

One source of information you did not mention and that might help you is the Keycloak documentation:

https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/ldap.html
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html

There is also an example for Kerberos: https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos

And you may also want to check out our blog at http://blog.keycloak.org/ for articles on MSAD integration.
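Returning to Antoine Carton's fine-grained ACL question and Ilya Korol's answer in the "Keycloak ACL for a specific user on a specific object" thread above: the Java below is an editor-added example, not code from either poster, from Marko's reply, or from the Keycloak project. It provisions the setup Ilya describes, group1 may read any /my/entity/{entity_id} while only user1 may write one specific entity, through the keycloak-admin-client authorization API. The server URL, realm name, client UUID, admin credentials and the entity id 42 are placeholders; the representation classes and resource methods are named as I know them from the admin client, so treat them as assumptions to check against the Keycloak version in use.

```java
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;

/**
 * Added illustration, not code from the thread: "group1 reads any entity, only user1 writes
 * entity 42", expressed as Keycloak resources, policies and scope permissions.
 * Assumed: keycloak-admin-client method names; placeholder URL, realm, client UUID, credentials.
 */
public final class EntityAclSetup {

    private EntityAclSetup() {}

    public static void main(String[] args) {
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("https://sso.example.test/auth")      // placeholder
                .realm("master")
                .clientId("admin-cli")
                .username("admin")                                // placeholder admin account
                .password(System.getenv("KC_ADMIN_PASSWORD"))     // keep the secret out of the source
                .build();

        // The resource server is the client whose authorization settings we edit (placeholder UUID).
        AuthorizationResource authz = keycloak.realm("demo")
                .clients().get("00000000-0000-0000-0000-000000000000")
                .authorization();

        // Scopes correspond to the HTTP verbs the question distinguishes.
        createScope(authz, "read");
        createScope(authz, "write");

        // One templated resource covers every entity; a second, exact resource singles out entity 42.
        ResourceRepresentation anyEntity = new ResourceRepresentation();
        anyEntity.setName("entity");
        anyEntity.setUri("/my/entity/{entity_id}");
        anyEntity.addScope("read", "write");
        check(authz.resources().create(anyEntity), "resource entity");

        ResourceRepresentation entity42 = new ResourceRepresentation();
        entity42.setName("entity-42");
        entity42.setUri("/my/entity/42");                        // constructed sample id
        entity42.addScope("write");
        check(authz.resources().create(entity42), "resource entity-42");

        // Policies answer "who": members of group1, and the single user user1.
        GroupPolicyRepresentation group1 = new GroupPolicyRepresentation();
        group1.setName("members-of-group1");
        group1.addGroupPath("/group1");
        check(authz.policies().group().create(group1), "policy members-of-group1");

        UserPolicyRepresentation user1 = new UserPolicyRepresentation();
        user1.setName("only-user1");
        user1.addUser("user1");
        check(authz.policies().user().create(user1), "policy only-user1");

        // Permissions tie resource + scope + policy together. No permission grants "write" on the
        // template, so group membership alone never yields write access to any entity.
        ScopePermissionRepresentation readAny = new ScopePermissionRepresentation();
        readAny.setName("group1-reads-any-entity");
        readAny.addResource("entity");
        readAny.addScope("read");
        readAny.addPolicy("members-of-group1");
        check(authz.permissions().scope().create(readAny), "permission group1-reads-any-entity");

        ScopePermissionRepresentation write42 = new ScopePermissionRepresentation();
        write42.setName("user1-writes-entity-42");
        write42.addResource("entity-42");
        write42.addScope("write");
        write42.addPolicy("only-user1");
        check(authz.permissions().scope().create(write42), "permission user1-writes-entity-42");
    }

    private static void createScope(AuthorizationResource authz, String name) {
        ScopeRepresentation scope = new ScopeRepresentation();
        scope.setName(name);
        check(authz.scopes().create(scope), "scope " + name);
    }

    /** Fail loudly on anything but 2xx: a silently failed create leaves a hole in the ACL. */
    private static void check(Response response, String what) {
        try {
            if (response.getStatusInfo().getFamily() != Response.Status.Family.SUCCESSFUL) {
                throw new IllegalStateException("creating " + what + " failed: HTTP " + response.getStatus());
            }
        } finally {
            response.close();
        }
    }
}
```

Both the template resource and the exact resource match a request for entity 42, and which one the adapter's policy enforcer selects depends on its path matching, so the check worth running before relying on this is an evaluation (Admin Console, Authorization, Evaluate) or a live request with a member of group1 who is not user1: read must be permitted and write denied, and for user1 both must be permitted.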
On Fri, Apr 14, 2017 at 1:19 AM, Consolodated Emails wrote:
> Hi all,
> I have a big project due by the end of the week and the last item I have to deliver is Single Sign On for Active Directory users using IE, Firefox & Chrome. I am able to log in to my application if I use the Keycloak login form but I can't get it to auto login. If I set Kerberos to Required under Authentication, I get an error saying "Kerberos is not setup. You cannot login."
> Currently I'm investigating these as possible causes:
> My browser doesn't seem to be passing Kerberos to Keycloak. I'm using Fiddler to check headers but I can't get a clear understanding of what I should look for. The best I can tell, WWW-Authenticate Negotiate is being sent to me in the 401 response. I guess my browser isn't sending the Kerberos credentials.
> I'm using an NGINX proxy in front of my application. I've found some evidence of people updating configuration files in order to make this work properly. But I'm not sure this applies to me, since my proxy doesn't sit in front of the keycloak server.
> https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
> /jboss/keycloak/standalone/configuration/standalone.xml
> I don't think Kerberos is set up properly under User Federation/Active Directory (my LDAP's Config name).
> I pieced together some information from Matt's article on using Keycloak to authenticate with AD. He didn't go into any detail about Kerberos configuration for Active Directory. One line, "Configure the Kerberos integration like this:", and a screenshot is all I had to work with. After doing some reading I'm left to think there is an important step that is left out of all the articles, forum posts, user manual, etc. From what I can tell I have to run a command in the container to create a Keytab and it has to have the proper permissions for Keycloak to access it.
> I also think I have to set up /etc/kerb5.conf but I'm not sure what I need to do exactly. I can't find an article directly discussing Keycloak.
> http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
> My Env:
> Windows Server 2012 R2
> AWS Ec2
> Active Directory
> Pseudo workstation (I'm logging on as a non-domain admin for testing).
> Keycloak
> AWS Ec2
> Docker - Jboss/Keycloak:latest
> Ubuntu 16:04 Host:
> Container is Redhat based (obviously it's jboss).
> Ruby on Rails 1.8.7 application
> AWS Ec2
> Nginx Proxy in front of it.
> OpenID client connected to KeyCloak
> Under User Federation:
> I've created an Active Directory Provider; it's able to sync users from my test Active Directory.
> Authentication:
> Kerberos
> Any help would be really appreciated.. I'm in a real tough spot on this project.
> -Dustin

From kevin.berendsen at pharmapartners.nl Fri Apr 14 06:14:09 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Fri, 14 Apr 2017 10:14:09 +0000
Subject: [keycloak-user] Securing Web Apps with Sessions and KeyCloak?
In-Reply-To: References: Message-ID:

Hi Alex, I understand your concern. Using the standard flow means that the user is directed to your Keycloak instance, logs in and returns an authorization code to your browser, which the user finally turns into an access token. By default these access tokens only live for 5 minutes, which means that if there's a malicious script on the end user's computer, he will have a hard time constantly using his access token. But honestly, these flaws can also happen if you have a cookie stored locally. And then again, the probability of your Keycloak instance being hacked or under attack is very small.
If you happen to be hacked, it's usually because they found a way to access Keycloak's machine by bypassing SSH or whatsoever. So use HTTPS and follow the basic guidelines on creating a public client and you're good to go. If you're interested in how these flows work in detail, search for the OAuth2 protocol and you will find plenty of information that could be very helpful.

Kind regards, Kevin

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Alex Berg
Sent: Thursday, 13 April 2017 22:40
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Securing Web Apps with Sessions and KeyCloak?

Hello KeyCloak users, I spent tons of time trying to find an example of using KeyCloak to secure an https-cookie-based session id for managing user sessions, but I can't find it. I found examples which demonstrate using the OID redirect flow from an AngularJS app to get tokens, but I'm concerned about the security of storing this token in JS-land in a browser. I suspect a malicious script could grab it and impersonate the user. Also, I don't know of any websites I use which use this flow, but I'm new to managing user accounts so it could be invisible to me. I was thinking I'd like to have a form which sends the user's id and secret to my server, then turn it into a session id to keep in an https cookie. Or perhaps this is "the old way" of doing auth? Anyway, are my concerns unwarranted? Is it common practice now to simply treat my browser app as an OID client and pass a user token when requesting data from the server? Thanks for KeyCloak! I love how easy it is to deploy it as containers! I was originally planning to use Gluu, but they have a pretty crappy story for deploying as containers. Also, the KeyCloak docs and examples are simply more relate-able! Nice work on those!
- Alex

From unimail at edgestep.com Fri Apr 14 07:29:40 2017
From: unimail at edgestep.com (Consolodated Emails)
Date: Fri, 14 Apr 2017 07:29:40 -0400
Subject: [keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory
In-Reply-To: References: Message-ID:

Marko, Thank you for those links. I have come across them and have been using them as reference. I'm pretty sure I have LDAP working. Those instructions are very complete. I can sync users and then authenticate to my app using those credentials. When I update a user in Active Directory I can sync those changes to Keycloak. Where I'm stuck is the Kerberos setup & configuration. I could use more information on how to install and configure it, what commands to run, etc. The articles you posted are very brief about Kerberos setup. For example, in the Kerberos document there is a paragraph titled "Setup and configuration of Keycloak server"; it seems to be an important part of the setup but this section is just a basic outline: install a client, configure it, edit the krb5.conf to add your realm, export a keytab and secure the keytab file. Not details really. https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html In the "examples for Kerberos", step 4 is install the Kerberos client and step 5 is configure it. There are one or two sentences with information but not too much detail on what they mean. There is supposed to be a test.krb5.conf file which should explain more but the link is broken. https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos I spent most of the day researching but I haven't found much information on how to set up Kerberos for Active Directory SSO.
I don't have a lot of time to experiment, so following a walkthrough on getting Kerberos set up so Linux machines can join an Active Directory domain might give me the info I need, or I might lose 3-6 hours. One thing I'm not 100% sure about is whether I need to run a Kerberos client and server. In my environment we want users to log in to their Windows workstations, open the browser and auto-login to our application with no login prompts. We use Active Directory as the User Federation source and an OpenID client as our destination. I've been putting a ton of hours into this project and I really appreciate the help. :)

-Dustin

On Fri, Apr 14, 2017 at 5:30 AM, Marko Strukelj wrote:
> One source of information you did not mention and might help you is Keycloak documentation:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/ldap.html
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html
> There is also an example for Kerberos: https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos
> And you may also want to check out our blog at http://blog.keycloak.org/ for articles on MSAD integration.
> On Fri, Apr 14, 2017 at 1:19 AM, Consolodated Emails wrote:
>> Hi all,
>> I have a big project due by the end of the week and the last item I have to deliver is Single Sign On for Active Directory users using IE, Firefox & Chrome. I am able to log in to my application if I use the Keycloak login form but I can't get it to auto login. If I set Kerberos to Required under Authentication, I get an error saying "Kerberos is not setup. You cannot login."
>> Currently I'm investigating these as possible causes:
>> My browser doesn't seem to be passing Kerberos to Keycloak. I'm using Fiddler to check headers but I can't get a clear understanding of what I should look for.
>> The best I can tell, WWW-Authenticate Negotiate is being sent to me in the 401 response. I guess my browser isn't sending the Kerberos credentials.
>> I'm using an NGINX proxy in front of my application. I've found some evidence of people updating configuration files in order to make this work properly. But I'm not sure this applies to me, since my proxy doesn't sit in front of the keycloak server.
>> https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
>> /jboss/keycloak/standalone/configuration/standalone.xml
>> I don't think Kerberos is set up properly under User Federation/Active Directory (my LDAP's Config name).
>> I pieced together some information from Matt's article on using Keycloak to authenticate with AD. He didn't go into any detail about Kerberos configuration for Active Directory. One line, "Configure the Kerberos integration like this:", and a screenshot is all I had to work with. After doing some reading I'm left to think there is an important step that is left out of all the articles, forum posts, user manual, etc. From what I can tell I have to run a command in the container to create a Keytab and it has to have the proper permissions for Keycloak to access it. I also think I have to set up /etc/kerb5.conf but I'm not sure what I need to do exactly. I can't find an article directly discussing Keycloak.
>> http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
>> My Env:
>> Windows Server 2012 R2
>> AWS Ec2
>> Active Directory
>> Pseudo workstation (I'm logging on as a non-domain admin for testing).
>> Keycloak
>> AWS Ec2
>> Docker - Jboss/Keycloak:latest
>> Ubuntu 16:04 Host:
>> Container is Redhat based (obviously it's jboss).
>> Ruby on Rails 1.8.7 application
>> AWS Ec2
>> Nginx Proxy in front of it.
>> OpenID client connected to KeyCloak
>> Under User Federation:
>> I've created an Active Directory Provider; it's able to sync users from my test Active Directory.
>> Authentication:
>> Kerberos
>> Any help would be really appreciated.. I'm in a real tough spot on this project.
>> -Dustin

From roger.turnau at pwc.com Fri Apr 14 11:42:23 2017
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Fri, 14 Apr 2017 11:42:23 -0400
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
Message-ID:

Hi all, I am experiencing a weird behavior where Keycloak immediately logs out a user who has just logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now. This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The "exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and then suddenly fall back to the login screen. Any ideas what might cause behavior like this? Thank you for your help,
-- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important.
______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer. PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.

From kevin.berendsen at pharmapartners.nl Fri Apr 14 14:01:28 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Fri, 14 Apr 2017 18:01:28 +0000
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
In-Reply-To: References: Message-ID: <2945f040d4a14896ae9676fcce1d7689@FERB.ppg.lan>

Hello Roger, I have a few questions to get to know a little more about your situation:
* Is it a single AngularJS app with multi-tenancy support, or are there two codebases with identical code but different keycloak.json files?
* Have you checked the Keycloak logs already to find out where it possibly might go wrong? Logs would be a major help and solve most of your issues.
* Have you set the default checkLoginIframe from true to false in the init() method of the Keycloak JS Adapter?
If you could answer these three questions, that'd be great to help you out further :) I ran into similar problems and hopefully I can solve yours as well.
Kind regards, Kevin

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Roger Turnau (US - Advisory)
Sent: Friday, 14 April 2017 17:42
To: keycloak-user
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute

Hi all, I am experiencing a weird behavior where Keycloak immediately logs out a user who has just logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now. This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The "exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and then suddenly fall back to the login screen. Any ideas what might cause behavior like this? Thank you for your help,
-- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important.
From roger.turnau at pwc.com Fri Apr 14 15:14:59 2017
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Fri, 14 Apr 2017 15:14:59 -0400
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
In-Reply-To: <2945f040d4a14896ae9676fcce1d7689@FERB.ppg.lan>
References: <2945f040d4a14896ae9676fcce1d7689@FERB.ppg.lan>
Message-ID:

Kevin, Thanks for getting back to me. Here are the answers, and a little bit of clarification from further investigations:
1. The realms are for two separate codebases with different keycloak configurations, but otherwise identical keycloak code.
2. Nothing is showing up in the Keycloak logs. There are no server errors that I can see.
3. We are not doing anything with checkLoginIFrame in our initialization code.
Looking under the hood at the Javascript adapter, we found that the token was being revoked by the following code:

    if (event.data != "unchanged") {
        kc.clearToken();
    }

I notice that that happens in the message callback created when the iframe is set up. I assume that means that setting checkLoginIFrame to false in our configuration will fix the issue. Is that correct? Thanks again, Roger Turnau

On Fri, Apr 14, 2017 at 2:01 PM, Kevin Berendsen <kevin.berendsen at pharmapartners.nl> wrote:
> Hello Roger,
> I have got a few questions to know a little more about your situation:
> * Is it a single AngularJS app with multi-tenancy support or are there two codebases with identical code but different keycloak.json files?
> * Have you checked the Keycloak logs already to get to know where it possibly might go wrong? Logs would be a major help and solve most of your issues.
> * Have you set the default checkLoginIframe from true to false in the init() method of the Keycloak JS Adapter?
> If you could answer these three questions, that'd be great to help you out further :) I ran into similar problems and hopefully I can solve yours as well.
> Kind regards, Kevin
> -----Original message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Roger Turnau (US - Advisory)
> Sent: Friday, 14 April 2017 17:42
> To: keycloak-user
> Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
> Hi all, I am experiencing a weird behavior where Keycloak immediately logs out a user who has just logged in. A few details:
> - The Keycloak server has two realms. The issue only happens on one of the realms. The other one works as expected.
> - The configuration of both realms is pretty much identical.
> - The login happens from an AngularJS app. The JS Keycloak code is identical to the code that runs in the other realm's app.
> - Keycloak has been working with almost no issues for a few months now. This is a new behavior.
> - I have examined the JWT token, and don't see anything unusual. The "exp" claims and "iat" claims are giving the correct epoch time.
> The app will accept the bearer token, make its back-end REST calls, and then suddenly fall back to the login screen. Any ideas what might cause behavior like this?
> Thank you for your help,
> -- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us
> Save energy. Save a tree. Save the printing for something really important.
-- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important.
From kevin.berendsen at pharmapartners.nl Fri Apr 14 15:57:38 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Fri, 14 Apr 2017 19:57:38 +0000
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
Message-ID: <451ef7a8-4a3c-4dff-874a-7f0bdd6cf047@email.android.com>

Hi, I think that setting checkLoginIframe to false in your initialization call may solve your problem. You could also debug the Keycloak adapter in Firefox or Chrome to see what's happening and when.

On 14 Apr 2017 9:15 pm, "Roger Turnau (US - Advisory)" wrote:
Kevin, Thanks for getting back to me. Here are the answers, and a little bit of clarification from further investigations:
1. The realms are for two separate codebases with different keycloak configurations, but otherwise identical keycloak code.
2. Nothing is showing up in the Keycloak logs. There are no server errors that I can see.
3. We are not doing anything with checkLoginIFrame in our initialization code.
Looking under the hood at the Javascript adapter, we found that the token was being revoked by the following code: if (event.data != "unchanged") { kc.clearToken(); } I notice that that happens in the message callback created when the iframe is set up. I assume that means that setting checkLoginIFrame to false in our configuration will fix the issue. Is that correct? Thanks again, Roger Turnau
On Fri, Apr 14, 2017 at 2:01 PM, Kevin Berendsen wrote:
Hello Roger, I have got a few questions to know a little more about your situation:
* Is it a single AngularJS app with multi-tenancy support or are there two codebases with identical code but different keycloak.json files?
* Have you checked the Keycloak logs already to get to know where it possibly might go wrong? Logs would be a major help and solve most of your issues.
* Have you set the default checkLoginIframe from true to false in the init() method of the Keycloak JS Adapter?
If you could answer these three questions, that'd be great to help you out further :) I ran into similar problems and hopefully I can solve yours as well.
Kind regards, Kevin
-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Roger Turnau (US - Advisory)
Sent: Friday, 14 April 2017 17:42
To: keycloak-user
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
Hi all, I am experiencing a weird behavior where Keycloak immediately logs out a user who has just logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now. This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The "exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and then suddenly fall back to the login screen. Any ideas what might cause behavior like this? Thank you for your help,
-- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important.
-- Roger Turnau PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important.
From lists at merit.unu.edu Sat Apr 15 05:34:27 2017
From: lists at merit.unu.edu (mj)
Date: Sat, 15 Apr 2017 11:34:27 +0200
Subject: [keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory
In-Reply-To: References: Message-ID: <7d826e90-c696-673a-8de0-57c57ee76daa@merit.unu.edu>

Some of my notes, but these are for samba4 AD:
> add spn to account files, since id is running on the id.company.com machine:
> samba-tool spn add HTTP/id.samba.company.com id$
> samba-tool domain exportkeytab --principal HTTP/id.samba.company.com id.keytab
> List keys in id.keytab:
> root at dc4:~# klist -k ./id.keytab
> Keytab name: FILE:./id.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 HTTP/id.samba.company.com at SAMBA.COMPANY.COM
> 2 HTTP/id.samba.company.com at SAMBA.COMPANY.COM
> 2 HTTP/id.samba.company.com at SAMBA.COMPANY.COM
> Make sure that a reverse DNS entry exists!
> (so, in case you use id.company.com, add a reverse for id.company.com)
Then:
> 2016-11-21 15:05:55,649 INFO [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry] (default task-3) Creating new LDAP based partition manager for the Federation provider: active directory, LDAP Configuration: {serverPrincipal=HTTP/id.copany.com at SAMBA.COMPANY.COM, pagination=true, connectionPooling=true, usersDn=cn=users,dc=samba,dc=company,dc=com, userAccountControlsAfterPasswordUpdate=true, useKerberosForPasswordAuthentication=false, bindDn=cn=service_account,cn=users,dc=samba,dc=company,dc=com, usernameLDAPAttribute=sAMAccountName, vendor=ad, uuidLDAPAttribute=objectGUID, allowKerberosAuthentication=true, connectionUrl=ldaps://localhost:636, syncRegistrations=false, authType=simple, debug=true, searchScope=1, keyTab=/usr/local/keycloak/standalone/configuration/id.keytab, useTruststoreSpi=ldapsOnly, kerberosRealm=SAMBA.COMPANY.COM, userObjectClasses=person, organizationalPerson, user, rdnLDAPAttribute=cn, editMode=READ_ONLY, batchSizeForSync=1000}
> 2016-11-21 15:05:55,746 INFO [stdout] (default task-3) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /usr/local/keycloak/standalone/configuration/id.keytab refreshKrb5Config is false principal is HTTP/id.company.com at SAMBA.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2016-11-21 15:05:55,790 INFO [stdout] (default task-3) principal is HTTP/id.company.com at SAMBA.COMPANY.COM
> 2016-11-21 15:05:55,790 INFO [stdout] (default task-3) Will use keytab
> 2016-11-21 15:05:55,792 INFO [stdout] (default task-3) Commit Succeeded
> 2016-11-21 15:05:55,792 INFO [stdout] (default task-3)
> 2016-11-21 15:05:55,994 INFO [stdout] (default task-3) [Krb5LoginModule]: Entering logout
> 2016-11-21 15:05:55,995 INFO [stdout] (default task-3) [Krb5LoginModule]: logged out Subject
Good luck, MJ

From quasiben at gmail.com Sat
Apr 15 10:56:05 2017
From: quasiben at gmail.com (Benjamin Zaitlen)
Date: Sat, 15 Apr 2017 07:56:05 -0700
Subject: [keycloak-user] Session Logout with Offline Access Token
In-Reply-To: <65e110ab-ac61-30f9-2189-6ec1c12ba06c@redhat.com>
References: <65e110ab-ac61-30f9-2189-6ec1c12ba06c@redhat.com>
Message-ID:

Hi Marek, Apologies for the delayed reply. The examples work! It turns out it was an error with how I was defining and encoding the scope. The difference between
> scope=['openid', 'offline_access']
and
> scope='openid offline_access'
What was/is a problem was that the first scope declaration was valid and an access token was granted. In any case, thank you again for helping me debug my error. --Ben

On Wed, Mar 29, 2017 at 12:50 PM, Marek Posolda wrote:
> Do you have a chance to try the example I pointed to and see if it works as expected?
> Marek
> On 29/03/17 21:13, Benjamin Zaitlen wrote:
> Hi Marek, Thanks for the response. I am saving the token for APP2. The behavior I'm observing is that after the SSO Logout, the offline token access is revoked, and the previously saved token is no longer valid. Perhaps I'm doing something incorrectly. This is also on 2.5.X
> --Ben
> On Wed, Mar 29, 2017 at 1:28 PM, Marek Posolda wrote:
>> On 29/03/17 13:43, Benjamin Zaitlen wrote:
>>> Any thoughts on this?
>>> --Ben
>>> On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen wrote:
>>>> Hi All,
>>>> I'm having some trouble with sessions, clients, and offline access tokens. Let's say I have a client (APP 1) and I've logged in with OIDC. I now have a refresh_token and session for APP 1. Using the auth code flow I can generate an offline_access token (refresh_token) for a second client: APP 2. When I look in *realms/myrealm/account/sessions*, I see one session but two clients. At first I thought, great!
I was able to get >>>> the >>>> auth code flow working and I generated a refresh token for a second >>>> client. >>>> >>>> But then disaster set in, when I logged out of the APP 1 client with the >>>> URL: *protocol/openid-connect/logout.* I was logged out the session >>>> which >>>> included the* second client* and thus the offline access token for APP 2 >>>> was effectively revoked. >>>> >>>> I've seen a handful of JIRAs related to offline access tokens and >>>> logouts >>>> but I think they don't quite cover this usecase. I have two questions: >>>> >>>> 1. Is it possible, using the auth code flow, to generate a refresh token >>>> in separate session. That is can APP 1 generate an offline_access token >>>> for >>>> APP 2 in a separate session without re-authenticating? >>>> >>> Once you logged to your APP 2, you have both online session, which is >> part of SSO login (hence you are able to browse APP 2 with your browser) >> and offline session. After login to APP 2, you need to somehow save your >> offline token for later use, which is responsibility of your APP 2. >> >> SSO logout will clear your browser session, but offline token will be >> still valid and can be used for further refreshes. Offline token will also >> survive server restart. >> >> You can take a look at the example in the keycloak-examples distribution >> under "preconfigured-demo/offline-access-app" , which also does logout >> of browser session (or server restart), but offline token is still valid. >> >>> >>>> 2. Can I logout a specific client for a session by passing additional >>>> parameters in the logout URL ? >>>> >>> Nope, Logout is always global SSO logout as it clears the userSession on >> the Keycloak side. Assume that when the "global" userSession is not >> cleared, then the single logged-out client will be still always able to >> login anytime due to SSO session, hence logout would be a bit pointless >> though? 
>> >> Marek >> >>> >>>> Thanks, >>>> --Ben >>>> >>>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> > > From yizhoujiang at hengtiansoft.com Mon Apr 17 05:08:34 2017 From: yizhoujiang at hengtiansoft.com (Yizhou Jiang(Yizhou)) Date: Mon, 17 Apr 2017 09:08:34 +0000 Subject: [keycloak-user] Access Token And PRT(request party token), which one should I use to access the resource protected by keycloak Message-ID: <8410B795605D1A4C9DC12833971BFA753246577E@PWSDEX01.hengtiansoft.com> Hi, By reading the document of KeyCloak ,I found that I can use a Access-token or a PRT(request party token) to access the resources protected by keycloak. 1 Use PRT: https://keycloak.gitbooks.io/documentation/authorization_services/topics/enforcer/keycloak-enforcement-bearer.html GET /my-resource-server/my-protected-resource HTTP/1.1 Host: host.com Authorization: Bearer ${RPT} 2 Use access token: https://github.com/keycloak/keycloak-quickstarts/blob/master/app-jee-html5/src/main/webapp/app.js line 38 if (keycloak.authenticated) { req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token); } I'm confused about the difference between them. I don't know When I should use access token , and when I should use another one ? I am looking forward to your reply. thanks , yizhou From psilva at redhat.com Mon Apr 17 07:22:47 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 17 Apr 2017 08:22:47 -0300 Subject: [keycloak-user] Access Token And PRT(request party token), which one should I use to access the resource protected by keycloak In-Reply-To: <8410B795605D1A4C9DC12833971BFA753246577E@PWSDEX01.hengtiansoft.com> References: <8410B795605D1A4C9DC12833971BFA753246577E@PWSDEX01.hengtiansoft.com> Message-ID: Hi, If your resources are protected with a policy enforcer you should send a RPT. 
This token is pretty much an access token with an additional claim holding the permissions.

Regards.
Pedro Igor

On Mon, Apr 17, 2017 at 6:08 AM, Yizhou Jiang(Yizhou) <yizhoujiang at hengtiansoft.com> wrote:

> Hi,
>
> By reading the documentation of Keycloak, I found that I can use an access token or a PRT (request party token) to access the resources protected by Keycloak.
>
> 1. Use PRT: https://keycloak.gitbooks.io/documentation/authorization_services/topics/enforcer/keycloak-enforcement-bearer.html
>
>     GET /my-resource-server/my-protected-resource HTTP/1.1
>     Host: host.com
>     Authorization: Bearer ${RPT}
>
> 2. Use access token: https://github.com/keycloak/keycloak-quickstarts/blob/master/app-jee-html5/src/main/webapp/app.js line 38
>
>     if (keycloak.authenticated) {
>         req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
>     }
>
> I'm confused about the difference between them. I don't know when I should use the access token, and when I should use the other one? I am looking forward to your reply.
>
> Thanks,
> yizhou

From psilva at redhat.com Mon Apr 17 08:29:45 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 17 Apr 2017 09:29:45 -0300
Subject: [keycloak-user] Keycloak ACL for a specific user on a specific object
In-Reply-To:
References:
Message-ID:

We are also lacking a Group-Based Policy. Once we have it, you will be able to address the requirements you mentioned. So, for "user1 ONLY of group1, to have WRITE access" you would need to define a specific permission (e.g.: scope permission) telling that user1 can WRITE.

Maybe you can test this behavior today using roles.

On Fri, Apr 14, 2017 at 3:15 AM, Ilya Korol wrote:

> Generally Yes. First of all carefully study Authorization Docs.
>
> According to your case:
>
> /my/entity/{entity_id} - this is your resource and you will have to define it in keycloak
>
> Any access to resources is based on permissions of user. (In other words KC adapters will check whether user has or hasn't permission to specified resource). So the main question is how user will acquire his permissions to resources. This could be achieved via policies, so in your case there could be a policy that checks whether user is in group1, and if so grants him permission to read (HTTP_GET) resource.
>
> Take a look at https://keycloak.gitbooks.io/documentation/authorization_services/index.html (it took me a reasonable amount of time and experiments to "get the picture", so don't hurry)
>
> You should also check out authz examples from keycloak repo.
>
> If you will try to use Spring Security adapter read this thread http://lists.jboss.org/pipermail/keycloak-user/2017-March/010107.html about some issues that I faced with this adapter and suitable solutions.
>
> On 13.04.2017 17:25, Antoine Carton wrote:
>> Hello,
>>
>> Is there a way to manage fine grained authorizations with Keycloak like in the following scenario:
>>
>> - A user user1 belongs to a group group1
>> - group1 has READ access to the REST path: GET /my/entity/{entity_id}
>> - group1 has not WRITE access to this path: POST /my/entity/{entity_id}
>>
>> This means that all users of that group can only READ at that path, whatever the {entity_id} is.
>>
>> The question is: Is it possible to allow user1 ONLY of group1, to have WRITE access to a specific entity_id.
>>
>> The purpose is to use the Spring Boot/Spring Security Adapter and replace what Spring security does with @PreAuthorize annotation for example.
>>
>> Thank you for your help,
>>
>> Best regards

From psilva at redhat.com Mon Apr 17 08:32:04 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 17 Apr 2017 09:32:04 -0300
Subject: [keycloak-user] Keycloak ACL for a specific user on a specific object
In-Reply-To:
References:
Message-ID:

On Fri, Apr 14, 2017 at 3:15 AM, Ilya Korol wrote:

> Take a look at https://keycloak.gitbooks.io/documentation/authorization_services/index.html (it took me a reasonable amount of time and experiments to "get the picture", so don't hurry)

What do you think we can improve in docs to make it more clear and easy to follow?

From llivezking at gmail.com Mon Apr 17 09:03:27 2017
From: llivezking at gmail.com (Король Илья)
Date: Mon, 17 Apr 2017 23:03:27 +1000
Subject: [keycloak-user] Keycloak ACL for a specific user on a specific object
In-Reply-To:
References:
Message-ID: <00d709aa-c648-6f15-ca16-f8741d6a5406@gmail.com>

Honestly docs are quite good. But their usefulness becomes reasonable only after proper rtfm about OAuth2, OIDC (and UMA, but UMA tldr :-) ). In my team we are trying to integrate apps with keycloak via Spring Adapter and it takes us a lot of time to solve Single Logout and Policy Enforcer issues. But afaik Spring Adapter is community, so maybe that's why there is a little incompleteness in examples and docs.

By the way, a current issue that I didn't find in the docs is how to enable scoped roles in adapters config. I asked about this issue there http://lists.jboss.org/pipermail/keycloak-user/2017-April/010305.html

Maybe I should open an issue at Jira?
17.04.2017 22:32, Pedro Igor Silva wrote:
> On Fri, Apr 14, 2017 at 3:15 AM, Ilya Korol wrote:
>
>> Take a look at https://keycloak.gitbooks.io/documentation/authorization_services/index.html (it took me a reasonable amount of time and experiments to "get the picture", so don't hurry)
>
> What do you think we can improve in docs to make it more clear and easy to follow?

From celso.agra at gmail.com Mon Apr 17 10:09:31 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 17 Apr 2017 11:09:31 -0300
Subject: [keycloak-user] how to use keycloak JS Adapter with a signed JWT Token?
Message-ID:

Hi there,

It's me again! I'd like to know if it would be possible to configure my frontend app with the keycloak JS adapter, but my app is configured with a signed JWT. Here are the credential configs:

    "credentials": {
      "jwt": {
        "client-key-password": "REPLACE WITH THE KEY PASSWORD IN KEYSTORE",
        "client-keystore-file": "REPLACE WITH THE LOCATION OF YOUR KEYSTORE FILE",
        "client-keystore-password": "REPLACE WITH THE KEYSTORE PASSWORD",
        "client-key-alias": "",
        "token-timeout": 10,
        "client-keystore-type": "jks"
      }
    }

When I try to add this config in the Keycloak JS: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js I haven't seen a config to do with signed JWT. So, how do people do this configuration?

Best regards,

--
---
*Celso Agra*

From yizhoujiang at hengtiansoft.com Mon Apr 17 10:22:25 2017
From: yizhoujiang at hengtiansoft.com (Yizhou Jiang(Yizhou))
Date: Mon, 17 Apr 2017 14:22:25 +0000
Subject: [keycloak-user] Access Token And PRT(request party token), which one should I use to access the resource protected by keycloak
In-Reply-To:
References: <8410B795605D1A4C9DC12833971BFA753246577E@PWSDEX01.hengtiansoft.com>
Message-ID: <8410B795605D1A4C9DC12833971BFA75324658F0@PWSDEX01.hengtiansoft.com>

Hi Pedro Igor,

Thanks for your reply, but I still have some confusion.

https://keycloak.gitbooks.io/documentation/authorization_services/topics/enforcer/keycloak-enforcement-filter.html has text like the following:

To enable policy enforcement for your application, add the following property to your keycloak.json file:

    keycloak.json
    {
      "policy-enforcer": {}
    }

So, the example https://github.com/keycloak/keycloak-quickstarts/tree/master/service-jee-jaxrs is protected by a policy enforcer, because there is

    {
      "policy-enforcer": {}
    }

in the keycloak.json file which was downloaded from the keycloak server.

But the example https://github.com/keycloak/keycloak-quickstarts/blob/master/app-jee-html5/src/main/webapp/app.js calls the services using an Access Token, NOT a PRT.

Thanks,
yizhou

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Monday, April 17, 2017 7:23 PM
To: Yizhou Jiang(Yizhou)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Access Token And PRT(request party token), which one should I use to access the resource protected by keycloak

Hi,

If your resources are protected with a policy enforcer you should send an RPT. This token is pretty much an access token with an additional claim holding the permissions.

Regards.
Pedro Igor

On Mon, Apr 17, 2017 at 6:08 AM, Yizhou Jiang(Yizhou) wrote:

Hi,

By reading the documentation of Keycloak, I found that I can use an access token or a PRT (request party token) to access the resources protected by Keycloak.

1. Use PRT: https://keycloak.gitbooks.io/documentation/authorization_services/topics/enforcer/keycloak-enforcement-bearer.html

    GET /my-resource-server/my-protected-resource HTTP/1.1
    Host: host.com
    Authorization: Bearer ${RPT}

2. Use access token: https://github.com/keycloak/keycloak-quickstarts/blob/master/app-jee-html5/src/main/webapp/app.js line 38

    if (keycloak.authenticated) {
        req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
    }

I'm confused about the difference between them. I don't know when I should use the access token, and when I should use the other one? I am looking forward to your reply.

Thanks,
yizhou

From psilva at redhat.com Mon Apr 17 13:02:32 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 17 Apr 2017 14:02:32 -0300
Subject: [keycloak-user] Access Token And PRT(request party token), which one should I use to access the resource protected by keycloak
In-Reply-To: <8410B795605D1A4C9DC12833971BFA75324658F0@PWSDEX01.hengtiansoft.com>
References: <8410B795605D1A4C9DC12833971BFA753246577E@PWSDEX01.hengtiansoft.com> <8410B795605D1A4C9DC12833971BFA75324658F0@PWSDEX01.hengtiansoft.com>
Message-ID:

On Mon, Apr 17, 2017 at 11:22 AM, Yizhou Jiang(Yizhou) <yizhoujiang at hengtiansoft.com> wrote:

> Hi Pedro Igor,
>
> Thanks for your reply, but I still have some confusion.
>
> https://keycloak.gitbooks.io/documentation/authorization_services/topics/enforcer/keycloak-enforcement-filter.html has text like the following:
>
> To enable policy enforcement for your application, add the following property to your *keycloak.json* file:
>
>     keycloak.json
>     {
>       "policy-enforcer": {}
>     }
>
> So, the example https://github.com/keycloak/keycloak-quickstarts/tree/master/service-jee-jaxrs is protected by a policy enforcer, because there is
>
>     *{*
>     *"policy-enforcer"**: {}*
>     *}*
>
> in the *keycloak.json* file which was downloaded from the keycloak server.
>
> But the example https://github.com/keycloak/keycloak-quickstarts/blob/master/app-jee-html5/src/main/webapp/app.js calls the services using an Access Token, NOT a PRT.

In this example, you need to change it in order to use the RPT properly if you have enabled authz. We have some quickstarts here [1] for RH-SSO. But none in keycloak-quickstarts repo. Will talk with Stian about that.
[1] https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.1.x

> Thanks,
> yizhou
>
> *From:* Pedro Igor Silva [mailto:psilva at redhat.com]
> *Sent:* Monday, April 17, 2017 7:23 PM
> *To:* Yizhou Jiang(Yizhou)
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Access Token And PRT(request party token), which one should I use to access the resource protected by keycloak
>
> Hi,
>
> If your resources are protected with a policy enforcer you should send an RPT. This token is pretty much an access token with an additional claim holding the permissions.
>
> Regards.
> Pedro Igor
>
> On Mon, Apr 17, 2017 at 6:08 AM, Yizhou Jiang(Yizhou) <yizhoujiang at hengtiansoft.com> wrote:
>
> Hi,
>
> By reading the documentation of Keycloak, I found that I can use an access token or a PRT (request party token) to access the resources protected by Keycloak.
>
> 1. Use PRT: https://keycloak.gitbooks.io/documentation/authorization_services/topics/enforcer/keycloak-enforcement-bearer.html
>
>     GET /my-resource-server/my-protected-resource HTTP/1.1
>     Host: host.com
>     Authorization: Bearer ${RPT}
>
> 2. Use access token: https://github.com/keycloak/keycloak-quickstarts/blob/master/app-jee-html5/src/main/webapp/app.js line 38
>
>     if (keycloak.authenticated) {
>         req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
>     }
>
> I'm confused about the difference between them. I don't know when I should use the access token, and when I should use the other one? I am looking forward to your reply.
>
> Thanks,
> yizhou

From danny at sigerconsulting.com Mon Apr 17 15:41:53 2017
From: danny at sigerconsulting.com (Danny Regis)
Date: Mon, 17 Apr 2017 20:41:53 +0100
Subject: [keycloak-user] Re: Identity Brokering
Message-ID:

Thanks Bill,

Is there a subtle distinction between identity brokering vs federation?

Is there anywhere which details the interaction on subsequent logins? I found this page useful for the initial login: http://www.keycloak.org/docs/1.9/server_admin_guide/topics/identity-broker/overview.html

I assume credentials are not imported/created during the identity federation, hence on a return visit Keycloak would forward an authentication request to the target IdP - effectively step 5 in the flow linked above.

Danny

> Message: 6
> Date: Thu, 13 Apr 2017 10:25:14 -0400
> From: Bill Burke
> Subject: Re: [keycloak-user] Identity Brokering
> To: keycloak-user at lists.jboss.org
> Message-ID: <3e60adeb-bb6f-ef07-7f55-3c5611c0122b at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> brokering is authentication delegation. The user is imported, a local account is created and linked to the external IDP.
>
> On 4/13/17 9:12 AM, Danny Regis wrote:
>> Hello,
>>
>> I'm trying to gain clarity on whether there is a subtle difference between Identity Federation / Identity Brokering / Authentication Brokering.
>>
>> Looking at the documentation for Identity Providers, it details this as Identity Brokering, what I can't ascertain (and haven't been able to demo) is exactly how this works. The documentation implies that the first broker login flow creates a local user. What happens on the second login? Would the user always be redirected to the IdP login pages? If so what is the local user copy for?
>>
>> Potentially I'm confusing federated Open ID Connect SSO with Identity Brokering.
>>
>> My specific use case...
>>
>> Application A users authenticated and authorised via Identity Provider B (Open Id Connect)
>>
>> However application A users should always be authenticated against IdP B, there should never be local authentication based upon a local KC user.
>>
>> Would disabling "Create User If Unique" from the First Broker Login flow fulfil my requirement?
>>
>> Thanks
>> Danny
>
> ------------------------------
>
> End of keycloak-user Digest, Vol 40, Issue 20
> *********************************************

From kevin.berendsen at pharmapartners.nl Mon Apr 17 16:22:12 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Mon, 17 Apr 2017 20:22:12 +0000
Subject: [keycloak-user] how to use keycloak JS Adapter with a signed JWT Token?
In-Reply-To:
References:
Message-ID: <999f9af16dfd4623bb4fe0c0002a53a4@FERB.ppg.lan>

Hi Celso,

Angular is written in JavaScript which is basically all client side. Meaning that if you use a private key on the client side, the key must be publicly accessible and I'm sure you don't want that. You must configure any JavaScript client to be a public client. It's all there in the docs of Keycloak [1][2]

I know it's not really the answer you're looking for but this could blow a major security issue in your application.
[1] https://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/javascript-adapter.html
[2] https://www.keycloak.org/docs/3.0/server_admin/topics/clients/client-oidc.html#_access-type

Kind regards,
Kevin Berendsen

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Celso Agra
Sent: Monday, 17 April 2017 16:10
To: keycloak-user
Subject: [keycloak-user] how to use keycloak JS Adapter with a signed JWT Token?

Hi there,

It's me again! I'd like to know if it would be possible to configure my frontend app with the keycloak JS adapter, but my app is configured with a signed JWT. Here are the credential configs:

    "credentials": {
      "jwt": {
        "client-key-password": "REPLACE WITH THE KEY PASSWORD IN KEYSTORE",
        "client-keystore-file": "REPLACE WITH THE LOCATION OF YOUR KEYSTORE FILE",
        "client-keystore-password": "REPLACE WITH THE KEYSTORE PASSWORD",
        "client-key-alias": "",
        "token-timeout": 10,
        "client-keystore-type": "jks"
      }
    }

When I try to add this config in the Keycloak JS: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js I haven't seen a config to do with signed JWT. So, how do people do this configuration?

Best regards,

--
---
*Celso Agra*

From marc.tempelmeier at flane.de Tue Apr 18 04:04:34 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 18 Apr 2017 08:04:34 +0000
Subject: [keycloak-user] Load Balancer and Domain Clustered Mode
In-Reply-To: <25c59e22eb42440e914a5b8bb15b8670@dehamex2013.europe.flane.local>
References: <25c59e22eb42440e914a5b8bb15b8670@dehamex2013.europe.flane.local>
Message-ID:

Hi,

Anyone an idea? :)

Greetings
Marc

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marc Tempelmeier
Sent: Tuesday, April 11, 2017 3:49 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Load Balancer and Domain Clustered Mode

Hi,

The docs said we should use our own load balancer. Is nginx a good idea there and how is the general rough setup then? Nginx in front, Domain controller is admin only and just controls the config, 2 slaves with an open Port (8080, 8081) which the load balancer uses? Or does the Domain Controller have some other role in this setup? Not asking for specifics, just the general workflow.

Greetings
Marc

From martin.johansson at metrical.se Tue Apr 18 05:09:30 2017
From: martin.johansson at metrical.se (Martin Johansson)
Date: Tue, 18 Apr 2017 11:09:30 +0200
Subject: [keycloak-user] Re: Get magic link for users to login
Message-ID:

Hi!

We want to achieve the following:

Expose a REST endpoint where an authenticated client can retrieve a magic login link for a specific user. We have an ID in the attributes for the user which enables us to get the correct user.

The reason for this is that we need to expose the possibility to send e-mails from other systems than Keycloak. We have other ways of composing the e-mails. So the wanted final state is that a user can click a link in his e-mail client and be redirected to our app and be logged in.

BR,
Martin

---------- Forwarded message ----------
> From: Ilya Korol
> To: keycloak-user at lists.jboss.org
> Cc:
> Bcc:
> Date: Fri, 14 Apr 2017 15:59:10 +1000
> Subject: Re: [keycloak-user] Get magic link for users to login
>
> Hi, could you explain in more detail what you want to achieve? As for my team, we also implemented a custom rest endpoint, which sends customized emails to users. Check out org.keycloak.services.resources.admin.UsersResource for details of default link constructing. (methods: resetPasswordEmail(), executeActionsEmail(), sendVerifyEmail())
>
> On 13.04.2017 17:54, Martin Johansson wrote:
>> Is it possible to retrieve the magic link that is sent by e-mail via the Java API? We have implemented an SPI with a REST interface and would like to get the link for usage in custom e-mails. Any hints which provider to be used is much appreciated.
>>
>> Regards,
>> Martin

From mr.beel at gmail.com Tue Apr 18 05:53:42 2017
From: mr.beel at gmail.com (Nabeel Ahmed)
Date: Tue, 18 Apr 2017 14:53:42 +0500
Subject: [keycloak-user] NullPointerException while adding userFederationMappers
Message-ID:

Hi Everyone,

I am using keycloak 2.4.0.Final and creating an ldap user federation provider. Getting the following error when creating UserFederationMappers.
14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/79a731e1-6d8d-499e-a62f-73cb38af72e2/mappers: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
        at org.keycloak.services.resources.admin.UserFederationProviderResource.validateModel(UserFederationProviderResource.java:450)
        at org.keycloak.services.resources.admin.UserFederationProviderResource.addMapper(UserFederationProviderResource.java:321)
        at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

Regards,
Nabeel Ahmed
Cell # +92 333 540 5542

From mr.beel at gmail.com Tue Apr 18 05:55:24 2017
From: mr.beel at gmail.com (Nabeel Ahmed)
Date: Tue, 18 Apr 2017 14:55:24 +0500
Subject: [keycloak-user] NullPointerException while adding userFederationMappers
In-Reply-To:
References:
Message-ID:

+ Using REST API

Regards,
Nabeel Ahmed
Cell # +92 333 540 5542

On Tue, Apr 18, 2017 at 2:53 PM, Nabeel Ahmed wrote:

> Hi Everyone,
>
> I am using keycloak 2.4.0.Final and creating ldap user federation provider.
> Getting the following error when creating UserFederationMappers.
>
> 14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/79a731e1-6d8d-499e-a62f-73cb38af72e2/mappers: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
>         at org.keycloak.services.resources.admin.UserFederationProviderResource.validateModel(UserFederationProviderResource.java:450)
>         at org.keycloak.services.resources.admin.
> UserFederationProviderResource.addMapper(UserFederationProviderResource > .java:321) > at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) > ... 
37 more > > > > Regards, > > Nabeel Ahmed > Cell # +92 333 540 5542 > From mr.beel at gmail.com Tue Apr 18 06:01:19 2017 From: mr.beel at gmail.com (Nabeel Ahmed) Date: Tue, 18 Apr 2017 15:01:19 +0500 Subject: [keycloak-user] NullPointerException while adding userFederationMappers In-Reply-To: References: Message-ID: URL: /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/845968bd-499e-4cd2-ad52-69bbe258c56c/mappers POST Request JSON : {"name":"email","federationProviderDisplayName":"dsis-ldap","federationMapperType":"user-attribute-ldap-mapper","config":{"ldap.attribute":"mail","is.mandatory.in.ldap":"false","read.only":"true","always.read.value.from.ldap":"false","user.model.attribute":"email"}} Regards, Nabeel Ahmed Cell # +92 333 540 5542 On Tue, Apr 18, 2017 at 2:55 PM, Nabeel Ahmed wrote: > + Using REST API > > Regards, > > Nabeel Ahmed > Cell # +92 333 540 5542 > > On Tue, Apr 18, 2017 at 2:53 PM, Nabeel Ahmed wrote: > >> Hi Everyone, >> >> I am using keycloak 2.4.0.Final and creating ldap user federation >> provider. >> Getting the following error when creating UserFederationMappers. 
>> >> >> >> 14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: >> Exception handling request to /auth/admin/realms/DecisionSpa >> ce_Integration_Server/user-federation/instances/79a731e1- >> 6d8d-499e-a62f-73cb38af72e2/mappers: org.jboss.resteasy.spi.UnhandledException: >> java.lang.NullPointerException >> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx >> ception(ExceptionHandler.java:76) >> at org.jboss.resteasy.core.ExceptionHandler.handleException(Exc >> eptionHandler.java:212) >> at org.jboss.resteasy.core.SynchronousDispatcher.writeException >> (SynchronousDispatcher.java:168) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >> nousDispatcher.java:411) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >> nousDispatcher.java:202) >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >> spatcher.service(ServletContainerDispatcher.java:221) >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.service(HttpServletDispatcher.java:56) >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >> rvletHandler.java:85) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >> oFilter(FilterHandler.java:129) >> at org.keycloak.services.filters.KeycloakSessionServletFilter.d >> oFilter(KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >> r.java:60) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >> oFilter(FilterHandler.java:131) >> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >> terHandler.java:84) >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan >> dler.handleRequest(ServletSecurityRoleHandler.java:62) >> at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handl >> eRequest(ServletDispatchingHandler.java:36) >> at org.wildfly.extension.undertow.security.SecurityContextAssoc >> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.servlet.handlers.security.SSLInformationAssociat >> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at io.undertow.servlet.handlers.security.ServletAuthenticationC >> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.security.handlers.AbstractConfidentialityHandler >> .handleRequest(AbstractConfidentialityHandler.java:46) >> at io.undertow.servlet.handlers.security.ServletConfidentiality >> ConstraintHandler.handleRequest(ServletConfident >> ialityConstraintHandler.java:64) >> at io.undertow.security.handlers.AuthenticationMechanismsHandle >> r.handleRequest(AuthenticationMechanismsHandler.java:60) >> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes >> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at io.undertow.security.handlers.NotificationReceiverHandler.ha >> ndleRequest(NotificationReceiverHandler.java:50) >> at io.undertow.security.handlers.AbstractSecurityContextAssocia >> tionHandler.handleRequest(AbstractSecurityContextAssociation >> Handler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >> ndler.handleRequest(JACCContextIdHandler.java:61) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFir >> stRequest(ServletInitialHandler.java:284) >> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >> equest(ServletInitialHandler.java:263) >> at io.undertow.servlet.handlers.ServletInitialHandler.access$00 >> 0(ServletInitialHandler.java:81) >> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >> equest(ServletInitialHandler.java:174) >> at io.undertow.server.Connectors.executeRootHandler(Connectors. >> java:202) >> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >> ge.java:793) >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: java.lang.NullPointerException >> at org.keycloak.services.resources.admin.UserFederationProvider >> Resource.validateModel(UserFederationProviderResource.java:450) >> at org.keycloak.services.resources.admin.UserFederationProvider >> Resource.addMapper(UserFederationProviderResource.java:321) >> at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown Source) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje >> ctorImpl.java:139) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget >> (ResourceMethodInvoker.java:295) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc >> eMethodInvoker.java:249) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >> tObject(ResourceLocatorInvoker.java:138) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >> ceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >> tObject(ResourceLocatorInvoker.java:133) >> at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >> ceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >> tObject(ResourceLocatorInvoker.java:133) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >> ceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >> tObject(ResourceLocatorInvoker.java:133) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >> ceLocatorInvoker.java:101) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >> nousDispatcher.java:395) >> ... 37 more >> >> >> >> Regards, >> >> Nabeel Ahmed >> Cell # +92 333 540 5542 >> > > From bruno at abstractj.org Tue Apr 18 08:29:23 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 18 Apr 2017 12:29:23 +0000 Subject: [keycloak-user] NullPointerException while adding userFederationMappers In-Reply-To: References: Message-ID: Is the same happening with 3.0.0.Final? On Tue, Apr 18, 2017 at 7:01 AM Nabeel Ahmed wrote: > URL: > /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/845968bd-499e-4cd2-ad52-69bbe258c56c/mappers > > POST Request JSON : > > > {"name":"email","federationProviderDisplayName":"dsis-ldap","federationMapperType":"user-attribute-ldap-mapper","config":{"ldap.attribute":"mail","is.mandatory.in.ldap":"false","read.only":"true","always.read.value.from.ldap":"false","user.model.attribute":"email"}} > > Regards, > > Nabeel Ahmed > Cell # +92 333 540 5542 > > On Tue, Apr 18, 2017 at 2:55 PM, Nabeel Ahmed wrote: > > > + Using REST API > > > > Regards, > > > > Nabeel Ahmed > > Cell # +92 333 540 5542 > > > > On Tue, Apr 18, 2017 at 2:53 PM, Nabeel Ahmed wrote: > > > >> Hi Everyone, > >> > >> I am using keycloak 2.4.0.Final and creating ldap user federation > >> provider. > >> Getting the following error when creating UserFederationMappers. 
> >> > >> > >> > >> 14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: > >> Exception handling request to /auth/admin/realms/DecisionSpa > >> ce_Integration_Server/user-federation/instances/79a731e1- > >> 6d8d-499e-a62f-73cb38af72e2/mappers: > org.jboss.resteasy.spi.UnhandledException: > >> java.lang.NullPointerException > >> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx > >> ception(ExceptionHandler.java:76) > >> at org.jboss.resteasy.core.ExceptionHandler.handleException(Exc > >> eptionHandler.java:212) > >> at org.jboss.resteasy.core.SynchronousDispatcher.writeException > >> (SynchronousDispatcher.java:168) > >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > >> nousDispatcher.java:411) > >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > >> nousDispatcher.java:202) > >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi > >> spatcher.service(ServletContainerDispatcher.java:221) > >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > >> her.service(HttpServletDispatcher.java:56) > >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > >> her.service(HttpServletDispatcher.java:51) > >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > >> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se > >> rvletHandler.java:85) > >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > >> oFilter(FilterHandler.java:129) > >> at org.keycloak.services.filters.KeycloakSessionServletFilter.d > >> oFilter(KeycloakSessionServletFilter.java:90) > >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte > >> r.java:60) > >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > >> oFilter(FilterHandler.java:131) > >> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil > >> terHandler.java:84) > >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan > >> 
dler.handleRequest(ServletSecurityRoleHandler.java:62) > >> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl > >> eRequest(ServletDispatchingHandler.java:36) > >> at org.wildfly.extension.undertow.security.SecurityContextAssoc > >> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P > >> redicateHandler.java:43) > >> at io.undertow.servlet.handlers.security.SSLInformationAssociat > >> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) > >> at io.undertow.servlet.handlers.security.ServletAuthenticationC > >> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P > >> redicateHandler.java:43) > >> at io.undertow.security.handlers.AbstractConfidentialityHandler > >> .handleRequest(AbstractConfidentialityHandler.java:46) > >> at io.undertow.servlet.handlers.security.ServletConfidentiality > >> ConstraintHandler.handleRequest(ServletConfident > >> ialityConstraintHandler.java:64) > >> at io.undertow.security.handlers.AuthenticationMechanismsHandle > >> r.handleRequest(AuthenticationMechanismsHandler.java:60) > >> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes > >> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > >> at io.undertow.security.handlers.NotificationReceiverHandler.ha > >> ndleRequest(NotificationReceiverHandler.java:50) > >> at io.undertow.security.handlers.AbstractSecurityContextAssocia > >> tionHandler.handleRequest(AbstractSecurityContextAssociation > >> Handler.java:43) > >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P > >> redicateHandler.java:43) > >> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa > >> ndler.handleRequest(JACCContextIdHandler.java:61) > >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P > >> redicateHandler.java:43) > >> at 
io.undertow.server.handlers.PredicateHandler.handleRequest(P > >> redicateHandler.java:43) > >> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir > >> stRequest(ServletInitialHandler.java:284) > >> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR > >> equest(ServletInitialHandler.java:263) > >> at io.undertow.servlet.handlers.ServletInitialHandler.access$00 > >> 0(ServletInitialHandler.java:81) > >> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR > >> equest(ServletInitialHandler.java:174) > >> at io.undertow.server.Connectors.executeRootHandler(Connectors. > >> java:202) > >> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan > >> ge.java:793) > >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > >> Executor.java:1142) > >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > >> lExecutor.java:617) > >> at java.lang.Thread.run(Thread.java:745) > >> Caused by: java.lang.NullPointerException > >> at org.keycloak.services.resources.admin.UserFederationProvider > >> Resource.validateModel(UserFederationProviderResource.java:450) > >> at org.keycloak.services.resources.admin.UserFederationProvider > >> Resource.addMapper(UserFederationProviderResource.java:321) > >> at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown Source) > >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe > >> thodAccessorImpl.java:43) > >> at java.lang.reflect.Method.invoke(Method.java:498) > >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje > >> ctorImpl.java:139) > >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget > >> (ResourceMethodInvoker.java:295) > >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc > >> eMethodInvoker.java:249) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > >> tObject(ResourceLocatorInvoker.java:138) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > >> 
ceLocatorInvoker.java:107) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > >> tObject(ResourceLocatorInvoker.java:133) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > >> ceLocatorInvoker.java:107) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > >> tObject(ResourceLocatorInvoker.java:133) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > >> ceLocatorInvoker.java:107) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > >> tObject(ResourceLocatorInvoker.java:133) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > >> ceLocatorInvoker.java:101) > >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > >> nousDispatcher.java:395) > >> ... 37 more > >> > >> > >> > >> Regards, > >> > >> Nabeel Ahmed > >> Cell # +92 333 540 5542 > >> > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mr.beel at gmail.com Tue Apr 18 08:32:45 2017 From: mr.beel at gmail.com (Nabeel Ahmed) Date: Tue, 18 Apr 2017 17:32:45 +0500 Subject: [keycloak-user] NullPointerException while adding userFederationMappers In-Reply-To: References: Message-ID: Didn't tried 3.x. as we cannot upgrade from 2.4.0.Final for now. Regards, Nabeel Ahmed Cell # +92 333 540 5542 On Tue, Apr 18, 2017 at 5:29 PM, Bruno Oliveira wrote: > Is the same happening with 3.0.0.Final? 
> > On Tue, Apr 18, 2017 at 7:01 AM Nabeel Ahmed wrote: > >> URL: /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/ >> instances/845968bd-499e-4cd2-ad52-69bbe258c56c/mappers >> >> POST Request JSON : >> >> {"name":"email","federationProviderDisplayName":"dsis-ldap"," >> federationMapperType":"user-attribute-ldap-mapper"," >> config":{"ldap.attribute":"mail","is.mandatory.in.ldap":" >> false","read.only":"true","always.read.value.from.ldap":" >> false","user.model.attribute":"email"}} >> >> Regards, >> >> Nabeel Ahmed >> Cell # +92 333 540 5542 >> >> On Tue, Apr 18, 2017 at 2:55 PM, Nabeel Ahmed wrote: >> >> > + Using REST API >> > >> > Regards, >> > >> > Nabeel Ahmed >> > Cell # +92 333 540 5542 >> > >> > On Tue, Apr 18, 2017 at 2:53 PM, Nabeel Ahmed >> wrote: >> > >> >> Hi Everyone, >> >> >> >> I am using keycloak 2.4.0.Final and creating ldap user federation >> >> provider. >> >> Getting the following error when creating UserFederationMappers. >> >> >> >> >> >> >> >> 14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: >> >> Exception handling request to /auth/admin/realms/DecisionSpa >> >> ce_Integration_Server/user-federation/instances/79a731e1- >> >> 6d8d-499e-a62f-73cb38af72e2/mappers: org.jboss.resteasy.spi. >> UnhandledException: >> >> java.lang.NullPointerException >> >> at org.jboss.resteasy.core.ExceptionHandler. >> handleApplicationEx >> >> ception(ExceptionHandler.java:76) >> >> at org.jboss.resteasy.core.ExceptionHandler. >> handleException(Exc >> >> eptionHandler.java:212) >> >> at org.jboss.resteasy.core.SynchronousDispatcher. >> writeException >> >> (SynchronousDispatcher.java:168) >> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> Synchro >> >> nousDispatcher.java:411) >> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> Synchro >> >> nousDispatcher.java:202) >> >> at org.jboss.resteasy.plugins.server.servlet. 
>> ServletContainerDi >> >> spatcher.service(ServletContainerDispatcher.java:221) >> >> at org.jboss.resteasy.plugins.server.servlet. >> HttpServletDispatc >> >> her.service(HttpServletDispatcher.java:56) >> >> at org.jboss.resteasy.plugins.server.servlet. >> HttpServletDispatc >> >> her.service(HttpServletDispatcher.java:51) >> >> at javax.servlet.http.HttpServlet.service( >> HttpServlet.java:790) >> >> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >> Se >> >> rvletHandler.java:85) >> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> d >> >> oFilter(FilterHandler.java:129) >> >> at org.keycloak.services.filters. >> KeycloakSessionServletFilter.d >> >> oFilter(KeycloakSessionServletFilter.java:90) >> >> at io.undertow.servlet.core.ManagedFilter.doFilter( >> ManagedFilte >> >> r.java:60) >> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> d >> >> oFilter(FilterHandler.java:131) >> >> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >> Fil >> >> terHandler.java:84) >> >> at io.undertow.servlet.handlers.security. >> ServletSecurityRoleHan >> >> dler.handleRequest(ServletSecurityRoleHandler.java:62) >> >> at io.undertow.servlet.handlers.ServletDispatchingHandler. >> handl >> >> eRequest(ServletDispatchingHandler.java:36) >> >> at org.wildfly.extension.undertow.security. >> SecurityContextAssoc >> >> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> >> at io.undertow.server.handlers.PredicateHandler. >> handleRequest(P >> >> redicateHandler.java:43) >> >> at io.undertow.servlet.handlers.security. >> SSLInformationAssociat >> >> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> >> at io.undertow.servlet.handlers.security. >> ServletAuthenticationC >> >> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> >> at io.undertow.server.handlers.PredicateHandler. >> handleRequest(P >> >> redicateHandler.java:43) >> >> at io.undertow.security.handlers. 
>> AbstractConfidentialityHandler >> >> .handleRequest(AbstractConfidentialityHandler.java:46) >> >> at io.undertow.servlet.handlers.security. >> ServletConfidentiality >> >> ConstraintHandler.handleRequest(ServletConfident >> >> ialityConstraintHandler.java:64) >> >> at io.undertow.security.handlers. >> AuthenticationMechanismsHandle >> >> r.handleRequest(AuthenticationMechanismsHandler.java:60) >> >> at io.undertow.servlet.handlers.security. >> CachedAuthenticatedSes >> >> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> >> at io.undertow.security.handlers. >> NotificationReceiverHandler.ha >> >> ndleRequest(NotificationReceiverHandler.java:50) >> >> at io.undertow.security.handlers. >> AbstractSecurityContextAssocia >> >> tionHandler.handleRequest(AbstractSecurityContextAssociation >> >> Handler.java:43) >> >> at io.undertow.server.handlers.PredicateHandler. >> handleRequest(P >> >> redicateHandler.java:43) >> >> at org.wildfly.extension.undertow.security.jacc. >> JACCContextIdHa >> >> ndler.handleRequest(JACCContextIdHandler.java:61) >> >> at io.undertow.server.handlers.PredicateHandler. >> handleRequest(P >> >> redicateHandler.java:43) >> >> at io.undertow.server.handlers.PredicateHandler. >> handleRequest(P >> >> redicateHandler.java:43) >> >> at io.undertow.servlet.handlers.ServletInitialHandler. >> handleFir >> >> stRequest(ServletInitialHandler.java:284) >> >> at io.undertow.servlet.handlers.ServletInitialHandler. >> dispatchR >> >> equest(ServletInitialHandler.java:263) >> >> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >> 00 >> >> 0(ServletInitialHandler.java:81) >> >> at io.undertow.servlet.handlers.ServletInitialHandler$1. >> handleR >> >> equest(ServletInitialHandler.java:174) >> >> at io.undertow.server.Connectors. >> executeRootHandler(Connectors. 
>> >> java:202) >> >> at io.undertow.server.HttpServerExchange$1.run( >> HttpServerExchan >> >> ge.java:793) >> >> at java.util.concurrent.ThreadPoolExecutor.runWorker( >> ThreadPool >> >> Executor.java:1142) >> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >> ThreadPoo >> >> lExecutor.java:617) >> >> at java.lang.Thread.run(Thread.java:745) >> >> Caused by: java.lang.NullPointerException >> >> at org.keycloak.services.resources.admin. >> UserFederationProvider >> >> Resource.validateModel(UserFederationProviderResource.java:450) >> >> at org.keycloak.services.resources.admin. >> UserFederationProvider >> >> Resource.addMapper(UserFederationProviderResource.java:321) >> >> at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown >> Source) >> >> at sun.reflect.DelegatingMethodAccessorImpl. >> invoke(DelegatingMe >> >> thodAccessorImpl.java:43) >> >> at java.lang.reflect.Method.invoke(Method.java:498) >> >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >> MethodInje >> >> ctorImpl.java:139) >> >> at org.jboss.resteasy.core.ResourceMethodInvoker. >> invokeOnTarget >> >> (ResourceMethodInvoker.java:295) >> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >> Resourc >> >> eMethodInvoker.java:249) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker. >> invokeOnTarge >> >> tObject(ResourceLocatorInvoker.java:138) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> Resour >> >> ceLocatorInvoker.java:107) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker. >> invokeOnTarge >> >> tObject(ResourceLocatorInvoker.java:133) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> Resour >> >> ceLocatorInvoker.java:107) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker. >> invokeOnTarge >> >> tObject(ResourceLocatorInvoker.java:133) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> Resour >> >> ceLocatorInvoker.java:107) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker. 
>> invokeOnTarge >> >> tObject(ResourceLocatorInvoker.java:133) >> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> Resour >> >> ceLocatorInvoker.java:101) >> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> Synchro >> >> nousDispatcher.java:395) >> >> ... 37 more >> >> >> >> >> >> >> >> Regards, >> >> >> >> Nabeel Ahmed >> >> Cell # +92 333 540 5542 >> >> >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From mselvi78 at gmail.com Tue Apr 18 09:04:16 2017 From: mselvi78 at gmail.com (Metehan Selvi) Date: Tue, 18 Apr 2017 15:04:16 +0200 Subject: [keycloak-user] Encrypt samlp:Response with Keycloak Message-ID: Hi there, I configured OpenAM as IDP and Keycloak as SP together. I use the sales-post-enc - example App. SAML-AuthnRequests and SAML-Repsonses are working. ( Encryption disabled) When I enable Encrpytion in OpenAM and in the app, the SAML Repsonses cannot be encrypted in OpenAM as it throws Exceptions with Http 500 Responses. How do I get out from the Problem ? When I want to export the SPSSODescriptor form Keycloak for the OpenAM IDP, it contains only the KeyDescriptor for Signing. Normally it should be also possible to export the KeyDescriptor for encryption. Is this maybe the failure? Other ideas to get rid of the problem.. ?! Cheers Metehan Selvi From mr.beel at gmail.com Tue Apr 18 10:35:04 2017 From: mr.beel at gmail.com (Nabeel Ahmed) Date: Tue, 18 Apr 2017 19:35:04 +0500 Subject: [keycloak-user] NullPointerException while adding userFederationMappers In-Reply-To: References: Message-ID: Guys, Any help on it? Regards, Nabeel Ahmed Cell # +92 333 540 5542 On Tue, Apr 18, 2017 at 5:32 PM, Nabeel Ahmed wrote: > Didn't tried 3.x. as we cannot upgrade from 2.4.0.Final for now. 
>
>
>
> Regards,
>
> Nabeel Ahmed
> Cell # +92 333 540 5542
>
> On Tue, Apr 18, 2017 at 5:29 PM, Bruno Oliveira wrote:
>
>> Is the same happening with 3.0.0.Final?
>>
>> On Tue, Apr 18, 2017 at 7:01 AM Nabeel Ahmed wrote:
>>
>>> URL: /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/845968bd-499e-4cd2-ad52-69bbe258c56c/mappers
>>>
>>> POST Request JSON :
>>>
>>> {"name":"email","federationProviderDisplayName":"dsis-ldap","federationMapperType":"user-attribute-ldap-mapper","config":{"ldap.attribute":"mail","is.mandatory.in.ldap":"false","read.only":"true","always.read.value.from.ldap":"false","user.model.attribute":"email"}}
>>>
>>> Regards,
>>>
>>> Nabeel Ahmed
>>> Cell # +92 333 540 5542
>>>
>>> On Tue, Apr 18, 2017 at 2:55 PM, Nabeel Ahmed wrote:
>>>
>>> > + Using REST API
>>> >
>>> > Regards,
>>> >
>>> > Nabeel Ahmed
>>> > Cell # +92 333 540 5542
>>> >
>>> > On Tue, Apr 18, 2017 at 2:53 PM, Nabeel Ahmed wrote:
>>> >
>>> >> Hi Everyone,
>>> >>
>>> >> I am using keycloak 2.4.0.Final and creating ldap user federation
>>> >> provider.
>>> >> Getting the following error when creating UserFederationMappers.
>>> >>
>>> >>
>>> >>
>>> >> 14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/79a731e1-6d8d-499e-a62f-73cb38af72e2/mappers: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>>> >> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>> >> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>> >> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>> >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>> >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> >> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>> >> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>> >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>> >> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>> >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> >> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> >> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> >> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> >> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> >> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> >> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> >> at io.undertow.security.handlers.
>>> NotificationReceiverHandler.ha >>> >> ndleRequest(NotificationReceiverHandler.java:50) >>> >> at io.undertow.security.handlers. >>> AbstractSecurityContextAssocia >>> >> tionHandler.handleRequest(AbstractSecurityContextAssociation >>> >> Handler.java:43) >>> >> at io.undertow.server.handlers.Pr >>> edicateHandler.handleRequest(P >>> >> redicateHandler.java:43) >>> >> at org.wildfly.extension.undertow >>> .security.jacc.JACCContextIdHa >>> >> ndler.handleRequest(JACCContextIdHandler.java:61) >>> >> at io.undertow.server.handlers.Pr >>> edicateHandler.handleRequest(P >>> >> redicateHandler.java:43) >>> >> at io.undertow.server.handlers.Pr >>> edicateHandler.handleRequest(P >>> >> redicateHandler.java:43) >>> >> at io.undertow.servlet.handlers.S >>> ervletInitialHandler.handleFir >>> >> stRequest(ServletInitialHandler.java:284) >>> >> at io.undertow.servlet.handlers.S >>> ervletInitialHandler.dispatchR >>> >> equest(ServletInitialHandler.java:263) >>> >> at io.undertow.servlet.handlers.S >>> ervletInitialHandler.access$00 >>> >> 0(ServletInitialHandler.java:81) >>> >> at io.undertow.servlet.handlers.S >>> ervletInitialHandler$1.handleR >>> >> equest(ServletInitialHandler.java:174) >>> >> at io.undertow.server.Connectors. >>> executeRootHandler(Connectors. 
>>> >> java:202) >>> >> at io.undertow.server.HttpServerE >>> xchange$1.run(HttpServerExchan >>> >> ge.java:793) >>> >> at java.util.concurrent.ThreadPoo >>> lExecutor.runWorker(ThreadPool >>> >> Executor.java:1142) >>> >> at java.util.concurrent.ThreadPoo >>> lExecutor$Worker.run(ThreadPoo >>> >> lExecutor.java:617) >>> >> at java.lang.Thread.run(Thread.java:745) >>> >> Caused by: java.lang.NullPointerException >>> >> at org.keycloak.services.resource >>> s.admin.UserFederationProvider >>> >> Resource.validateModel(UserFederationProviderResource.java:450) >>> >> at org.keycloak.services.resource >>> s.admin.UserFederationProvider >>> >> Resource.addMapper(UserFederationProviderResource.java:321) >>> >> at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown >>> Source) >>> >> at sun.reflect.DelegatingMethodAc >>> cessorImpl.invoke(DelegatingMe >>> >> thodAccessorImpl.java:43) >>> >> at java.lang.reflect.Method.invoke(Method.java:498) >>> >> at org.jboss.resteasy.core.Method >>> InjectorImpl.invoke(MethodInje >>> >> ctorImpl.java:139) >>> >> at org.jboss.resteasy.core.Resour >>> ceMethodInvoker.invokeOnTarget >>> >> (ResourceMethodInvoker.java:295) >>> >> at org.jboss.resteasy.core.Resour >>> ceMethodInvoker.invoke(Resourc >>> >> eMethodInvoker.java:249) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invokeOnTarge >>> >> tObject(ResourceLocatorInvoker.java:138) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invoke(Resour >>> >> ceLocatorInvoker.java:107) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invokeOnTarge >>> >> tObject(ResourceLocatorInvoker.java:133) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invoke(Resour >>> >> ceLocatorInvoker.java:107) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invokeOnTarge >>> >> tObject(ResourceLocatorInvoker.java:133) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invoke(Resour >>> >> ceLocatorInvoker.java:107) >>> >> at 
org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invokeOnTarge >>> >> tObject(ResourceLocatorInvoker.java:133) >>> >> at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invoke(Resour >>> >> ceLocatorInvoker.java:101) >>> >> at org.jboss.resteasy.core.Synchr >>> onousDispatcher.invoke(Synchro >>> >> nousDispatcher.java:395) >>> >> ... 37 more >>> >> >>> >> >>> >> >>> >> Regards, >>> >> >>> >> Nabeel Ahmed >>> >> Cell # +92 333 540 5542 >>> >> >>> > >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > From bburke at redhat.com Tue Apr 18 10:53:50 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 18 Apr 2017 10:53:50 -0400 Subject: [keycloak-user] NullPointerException while adding userFederationMappers In-Reply-To: References: Message-ID: <5b62a7e6-9c54-a0d4-5843-cb735df4380c@redhat.com> You need to upgrade to the latest 2.5.x We do not support or provide patches for 2.4.x On 4/18/17 10:35 AM, Nabeel Ahmed wrote: > Guys, > Any help on it? > > Regards, > > Nabeel Ahmed > Cell # +92 333 540 5542 > > On Tue, Apr 18, 2017 at 5:32 PM, Nabeel Ahmed wrote: > >> Didn't tried 3.x. as we cannot upgrade from 2.4.0.Final for now. >> >> >> >> Regards, >> >> Nabeel Ahmed >> Cell # +92 333 540 5542 >> >> On Tue, Apr 18, 2017 at 5:29 PM, Bruno Oliveira >> wrote: >> >>> Is the same happening with 3.0.0.Final? 
>>> >>> On Tue, Apr 18, 2017 at 7:01 AM Nabeel Ahmed wrote: >>> >>>> URL: /auth/admin/realms/DecisionSpace_Integration_Server/user- >>>> federation/instances/845968bd-499e-4cd2-ad52-69bbe258c56c/mappers >>>> >>>> POST Request JSON : >>>> >>>> {"name":"email","federationProviderDisplayName":"dsis-ldap", >>>> "federationMapperType":"user-attribute-ldap-mapper","config" >>>> :{"ldap.attribute":"mail","is.mandatory.in.ldap":"false"," >>>> read.only":"true","always.read.value.from.ldap":"false", >>>> "user.model.attribute":"email"}} >>>> >>>> Regards, >>>> >>>> Nabeel Ahmed >>>> Cell # +92 333 540 5542 >>>> >>>> On Tue, Apr 18, 2017 at 2:55 PM, Nabeel Ahmed wrote: >>>> >>>>> + Using REST API >>>>> >>>>> Regards, >>>>> >>>>> Nabeel Ahmed >>>>> Cell # +92 333 540 5542 >>>>> >>>>> On Tue, Apr 18, 2017 at 2:53 PM, Nabeel Ahmed >>>> wrote: >>>>>> Hi Everyone, >>>>>> >>>>>> I am using keycloak 2.4.0.Final and creating ldap user federation >>>>>> provider. >>>>>> Getting the following error when creating UserFederationMappers. 
>>>>>> >>>>>> >>>>>> >>>>>> 14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023: >>>>>> Exception handling request to /auth/admin/realms/DecisionSpa >>>>>> ce_Integration_Server/user-federation/instances/79a731e1- >>>>>> 6d8d-499e-a62f-73cb38af72e2/mappers: org.jboss.resteasy.spi.Unhandl >>>> edException: >>>>>> java.lang.NullPointerException >>>>>> at org.jboss.resteasy.core.Except >>>> ionHandler.handleApplicationEx >>>>>> ception(ExceptionHandler.java:76) >>>>>> at org.jboss.resteasy.core.Except >>>> ionHandler.handleException(Exc >>>>>> eptionHandler.java:212) >>>>>> at org.jboss.resteasy.core.Synchr >>>> onousDispatcher.writeException >>>>>> (SynchronousDispatcher.java:168) >>>>>> at org.jboss.resteasy.core.Synchr >>>> onousDispatcher.invoke(Synchro >>>>>> nousDispatcher.java:411) >>>>>> at org.jboss.resteasy.core.Synchr >>>> onousDispatcher.invoke(Synchro >>>>>> nousDispatcher.java:202) >>>>>> at org.jboss.resteasy.plugins.ser >>>> ver.servlet.ServletContainerDi >>>>>> spatcher.service(ServletContainerDispatcher.java:221) >>>>>> at org.jboss.resteasy.plugins.ser >>>> ver.servlet.HttpServletDispatc >>>>>> her.service(HttpServletDispatcher.java:56) >>>>>> at org.jboss.resteasy.plugins.ser >>>> ver.servlet.HttpServletDispatc >>>>>> her.service(HttpServletDispatcher.java:51) >>>>>> at javax.servlet.http.HttpServlet >>>> .service(HttpServlet.java:790) >>>>>> at io.undertow.servlet.handlers.S >>>> ervletHandler.handleRequest(Se >>>>>> rvletHandler.java:85) >>>>>> at io.undertow.servlet.handlers.F >>>> ilterHandler$FilterChainImpl.d >>>>>> oFilter(FilterHandler.java:129) >>>>>> at org.keycloak.services.filters. 
>>>> KeycloakSessionServletFilter.d >>>>>> oFilter(KeycloakSessionServletFilter.java:90) >>>>>> at io.undertow.servlet.core.Manag >>>> edFilter.doFilter(ManagedFilte >>>>>> r.java:60) >>>>>> at io.undertow.servlet.handlers.F >>>> ilterHandler$FilterChainImpl.d >>>>>> oFilter(FilterHandler.java:131) >>>>>> at io.undertow.servlet.handlers.F >>>> ilterHandler.handleRequest(Fil >>>>>> terHandler.java:84) >>>>>> at io.undertow.servlet.handlers.s >>>> ecurity.ServletSecurityRoleHan >>>>>> dler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>>> at io.undertow.servlet.handlers.S >>>> ervletDispatchingHandler.handl >>>>>> eRequest(ServletDispatchingHandler.java:36) >>>>>> at org.wildfly.extension.undertow >>>> .security.SecurityContextAssoc >>>>>> iationHandler.handleRequest(SecurityContextAssociationHandle >>>> r.java:78) >>>>>> at io.undertow.server.handlers.Pr >>>> edicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at io.undertow.servlet.handlers.s >>>> ecurity.SSLInformationAssociat >>>>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>>> at io.undertow.servlet.handlers.s >>>> ecurity.ServletAuthenticationC >>>>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>>> at io.undertow.server.handlers.Pr >>>> edicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at io.undertow.security.handlers. >>>> AbstractConfidentialityHandler >>>>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>>>> at io.undertow.servlet.handlers.s >>>> ecurity.ServletConfidentiality >>>>>> ConstraintHandler.handleRequest(ServletConfident >>>>>> ialityConstraintHandler.java:64) >>>>>> at io.undertow.security.handlers. >>>> AuthenticationMechanismsHandle >>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>> at io.undertow.servlet.handlers.s >>>> ecurity.CachedAuthenticatedSes >>>>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>>> at io.undertow.security.handlers. 
>>>> NotificationReceiverHandler.ha >>>>>> ndleRequest(NotificationReceiverHandler.java:50) >>>>>> at io.undertow.security.handlers. >>>> AbstractSecurityContextAssocia >>>>>> tionHandler.handleRequest(AbstractSecurityContextAssociation >>>>>> Handler.java:43) >>>>>> at io.undertow.server.handlers.Pr >>>> edicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at org.wildfly.extension.undertow >>>> .security.jacc.JACCContextIdHa >>>>>> ndler.handleRequest(JACCContextIdHandler.java:61) >>>>>> at io.undertow.server.handlers.Pr >>>> edicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at io.undertow.server.handlers.Pr >>>> edicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at io.undertow.servlet.handlers.S >>>> ervletInitialHandler.handleFir >>>>>> stRequest(ServletInitialHandler.java:284) >>>>>> at io.undertow.servlet.handlers.S >>>> ervletInitialHandler.dispatchR >>>>>> equest(ServletInitialHandler.java:263) >>>>>> at io.undertow.servlet.handlers.S >>>> ervletInitialHandler.access$00 >>>>>> 0(ServletInitialHandler.java:81) >>>>>> at io.undertow.servlet.handlers.S >>>> ervletInitialHandler$1.handleR >>>>>> equest(ServletInitialHandler.java:174) >>>>>> at io.undertow.server.Connectors. >>>> executeRootHandler(Connectors. 
>>>>>> java:202) >>>>>> at io.undertow.server.HttpServerE >>>> xchange$1.run(HttpServerExchan >>>>>> ge.java:793) >>>>>> at java.util.concurrent.ThreadPoo >>>> lExecutor.runWorker(ThreadPool >>>>>> Executor.java:1142) >>>>>> at java.util.concurrent.ThreadPoo >>>> lExecutor$Worker.run(ThreadPoo >>>>>> lExecutor.java:617) >>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>> Caused by: java.lang.NullPointerException >>>>>> at org.keycloak.services.resource >>>> s.admin.UserFederationProvider >>>>>> Resource.validateModel(UserFederationProviderResource.java:450) >>>>>> at org.keycloak.services.resource >>>> s.admin.UserFederationProvider >>>>>> Resource.addMapper(UserFederationProviderResource.java:321) >>>>>> at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown >>>> Source) >>>>>> at sun.reflect.DelegatingMethodAc >>>> cessorImpl.invoke(DelegatingMe >>>>>> thodAccessorImpl.java:43) >>>>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>>>> at org.jboss.resteasy.core.Method >>>> InjectorImpl.invoke(MethodInje >>>>>> ctorImpl.java:139) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceMethodInvoker.invokeOnTarget >>>>>> (ResourceMethodInvoker.java:295) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceMethodInvoker.invoke(Resourc >>>>>> eMethodInvoker.java:249) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invokeOnTarge >>>>>> tObject(ResourceLocatorInvoker.java:138) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invoke(Resour >>>>>> ceLocatorInvoker.java:107) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invokeOnTarge >>>>>> tObject(ResourceLocatorInvoker.java:133) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invoke(Resour >>>>>> ceLocatorInvoker.java:107) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invokeOnTarge >>>>>> tObject(ResourceLocatorInvoker.java:133) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invoke(Resour >>>>>> ceLocatorInvoker.java:107) 
>>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invokeOnTarge >>>>>> tObject(ResourceLocatorInvoker.java:133) >>>>>> at org.jboss.resteasy.core.Resour >>>> ceLocatorInvoker.invoke(Resour >>>>>> ceLocatorInvoker.java:101) >>>>>> at org.jboss.resteasy.core.Synchr >>>> onousDispatcher.invoke(Synchro >>>>>> nousDispatcher.java:395) >>>>>> ... 37 more >>>>>> >>>>>> >>>>>> >>>>>> Regards, >>>>>> >>>>>> Nabeel Ahmed >>>>>> Cell # +92 333 540 5542 >>>>>> >>>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From aucunnin at redhat.com Tue Apr 18 10:53:46 2017 From: aucunnin at redhat.com (Austin Cunningham) Date: Tue, 18 Apr 2017 15:53:46 +0100 Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT Message-ID: Hi , I am looking for an example of JWT or Bearer implemented in Node.js with express js with Keycloak . 
Regards,
Austin

From francisco.tanudjaja at bina.roche.com Tue Apr 18 13:49:08 2017
From: francisco.tanudjaja at bina.roche.com (Tanudjaja, Francisco)
Date: Tue, 18 Apr 2017 10:49:08 -0700
Subject: [keycloak-user] java.net.ConnectException: JBAS012144: Could not connect to http-remoting://127.0.0.1:9990
Message-ID:

Hi,

I've followed the instructions on
https://keycloak.gitbooks.io/documentation/content/authorization_services/topics/getting-started/hello-world/deploy.html

I have the following keycloak.json in the 'config' directory of ~/path/to/keycloak-quickstarts/app-profile-jee-vanilla

"""
{
  "realm": "Foo",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "external",
  "resource": "fclient",
  "credentials": {
    "secret": "0749b4fc-db40-410a-ac2c-8837ce206c5d"
  },
  "policy-enforcer": {}
}
"""

Got the following error and wasn't able to find any references to port 9990 in the configuration.

[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Could not execute goal deploy on /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/target/vanilla.war. Reason: I/O Error could not execute operation '{
[ERROR]     "operation" => "read-attribute",
[ERROR]     "address" => [],
[ERROR]     "name" => "launch-type"
[ERROR] }': java.net.ConnectException: JBAS012144: Could not connect to http-remoting://127.0.0.1:9990. The connection timed out
[ERROR] -> [Help 1]

Please advise.

-----------------------------------------------------
Additional note:

I jumped a few hoops while navigating the documentation. It's possible the issue is caused by the changes I've made. For reference, I've listed them below.

## wrong link on github in https://keycloak.gitbooks.io/documentation/content/authorization_services/topics/getting-started/hello-world/deploy.html

** easy fix, looks like the folder was renamed
- $ cd keycloak-quickstarts/app-authz-jee-vanilla
+ $ cd keycloak-quickstarts/app-profile-jee-vanilla

## wrong version on pom
There is no '3.1.0.CR1-SNAPSHOT' published in maven repo
See
-> https://github.com/keycloak/keycloak/blob/3.0.x/boms/adapter/pom.xml
-> https://mvnrepository.com/artifact/org.keycloak.bom/keycloak-adapter-bom

** resolved by changing pom.xml
- 3.1.0.CR1-SNAPSHOT
+ 3.0.0.Final

## cannot compile test
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:testCompile (default-testCompile) on project keycloak-app-profile-jee-vanilla: Compilation failure: Compilation failure:
[ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[41,25] package org.keycloak.test does not exist
...

** resolved by removing app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java

From ulrik.lejon at mollyware.se Tue Apr 18 15:51:17 2017
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Tue, 18 Apr 2017 19:51:17 +0000
Subject: [keycloak-user] help
Message-ID:

--
Ulrik Lejon
Mollyware AB
+46-700-137786
ulrik.lejon at mollyware.se
www.mollyware.se

From bruno at abstractj.org Tue Apr 18 16:25:28 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 18 Apr 2017 20:25:28 +0000
Subject: [keycloak-user] java.net.ConnectException: JBAS012144: Could not connect to http-remoting://127.0.0.1:9990
In-Reply-To:
References:
Message-ID:

If you're starting WildFly on port 8180, I believe that you should specify -Dwildfly.port=10090 for deployment.

The quickstarts depend on keycloak-tests-helper, which wasn't released yet. That's the reason why it points to the same release specified on the Keycloak master branch. Here's what you can do to work around this while we fix it:

- git clone https://github.com/keycloak/keycloak.git && cd keycloak && mvn clean install -Pdistribution -DskipTests=true

I hope it helps.

From Dana.Danet at Evisions.com Tue Apr 18 18:28:04 2017
From: Dana.Danet at Evisions.com (Dana Danet)
Date: Tue, 18 Apr 2017 22:28:04 +0000
Subject: [keycloak-user] Multi tenancy with realms
In-Reply-To:
References:
Message-ID: <3B2825A1-AF83-4B56-BC12-9E4B8AA1ABCD@Evisions.com>

Hello Cesar,

We also struggled with these decisions in our first implementation. I am just now starting to think about transitioning to a 'Keycloak' multi-tenant architecture.
Currently, we are running a Spring Cloud microservice architecture fronted by several SPA sites leveraging a single-realm Keycloak instance. This is done by storing a user attribute 'tenant_id' when creating a user, which is done by a user microservice that delegates to Keycloak. In fact, Keycloak is only directly accessed as part of the login flow. User creation is done via an admin SPA web module and user-service.

This design has brought a few challenges, such as restricting resources per tenant, paging users across tenants, etc. (need for a better admin API here). Fortunately, by considering Keycloak as just another service within our cloud platform and proxying through a user or tenant service, we have reduced that tight coupling to the Keycloak REST API.

No performance issues yet, but one memory leak was found with the way Keycloak logs events with Spring Framework.

-dana

On Apr 13, 2017, at 1:19 AM, Mailing lists wrote:

From the thread you linked to it looks like someone already laid out some ideas where optimization could work. (Appears to be something with loading realms, caching, and flushing). Furthermore, it would seem that a slow startup phase is (or should be) an infrequent event. As well as administration. These are not show-stoppers for me.

If anything, perhaps a better work-around would be to architect a deployment where keycloak lives closer to the tenant application instances. Simply treat the keycloak as a microservice that is bundled with your apps, and have it automated to a point where it is more "code as configuration" rather than manually logging into keycloak and clicking around?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Cesar Salazar
Sent: Wednesday, April 12, 2017 6:39:44 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Multi tenancy with realms

Hi. I'm looking to use keycloak for a SaaS service, using realms for multi-tenancy. There's a discussion on a previous thread about performance issues when there are lots of realms: http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html

I wanted to ask if there is some work done in that direction. If not, where can I start looking so I can contribute?

Also, I was wondering what would be the implications of using a custom user attribute to "emulate" multi-tenancy. (I would add a custom attribute, and make my microservices validate against it). I know it's not the ideal way, but would it be possible? Do you know of any considerations I should take into account?

Thanks!

--
*Cesar Salazar*
CTO - DEVSU | www.devsu.com

From francisco.tanudjaja at bina.roche.com Tue Apr 18 19:31:41 2017
From: francisco.tanudjaja at bina.roche.com (Tanudjaja, Francisco)
Date: Tue, 18 Apr 2017 16:31:41 -0700
Subject: [keycloak-user] java.net.ConnectException: JBAS012144: Could not connect to http-remoting://127.0.0.1:9990
In-Reply-To:
References:
Message-ID:

Thanks for the reply.

I didn't exactly catch what you mean ... both the auth-server and vanilla-client are running wildfly?

I've restarted my auth-server using the command
=> ./standalone.sh -Djboss.socket.binding.port-offset=1910

Then I checked that I was able to login to the admin console on
=> http://localhost:9990/auth

Ran my vanilla client using the command
=> mvn install -DskipTests wildfly:deploy

Now I got a different error message
=> [ERROR] }': java.net.ConnectException: JBAS012174: Could not connect to http-remoting://127.0.0.1:9990. The connection failed: For now upgrade responses must have a content length of zero.
Also, checking out keycloak repo and running mvn install helped to some extent, but still running 'mvn install wildfly:deploy' has issues 1. keycloak-test-helpers dependency on the parent pom.xml may not have been defined correctly. I got this compilation error [ERROR] COMPILATION ERROR : [INFO] ------------------------------------------------------------- [ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[41,25] package org.keycloak.test does not exist [ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[42,34] package org.keycloak.test.builders does not exist [ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[51,32] package org.keycloak.test does not exist Seems to at least compile if I add the dependency manually on the child pom.xml + + org.keycloak + keycloak-test-helper + ${version.keycloak} + test + 2. Still after it compiles there's a runtime exception thrown ------------------------------------------------------- T E S T S ------------------------------------------------------- Running org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.179 sec <<< FAILURE! org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 1.177 sec <<< ERROR! 
java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166) at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103) at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52) at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) Caused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162) ... 
15 more

On Tue, Apr 18, 2017 at 1:25 PM, Bruno Oliveira wrote:
> If you're starting WildFly on port 8180, I believe that you should
> specify -Dwildfly.port=10090 for deployment.
>
> The quickstarts depend on keycloak-tests-helper, which wasn't released
> yet. That's the reason why it points to the same release specified on
> the Keycloak master branch. Here's what you can do to work around this while we
> fix it:
>
> - git clone https://github.com/keycloak/keycloak.git && cd keycloak &&
> mvn clean install -Pdistribution -DskipTests=true
>
> I hope it helps.
>
>
> On Tue, Apr 18, 2017 at 2:52 PM Tanudjaja, Francisco <
> francisco.tanudjaja at bina.roche.com> wrote:
>
>> Hi,
>>
>> I've followed the instructions on
>> https://keycloak.gitbooks.io/documentation/content/authorization_services/topics/getting-started/hello-world/deploy.html
>>
>> I have the following keycloak.json in the 'config' directory of
>> ~/path/to/keycloak-quickstarts/app-profile-jee-vanilla
>>
>> """
>> {
>>   "realm": "Foo",
>>   "auth-server-url": "http://localhost:8180/auth",
>>   "ssl-required": "external",
>>   "resource": "fclient",
>>   "credentials": {
>>     "secret": "0749b4fc-db40-410a-ac2c-8837ce206c5d"
>>   },
>>   "policy-enforcer": {}
>> }
>> """
>>
>> Got the following error and wasn't able to find any references to port 9990
>> in the configuration.
>>
>> [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli) on project
>> keycloak-app-profile-jee-vanilla: Could not execute goal deploy on
>> /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/target/vanilla.war.
>> Reason: I/O Error could not execute operation '{
>> [ERROR]     "operation" => "read-attribute",
>> [ERROR]     "address" => [],
>> [ERROR]     "name" => "launch-type"
>> [ERROR] }': java.net.ConnectException: JBAS012144: Could not connect to
>> http-remoting://127.0.0.1:9990. The connection timed out
>> [ERROR] -> [Help 1]
>>
>> Please advise.
>>
>>
>> -----------------------------------------------------
>> Additional note:
>>
>> I jumped through a few hoops while navigating the documentation. It's possible the
>> issue is caused by changes I've made. For reference, I've listed them
>> below.
>>
>> ## wrong link on github in https://keycloak.gitbooks.io/documentation/content/authorization_services/topics/getting-started/hello-world/deploy.html
>>
>> ** easy fix, looks like the folder was renamed
>> - $ cd keycloak-quickstarts/app-authz-jee-vanilla
>> + $ cd keycloak-quickstarts/app-profile-jee-vanilla
>>
>>
>> ## wrong version on pom
>> There is no '3.1.0.CR1-SNAPSHOT' published in the maven repo
>> See
>> -> https://github.com/keycloak/keycloak/blob/3.0.x/boms/adapter/pom.xml
>> -> https://mvnrepository.com/artifact/org.keycloak.bom/keycloak-adapter-bom
>>
>> ** resolved by changing pom.xml
>> - 3.1.0.CR1-SNAPSHOT
>> + 3.0.0.Final
>>
>>
>> ## cannot compile test
>> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:testCompile (default-testCompile) on project
>> keycloak-app-profile-jee-vanilla: Compilation failure: Compilation failure:
>> [ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[41,25]
>> package org.keycloak.test does not exist
>> ...
>>
>> ** resolved by removing app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From llivezking at gmail.com Tue Apr 18 21:49:39 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Wed, 19 Apr 2017 11:49:39 +1000
Subject: [keycloak-user] Get magic link for users to login
In-Reply-To:
References:
Message-ID: <6c50a0b0-c4ff-0648-8db8-e0448eac7153@gmail.com>

Hi, recently I implemented almost the same feature for our environment. I've done it via a custom Authenticator implementation. This authenticator is injected into the browser authentication flow as an alternative execution just before the cookie execution, and checks the request link to decide whether it should authenticate the user by this link. Here is a snippet:

    import javax.ws.rs.core.MultivaluedMap;
    import org.keycloak.authentication.AuthenticationFlowContext;
    import org.keycloak.models.RealmModel;
    import org.keycloak.models.UserModel;

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> queryParams =
                context.getHttpRequest().getUri().getQueryParameters();

        // If uri doesn't contain appropriate query params this flow is not applicable,
        // so we pass it by to other flow chain
        if (!(queryParams.containsKey("marker") && queryParams.containsKey("userId"))) {
            context.attempted();
            return;
        }

        // Extract params from request
        String userId = queryParams.getFirst("userId");
        String marker = queryParams.getFirst("marker");

        RealmModel realm = context.getSession().getContext().getRealm();
        // getUserById() returns null for an unknown id; checkConditions() must treat that as a failure
        UserModel user = context.getSession().users().getUserById(userId, realm);

        // If user state doesn't match requirements this flow is not applicable,
        // so we pass it by to other flow chain
        if (checkConditions(user, marker, otherStruff)) {
            // User could be authenticated
            context.setUser(user);
            context.success();
        } else {
            context.attempted();
        }
    }

On 18.04.2017 19:09, Martin Johansson wrote:
> Hi!
>
> We want to achieve the following:
>
> Expose a REST endpoint where an authenticated client can retrieve a magic
> login link for a specific user. We have an ID in the attributes for the
> user which enables us to get the correct user.
>
> The reason for this is that we need to expose the possibility to send
> e-mails from other systems than Keycloak. We have other ways of composing
> the e-mails.
>
> So the wanted final state is that a user can click a link in his e-mail client
> and be redirected to our app and be logged in.
>
> BR,
> Martin
>
> ---------- Forwarded message ----------
>> From: Ilya Korol
>> To: keycloak-user at lists.jboss.org
>> Cc:
>> Bcc:
>> Date: Fri, 14 Apr 2017 15:59:10 +1000
>> Subject: Re: [keycloak-user] Get magic link for users to login
>> Hi, could you explain in more detail what you want to achieve? As for my
>> team, we also implemented a custom rest endpoint, which sends customized emails
>> to users. Check out org.keycloak.services.resources.admin.UsersResource
>> for details of default link constructing. (methods: resetPasswordEmail(),
>> executeActionsEmail(), sendVerifyEmail())
>>
>>
>> On 13.04.2017 17:54, Martin Johansson wrote:
>>
>>> Is it possible to retrieve the magic link that is sent by e-mail via the
>>> Java API? We have implemented an SPI with a REST interface and would like to
>>> get the link for usage in custom e-mails.
>>> Any hints on which provider to be used are much appreciated.
>>> >>> Regards, >>> Martin >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ulrik.lejon at mollyware.se Wed Apr 19 01:59:06 2017 From: ulrik.lejon at mollyware.se (Ulrik Lejon) Date: Wed, 19 Apr 2017 05:59:06 +0000 Subject: [keycloak-user] Get magic link for users to login In-Reply-To: <6c50a0b0-c4ff-0648-8db8-e0448eac7153@gmail.com> References: <6c50a0b0-c4ff-0648-8db8-e0448eac7153@gmail.com> Message-ID: Hi Sounds like a good idea! Out of curiosity, how do you create the links? Also, will the links ever expire? BR, Ulrik On Wed, 19 Apr 2017, 04:02 Ilya Korol, wrote: > Hi recently i implemented almost same feature for our environment. I've > done it via custom Authenticator implementation. This authenticator is > injected in browser authentication flow as alternative execution just > before cookie execution, and check request link whether he should > authenticate user by this link. 
Here some snippet: > > > @Override > public void authenticate(AuthenticationFlowContext context) { > MultivaluedMap queryParams = > context.getHttpRequest().getUri().getQueryParameters(); > > // If uri doesn't contain appropriate query params this flow is > not applicable, > // so we pass it by to other flow chain > if (!(queryParams.containsKey("marker") && > queryParams.containsKey("userId"))) { > context.attempted(); > return; > } > > // Extract params from request > String userId = queryParams.getFirst("userId"); > String marker = queryParams.getFirst("marker"); > > RealmModel realm = context.getSession().getContext().getRealm(); > UserModel user = > context.getSession().users().getUserById(userId, realm); > > // If user state doesn't match requirements this flow is not > applicable, > // so we pass it by to other flow chain > if (checkConditions(user, marker, otherStruff)) { > > // User could be authenticated > > context.setUser(user); > context.success(); > } else { > context.attempted(); > } > } > > > > On 18.04.2017 19:09, Martin Johansson wrote: > > Hi! > > > > We want to achieve the following: > > > > Expose a REST endpoint where an authenticated client can retrieve a magic > > login link for a specific user. We have an ID in the attributes for the > > user which enables us to get the correct user. > > > > The reason for this is that we need to expose the possibility to send > > e-mails from other systems than Keycloak. We have other ways of composing > > the e-mails. > > > > So wanted final state is that a user can click a link in his e-mail > client > > and be redirected to our app and be logged in. > > > > BR, > > Martin > > > > ---------- Forwarded message ---------- > >> From: Ilya Korol > >> To: keycloak-user at lists.jboss.org > >> Cc: > >> Bcc: > >> Date: Fri, 14 Apr 2017 15:59:10 +1000 > >> Subject: Re: [keycloak-user] Get magic link for users to login > >> Hi, could you explain more detailed what you want to achieve? 
As for my
> >> team, we also implemented a custom rest endpoint, which sends customized emails
> >> to users. Check out org.keycloak.services.resources.admin.UsersResource
> >> for details of default link constructing. (methods: resetPasswordEmail(),
> >> executeActionsEmail(), sendVerifyEmail())
> >>
> >>
> >> On 13.04.2017 17:54, Martin Johansson wrote:
> >>
> >>> Is it possible to retrieve the magic link that is sent by e-mail via the
> >>> Java API? We have implemented an SPI with a REST interface and would like to
> >>> get the link for usage in custom e-mails.
> >>> Any hints on which provider to be used are much appreciated.
> >>>
> >>> Regards,
> >>> Martin
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Ulrik Lejon
Mollyware AB

+46-700-137786
ulrik.lejon at mollyware.se
www.mollyware.se

From llivezking at gmail.com Wed Apr 19 02:12:22 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Wed, 19 Apr 2017 16:12:22 +1000
Subject: [keycloak-user] Get magic link for users to login
In-Reply-To:
References: <6c50a0b0-c4ff-0648-8db8-e0448eac7153@gmail.com>
Message-ID: <6c296c34-b2c9-b144-a0c1-fa6c8f20c306@gmail.com>

Hi. I implemented a custom REST endpoint for the Keycloak Admin REST API, where the link is constructed.
For example, if you go to the keycloak account client you will see in the browser address bar something like:

http://localhost:8081/auth/realms/test-modules/protocol/openid-connect/auth?client_id=account&redirect_uri=%2Fauth%2Frealms%2Ftest-modules%2Faccount&state=41dacfb3-fa49-499e-9797-2137c618a8a8&response_type=code&scope=openid

so the authenticator will play its game if you follow a similar link with the format:

${default_authentication_link}&userId=bla&marker=blabla

So construction of this link is pretty simple:

    import java.net.URISyntaxException;
    import java.util.UUID;
    import org.apache.http.client.utils.URIBuilder;
    import org.keycloak.models.ClientModel;
    import org.keycloak.models.UserModel;

    // realm, uriInfo, logger and the ATTR_* constants are fields of the enclosing REST resource
    private String generateActivationLink(UserModel user, String targetClientId) {
        ClientModel client = realm.getClientByClientId(targetClientId);

        user.setSingleAttribute(ATTR_EXPIRATION, String.valueOf(computeExpirationTime(realm)));
        user.setSingleAttribute(ATTR_MARKER, UUID.randomUUID().toString());

        try {
            URIBuilder linkUri = new URIBuilder(String.format(
                    "%srealms/%s/protocol/openid-connect/auth",
                    uriInfo.getBaseUri().toString(),
                    realm.getName()
            ))
                    .addParameter("client_id", client.getClientId())
                    .addParameter("redirect_uri", client.getBaseUrl())
                    .addParameter("state", UUID.randomUUID().toString())
                    .addParameter("response_type", "code")
                    .addParameter("scope", "openid")
                    // Add additional params; the names must match what the authenticator reads
                    .addParameter("userId", user.getId())
                    .addParameter("marker", user.getFirstAttribute(ATTR_MARKER));

            return linkUri.build().toString();
        } catch (URISyntaxException e) {
            logger.error("Unable to construct activation link");
            return null;
        }
    }

Expiration of the link or any other restriction could be implemented by adding attributes to the UserModel while constructing the link and checking their values during authentication.

The only thing that bothers me now is how secure this approach is, so it would be great if someone pointed me to any potential security drawbacks. As for me, this is not less secure than the standard reset credentials flow.

On 19.04.2017 15:59, Ulrik Lejon wrote:
> Hi
>
> Sounds like a good idea!
> Out of curiosity, how do you create the links? Also, will the links ever
> expire?
> > BR, > Ulrik > > On Wed, 19 Apr 2017, 04:02 Ilya Korol, wrote: > >> Hi recently i implemented almost same feature for our environment. I've >> done it via custom Authenticator implementation. This authenticator is >> injected in browser authentication flow as alternative execution just >> before cookie execution, and check request link whether he should >> authenticate user by this link. Here some snippet: >> >> >> @Override >> public void authenticate(AuthenticationFlowContext context) { >> MultivaluedMap queryParams = >> context.getHttpRequest().getUri().getQueryParameters(); >> >> // If uri doesn't contain appropriate query params this flow is >> not applicable, >> // so we pass it by to other flow chain >> if (!(queryParams.containsKey("marker") && >> queryParams.containsKey("userId"))) { >> context.attempted(); >> return; >> } >> >> // Extract params from request >> String userId = queryParams.getFirst("userId"); >> String marker = queryParams.getFirst("marker"); >> >> RealmModel realm = context.getSession().getContext().getRealm(); >> UserModel user = >> context.getSession().users().getUserById(userId, realm); >> >> // If user state doesn't match requirements this flow is not >> applicable, >> // so we pass it by to other flow chain >> if (checkConditions(user, marker, otherStruff)) { >> >> // User could be authenticated >> >> context.setUser(user); >> context.success(); >> } else { >> context.attempted(); >> } >> } >> >> >> >> On 18.04.2017 19:09, Martin Johansson wrote: >>> Hi! >>> >>> We want to achieve the following: >>> >>> Expose a REST endpoint where an authenticated client can retrieve a magic >>> login link for a specific user. We have an ID in the attributes for the >>> user which enables us to get the correct user. >>> >>> The reason for this is that we need to expose the possibility to send >>> e-mails from other systems than Keycloak. We have other ways of composing >>> the e-mails. 
>>> >>> So wanted final state is that a user can click a link in his e-mail >> client >>> and be redirected to our app and be logged in. >>> >>> BR, >>> Martin >>> >>> ---------- Forwarded message ---------- >>>> From: Ilya Korol >>>> To: keycloak-user at lists.jboss.org >>>> Cc: >>>> Bcc: >>>> Date: Fri, 14 Apr 2017 15:59:10 +1000 >>>> Subject: Re: [keycloak-user] Get magic link for users to login >>>> Hi, could you explain more detailed what you want to achieve? As for my >>>> team we also implemented custom rest endpoint, which send customized >> emails >>>> to users. Check out org.keycloak.services.resources.admin.UsersResource >>>> for details of default link constructing. (methods: >> resetPasswordEmail(), >>>> executeActionsEmail(), sendVerifyEmail()) >>>> >>>> >>>> On 13.04.2017 17:54, Martin Johansson wrote: >>>> >>>>> Is it possible to retrieve the magic link that are sent by e-mail via >> the >>>>> Java >>>>> API? We have implemented an SPI with a REST interface and would like to >>>>> get >>>>> the link for usage in custom e-mails. >>>>> Any hints which provider to be used is much appreciated. 
>>>>>
>>>>> Regards,
>>>>> Martin
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From marc.tempelmeier at flane.de Wed Apr 19 03:02:32 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 19 Apr 2017 07:02:32 +0000
Subject: [keycloak-user] Admin user in Clustered Domain Mode
Message-ID: <12aa0c8c99f541ca9d969236fdc5bce2@dehamex2013.europe.flane.local>

Hi,

We connected a Domain Controller and 2 Slaves. How can I create an admin user? There is a "--domain" switch, but the users created with it don't work. If I create an admin user on a slave it works, and after that I can use him on the other slave, because he is in the db.

How is the intended workflow here?

Greetings

Marc

From hmlnarik at redhat.com Wed Apr 19 03:17:38 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 19 Apr 2017 09:17:38 +0200
Subject: [keycloak-user] Encrypt samlp:Response with Keycloak
In-Reply-To:
References:
Message-ID:

On Tue, Apr 18, 2017 at 3:04 PM, Metehan Selvi wrote:
> Hi there,
> I configured OpenAM as IDP and Keycloak as SP together.
> I use the sales-post-enc example App.

Do you mean using Keycloak adapters as SP and OpenAM as IdP, or OpenAM as brokered IdP while using Keycloak as IdP for sales-post-enc SP?

> SAML-AuthnRequests and SAML-Responses are working.
> ( Encryption disabled)
>
> When I enable Encryption in OpenAM and in the app, the SAML Responses
> cannot be encrypted in OpenAM as it throws Exceptions with Http 500
> Responses.

Is it OpenAM or Keycloak returning HTTP 500 error? If Keycloak, can you share details of the exception?

> How do I get out from the Problem ?
>
> When I want to export the SPSSODescriptor from Keycloak for the OpenAM IDP,
> it contains only the KeyDescriptor for Signing. Normally it should be also
> possible to export the KeyDescriptor for encryption. Is this maybe the
> failure?
>
> Other ideas to get rid of the problem.. ?!
>
> Cheers
> Metehan Selvi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From ulrik.lejon at mollyware.se Wed Apr 19 03:25:34 2017
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Wed, 19 Apr 2017 07:25:34 +0000
Subject: [keycloak-user] help
In-Reply-To: <0335b84a-846f-4d16-a490-29c54a2a41f2@redhat.com>
References: <0335b84a-846f-4d16-a490-29c54a2a41f2@redhat.com>
Message-ID:

Hi!

Thanx :-) I was trying to send the 'help' command but used the wrong recipient email address.
// Ulrik

On Tue, 18 Apr 2017, 22:34 Josh Cain, wrote:
> OK, all kidding aside give us some information on what you need help
> with and the community is pretty about helping out ;)
>
> Josh Cain
> Senior Software Applications Engineer, RHCSA
> Red Hat North America
> jcain at redhat.com M: +1 256-452-0150 IRC: jcain
>
> On 04/18/2017 03:27 PM, Josh Cain wrote:
> > [image: Inline image 1]
> >
> > Josh Cain
> >
> > Senior Software Applications Engineer, RHCSA
> >
> > Red Hat USA
> >
> > josh.cain at redhat.com M: 256-452-0150
> > IM: jcain
> >
> >
> > On Tue, Apr 18, 2017 at 2:51 PM, Ulrik Lejon wrote:
> >
> >> --
> >> Ulrik Lejon
> >> Mollyware AB
> >>
> >> +46-700-137786
> >> ulrik.lejon at mollyware.se
> >> www.mollyware.se
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >

From kevin.berendsen at pharmapartners.nl Wed Apr 19 03:32:51 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Wed, 19 Apr 2017 07:32:51 +0000
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
In-Reply-To:
References:
Message-ID:

Hi Austin,

I believe this example is what you're looking for. [1]

Make sure you read the README carefully.

[1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example

Kind regards,

Kevin

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Austin Cunningham
Sent: Tuesday 18 April 2017 16:54
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT

Hi,

I am looking for an example of JWT or Bearer implemented in Node.js with express js with Keycloak.
Regards,
Austin
_______________________________________________
keycloak-user mailing list
mailto:keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From aucunnin at redhat.com Wed Apr 19 05:01:57 2017
From: aucunnin at redhat.com (Austin Cunningham)
Date: Wed, 19 Apr 2017 10:01:57 +0100
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
In-Reply-To:
References:
Message-ID:

Hi Kevin,

Thanks for getting back to me. I have reviewed that example before; it seems to be using sessions, not bearer or jwt. Correct me if I am wrong, I could be missing something. I was hoping to find an implementation of http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html.

Regards
Austin

On 19 April 2017 at 08:32, Kevin Berendsen <
kevin.berendsen at pharmapartners.nl> wrote:
> Hi Austin,
>
> I believe this example is what you're looking for. [1]
>
> Make sure you read the README carefully.
>
> [1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
>
> Kind regards,
>
> Kevin
>
> -----Original message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Austin Cunningham
> Sent: Tuesday 18 April 2017 16:54
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
>
> Hi,
>
> I am looking for an example of JWT or Bearer implemented in Node.js with
> express js with Keycloak.
>
> Regards,
> Austin
> _______________________________________________
> keycloak-user mailing list
> mailto:keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Austin Cunningham
Software Engineering Intern
Red Hat Mobile
Communications House, Cork Road, Waterford X91NY33 Ireland
aucunnin at redhat.com

From rohitchaudhary95 at gmail.com Wed Apr 19 07:35:42 2017
From: rohitchaudhary95 at gmail.com (rohit chaudhary)
Date: Wed, 19 Apr 2017 17:05:42 +0530
Subject: [keycloak-user] User Storage SPI for multiple db
Message-ID:

Hi,

I am implementing Keycloak SSO for Django and .NET apps. I have a doubt on how to go with the user database. All apps have separate db. How to proceed? Need some suggestions and please refer some examples of custom user storage SPI.

Thanks,
Rohit

From llivezking at gmail.com Wed Apr 19 08:10:53 2017
From: llivezking at gmail.com (Король Илья)
Date: Wed, 19 Apr 2017 12:10:53 +0000
Subject: [keycloak-user] User Storage SPI for multiple db
In-Reply-To:
References:
Message-ID:

Hi. If each of your apps has a separate users db, what do you want to have in ideal circumstances? Do your databases include the same users?

For example, if you want to have "merged" user storage you could implement a custom user storage for every db, so when a user is redirected to keycloak for login, keycloak will consecutively try to extract user data from these user storages. And you will have the opportunity to set priorities of these storages in the keycloak admin console. As for examples, you should check the examples from the git repo and also carefully read the tutorial in the docs.

Also, your implementations could have the ability to create users in keycloak itself on the fly while extracting users from user storages (so later you will have a merged user db in keycloak). See details in the docs (Server development -> User Storage SPI -> Import Implementation Strategy).

19.04.2017 11:35, rohit chaudhary wrote:
> Hi,
>
> I am implementing Keycloak SSO for Django and .NET apps. I have a doubt on
> how to go with the user database. All apps have separate db. How to
> proceed? Need some suggestions and please refer some examples of custom
> user storage SPI.
>
> Thanks,
> Rohit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rajkiran.k at inteqsolutions.com Wed Apr 19 08:33:27 2017
From: rajkiran.k at inteqsolutions.com (Rajkiran K)
Date: Wed, 19 Apr 2017 18:03:27 +0530
Subject: [keycloak-user] Resteasy client SSLHandshakeException
Message-ID:

Hi all,

We are trying to get all roles data of a realm from keycloak.
We are getting "SSLHandshakeException", can anyone help on this issue?

*Keycloak version*: 1.9.8 Final
*resteasy-client version*: resteasy-client-3.0.14.Final

build 19-Apr-2017 02:00:18 2017-04-19 02:00:18 INFO KeycloakRestUserDataLoader:228 - Retrieving Roles from Keycloak
error 19-Apr-2017 02:00:19 javax.ws.rs.ProcessingException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
error 19-Apr-2017 02:00:19 at com.sun.proxy.$Proxy27.list(Unknown Source)
error 19-Apr-2017 02:00:19 at com.sample.loader.KeycloakRestUserDataLoader.getRealmRoles(KeycloakRestUserDataLoader.java:230)
error 19-Apr-2017 02:00:19 at com.sample.loader.KeycloakRestUserDataLoader.loadUserData(KeycloakRestUserDataLoader.java:199)
error 19-Apr-2017 02:00:19 at com.sample.loader.KeycloakDataManager.main(KeycloakDataManager.java:34)
error 19-Apr-2017 02:00:19 Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:174)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.invoke(URLConnectionEngine.java:47)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
error 19-Apr-2017 02:00:19 at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85)
error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65)
error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60)
error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
error 19-Apr-2017 02:00:19 ... 6 more
error 19-Apr-2017 02:00:19 Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
error 19-Apr-2017 02:00:19 at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
error 19-Apr-2017 02:00:19 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
error 19-Apr-2017 02:00:19 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
error 19-Apr-2017 02:00:19 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
error 19-Apr-2017 02:00:19 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:167)
error 19-Apr-2017 02:00:19 ... 16 more
error 19-Apr-2017 02:00:19 Caused by: java.io.EOFException: SSL peer shut down incorrectly
error 19-Apr-2017 02:00:19 at sun.security.ssl.InputRecord.read(InputRecord.java:505)
error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
error 19-Apr-2017 02:00:19 ... 25 more
build 19-Apr-2017 02:00:19 2017-04-19 02:00:19 ERROR KeycloakDataManager:38 - java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

--
Thanks in advance,
Rajkiran K

From watson409 at gmail.com Wed Apr 19 08:51:59 2017
From: watson409 at gmail.com (Brian Watson)
Date: Wed, 19 Apr 2017 08:51:59 -0400
Subject: [keycloak-user] Updating a client secret
Message-ID:

Hi all,

I've noticed that when a client is created via the API, the caller can set the client secret. However, on a client update API call, the client secret can not be updated. I am aware that there is an API for resetting a client secret, and another for obtaining the new secret. However, I was wondering if the ability to update a client secret on a client update API call could be readdressed. Here is my use case:

My company is writing a tool that allows us to configure keycloak via configuration. One of the main uses is to be able to update the data for a client for a given microservice in our deployment pipeline. If we could update the client secret via an update call, then all configuration could be set before a deployment: the keycloak client secret in the tool configuration, and the client secret configuration in the microservice. During deployment, this would minimize downtime. Additionally, the tool is simplified, as it doesn't need to know how the microservice handles its configuration.
However, if we rely on the reset secret functionality, we either have to:
- Use the UI to reset the secret, put the new secret in the microservice configuration, then deploy. This will create a good amount of downtime for the microservice -> keycloak communication.
- Update the tool we are creating to use the reset API, fetch the new secret, then automatically update the microservice configuration. This is problematic, as our system is a polyglot system, and the tool would need some complicated logic and per-microservice customizations to programmatically update the given microservice's configuration during deployment.

Again, being able to update a secret with a predefined value would greatly simplify the tool development and deployment process.

Thoughts?

From hmlnarik at redhat.com Wed Apr 19 09:11:52 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 19 Apr 2017 15:11:52 +0200
Subject: [keycloak-user] Encrypt samlp:Response with Keycloak
In-Reply-To:
References:
Message-ID: <6839c39c-e3e1-91fe-af76-c2e9166a80c3@redhat.com>

[re-adding list]

On 04/19/2017 02:47 PM, Metehan Selvi wrote:
> Hi,
> in fact it is the second option:
> Keycloak as IdP for sales-post-enc SP (both on the same wildfly/keycloak instance) with OpenAM as brokered IdP:
>
> - I deployed sales-post-enc with the mvn clean package wildfly:deploy option,
> - I entered the admin console and inside the saml-demo realm, I imported the OpenAM IDPSSODescriptor
> - On the tab Export (from Menu Identity Providers) I took the SPSSODescriptor section under the Download button and imported keycloak as remote SP on the OpenAM login site.
> What I found strange is that there is no KeyDescriptor for encryption, only for signing.
>
> (Also there is no KeyDescriptor for encryption in the SPSSODescriptor for Clients when Encrypt Assertions is enabled and there are EncryptionKey and SigningKey available)

Please file an issue in Keycloak JIRA.
> The 500 HTTP-Error occurs on the OpenAM site when Encryption is enabled on the IDP and before the SAML Response is generated.
> If Encryption is disabled on OpenAM, the SAML Responses are generated correctly without Errors.

500 is not thrown in Keycloak and the SAML response [to be generated by OpenAM] does not get to Keycloak either. Hence I believe OpenAM support is the correct target audience. Please share further details (e.g. the exception) if you find out that the issue is specific to Keycloak communication with OpenAM.

Thanks

--Hynek

> Cheers
>
> On Wed, Apr 19, 2017 at 9:17 AM, Hynek Mlnarik wrote:
>
> On Tue, Apr 18, 2017 at 3:04 PM, Metehan Selvi wrote:
> > Hi there,
> > I configured OpenAM as IDP and Keycloak as SP together.
> > I use the sales-post-enc example App.
>
> Do you mean using Keycloak adapters as SP and OpenAM as IdP, or OpenAM as brokered IdP while using Keycloak as IdP for sales-post-enc SP?
>
> > SAML-AuthnRequests and SAML-Responses are working.
> > (Encryption disabled)
> >
> > When I enable Encryption in OpenAM and in the app, the SAML Responses cannot be encrypted in OpenAM as it throws Exceptions with Http 500 Responses.
>
> Is it OpenAM or Keycloak returning HTTP 500 error? If Keycloak, can you share details of the exception?
>
> > How do I get out from the Problem?
> >
> > When I want to export the SPSSODescriptor from Keycloak for the OpenAM IDP, it contains only the KeyDescriptor for Signing. Normally it should be also possible to export the KeyDescriptor for encryption. Is this maybe the failure?
> >
> > Other ideas to get rid of the problem..?!
> >
> > Cheers
> > Metehan Selvi
>
> --
> --Hynek

From tecnologia at growingup.com.co Wed Apr 19 10:51:21 2017
From: tecnologia at growingup.com.co (tecnologia at growingup.com.co)
Date: Wed, 19 Apr 2017 09:51:21 -0500
Subject: [keycloak-user] Tuning Keycloak server in PROD
Message-ID: <000f01d2b91c$6a9e2e60$3fda8b20$@growingup.com.co>

Hello community,

Do you know any recommendations to improve the performance of the Keycloak server in production?

My case is that I use Keycloak's REST services a lot; they are used frequently and with high concurrency. What do you recommend?

Usually JVM memory, connection pool and threads

Thanks

--
Cordially

Jairo Henao Rojas

From mposolda at redhat.com Wed Apr 19 12:11:43 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 19 Apr 2017 18:11:43 +0200
Subject: [keycloak-user] Updating a client secret
In-Reply-To:
References:
Message-ID:

You're right. It seems we don't have the possibility to update the secret. I agree that it might be useful for some cases. It can be set just during client creation or realm import though.

It looks like your possibilities for now are to:
- use client creation or realm import instead of client update
- update your tool to retrieve the generated secret from the client
- create a custom REST endpoint, which will allow you to update the client including the secret (see the Keycloak docs and the example in directory "providers" on how to do that).

Feel free to create a JIRA for it.

Marek

On 19/04/17 14:51, Brian Watson wrote:
> Hi all,
>
> I've noticed that when a client is created via the API, the caller can set the client secret. However, on a client update API call, the client secret can not be updated. I am aware that there is an API for resetting a client secret, and another for obtaining the new secret.
> However, I was wondering if the ability to update a client secret on a client update API call could be readdressed. Here is my use case:
>
> My company is writing a tool that allows us to configure keycloak via configuration. One of the main uses is to be able to update the data for a client for a given microservice in our deployment pipeline. If we could update the client secret via an update call, then all configuration could be set before a deployment: the keycloak client secret in the tool configuration, and the client secret configuration in the microservice. During deployment, this would minimize downtime. Additionally, the tool is simplified, as it doesn't need to know how the microservice handles its configuration.
>
> However, if we rely on the reset secret functionality, we either have to:
> - Use the UI to reset the secret, put the new secret in the microservice configuration, then deploy. This will create a good amount of downtime for the microservice -> keycloak communication.
> - Update the tool we are creating to use the reset API, fetch the new secret, then automatically update the microservice configuration. This is problematic, as our system is a polyglot system, and the tool would need some complicated logic and per-microservice customizations to programmatically update the given microservice's configuration during deployment.
>
> Again, being able to update a secret with a predefined value would greatly simplify the tool development and deployment process.
>
> Thoughts?
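As an added example (not code from this thread or from the Keycloak project), here is the shape of the two admin-API paths discussed above, driven from a deployment tool: creating the client with a secret the pipeline already knows, and regenerating a secret and reading it back so the tool can push it out. The endpoint paths are the standard admin REST API of the 3.x era (context path /auth); the host, realm, token, client names and the in-memory FakeKeycloak stand-in are constructed for the example.

```python
import json
import ssl
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (status, response headers, response body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """Real transport: HTTPS with certificate and hostname verification. Point cafile at
    the CA bundle that signed the Keycloak certificate rather than disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read()
    return send


class KeycloakClientSecrets:
    def __init__(self, base_url: str, realm: str, admin_token: str, transport: Transport):
        self._base = base_url.rstrip("/")   # e.g. https://host/auth (constructed host below)
        self._realm = realm
        self._token = admin_token           # bearer token from the master realm, obtained beforehand
        self._send = transport

    def _call(self, method: str, path: str, payload=None):
        headers = {"Authorization": "Bearer " + self._token, "Accept": "application/json"}
        body = b"" if method == "POST" else None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, hdrs, data = self._send(method, self._base + path, headers, body)
        if status >= 400:
            # the payload may carry the secret, so the error message never echoes it
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return {k.lower(): v for k, v in hdrs.items()}, data

    def create_client_with_secret(self, client_id: str, secret: str) -> str:
        """Path 1: the secret is accepted at creation time. Returns the client's internal id,
        which the 201 response reports in its Location header."""
        rep = {"clientId": client_id, "publicClient": False,
               "clientAuthenticatorType": "client-secret", "secret": secret}
        hdrs, _ = self._call("POST", f"/admin/realms/{self._realm}/clients", rep)
        return hdrs["location"].rstrip("/").rsplit("/", 1)[-1]

    def regenerate_secret(self, client_uuid: str) -> str:
        """Path 2: Keycloak generates a new secret and returns it as a credential
        representation ({"type": "secret", "value": ...})."""
        _, data = self._call("POST", f"/admin/realms/{self._realm}/clients/{client_uuid}/client-secret")
        return json.loads(data)["value"]

    def get_secret(self, client_uuid: str) -> str:
        _, data = self._call("GET", f"/admin/realms/{self._realm}/clients/{client_uuid}/client-secret")
        return json.loads(data)["value"]


class FakeKeycloak:
    """Constructed in-memory stand-in for the admin API so the example runs offline."""
    def __init__(self):
        self.clients: Dict[str, Dict[str, str]] = {}
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {}, b""
        parts = url.split("/admin/realms/", 1)[1].split("/")  # realm, "clients"[, uuid, "client-secret"]
        if method == "POST" and parts[1:] == ["clients"]:
            rep = json.loads(body)
            uuid = f"uuid-{len(self.clients) + 1}"
            self.clients[uuid] = {"clientId": rep["clientId"], "secret": rep["secret"]}
            return 201, {"Location": url + "/" + uuid}, b""
        if len(parts) == 4 and parts[1] == "clients" and parts[3] == "client-secret":
            client = self.clients[parts[2]]
            if method == "POST":
                client["secret"] = f"regenerated-{len(self.calls)}"  # deterministic for the demo
            cred = {"type": "secret", "value": client["secret"]}
            return 200, {"Content-Type": "application/json"}, json.dumps(cred).encode()
        return 404, {}, b""


def demo() -> Dict[str, object]:
    """Runs both paths against the fake server and returns what the tool observed."""
    server = FakeKeycloak()
    api = KeycloakClientSecrets("https://keycloak.example.test/auth", "demo",
                                "constructed-admin-token", server)
    uuid = api.create_client_with_secret("orders-service", "s3cret-chosen-by-pipeline")
    predefined = api.get_secret(uuid)          # what the microservice was deployed with
    regenerated = api.regenerate_secret(uuid)  # path 2: the tool must now push this value out
    return {"uuid": uuid, "predefined": predefined, "regenerated": regenerated,
            "fetched": api.get_secret(uuid), "calls": server.calls}


if __name__ == "__main__":
    print(demo())
```

Against a real server, swap `FakeKeycloak()` for `urllib_transport(cafile=...)`; the transport keeps certificate and hostname verification on, and the client never logs the request payload, which is where the secret travels.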
From mposolda at redhat.com Wed Apr 19 12:15:32 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 19 Apr 2017 18:15:32 +0200
Subject: [keycloak-user] Tuning Keycloak server in PROD
In-Reply-To: <000f01d2b91c$6a9e2e60$3fda8b20$@growingup.com.co>
References: <000f01d2b91c$6a9e2e60$3fda8b20$@growingup.com.co>
Message-ID: <355897c5-3405-0cd5-b817-efac1ebfb739@redhat.com>

This depends a lot on your environment and load. I think that we don't have any specific guidelines, but there is some general information online about how to tune JVM memory, pools etc. in the Wildfly documentation or for Java in general.

It is also good if you try some profiling/testing by yourself and increase the resources which are a bottleneck for you (e.g. if you notice that the connection to the DB is a bottleneck, you can increase the number of DB connections etc.).

Marek

On 19/04/17 16:51, tecnologia at growingup.com.co wrote:
> Hello community,
>
> Do you know any recommendations to improve the performance of the Keycloak server in production?
>
> My case is that I use Keycloak's REST services a lot; they are used frequently and with high concurrency. What do you recommend?
>
> Usually JVM memory, connection pool and threads
>
> Thanks
>
> --
>
> Cordially
>
> Jairo Henao Rojas

From mposolda at redhat.com Wed Apr 19 12:26:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 19 Apr 2017 18:26:56 +0200
Subject: [keycloak-user] Resteasy client SSLHandshakeException
In-Reply-To:
References:
Message-ID:

It seems that your application where the admin-client is running needs to trust the Keycloak server, so that it is able to communicate with it through SSL.

One possibility to do it is to ensure that your SSL certificate is signed by some well known Certificate Authority. This is good especially in production environments.

The other possibility is to configure your admin-client to trust the Keycloak server. The easiest is to use a property like the javax.net.ssl.trustStore system property (see the JVM docs for more details). Another possibility is to use a custom RestEasyClient or SSLContext for your admin client, which will "trust" the Keycloak server.

Marek

On 19/04/17 14:33, Rajkiran K wrote:
> Hi all,
>
> We are trying to get all roles data of realm from keycloak.
We are > getting "SSLHandshakeException", can any one help on this issue > > *Keycloak version*: 1.9.8 Final > > *resteasy-client version*: resteasy-client-3.0.14.Final > > build 19-Apr-2017 02:00:18 2017-04-19 02:00:18 INFO > KeycloakRestUserDataLoader:228 - Retrieving Roles from Keycloak > error 19-Apr-2017 02:00:19 javax.ws.rs.ProcessingException: > java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote > host closed connection during handshake > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430) > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) > error 19-Apr-2017 02:00:19 at > com.sun.proxy.$Proxy27.list(Unknown Source) > error 19-Apr-2017 02:00:19 at > com.sample.loader.KeycloakRestUserDataLoader.getRealmRoles(KeycloakRestUserDataLoader.java:230) > error 19-Apr-2017 02:00:19 at > com.sample.loader.KeycloakRestUserDataLoader.loadUserData(KeycloakRestUserDataLoader.java:199) > error 19-Apr-2017 02:00:19 at > com.sample.loader.KeycloakDataManager.main(KeycloakDataManager.java:34) > error 19-Apr-2017 02:00:19 Caused by: java.lang.RuntimeException: > javax.net.ssl.SSLHandshakeException: Remote host closed connection > during handshake > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:174) > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.invoke(URLConnectionEngine.java:47) > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436) > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) > error 19-Apr-2017 02:00:19 at > 
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) > error 19-Apr-2017 02:00:19 at > com.sun.proxy.$Proxy19.grantToken(Unknown Source) > error 19-Apr-2017 02:00:19 at > org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85) > error 19-Apr-2017 02:00:19 at > org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65) > error 19-Apr-2017 02:00:19 at > org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60) > error 19-Apr-2017 02:00:19 at > org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52) > error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413) > error 19-Apr-2017 02:00:19 ... 6 more > error 19-Apr-2017 02:00:19 Caused by: > javax.net.ssl.SSLHandshakeException: Remote host closed connection > during handshake > error 19-Apr-2017 02:00:19 at > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992) > error 19-Apr-2017 02:00:19 at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > error 19-Apr-2017 02:00:19 at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) > error 19-Apr-2017 02:00:19 at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) > error 19-Apr-2017 02:00:19 at > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) > error 19-Apr-2017 02:00:19 at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > error 19-Apr-2017 02:00:19 at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316) > error 19-Apr-2017 02:00:19 at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291) > error 19-Apr-2017 02:00:19 at > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > 
error 19-Apr-2017 02:00:19 at > org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:167) > error 19-Apr-2017 02:00:19 ... 16 more > error 19-Apr-2017 02:00:19 Caused by: java.io.EOFException: SSL > peer shut down incorrectly > error 19-Apr-2017 02:00:19 at > sun.security.ssl.InputRecord.read(InputRecord.java:505) > error 19-Apr-2017 02:00:19 at > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > error 19-Apr-2017 02:00:19 ... 25 more > build 19-Apr-2017 02:00:19 2017-04-19 02:00:19 ERROR > KeycloakDataManager:38 - java.lang.RuntimeException: > javax.net.ssl.SSLHandshakeException: Remote host closed connection > during handshake > From sts at ono.at Wed Apr 19 12:43:04 2017 From: sts at ono.at (Stefan Schlesinger) Date: Wed, 19 Apr 2017 18:43:04 +0200 Subject: [keycloak-user] Password expiry via API Message-ID: <1FC0091C-6D1B-439E-B3C7-5973141B527E@ono.at> Hello folks, is there a way to query Keycloak for when a user last changed its password, or at what date it will expire? There is an open feature request, I wonder whether there exist any workarounds for it. https://issues.jboss.org/browse/KEYCLOAK-3680 It would also be great to somehow find user accounts which have been inactive for a while. Best, Stefan. From RLewis at carbonite.com Wed Apr 19 13:38:31 2017 From: RLewis at carbonite.com (Reed Lewis) Date: Wed, 19 Apr 2017 17:38:31 +0000 Subject: [keycloak-user] Behavior of Keycloak when performing an upgrade. Message-ID: We are planning on implementing Keycloak with a very large dataset of users (in excess of 5 to 10 million). We are going to have a single SQL datastore running in Azure, with multiple keycloak servers pointing to that single datastore. The question that is being asked is what happens when we wish to upgrade keycloak from version xx to version yy (whatever the versions are I do not know). The questions are: 1. If the schema changes does Keycloak automatically handle that? 2. 
If there are schema changes, how long will that process take?
3. If there is no schema change can I shut down everything but one server, then shut down the last one and immediately start a new one with the new software version?

So bottom line: What is the upgrade path for Keycloak for major version to major version or minor to minor or whatever?

Reed

This message is the property of CARBONITE, INC. and may contain confidential or privileged information. If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail

From bruno at abstractj.org Wed Apr 19 14:39:11 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 19 Apr 2017 18:39:11 +0000
Subject: [keycloak-user] java.net.ConnectException: JBAS012144: Could not connect to http-remoting://127.0.0.1:9990
In-Reply-To:
References:
Message-ID:

On Tue, Apr 18, 2017 at 8:32 PM Tanudjaja, Francisco <francisco.tanudjaja at bina.roche.com> wrote:

> Thanks for the reply.
>
> I didn't exactly catch what you mean ... both the auth-server and vanilla-client are running wildfly?

What I meant was, if you're running your server on a different port, you must specify it during deployment. For example: if my app was deployed on WildFly, using the port offset 1910, certainly the correct url to the WF admin console is:

http://127.0.0.1:11900

and of course, you must specify it to the Maven plugin:

mvn install -DskipTests wildfly:deploy -Dwildfly.port=10090

> I've restarted my auth-server using the command =>
>
> ./standalone.sh -Djboss.socket.binding.port-offset=1910

All the examples point to the Keycloak server on port 8180 like specified at the README (https://github.com/keycloak/keycloak-quickstarts/blob/master/README.md) file. So if you're going to change it, make sure to change to the proper port.
> > Then I checked that I was able to login to the admin console on => > > http://localhost:9990/auth > > Like I mentioned, all the examples, assume port 8180. > > Ran my vanilla client using the command => > > mvn install -DskipTests wildfly:deploy > > > Now I got a different error message => > > [ERROR] }': java.net.ConnectException: JBAS012174: Could not connect to > http-remoting://127.0.0.1:9990. The connection failed: For now upgrade > responses must have a content length of zero. > I could not reproduce the steps to your issue. maybe try to start the server with $WILDFLY_HOME/bin/standalone.sh -b 0.0.0.0 > > > Also, checking out keycloak repo and running mvn install helped to some > extent, but still running 'mvn install wildfly:deploy' has issues > > > 1. keycloak-test-helpers dependency on the parent pom.xml may not have > been defined correctly. > It was fixed here: https://github.com/keycloak/keycloak-quickstarts/commit/692bfd38049fbab70bd4c73d7bfb07dbe4520d78 I got this compilation error > > [ERROR] COMPILATION ERROR : > > [INFO] ------------------------------------------------------------- > > [ERROR] > /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[41,25] > package org.keycloak.test does not exist > > [ERROR] > /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[42,34] > package org.keycloak.test.builders does not exist > > [ERROR] > /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[51,32] > package org.keycloak.test does not exist > > > Seems to at least compile if I add the dependency manually on the child > pom.xml > > + > > + org.keycloak > > + keycloak-test-helper > > + ${version.keycloak} > > + test > > + > > > 2. 
Still after it compiles there's a runtime exception thrown > The runtime exception will happen if you don't copy the artifact, like I mentioned, keycloak-test-helper was not released yet. You have to use the artifact generated by -Pdistribution located at keycloak-repo/distribution/server-dist/target/keycloak-3.1.0.CR1-SNAPSHOT.tar.gz Yep, it sucks and will be fixed on the next release. > ------------------------------------------------------- > > T E S T S > > ------------------------------------------------------- > > Running org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > > Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.179 sec > <<< FAILURE! > > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: > 1.177 sec <<< ERROR! > > java.lang.RuntimeException: Could not create new instance of class > org.jboss.arquillian.test.impl.EventTestRunnerAdaptor > > at > org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166) > > at > org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103) > > at > org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52) > > at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) > > at > org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) > > at > org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) > > at > org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at > org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) > > at > 
org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) > > at > org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) > > at > org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) > > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) > > Caused by: java.lang.reflect.InvocationTargetException > > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > > at > org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162) > > ... 15 more > > > On Tue, Apr 18, 2017 at 1:25 PM, Bruno Oliveira > wrote: > >> If you're starting WildFly on port 8180. I believe that you should >> specify -Dwildfly.port=10090 for deployment. >> >> The quickstarts depend on keycloak-tests-helper, which wasn't released >> yet. That's the reason why it points to the same release specified on >> Keycloak master branch. Here's what you can do to workaround this while we >> fix: >> >> - git clone https://github.com/keycloak/keycloak.git && cd keycloak && >> mvn clean install -Pdistribution -DskipTests=true >> >> I hope it helps. 
>> >> >> On Tue, Apr 18, 2017 at 2:52 PM Tanudjaja, Francisco < >> francisco.tanudjaja at bina.roche.com> wrote: >> >>> Hi, >>> >>> I've followed the instructions on >>> https://keycloak.gitbooks.io/documentation/content/ >>> authorization_services/topics/getting-started/hello-world/deploy.html >>> >>> I have the following keycloak.json in the 'config' directory of >>> ~/path/to/keycloak-quickstarts/app-profile-jee-vanilla >>> >>> """ >>> { >>> "realm": "Foo", >>> "auth-server-url": "http://localhost:8180/auth", >>> "ssl-required": "external", >>> "resource": "fclient", >>> "credentials": { >>> "secret": "0749b4fc-db40-410a-ac2c-8837ce206c5d" >>> }, >>> "policy-enforcer": {} >>> } >>> """ >>> >>> Got the following error and wasn't able to find any references to port >>> 9990 >>> in the configuration. >>> >>> [ERROR] Failed to execute goal org.wildfly.plugins:wildfly- >>> maven-plugin:1.0.1.Final:deploy (default-cli) on project >>> keycloak-app-profile-jee-vanilla: Could not execute goal deploy on >>> >>> /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee-vanilla/target/vanilla.war. >>> Reason: I/O Error could not execute operation '{ >>> [ERROR] "operation" => "read-attribute", >>> [ERROR] "address" => [], >>> [ERROR] "name" => "launch-type" >>> [ERROR] }': java.net.ConnectException: JBAS012144: Could not connect to >>> http-remoting://127.0.0.1:9990. The connection timed out >>> [ERROR] -> [Help 1] >>> >>> Please advise. >>> >>> >>> ----------------------------------------------------- >>> Additional note: >>> >>> I jumped a few hoops while navigating the documentation. Its possible the >>> issue is caused by my changes I've made. 
For reference, I've listed them >>> below >>> >>> ## wrong link on github in https://keycloak.gitbooks.io/ >>> documentation/content/authorization_services/topics/ >>> getting-started/hello-world/deploy.html >>> >>> ** easy fix, looks like the folder was renamed >>> - $ cd keycloak-quickstarts/app-authz-jee-vanilla >>> + $ cd keycloak-quickstarts/app-profile-jee-vanilla >>> >>> >>> ## wrong version on pom >>> There is no '3.1.0.CR1-SNAPSHOT' published in maven repo >>> See >>> -> https://github.com/keycloak/keycloak/blob/3.0.x/boms/adapter/pom.xml >>> -> >>> https://mvnrepository.com/artifact/org.keycloak.bom/keycloak-adapter-bom >>> >>> ** resolved by changing pom.xml >>> - 3.1.0.CR1-SNAPSHOT >>> + 3.0.0.Final >>> >>> >>> ## cannot compile test >>> [ERROR] Failed to execute goal org.apache.maven.plugins: >>> maven-compiler-plugin:3.1:testCompile (default-testCompile) on project >>> keycloak-app-profile-jee-vanilla: Compilation failure: Compilation >>> failure: >>> [ERROR] /Users/tanudjaf/git/keycloak-quickstarts/app-profile-jee- >>> >>> vanilla/src/test/java/org/keycloak/quickstart/ArquillianProfileJeeVanillaTest.java:[41,25] >>> package org.keycloak.test does not exist >>> ... >>> >>> ** resolved by removing >>> app-profile-jee-vanilla/src/test/java/org/keycloak/ >>> quickstart/ArquillianProfileJeeVanillaTest.java >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > From mposolda at redhat.com Wed Apr 19 16:02:07 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 19 Apr 2017 22:02:07 +0200 Subject: [keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory In-Reply-To: References: Message-ID: On 14/04/17 13:29, Consolodated Emails wrote: > Marko, > > Thank you for those links. I have come across them and have been using them > as reference. > > I'm pretty sure I have LDAP working. 
> Those instructions are very complete. I can sync users and then authenticate to my app using those credentials. When I update a user in Active Directory I can sync those changes to Keycloak.
>
> Where I'm stuck is the Kerberos setup & configuration. I could use more information on how to install, configure it and what commands to run, etc. The articles you posted are very brief about Kerberos setup.
>
> For example in the Kerberos document there is a paragraph titled "Setup and configuration of Keycloak server"; it seems to be an important part of the setup but this section is just a basic outline. Install a client, configure it, edit the krb5.conf to add your realm, export a keytab and secure the keytab file. Not details really.
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html

The thing is that there are a bunch of Kerberos vendors (MS Active Directory, MIT Kerberos, ApacheDS...) and the details of how to set up a particular Kerberos server and Kerberos client are platform dependent. Steps are different depending on which Kerberos vendor you are using, and on what platform your server and clients are. Steps to integrate your web browser are also different for every browser. Unfortunately we can't provide detailed instructions for every combination.

Hence in the documentation, we focus mostly on the steps which are specific to the Keycloak server side. This is the configuration of the authentication flow and the configuration of the LDAP provider, where you need to configure the location of the keytab file and the name of the HTTP principal.

For the MSAD specific details, you can use articles on the internet which focus purely on MSAD and use MSAD specific steps to set up the Kerberos domain and clients. The one you pointed to, or for example this: https://www.ibm.com/support/knowledgecenter/SSB2MV_8.0.0/com.ibm.rational.buildforge.doc/topics/config_sec_sso_spnego.html .
If you see that your browser doesn't respond to "WWW-Authenticate: Negotiate", then the problem really seems to be either in the setup of your client (krb5.conf) or the browser. You can maybe try different browsers. You can also try to temporarily disable the firewall. Marko pointed out other things and a reference to the example, which can possibly give you some other hints.

More inline.

> In the "examples for Kerberos" step 4 is install the Kerberos client and step 5 is configure it. There are one or two sentences with information but not too much detail on what they mean. There is supposed to be a test.krb5.conf file which should explain more but the link is broken.
> https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos

Thanks. I will fix it. The correct location is https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/test-krb5.conf

> I spent most of the day researching but I haven't found much information on how to set up Kerberos for Active Directory SSO. I don't have a lot of time to experiment, so following a walkthrough on getting Kerberos set up so linux machines can join an Active Directory domain might give me the info I need or I might lose 3-6 hours.
>
> One thing I'm not 100% on is: do I need to run a Kerberos client and server? In my environment we want users to login to their Windows workstations, open the browser and auto-login to our application with no login prompts. We use Active Directory as the User Federation source and an OpenID client as our destination.

The Kerberos server should be provided automatically by the Windows Active Directory domain. Details about it are in the Microsoft documentation and a bunch of other sources online.

Marek

> I've been putting a ton of hours into this project and I really appreciate the help. :)
>
> -Dustin
>
> > On Fri, Apr 14, 2017 at 5:30 AM, Marko Strukelj wrote: > >> One source of information you did not mention and might help you is >> Keycloak documentation: >> >> https://keycloak.gitbooks.io/server-adminstration-guide/ >> content/topics/user-federation/ldap.html >> https://keycloak.gitbooks.io/server-adminstration-guide/ >> content/topics/authentication/kerberos.html >> >> >> There is also an example for Kerberos: https://github.com/ >> keycloak/keycloak/tree/3.0.0.Final/examples/kerberos >> >> And you may also want to check out our blog at http://blog.keycloak.org/ >> for articles on MSAD integration. >> >> >> On Fri, Apr 14, 2017 at 1:19 AM, Consolodated Emails >> wrote: >>> Hi all, >>> >>> I have a big project due by end of the week and the last item I have to >>> deliver is Single Sign On for Active Directory users using IE,Firefox & >>> Chrome. I am able to login to my application if i use the Keycloak login >>> form but I can't get it to auto login. If I set Kerberos to Required under >>> Authentication, I get an error saying Kerberos is not setup. You cannot >>> login. >>> >>> Currently I'm investigating these as possible causes: >>> my browser doesn't seem to be passing Kerberos to Keycloak. I'm using >>> Fiddler to check headers but I can't get a clear understanding of what I >>> should look for. The best I can tell WWW-Authenticate Negotiate being sent >>> to me in the 401 response. I guess my browser isn't sending the Kerberos >>> credentials. >>> >>> I'm using a NGINX proxy in front of my application. I've found some >>> evidence of people updating configuration files in order to make this work >>> properly. But I'm not sure this applies to me, since my proxy doesn't sit >>> in front of the keycloak server. 
>>> https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
>>> /jboss/keycloak/standalone/configuration/standalone.xml
>>>
>>> I don't think Kerberos is set up properly under User Federation/Active
>>> Directory (my LDAP's Config name).
>>> I pieced together some information from Matt's article on using Keycloak
>>> to authenticate with AD. He didn't go into any detail about Kerberos
>>> configuration for Active Directory. One line, "Configure the Kerberos
>>> integration like this:", and a screenshot is all I had to work with. After
>>> doing some reading I'm left to think there is an important step that is
>>> left out of all the articles, forum posts, user manual, etc. From what I
>>> can tell I have to run a command in the container to create a Keytab and it
>>> has to have the proper permissions for Keycloak to access it. I also think
>>> I have to set up /etc/kerb5.conf but I'm not sure what I need to do exactly.
>>> I can't find an article directly discussing Keycloak.
>>>
>>> http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
>>>
>>> My Env:
>>> Windows Server 2012 R2
>>> AWS EC2
>>> Active Directory
>>> Pseudo workstation (I'm logging on as a non-domain admin for testing).
>>>
>>> Keycloak
>>> AWS EC2
>>> Docker - Jboss/Keycloak:latest
>>> Ubuntu 16:04 host
>>> Container is Red Hat based (obviously it's JBoss).
>>>
>>> Ruby on Rails 1.8.7 application
>>> AWS EC2
>>> Nginx proxy in front of it.
>>> OpenID client connected to Keycloak
>>>
>>> Under User Federation:
>>> I've created an Active Directory provider; it's able to sync users from my
>>> test Active Directory.
>>>
>>> Authentication:
>>> Kerberos
>>>
>>> Any help would be really appreciated. I'm in a real tough spot on this
>>> project.
>>>
>>> -Dustin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Apr 19 16:11:58 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 19 Apr 2017 22:11:58 +0200
Subject: [keycloak-user] Behavior of Keycloak when performing an upgrade.
In-Reply-To:
References:
Message-ID: <1070b1e8-ea05-b1bb-f6f4-fc5ff3b793be@redhat.com>

On 19/04/17 19:38, Reed Lewis wrote:
> We are planning on implementing Keycloak with a very large dataset of users (in excess of 5 to 10 million). We are going to have a single SQL datastore running in Azure, with multiple Keycloak servers pointing to that single datastore. The question that is being asked is what happens when we wish to upgrade Keycloak from version xx to version yy (whatever the versions are I do not know). The questions are:
>
> 1. If the schema changes, does Keycloak automatically handle that?

Yes, it should. We use Liquibase under the hood to migrate the DB schema and data automatically. However, it's highly recommended to back up your database before upgrading Keycloak. DB migration is always a bit tricky and bad things could happen ;)

> 2. If there are schema changes, how long will that process take?

Depends what exactly was changed in the schema. For example, if there is just one minor change in the table REALM and you have just 1 realm, it will be very fast. On the other hand, a change in the table related to USER data (for example removing a foreign key and creating a new foreign key) might be more tricky considering the size of your DB.

> 3.
> If there is no schema change, can I shut down everything but one server, then shut down the last one and immediately start a new one with the new software version?

Yes. See our Migration guide for more details. We usually provide some version-specific migration instructions in case there is some important manual migration step which needs to be done during migration from version X to version Y.

Marek

> So bottom line: What is the upgrade path for Keycloak for major version to major version or minor to minor or whatever?
>
> Reed

From john.d.ament at gmail.com Wed Apr 19 19:55:22 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 19 Apr 2017 23:55:22 +0000
Subject: [keycloak-user] Need input on KEYCLOAK-4765
Message-ID:

Hi

I was wondering if others had some input for me on https://issues.jboss.org/browse/KEYCLOAK-4765 ?

In my use case, we have parts of our app that already use the query param "access_token". These values are not an RSA-signed bearer. I've locally modified the client adapter code to disable checking for this header, per deployment. I'm not sure that's the right approach. Would it make more sense to ignore invalid access_tokens in Keycloak (and make that configurable)? Or other ideas?

John

From adam.keily at adelaide.edu.au Wed Apr 19 22:28:31 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 20 Apr 2017 02:28:31 +0000
Subject: [keycloak-user] External Role to Role Mapper
Message-ID:

Hi All,

I'm running KC 2.5.1. In the following scenario.
The role mapper 'External Role to Role' doesn't seem to work correctly.

I have two KC realms. Realm A is an IdP for Realm B. In the IdP config on realm B, I configure an External Role to Role mapper to map the role "Test".

During the first broker login of a user from Realm B to Realm A, the user is created and the role is mapped successfully.

If the role is removed from the user in Realm A, then the user signs in again from Realm B, the role is not re-added.

Similarly, the role is not added if there is an existing user in Realm A and they create a federation link with Realm B.

I have noticed an error though if I try to map to a non-existent role in Realm A.

Can anyone tell me if this is by design, resolved in a later release or an issue I should raise a JIRA about?

Thanks
Adam

From rajkiran.k at inteqsolutions.com Thu Apr 20 01:37:03 2017
From: rajkiran.k at inteqsolutions.com (Rajkiran K)
Date: Thu, 20 Apr 2017 11:07:03 +0530
Subject: [keycloak-user] Resteasy client SSLHandshakeException
In-Reply-To:
References:
Message-ID:

Thank you for the reply, Marek.

Yes, the SSL certificate is signed by a well-known Certificate Authority. This SSLHandshakeException is occurring only a few times. Many times this exception is not seen. Can you guess the possible issue here? (If the admin-client is not trusted by the Keycloak server, we should get the exception every time.)

Thanks,
Raj Kiran K

On 4/19/2017 9:56 PM, Marek Posolda wrote:
> It seems that your application where admin-client is running needs to
> trust the Keycloak server, so it's able to communicate with it through
> SSL.
>
> One possibility to do it is to ensure that your SSL certificate is
> signed by some well-known Certificate Authority. This is good
> especially in production environments.
>
> Other possibility is to configure your admin-client to trust the
> Keycloak server. The easiest is to use a property like the
> javax.net.ssl.trustStore system property (see JVM docs for more
> details).
> Another possibility is to use a custom RestEasyClient or
> SSLContext for your admin client, which will "trust" the Keycloak server.
>
> Marek
>
> On 19/04/17 14:33, Rajkiran K wrote:
>> Hi all,
>>
>> We are trying to get all roles data of a realm from Keycloak. We are
>> getting "SSLHandshakeException"; can anyone help on this issue?
>>
>> *Keycloak version*: 1.9.8 Final
>>
>> *resteasy-client version*: resteasy-client-3.0.14.Final
>>
>> build 19-Apr-2017 02:00:18 2017-04-19 02:00:18 INFO KeycloakRestUserDataLoader:228 - Retrieving Roles from Keycloak
>> error 19-Apr-2017 02:00:19 javax.ws.rs.ProcessingException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
>> error 19-Apr-2017 02:00:19 at com.sun.proxy.$Proxy27.list(Unknown Source)
>> error 19-Apr-2017 02:00:19 at com.sample.loader.KeycloakRestUserDataLoader.getRealmRoles(KeycloakRestUserDataLoader.java:230)
>> error 19-Apr-2017 02:00:19 at com.sample.loader.KeycloakRestUserDataLoader.loadUserData(KeycloakRestUserDataLoader.java:199)
>> error 19-Apr-2017 02:00:19 at com.sample.loader.KeycloakDataManager.main(KeycloakDataManager.java:34)
>> error 19-Apr-2017 02:00:19 Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:174)
>> error 19-Apr-2017 02:00:19 at
>> org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.invoke(URLConnectionEngine.java:47)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
>> error 19-Apr-2017 02:00:19 at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
>> error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85)
>> error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65)
>> error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60)
>> error 19-Apr-2017 02:00:19 at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
>> error 19-Apr-2017 02:00:19 ...
>> 6 more
>> error 19-Apr-2017 02:00:19 Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>> error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
>> error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>> error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>> error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>> error 19-Apr-2017 02:00:19 at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>> error 19-Apr-2017 02:00:19 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>> error 19-Apr-2017 02:00:19 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
>> error 19-Apr-2017 02:00:19 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
>> error 19-Apr-2017 02:00:19 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>> error 19-Apr-2017 02:00:19 at org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:167)
>> error 19-Apr-2017 02:00:19 ... 16 more
>> error 19-Apr-2017 02:00:19 Caused by: java.io.EOFException: SSL peer shut down incorrectly
>> error 19-Apr-2017 02:00:19 at sun.security.ssl.InputRecord.read(InputRecord.java:505)
>> error 19-Apr-2017 02:00:19 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
>> error 19-Apr-2017 02:00:19 ...
>> 25 more
>> build 19-Apr-2017 02:00:19 2017-04-19 02:00:19 ERROR KeycloakDataManager:38 - java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>

--
Thanks & Regards,
Rajkiran K

From adam.keily at adelaide.edu.au Thu Apr 20 01:48:02 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 20 Apr 2017 05:48:02 +0000
Subject: [keycloak-user] External Role to Role Mapper
In-Reply-To:
References:
Message-ID:

Found this and thought it may have been resolved in 2.5.5. Upgraded and tested again but role mappings are still not being updated correctly.

https://issues.jboss.org/browse/KEYCLOAK-4378?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%202.5.4.Final

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Adam Keily
Sent: Thursday, 20 April 2017 11:59 AM
To: keycloak-user
Subject: [keycloak-user] External Role to Role Mapper

Hi All,

I'm running KC 2.5.1. In the following scenario. The role mapper 'External Role to Role' doesn't seem to work correctly.

I have two KC realms. Realm A is an IdP for Realm B. In the IdP config on realm B, I configure an External Role to Role mapper to map the role "Test".

During the first broker login of a user from Realm B to Realm A, the user is created and the role is mapped successfully.

If the role is removed from the user in Realm A, then the user signs in again from Realm B, the role is not re-added.

Similarly, the role is not added if there is an existing user in Realm A and they create a federation link with Realm B.
I have noticed an error though if I try to map to a non-existent role in Realm A.

Can anyone tell me if this is by design, resolved in a later release or an issue I should raise a JIRA about?

Thanks
Adam

From hmlnarik at redhat.com Thu Apr 20 04:35:44 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 20 Apr 2017 10:35:44 +0200
Subject: [keycloak-user] External Role to Role Mapper
In-Reply-To:
References:
Message-ID:

Could you please file a JIRA issue? The External Role to Role mapper is OIDC-specific, while KEYCLOAK-4378 fixed an issue with the SAML attribute mapper.

--Hynek

On Thu, Apr 20, 2017 at 7:48 AM, Adam Keily wrote:
> Found this and thought it may have been resolved in 2.5.5. Upgraded and tested again but role mappings are still not being updated correctly.
>
> https://issues.jboss.org/browse/KEYCLOAK-4378?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%202.5.4.Final
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Adam Keily
> Sent: Thursday, 20 April 2017 11:59 AM
> To: keycloak-user
> Subject: [keycloak-user] External Role to Role Mapper
>
> Hi All,
>
> I'm running KC 2.5.1. In the following scenario. The role mapper 'External Role to Role' doesn't seem to work correctly.
>
> I have two KC realms. Realm A is an IdP for Realm B. In the IdP config on realm B, I configure an External Role to Role mapper to map the role "Test".
>
> During the first broker login of a user from Realm B to Realm A, the user is created and the role is mapped successfully.
>
> If the role is removed from the user in Realm A, then the user signs in again from Realm B, the role is not re-added.
>
> Similarly, the role is not added if there is an existing user in Realm A and they create a federation link with Realm B.
>
> I have noticed an error though if I try to map to a non-existent role in Realm A.
>
> Can anyone tell me if this is by design, resolved in a later release or an issue I should raise a JIRA about?
>
> Thanks
> Adam

--
--Hynek

From jim-keycloak at spudsoft.co.uk Thu Apr 20 05:37:07 2017
From: jim-keycloak at spudsoft.co.uk (jim-keycloak at spudsoft.co.uk)
Date: Thu, 20 Apr 2017 10:37:07 +0100
Subject: [keycloak-user] Any way to disable generation of refresh tokens?
Message-ID:

Hi,

For many of our use cases we don't want the client to be using refresh tokens. Is there any way to prevent the creation of refresh tokens? Ideally on a per-client basis.

Thanks.
Jim

From bleporini at gmail.com Thu Apr 20 06:04:09 2017
From: bleporini at gmail.com (Brice)
Date: Thu, 20 Apr 2017 12:04:09 +0200
Subject: [keycloak-user] Spring adapters
Message-ID:

Hello guys!

I find Keycloak is a great product but I'd like to share with you some thoughts about the Spring adapters.

First one is about token storage: by default all Spring adapters (Spring Boot and Spring Security) store all three tokens in the HTTP session. JWT is great because it allows propagating a trusted identity at scale in a micro-service architecture: every service is able to verify the token autonomously only by checking its signature; but if the store is the HTTP session, it works only for single-instance applications or you may be back in the session replication hell for multiple instances...
Anyway, the adapter offers the opportunity to store the tokens on the client itself by concatenating the access token, the id token and the refresh token in a single cookie separated by '__'. And it works... but the size of the cookie is very close to 4KB. This may seem small but at scale it may represent a huge bandwidth cost: imagine the overhead for a simple 'GET /api/any_resource/id + standard headers + 4KB'. It may be complicated to use for some businesses like online gaming or retail, for example.

In addition, if the Keycloak host name is something other than localhost (i.e. longer, a real FQHN) and/or you add a few claims in the token, the cookie weighs more than 4KB; it is more than the limit allowed by the RFC (https://tools.ietf.org/html/rfc6265#section-6.1) and the browser ignores the cookie... thus there's no client storage (and I don't talk about https://issues.jboss.org/browse/KEYCLOAK-4342, but its fix is in progress)!

I'm far from being a security expert, but it seems some people are totally opposed to dropping the refresh token on the client because if it is stolen by an attacker, it may be used for a while to generate access tokens.

So, all these points lead me to ask if we can think about a more flexible way to store the client state? It would be great to have distinct stores for the refresh token and the access token: it would give the opportunity to release the access token on the client and to store the refresh token server side. The server-side store might be implemented in many ways like the current session store, or let the developer provide their own: you can imagine storing the refresh token in a Redis cluster, for example.

Another point is about the fact that the Spring Boot adapter isn't based on Spring Security.
It's surprising because it implies one implementation per servlet container (instead of one for all) and may not work with Spring 5/Netty; but after discussing with @sebi2706 IRL at Devoxx France, he explained that many users expect to use Spring Boot without Spring Security.

One more thing... The Spring Boot adapter doesn't support multi-tenancy!

The need I'm currently working on mixes all these points: multi-tenancy, client-side storage, scaling, etc. So I had to unweave half of the components provided by the adapters to comply with the requirements, but of course it doesn't perform all the checks the adapters do.

So guys, WDYT about all that stuff?

Best regards and thanks for your work!

Brice

From bruno at abstractj.org Thu Apr 20 07:10:57 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 20 Apr 2017 11:10:57 +0000
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
In-Reply-To:
References:
Message-ID:

Hi Austin, this is one of the bearer-only examples which I can think of:
https://github.com/keycloak/keycloak-quickstarts/tree/master/service-nodejs

I hope it helps.

On Wed, Apr 19, 2017 at 6:02 AM Austin Cunningham wrote:
> Hi Kevin,
>
> Thanks for getting back to me. I have reviewed that example before; it
> seems to be using sessions, not bearer or JWT. Correct me if I am wrong, I
> could be missing something. I was hoping to find an implementation of
> http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html
>
> Regards
> Austin
>
> On 19 April 2017 at 08:32, Kevin Berendsen <kevin.berendsen at pharmapartners.nl> wrote:
>
>> Hi Austin,
>>
>> I believe this example is what you're looking for. [1]
>>
>> Make sure you read the README carefully.
>>
>> [1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
>>
>> Kind regards,
>>
>> Kevin
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Austin Cunningham
>> Sent: Tuesday 18 April 2017 16:54
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
>>
>> Hi,
>>
>> I am looking for an example of JWT or Bearer implemented in Node.js with
>> Express.js with Keycloak.
>>
>> Regards,
>> Austin
>>
>> --
>> Austin Cunningham
>> Software Engineering Intern
>> Red Hat Mobile
>> Communications House, Cork Road, Waterford X91NY33
>> Ireland
>> aucunnin at redhat.com

From pkboucher801 at gmail.com Thu Apr 20 07:52:34 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Thu, 20 Apr 2017 07:52:34 -0400
Subject: [keycloak-user] Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
In-Reply-To: <002601d2a3d3$b8e30b80$2aa92280$@gmail.com>
References: <002601d2a3d3$b8e30b80$2aa92280$@gmail.com>
Message-ID: <001001d2b9cc$998605d0$cc921170$@gmail.com>

Stian (or anyone),

Could you please steer me to the right docs for how to do this?

From: Peter K.
Boucher [mailto:pkboucher801 at gmail.com]
Sent: Thursday, March 23, 2017 8:48 AM
To: keycloak-user at lists.jboss.org
Subject: Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say, for example, that with the "quantum_singularity" role they can use the "tetrion_emission" APIs, and with the "borg_cube" role they can use the "culture_assimilation" APIs).

Can we (and if so, how best would we) use openid scope to:

* Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles?

* Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both, of the quantum_singularity and/or borg_cube roles for the duration of a session?

I think I gathered from this thread in keycloak-dev (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers to docs with practical guidance for how best to do these two things.

Thanks!

Regards,
Peter K. Boucher

From sblanc at redhat.com Thu Apr 20 08:07:51 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 20 Apr 2017 14:07:51 +0200
Subject: [keycloak-user] Spring adapters
In-Reply-To:
References:
Message-ID:

Hi Brice!

Thanks for your email ;) I really hope the rest of the community will reply as well since most of the questions you raise go beyond the scope of just the Spring adapters. Some answers inline.

On Thu, Apr 20, 2017 at 12:04 PM, Brice wrote:
> Hello guys!
>
> I find Keycloak is a great product but I'd like to share with you some
> thoughts about the Spring adapters.
>
> First one is about token storage: by default all Spring adapters
> (Spring Boot and Spring Security) store all three tokens in the HTTP
> session. JWT is great because it allows propagating a trusted identity at
> scale in a micro-service architecture: every service is able to verify the
> token autonomously only by checking its signature; but if the store is the
> HTTP session, it works only for single-instance applications or you may be
> back in the session replication hell for multiple instances...

Isn't this where sticky/replicated sessions solve this use case?

> Anyway, the adapter offers the opportunity to store the tokens on the
> client itself by concatenating the access token, the id token and the
> refresh token in a single cookie separated by '__'. And it works... but the
> size of the cookie is very close to 4KB. This may seem small but at scale
> it may represent a huge bandwidth cost: imagine the overhead for a simple
> 'GET /api/any_resource/id + standard headers + 4KB'. It may be complicated
> to use for some businesses like online gaming or retail, for example.
> In addition, if the Keycloak host name is something other than localhost
> (i.e. longer, a real FQHN) and/or you add a few claims in the token, the
> cookie weighs more than 4KB; it is more than the limit allowed by the RFC
> (https://tools.ietf.org/html/rfc6265#section-6.1) and the browser ignores
> the cookie... thus there's no client storage (and I don't talk about
> https://issues.jboss.org/browse/KEYCLOAK-4342, but its fix is in
> progress)!

So, on this one I really need opinions from the rest of the team, and that could be affecting all our adapters.
> I'm far from being a security expert, but it seems some people are totally
> opposed to dropping the refresh token on the client because if it is stolen by an
> attacker, it may be used for a while to generate access tokens.
>
> So, all these points lead me to ask if we can think about a more flexible
> way to store the client state? It would be great to have distinct stores
> for the refresh token and the access token: it would give the opportunity to
> release the access token on the client and to store the refresh token server
> side. The server-side store might be implemented in many ways like the
> current session store, or let the developer provide their own: you can
> imagine storing the refresh token in a Redis cluster, for example.

For sure, we can discuss how to make it more flexible. At Devoxx, I think you mentioned that you had already started something on that; you could open a ticket + PR to bootstrap the discussion around this.

> Another point is about the fact that the Spring Boot adapter isn't based on
> Spring Security. It's surprising because it implies one implementation per
> servlet container (instead of one for all) and may not work with Spring
> 5/Netty; but after discussing with @sebi2706 IRL at Devoxx France, he
> explained that many users expect to use Spring Boot without Spring
> Security.

Yes, these are not official numbers but I think that around 40% of the users use the SB adapter without Spring Security. But I'm currently discussing with the Pivotal guys to make it easier regarding the servlet container stuff. One option (that I still must discuss with my team ;) ) is to provide a web-container-adapter, which is in fact a shaded package of the tomcat/jetty/undertow adapters. This way you would just add this dep regardless of the servlet container being used. (https://github.com/sebastienblanc/keycloak/tree/spring_starter/misc/keycloak-container-adapters)

> One more thing... The Spring Boot adapter doesn't support multi-tenancy!

True!
Is that for instance something on which you could contribute by sharing your solution?

> The need I'm currently working on mixes all these points: multi-tenancy,
> client-side storage, scaling, etc. So I had to unweave half of the
> components provided by the adapters to comply with the requirements, but of
> course it doesn't perform all the checks the adapters do.
>
> So guys, WDYT about all that stuff?
>
> Best regards and thanks for your work!

Thanks!

> Brice

From leo.nunes at gjccorp.com.br Thu Apr 20 10:34:27 2017
From: leo.nunes at gjccorp.com.br (Leonardo Nunes)
Date: Thu, 20 Apr 2017 14:34:27 +0000
Subject: [keycloak-user] Retrieve User Information from Facebook
Message-ID: <4EF4E36D-D8D0-4BD1-B5E9-BDE5CC1B941C@ojc.com.br>

Hi, how can I retrieve Gender and Birthday from a user that logged in from Facebook? The methods below return null.

AccessToken.getGender()
AccessToken.getBirthdate()

Another thing, how do I identify which social network the user has logged in with?

--
Leonardo Nunes
From kevin.berendsen at pharmapartners.nl Thu Apr 20 10:38:53 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Thu, 20 Apr 2017 14:38:53 +0000
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
Message-ID:

Hi Austin,

The token stored in the session storage of the Node.js application is the JWT. If you program your application to output the stored token and parse it into the jwt.io website, you will be able to see the actual content of the token. This token is also used as the bearer token. The only reason to use the token as a bearer token is when you wish to get access to cross-origin resources that are protected by your Keycloak instance.

If you want to use your Node.js application as your resource server, then configure the client in Keycloak to be a bearer-only client that accepts only bearer tokens in the HTTP Authorization header.

Things to do:
- Go to your Keycloak instance and configure your Client's Access Type to "bearer-only";
- Generate a new Keycloak.json file (docs of this configuration file [1]);
- Remove the session store from the Keycloak object initialization [2].

And I believe that's it.

[1] https://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/java/java-adapter-config.html
[2] https://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/nodejs-adapter.html#_usage

Kind regards,

Kevin

--------------------------------------
From: Austin Cunningham [mailto:aucunnin at redhat.com]
Sent: Wednesday 19 April 2017 11:02
To: Kevin Berendsen
CC: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Example of npm keycloak-connect with bearer or JWT

Hi Kevin,

Thanks for getting back to me. I have reviewed that example before; it seems to be using sessions, not bearer or JWT. Correct me if I am wrong, I could be missing something.
I was hoping to find an implementation of http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html. Regards Austin On 19 April 2017 at 08:32, Kevin Berendsen wrote: Hi Austin, I believe this example is what you're looking for. [1] Make sure you read the README carefully. [1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example Kind regards, Kevin -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Austin Cunningham Sent: Tuesday, 18 April 2017 16:54 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT Hi, I am looking for an example of JWT or Bearer implemented in Node.js with Express.js with Keycloak. Regards, Austin _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- AUSTIN CUNNINGHAM SOFTWARE ENGINEERING INTERN https://www.redhat.com Communications House, Cork Road, Waterford X91NY33 Ireland aucunnin at redhat.com https://red.ht/sig From scottpelliott at gmail.com Thu Apr 20 14:38:14 2017 From: scottpelliott at gmail.com (Scott Elliott) Date: Thu, 20 Apr 2017 18:38:14 +0000 Subject: [keycloak-user] Performance with a large number of resources Message-ID: Using the photoz application as an example, what is the expected performance if there are a very large (say, 5M) number of albums? What about if there are multiple resources per album? You quickly get a very large number of resources. The OIDC adapters cache some number of these, so what effect will that have on the resource server? 
Ideally there would be a way to authorize any resource associated with an album, so if /album/vacation were authorized by /album/{id}, /album/vacation/photo/1 was also authorized, i.e., the URI that selects the resource to be authorized would always be /album/vacation. From stone_gu at hotmail.com Thu Apr 20 16:19:38 2017 From: stone_gu at hotmail.com (GU STONE) Date: Thu, 20 Apr 2017 20:19:38 +0000 Subject: [keycloak-user] javax.interceptor for implements of RealmResourceProvider Message-ID: Hello, I have some customized ResourceProviders implementing RealmResourceProvider (following the example in keycloak: org.keycloak.examples.rest), something like this: public class UserProvider implements RealmResourceProvider { ... @Path("/{username}/pre-authentication") @PUT @Produces(MediaType.APPLICATION_JSON) public Response validateAuthenticationRequest(@PathParam("username") String username, @HeaderParam("Authorization") String authorization) { } ... } I also created a Log Interceptor following the document here: https://docs.oracle.com/javaee/7/tutorial/cdi-adv006.htm, and added the Log interceptor annotation to the previous class like this: public class UserProvider implements RealmResourceProvider { ... @Path("/{username}/pre-authentication") @LogInterceptor @PUT @Produces(MediaType.APPLICATION_JSON) public Response validateAuthenticationRequest(@PathParam("username") String username, @HeaderParam("Authorization") String authorization) { } ... } But the Interceptor doesn't work. Do you have any ideas why? Many Thanks! Stone 
From stone_gu at hotmail.com Thu Apr 20 16:25:29 2017 From: stone_gu at hotmail.com (GU STONE) Date: Thu, 20 Apr 2017 20:25:29 +0000 Subject: [keycloak-user] Add new filter for RealmResourceProvider Message-ID: Hello, I have some customized providers implementing RealmResourceProvider, something like this: public class UserProvider implements RealmResourceProvider { ... @Path("/{username}/pre-authentication") @PUT @Produces(MediaType.APPLICATION_JSON) public Response validateAuthenticationRequest(@PathParam("username") String username, @HeaderParam("Authorization") String authorization) { } ... } Every time I send a PUT request to this provider, I can see that 'keycloakSessionServletFilter' has already been passed. My question is: Can I add an extra filter after 'keycloakSessionServletFilter'? And how? Thanks! Stone From maisacaceres at gmail.com Thu Apr 20 17:51:30 2017 From: maisacaceres at gmail.com (Maísa Cáceres) Date: Thu, 20 Apr 2017 18:51:30 -0300 Subject: [keycloak-user] User account Message-ID: Hi everyone, I'm developing a system and using Keycloak to manage users. I'm trying to find out if it's possible for a user to manage his account information by API, but I could not find anything about it. Is it possible? Thanks in advance. -- Maísa Cáceres From chardin at shadowforge-computing.com Thu Apr 20 17:55:31 2017 From: chardin at shadowforge-computing.com (Charles Hardin) Date: Thu, 20 Apr 2017 17:55:31 -0400 Subject: [keycloak-user] Issues with Keycloak and AD Message-ID: Hello All, I have set up an instance of Keycloak 3 and connected it to AD. It is set up to sync users and is in writable edit mode. I also have Password Policy Hints enabled in the MSAD Account Controls mapper. I have user registration turned on in Keycloak. When I register a user in Keycloak, it creates the user in a disabled state in AD, and prompts the user in Keycloak to change the password they just set during account creation to activate the account. 
This then fails because AD is currently configured to enforce a minimum password age of one day. I am ok with the account being created disabled, but how do I get around the immediate 2nd password request? Thanks, Chuck From mitya at cargosoft.ru Thu Apr 20 19:20:40 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Fri, 21 Apr 2017 02:20:40 +0300 Subject: [keycloak-user] Tracking user session lifecycle in providers Message-ID: <1492730440.32477.3.camel@cargosoft.ru> Hi, Is it possible for a Keycloak provider to track user session creation/disposal/etc., for example, by subscribing to some events? I've looked through different event types in Keycloak, but couldn't find anything relevant to user session lifecycle. If not possible ATM, do you think this is worth being added to mainline Keycloak? Thanks, Dmitry From matt at woolnough.com.au Thu Apr 20 20:00:32 2017 From: matt at woolnough.com.au (Matthew Woolnough) Date: Fri, 21 Apr 2017 10:00:32 +1000 Subject: [keycloak-user] User account In-Reply-To: References: Message-ID: Is this what you're looking for? http://www.keycloak.org/docs-api/3.0/rest-api/index.html You can also look at the Chrome Developer tools when you are making changes in the Keycloak Admin Interface to see how it uses the API. mW On 21 April 2017 at 07:51, Maísa Cáceres wrote: > Hi everyone, > I'm developing a system and using Keycloak to manage users. > I'm trying to find out if it's possible for a user to manage his account > information by API, but I could not find anything about it. > Is it possible? > > Thanks in advance. 
> > -- > Maísa Cáceres > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From llivezking at gmail.com Thu Apr 20 20:50:57 2017 From: llivezking at gmail.com (Ilya Korol) Date: Fri, 21 Apr 2017 10:50:57 +1000 Subject: [keycloak-user] User Storage SPI for multiple db In-Reply-To: References: Message-ID: <6f76d4df-def6-2398-5f4c-3069a281b2c7@gmail.com> As you can see in the docs and examples there are two main interfaces for implementing User Storage Providers (USP): UserStorageProvider and UserStorageProviderFactory, so any DAO should be initialized within the concrete USPFactory class and then be injected into the UserStorageProvider object within the create() method of the Factory class. For connecting with MySQL you could use any libraries as you usually do in other applications, but there could be some trouble with packaging, because by default your lib jars (MySQL connectors etc.) will not be linked with your USP, so for testing convenience you could add those libs as modules to WildFly (where Keycloak runs) and refer to them in dependencies from the USP deployment descriptor. Google "jar module.xml wildfly". On 20.04.2017 20:15, rohit chaudhary wrote: > Hi, > > Each db contains users which can be merged on the basis of username. But I > can't find an example to connect to a MySQL server using the User Storage > SPI; being a newbie, basically I'm having doubts on how to connect to a > MySQL db. > > Thanks, > Rohit > > On Wed, Apr 19, 2017 at 5:40 PM, Король Илья > wrote: > > Hi. If every one of your apps has a separate users db, what do you want > to have > in ideal circumstances? Do your databases include equal users? For > example if you want to have a "merged" user storage you could implement > a custom user storage for every db, so when a user is redirected to > keycloak for login, keycloak will consecutively try to extract > user data > from these user storages. 
And you will have the opportunity to set > priorities > of these storages in the keycloak admin console. > > As for examples you should check the examples from the git repo and also > carefully read the tutorial in the docs. > > Also your implementations could have the ability to create users in > keycloak > itself on the fly while extracting users from user storages (so later > you will have a merged user db in keycloak). See details in the docs (Server > development -> User Storage SPI -> Import Implementation Strategy). > > > 19.04.2017 11:35, rohit chaudhary wrote: > > Hi, > > > > I am implementing Keycloak SSO for Django and .NET apps. I have > a doubt on > > how to go with the user database. All apps have a separate db. How to > > proceed? Need some suggestions and please refer some examples of > custom > > user storage SPI. > > > > Thanks, > > Rohit > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From mposolda at redhat.com Fri Apr 21 03:42:37 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 21 Apr 2017 09:42:37 +0200 Subject: [keycloak-user] Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties? In-Reply-To: <001001d2b9cc$998605d0$cc921170$@gmail.com> References: <002601d2a3d3$b8e30b80$2aa92280$@gmail.com> <001001d2b9cc$998605d0$cc921170$@gmail.com> Message-ID: <76ef7099-94ce-7472-a277-d984beacd638@redhat.com> Some pointers for you: - If you want an offline token, you need to attach "scope=offline_access" when you send the request to the secured URL of your application. The server-side adapter will then automatically re-send the content of the scope parameter to the Keycloak server, which will then know that it should issue an offline token. 
For example if you send a request to "http://your-host/your-app/secured?scope=offline_access" then the Keycloak adapter will automatically resend "scope=offline_access" to the Keycloak server. - We have some docs for offline tokens and the example in the examples distribution in "preconfigured-demo/offline-access-app" - If your role has "Scope param required" set to ON in the Keycloak server, then it is added to the token only if you use it in the scope parameter. So for example if you attach a scope parameter like "scope=borg_cube", then role "borg_cube" will be used for the token. - ATM there is no builtin possibility to have just one or the other through the scope parameter. So if you use "scope=borg_cube quantum_singularity" then your token will contain both those roles. You may need to implement a custom protocolMapper if you have such a requirement that either just one or the other is used. Or somehow handle it in your app (e.g. if the accessToken has both roles, then throw an error or something. Looks like a workaround, but maybe the easiest path for you). Another possibility is that you don't use the scope parameter at all, but you use 2 different clients - one for "borg_cube" and a second for "quantum_singularity". The first client will have scope (tab "Scope" in the client in the KC admin console) just to invoke "borg_cube" and the second just to invoke "quantum_singularity". But this would mean that you will need 2 separate clients on the KC side for one application, which looks like a workaround too. Also maybe authorization services can help you. Anyway, there are a bunch of things you can try. You can decide the best path according to your requirements. Hope something is helpful for you :) Marek On 20/04/17 13:52, Peter K. Boucher wrote: > Stian (or anyone), Could you please steer me to the right docs for how to > do this? > > > > From: Peter K. 
Boucher [mailto:pkboucher801 at gmail.com] > Sent: Thursday, March 23, 2017 8:48 AM > To: keycloak-user at lists.jboss.org > Subject: Use OIDC Scope to limit the roles included in Offline Token and/or > to enforce separation of duties? > > > > Suppose there are some limited families of APIs to which we would want users > to explicitly delegate access. We were thinking we could assign a role to > the user that allows the use of each of the families of APIs (say for > example that with the "quantum_singularity" role, they can use the > "tetrion_emission" APIs, and with the "borg_cube" role, they can use the > "culture_assimilation" APIs). > > > > Can we (and if so, how best would we) use openid scope to > > * Offline refresh tokens - Allow the user to delegate a 3rd-party app > to act on their behalf in an offline fashion that is limited to one, the > other, or both of the quantum_singularity and/or borg_cube roles? > > * Separation of duties - (only partially-related question) Allow an > app to enforce separation of duties such that an online, logged-in user can > only have one or the other, but not both of the quantum_singularity and/or > borg_cube roles for the duration of a session? > > > > I think I gathered from this thread in keycloak-dev > (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that > these things should be possible, but I was hoping to confirm and to get > pointers to docs with practical guidance for how best to do these two > things. > > > > Thanks! > > > > Regards, > > Peter K. Boucher > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Fri Apr 21 03:45:41 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 21 Apr 2017 09:45:41 +0200 Subject: [keycloak-user] Resteasy client SSLHandshakeException In-Reply-To: References: Message-ID: Forgot to add list yesterday: Ah ok. 
Then the problem is possibly in connection pooling. Maybe it helps if you increase the connection pool of the Apache HTTP Client on the admin-client side or the maximum number of IO threads and/or Worker threads in the undertow subsystem on the Keycloak server side. The exception states "Remote host closed the connection", which indicates that the issue is rather on the server side, but I am not 100% sure. Marek On 20/04/17 07:37, Rajkiran K wrote: > Thank you for the reply, Marek. > > Yes, the SSL certificate is signed by a well known Certificate Authority. This > SSLHandshakeException is occurring only a few times. Many times this > exception is not seen; can you guess the possible issue here (if the > admin-client is not trusted by the Keycloak server, we should get the exception > every time)? > > Thanks, > > Raj Kiran K > > > On 4/19/2017 9:56 PM, Marek Posolda wrote: >> It seems that your application where the admin-client is running needs to >> trust the Keycloak server, so it's able to communicate with it through >> SSL. >> >> One possibility to do it is to ensure that your SSL certificate is >> signed by some well known Certificate Authority. This is good >> especially in production environments. >> >> The other possibility is to configure your admin-client to trust the >> Keycloak server. The easiest is to use a property like the >> javax.net.ssl.trustStore system property (see JVM docs for more >> details). Another possibility is to use a custom RestEasyClient or >> SSLContext for your admin client, which will "trust" the Keycloak server. >> >> Marek >> >> On 19/04/17 14:33, Rajkiran K wrote: >>> Hi all, >>> >>> We are trying to get all roles data of the realm from Keycloak. 
We are >>> getting "SSLHandshakeException", can any one help on this issue >>> >>> *Keycloak version*: 1.9.8 Final >>> >>> *resteasy-client version*: resteasy-client-3.0.14.Final >>> >>> build 19-Apr-2017 02:00:18 2017-04-19 02:00:18 INFO >>> KeycloakRestUserDataLoader:228 - Retrieving Roles from Keycloak >>> error 19-Apr-2017 02:00:19 javax.ws.rs.ProcessingException: >>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote >>> host closed connection during handshake >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) >>> >>> error 19-Apr-2017 02:00:19 at >>> com.sun.proxy.$Proxy27.list(Unknown Source) >>> error 19-Apr-2017 02:00:19 at >>> com.sample.loader.KeycloakRestUserDataLoader.getRealmRoles(KeycloakRestUserDataLoader.java:230) >>> >>> error 19-Apr-2017 02:00:19 at >>> com.sample.loader.KeycloakRestUserDataLoader.loadUserData(KeycloakRestUserDataLoader.java:199) >>> >>> error 19-Apr-2017 02:00:19 at >>> com.sample.loader.KeycloakDataManager.main(KeycloakDataManager.java:34) >>> error 19-Apr-2017 02:00:19 Caused by: java.lang.RuntimeException: >>> javax.net.ssl.SSLHandshakeException: Remote host closed connection >>> during handshake >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:174) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.invoke(URLConnectionEngine.java:47) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436) >>> >>> error 19-Apr-2017 02:00:19 at >>> 
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) >>> >>> error 19-Apr-2017 02:00:19 at >>> com.sun.proxy.$Proxy19.grantToken(Unknown Source) >>> error 19-Apr-2017 02:00:19 at >>> org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413) >>> >>> error 19-Apr-2017 02:00:19 ... 6 more >>> error 19-Apr-2017 02:00:19 Caused by: >>> javax.net.ssl.SSLHandshakeException: Remote host closed connection >>> during handshake >>> error 19-Apr-2017 02:00:19 at >>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992) >>> error 19-Apr-2017 02:00:19 at >>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) >>> >>> error 19-Apr-2017 02:00:19 at >>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) >>> error 19-Apr-2017 02:00:19 at >>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) >>> error 19-Apr-2017 02:00:19 at >>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) >>> >>> error 19-Apr-2017 02:00:19 at >>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) >>> >>> error 19-Apr-2017 02:00:19 at >>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316) >>> >>> error 19-Apr-2017 
02:00:19 at >>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291) >>> >>> error 19-Apr-2017 02:00:19 at >>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) >>> >>> error 19-Apr-2017 02:00:19 at >>> org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:167) >>> >>> error 19-Apr-2017 02:00:19 ... 16 more >>> error 19-Apr-2017 02:00:19 Caused by: java.io.EOFException: SSL >>> peer shut down incorrectly >>> error 19-Apr-2017 02:00:19 at >>> sun.security.ssl.InputRecord.read(InputRecord.java:505) >>> error 19-Apr-2017 02:00:19 at >>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) >>> error 19-Apr-2017 02:00:19 ... 25 more >>> build 19-Apr-2017 02:00:19 2017-04-19 02:00:19 ERROR >>> KeycloakDataManager:38 - java.lang.RuntimeException: >>> javax.net.ssl.SSLHandshakeException: Remote host closed connection >>> during handshake >>> >> >> >> From thomas.darimont at googlemail.com Fri Apr 21 04:32:05 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 21 Apr 2017 10:32:05 +0200 Subject: [keycloak-user] Passing information from custom Authenticator to a Token Message-ID: Hello group, I need to pass some information from a custom Authenticator to the IDToken/AccessToken. One way I found to do that is by using UserSessionNotes and a "User Session Note" Protocol Mapper defined in a client template which is shared by all clients. public void authenticate(AuthenticationFlowContext context) { ... context.getClientSession().getUserSessionNotes().put("someKey","someValue"); ... } Is this the intended way to do this sort of thing? 
Cheers, Thomas From rajkiran.k at inteqsolutions.com Fri Apr 21 04:39:56 2017 From: rajkiran.k at inteqsolutions.com (Rajkiran K) Date: Fri, 21 Apr 2017 14:09:56 +0530 Subject: [keycloak-user] Resteasy client SSLHandshakeException In-Reply-To: References: Message-ID: <9ab8307f-5926-67df-45d1-6537bc4b9dd2@inteqsolutions.com> Thank you, Marek. On 4/21/2017 1:15 PM, Marek Posolda wrote: > Forgot to add list yesterday: > > Ah ok. Then the problem is possibly in connection pooling. Maybe it > helps if you increase the connection pool of the Apache HTTP Client on the > admin-client side or the maximum number of IO threads and/or Worker > threads in the undertow subsystem on the Keycloak server side. > The exception states "Remote host closed the connection", which indicates > that the issue is rather on the server side, but I am not 100% sure. > > Marek > > On 20/04/17 07:37, Rajkiran K wrote: >> Thank you for the reply, Marek. >> >> Yes, the SSL certificate is signed by a well known Certificate Authority. This >> SSLHandshakeException is occurring only a few times. Many times this >> exception is not seen; can you guess the possible issue here (if the >> admin-client is not trusted by the Keycloak server, we should get the exception >> every time)? >> >> Thanks, >> >> Raj Kiran K >> >> >> On 4/19/2017 9:56 PM, Marek Posolda wrote: >>> It seems that your application where the admin-client is running needs to >>> trust the Keycloak server, so it's able to communicate with it through >>> SSL. >>> >>> One possibility to do it is to ensure that your SSL certificate is >>> signed by some well known Certificate Authority. This is good >>> especially in production environments. >>> >>> The other possibility is to configure your admin-client to trust the >>> Keycloak server. The easiest is to use a property like the >>> javax.net.ssl.trustStore system property (see JVM docs for more >>> details). Another possibility is to use a custom RestEasyClient or >>> SSLContext for your admin client, which will "trust" the Keycloak >>> server. 
>>> >>> Marek >>> >>> On 19/04/17 14:33, Rajkiran K wrote: >>>> Hi all, >>>> >>>> We are trying to get all roles data of realm from keycloak. We are >>>> getting "SSLHandshakeException", can any one help on this issue >>>> >>>> *Keycloak version*: 1.9.8 Final >>>> >>>> *resteasy-client version*: resteasy-client-3.0.14.Final >>>> >>>> build 19-Apr-2017 02:00:18 2017-04-19 02:00:18 INFO >>>> KeycloakRestUserDataLoader:228 - Retrieving Roles from Keycloak >>>> error 19-Apr-2017 02:00:19 javax.ws.rs.ProcessingException: >>>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: >>>> Remote >>>> host closed connection during handshake >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> com.sun.proxy.$Proxy27.list(Unknown Source) >>>> error 19-Apr-2017 02:00:19 at >>>> com.sample.loader.KeycloakRestUserDataLoader.getRealmRoles(KeycloakRestUserDataLoader.java:230) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> com.sample.loader.KeycloakRestUserDataLoader.loadUserData(KeycloakRestUserDataLoader.java:199) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> com.sample.loader.KeycloakDataManager.main(KeycloakDataManager.java:34) >>>> >>>> error 19-Apr-2017 02:00:19 Caused by: >>>> java.lang.RuntimeException: >>>> javax.net.ssl.SSLHandshakeException: Remote host closed connection >>>> during handshake >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:174) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> 
org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.invoke(URLConnectionEngine.java:47) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> com.sun.proxy.$Proxy19.grantToken(Unknown Source) >>>> error 19-Apr-2017 02:00:19 at >>>> org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 ... 
6 more >>>> error 19-Apr-2017 02:00:19 Caused by: >>>> javax.net.ssl.SSLHandshakeException: Remote host closed connection >>>> during handshake >>>> error 19-Apr-2017 02:00:19 at >>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992) >>>> error 19-Apr-2017 02:00:19 at >>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) >>>> error 19-Apr-2017 02:00:19 at >>>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) >>>> error 19-Apr-2017 02:00:19 at >>>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 at >>>> org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:167) >>>> >>>> >>>> error 19-Apr-2017 02:00:19 ... 16 more >>>> error 19-Apr-2017 02:00:19 Caused by: java.io.EOFException: SSL >>>> peer shut down incorrectly >>>> error 19-Apr-2017 02:00:19 at >>>> sun.security.ssl.InputRecord.read(InputRecord.java:505) >>>> error 19-Apr-2017 02:00:19 at >>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) >>>> error 19-Apr-2017 02:00:19 ... 
25 more >>>> build 19-Apr-2017 02:00:19 2017-04-19 02:00:19 ERROR >>>> KeycloakDataManager:38 - java.lang.RuntimeException: >>>> javax.net.ssl.SSLHandshakeException: Remote host closed connection >>>> during handshake >>>> >>> >>> >>> > > > > -- Thanks & Regards, Rajkiran K The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material; unauthorized use of this information is prohibited. If you have received this in error, please contact the sender and delete the material immediately. From marc.tempelmeier at flane.de Fri Apr 21 06:51:37 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Fri, 21 Apr 2017 10:51:37 +0000 Subject: [keycloak-user] "Clustering" in Clients settings Message-ID: Hi, What is this tab about? Does it show whether the slaves can see each other via multicast? BR Marc From ulrik.lejon at mollyware.se Fri Apr 21 07:14:16 2017 From: ulrik.lejon at mollyware.se (Ulrik Lejon) Date: Fri, 21 Apr 2017 11:14:16 +0000 Subject: [keycloak-user] Package custom rest endpoint in EAR Message-ID: According to the documentation it should be possible to drop an .ear file in the standalone/deployments folder. Based on this, what would one need to do to package the domain-extension example ( https://github.com/keycloak/keycloak/tree/2.5.x/examples/providers/domain-extension) in a valid ear? Anyone with experience in successfully deploying ear archives who can share some examples? 
Note: I'm using keycloak 2.5.4 Br Ulrik From llivezking at gmail.com Fri Apr 21 07:40:38 2017 From: llivezking at gmail.com (Король Илья) Date: Fri, 21 Apr 2017 11:40:38 +0000 Subject: [keycloak-user] Passing information from custom Authenticator to a Token In-Reply-To: References: Message-ID: The first thing that came to my head is to populate the required data into attributes of the UserModel and use mappers to map the attribute to an AT claim, but your way also looks interesting and I don't see any problems here. 21.04.2017 8:32, Thomas Darimont wrote: > Hello group, > > I need to pass some information from a custom Authenticator to the > IDToken/AccessToken. > One way I found to do that is by using UserSessionNotes and a "User Session > Note" > Protocol Mapper defined in a client template which is shared by all clients. > > public void authenticate(AuthenticationFlowContext context) { > ... > > context.getClientSession().getUserSessionNotes().put("someKey","someValue"); > ... > } > > Is this the intended way to do this sort of thing? > > Cheers, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tech at psynd.net Fri Apr 21 07:45:49 2017 From: tech at psynd.net (Tech) Date: Fri, 21 Apr 2017 13:45:49 +0200 Subject: [keycloak-user] Grabbing messages flow between oidc client and Kc Message-ID: <09a3a00c-a2c5-03cc-0943-ec9c9834df19@psynd.net> Dear experts, we are running the following test between a client written in PHP and deployed on IIS and KC (2.5.4) using OIDC. 
Our main configuration:

* ClientID and Name: IIS-client
* Enabled [On]
* Consent Required [Off]
* Protocol [Oidc]
* Access type [confidential]
* Standard flow enabled [On]
* Implicit Flow enabled [Off]
* Direct access grant enabled [On]
* Service accounts enabled [Off]
* Authorization Enabled [Off]
* Root Url [http://localhost:56579/*]
* Valid redirect [http://localhost:56579/]
* Admin [http://localhost:56579/]

We challenge this configuration from our VB code where:

Redirection code = WbCGHl6Btf5QemAJ3aGEsaBx-0zxnyiC1Hsx7hYIQFU.4ead731d-871a-4ba9-bbdd-1bcb251616dc
state = ayyd9co1zzcar83
sClientId = IIS-client
sClientSecret = b1c08260-5f8d-4f18-95e4-6928e340d1d2

*Token Request*:

Header:
authorization = Basic SVNNLWNsaWVudDpiMWMwODI2MC01ZjhkLTRmMTgtOTVlNC02OTI4ZTM0MGQxZDI=
content-type = application/json
charset = utf-8

FormField:
grant_type=authorization_code&code=WbCGHl6Btf5QemAJ3aGEsaBx-0zxnyiC1Hsx7hYIQFU.4ead731d-871a-4ba9-bbdd-1bcb251616dc&state=ayyd9co1zzcar83&scope=openid&redirect_uri=http%3a%2f%2flocalhost%3a56579%2f

Try POST oWebClient.UploadString at:
sTokenUrl = http://localhost:8080/auth/realms/Test/protocol/openid-connect/token

Keycloak is replying with an error 400; we have the feeling that it is not correctly receiving the message in the format it is expecting, but we are also not able to grab the message on the Keycloak side to read what Keycloak is actually receiving.

Could you please support?

Thanks

From mposolda at redhat.com Fri Apr 21 07:56:19 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 21 Apr 2017 13:56:19 +0200
Subject: [keycloak-user] Tracking user session lifecycle in providers
In-Reply-To: <1492730440.32477.3.camel@cargosoft.ru>
References: <1492730440.32477.3.camel@cargosoft.ru>
Message-ID: <43d6c3e4-5431-c33a-7f9c-4afdc5dcb975@redhat.com>

I think that in the future, the userSession will always be created during the login event (I am working on some refactoring, which will introduce that).
But deletion of a user session can be either logout or periodic cleanup or removal by admin. Hence those Keycloak events are not 100% reliable.

Another (and probably better) possibility is to manually add some listener to the infinispan cache. You can do it in your own provider at startup time though.

Marek

On 21/04/17 01:20, Dmitry Telegin wrote:
> Hi,
>
> Is it possible for a Keycloak provider to track user session
> creation/disposal/etc., for example, by subscribing to some events?
> I've looked through different event types in Keycloak, but couldn't
> find anything relevant to user session lifecycle.
>
> If not possible ATM, do you think this is worth being added to mainline
> Keycloak?
>
> Thanks,
> Dmitry
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Apr 21 07:57:25 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 21 Apr 2017 13:57:25 +0200
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To:
References:
Message-ID:

I will try to reproduce that. What's your MSAD version btw?

Thanks,
Marek

On 20/04/17 23:55, Charles Hardin wrote:
> Hello All,
>
> I have setup an instance of Keycloak 3 and connected it to AD. It is setup
> to sync users and is writeable edit mode. I also have Password Policy Hints
> enabled in the MSAD Account Controls mapper. I have user registration
> turned on in Keycloak.
>
> When I register a user in keycloak, it creates the user in a disabled state
> in AD, and prompts the user in keycloak to change the password they just
> set during account creation to activate the account. This then fails
> because AD is currently configured to enforce a minimum password age of one
> day.
>
> I am ok with the account being created disabled, but how do I get around
> the immediate 2nd password request?
>
> Thanks,
>
> Chuck
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Fri Apr 21 08:08:15 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 21 Apr 2017 14:08:15 +0200
Subject: [keycloak-user] Passing information from custom Authenticator to a Token
In-Reply-To:
References:
Message-ID:

Thanks for your reply :)

I think (ab)using user attributes for storing temporary data is not a good idea, e.g. one would need to take care to clear that information etc.

I'm currently using
context.getClientSession().setUserSessionNote("key","value");
in combination with a user protocol mapper for "user session note".

Cheers,
Thomas

2017-04-21 13:40 GMT+02:00 Король Илья:
> First thing that came to my head is to populate required data to
> attributes of UserModel and use mappers to map attr to AT claim, but
> your way also looks interesting and I don't see any problems here.
>
>
> 21.04.2017 8:32, Thomas Darimont wrote:
> > Hello group,
> >
> > I need to pass some information from a custom Authenticator to the
> > IDToken/AccessToken.
> > One way I found to do that is by using UserSessionNotes and a "User
> Session
> > Note"
> > Protocol Mapper defined in a client template which is shared by all
> clients.
> >
> > public void authenticate(AuthenticationFlowContext context) {
> > ...
> >
> > context.getClientSession().getUserSessionNotes().put("someKey","someValue");
> > ...
> > }
> >
> > is this the intended way to do this sort of things?
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Chris.Rains at jtv.com Fri Apr 21 08:27:47 2017
From: Chris.Rains at jtv.com (Rains, Chris)
Date: Fri, 21 Apr 2017 12:27:47 +0000
Subject: [keycloak-user] NullPointerException with empty attribute
Message-ID: <5DE8B4BE-71BF-497C-BA14-80BC496DFC69@jtv.com>

Hi,

I'm seeing Keycloak throw a NullPointerException whenever an access token is being generated for a user with an empty attribute value. Here's a snippet of the stack trace:

Caused By: java.lang.NullPointerException
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)

Looking at OIDCAttributeMapperHelper.java, this seems to be happening because no null check is being performed on attributeValue in convertToType.
Therefore, I think we would just need to add a null check at the beginning of convertToType:

if (attributeValue == null) return null;

Would this be a reasonable solution?

Thanks!
- Chris Rains

From mposolda at redhat.com Fri Apr 21 08:33:33 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 21 Apr 2017 14:33:33 +0200
Subject: [keycloak-user] "Clustering" in Clients settings
In-Reply-To:
References:
Message-ID:

Nope, that shows the self-registered cluster nodes where the particular client application is deployed. For example if you have a cluster with 2 backend nodes "app-node1" and "app-node2", those are shown there. This allows admin requests (e.g. clicking "Logout all" in the admin console or pushing a new notBefore policy) to be sent to all the registered nodes. Some docs are here https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/application-clustering.html

Btw. maybe we will remove this in the future and add some different solution, as application backend nodes are not always visible from the KC server.

Marek

On 21/04/17 12:51, Marc Tempelmeier wrote:
> Hi,
>
> What is this tab about? Does it show whether the slaves can see each other via multicast?
>
> BR
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Apr 21 08:33:50 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 21 Apr 2017 14:33:50 +0200
Subject: [keycloak-user] NullPointerException with empty attribute
In-Reply-To: <5DE8B4BE-71BF-497C-BA14-80BC496DFC69@jtv.com>
References: <5DE8B4BE-71BF-497C-BA14-80BC496DFC69@jtv.com>
Message-ID:

+1 Please create a JIRA and if you'd like, a PR including tests would be great.

On 21 April 2017 at 14:27, Rains, Chris wrote:
> Hi,
>
> I'm seeing Keycloak throw a NullPointerException whenever an access token
> is being generated for a user with an empty attribute value.
> Here's a
> snippet of the stack trace:
>
> Caused By: java.lang.NullPointerException
> at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
> at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
> at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
> at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
> at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
> at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
> at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
> at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)
>
> Looking at OIDCAttributeMapperHelper.java, this seems to be happening
> because no null check is being performed on attributeValue in
> convertToType. Therefore, I think we would just need to add a null check at
> the beginning of convertToType:
>
> if (attributeValue == null) return null;
>
> Would this be a reasonable solution?
>
> Thanks!
> - Chris Rains
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Apr 21 08:36:50 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 21 Apr 2017 14:36:50 +0200
Subject: [keycloak-user] NullPointerException with empty attribute
In-Reply-To: <5DE8B4BE-71BF-497C-BA14-80BC496DFC69@jtv.com>
References: <5DE8B4BE-71BF-497C-BA14-80BC496DFC69@jtv.com>
Message-ID: <52b06166-e4df-3189-2466-39f320a7c4b7@redhat.com>

+1 Feel free to create JIRA.
And ideally also send a PR with the test :) Maybe to OIDCProtocolMappersTest.

Marek

On 21/04/17 14:27, Rains, Chris wrote:
> Hi,
>
> I'm seeing Keycloak throw a NullPointerException whenever an access token is being generated for a user with an empty attribute value. Here's a snippet of the stack trace:
>
> Caused By: java.lang.NullPointerException
> at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
> at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
> at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
> at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
> at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
> at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
> at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
> at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)
>
> Looking at OIDCAttributeMapperHelper.java, this seems to be happening because no null check is being performed on attributeValue in convertToType. Therefore, I think we would just need to add a null check at the beginning of convertToType:
>
> if (attributeValue == null) return null;
>
> Would this be a reasonable solution?
>
> Thanks!
> - Chris Rains
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Apr 21 08:48:42 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 21 Apr 2017 14:48:42 +0200
Subject: [keycloak-user] Passing information from custom Authenticator to a Token
In-Reply-To:
References:
Message-ID: <48e7f387-6e1d-7241-decd-43a3c58d0095@redhat.com>

+1 I would use the same approach based on "User Session Notes" with a usecase like yours :)

Marek

On 21/04/17 14:08, Thomas Darimont wrote:
> Thanks for your reply :)
>
> I think (ab)using user attributes for storing temporary data is not a good
> idea, e.g. one would need to take care to clear that information etc.
>
> I'm currently using
> context.getClientSession().setUserSessionNote("key","value");
> in combination with a user protocol mapper for "user session note".
>
> Cheers,
> Thomas
>
> 2017-04-21 13:40 GMT+02:00 Король Илья:
>
>> First thing that came to my head is to populate required data to
>> attributes of UserModel and use mappers to map attr to AT claim, but
>> your way also looks interesting and I don't see any problems here.
>>
>>
>> 21.04.2017 8:32, Thomas Darimont wrote:
>>> Hello group,
>>>
>>> I need to pass some information from a custom Authenticator to the
>>> IDToken/AccessToken.
>>> One way I found to do that is by using UserSessionNotes and a "User
>> Session
>>> Note"
>>> Protocol Mapper defined in a client template which is shared by all
>> clients.
>>> public void authenticate(AuthenticationFlowContext context) {
>>> ...
>>>
>>> context.getClientSession().getUserSessionNotes().put("someKey","someValue");
>>> ...
>>> }
>>>
>>> is this the intended way to do this sort of things?
>>>
>>> Cheers,
>>> Thomas
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chardin at shadowforge-computing.com Fri Apr 21 09:42:22 2017
From: chardin at shadowforge-computing.com (Charles Hardin)
Date: Fri, 21 Apr 2017 09:42:22 -0400
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To:
References:
Message-ID:

2016

On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
> I will try to reproduce that. What's your MSAD version btw?
>
> Thanks,
> Marek
>
>
> On 20/04/17 23:55, Charles Hardin wrote:
>
>> Hello All,
>>
>> I have setup an instance of Keycloak 3 and connected it to AD. It is setup
>> to sync users and is writeable edit mode. I also have Password Policy Hints
>> enabled in the MSAD Account Controls mapper. I have user registration
>> turned on in Keycloak.
>>
>> When I register a user in keycloak, it creates the user in a disabled
>> state
>> in AD, and prompts the user in keycloak to change the password they just
>> set during account creation to activate the account. This then fails
>> because AD is currently configured to enforce a minimum password age of
>> one
>> day.
>>
>> I am ok with the account being created disabled, but how do I get around
>> the immediate 2nd password request?
>>
>> Thanks,
>>
>> Chuck
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From chexxor at gmail.com Fri Apr 21 14:16:58 2017
From: chexxor at gmail.com (Alex Berg)
Date: Fri, 21 Apr 2017 13:16:58 -0500
Subject: [keycloak-user] Why use keycloak-nodejs-connect instead of general OID client?
Message-ID:

I am trying to install the keycloak-nodejs-connect middleware into my app. It isn't working well, so of course I'm thinking of trying a different openid-connect client library.

What does the keycloak-nodejs-connect library do that other openid-connect client libraries don't do? It looks like one unique thing is that it listens for a logout request to be sent from the keycloak admin console, but I'm not sure as docs don't exist.

From gaalvarez0910 at gmail.com Fri Apr 21 10:40:33 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Fri, 21 Apr 2017 14:40:33 +0000
Subject: [keycloak-user] Angular 2 app whit route url whit hash problem
Message-ID:

Hello. I have an angular 2 webapp and use url routing with hash (#), for example the home url is http://ip_server:port/#/smac, but the redirect uri after login in keycloak is broken: http://ip_server:port/smac#. I use javascript client adapter keycloak 2.3.0 and the example for angular production.

Thanks.

From aucunnin at redhat.com Fri Apr 21 10:58:25 2017
From: aucunnin at redhat.com (Austin Cunningham)
Date: Fri, 21 Apr 2017 15:58:25 +0100
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
In-Reply-To:
References:
Message-ID:

Thanks Kevin and Bruno,

Managed to get bearer up and running. Small note: keycloak-connect needs an object when instantiated or it won't compile.

var keycloak = new Keycloak({});

Regards
Austin
On 20 April 2017 at 12:10, Bruno Oliveira wrote:
> Hi Austin, this is one of the bearer only examples which I can think about
> https://github.com/keycloak/keycloak-quickstarts/tree/master/service-nodejs
>
> I hope it helps.
>
> On Wed, Apr 19, 2017 at 6:02 AM Austin Cunningham
> wrote:
>
>> Hi Kevin,
>>
>> Thanks for getting back to me, I have reviewed that example before, it
>> seems to be using sessions, not bearer or jwt. Correct me if I am wrong, I
>> could be missing something. I was hoping to find an implementation of
>> http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html.
>> Regards
>> Austin
>>
>> On 19 April 2017 at 08:32, Kevin Berendsen <
>> kevin.berendsen at pharmapartners.nl> wrote:
>>
>> > Hi Austin,
>> >
>> > I believe this example is what you're looking for. [1]
>> >
>> > Make sure you read the README carefully.
>> >
>> > [1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
>> >
>> > Kind regards,
>> >
>> > Kevin
>> >
>> > -----Original message-----
>> > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On behalf of Austin Cunningham
>> > Sent: Tuesday 18 April 2017 16:54
>> > To: keycloak-user at lists.jboss.org
>> > Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
>> >
>> > Hi,
>> >
>> > I am looking for an example of JWT or Bearer implemented in Node.js with
>> > express js with Keycloak.
>> >
>> > Regards,
>> > Austin
>> > _______________________________________________
>> > keycloak-user mailing list
>> > mailto:keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>>
>>
>> --
>>
>> Austin Cunningham
>>
>> Software Engineering Intern
>>
>> Red Hat Mobile
>>
>> Communications House, Cork Road, Waterford X91NY33
>>
>> Ireland
>>
>> aucunnin at redhat.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--

Austin Cunningham

Software Engineering Intern

Red Hat Mobile

Communications House, Cork Road, Waterford X91NY33

Ireland

aucunnin at redhat.com

From ulrik.lejon at mollyware.se Fri Apr 21 17:06:26 2017
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Fri, 21 Apr 2017 21:06:26 +0000
Subject: [keycloak-user] Package custom rest endpoint in EAR
In-Reply-To:
References:
Message-ID:

Here is a link to my repository: https://github.com/ulejon/keycloak-custom-rest-provider-ear

Here is the log output when I try to deploy the ear to standalone/deployment

19:03:21,117 INFO [org.jboss.as.server.deployment] (MSC service thread 1-6) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear")
19:03:21,175 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar")
19:03:21,211 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-7) Deploying Keycloak provider: {0}
19:03:21,220 WARN [org.jboss.modules] (MSC service thread 1-7) Failed to define class se.lejon.keycloak.custom.TestRestResourceProviderFactory in Module
"deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link se/lejon/keycloak/custom/TestRestResourceProviderFactory (Module "deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main" from Service Module Loader): org/keycloak/services/resource/RealmResourceProviderFactory at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78) at org.jboss.modules.Module.loadModuleClass(Module.java:605) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370) at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) at java.util.ServiceLoader$1.next(ServiceLoader.java:480) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) 
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 19:03:21,223 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NoClassDefFoundError: Failed to link se/lejon/keycloak/custom/TestRestResourceProviderFactory (Module "deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main" from Service Module Loader): org/keycloak/services/resource/RealmResourceProviderFactory at 
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78) at org.jboss.modules.Module.loadModuleClass(Module.java:605) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370) at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) at java.util.ServiceLoader$1.next(ServiceLoader.java:480) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) ... 
5 more 19:03:21,231 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\" Caused by: java.lang.NoClassDefFoundError: Failed to link se/lejon/keycloak/custom/TestRestResourceProviderFactory (Module \"deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main\" from Service Module Loader): org/keycloak/services/resource/RealmResourceProviderFactory"}} 19:03:21,291 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found 19:03:21,292 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91) 19:03:21,292 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.UnixFileStore.(UnixFileStore.java:65) 19:03:21,293 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileStore.(LinuxFileStore.java:44) 19:03:21,293 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51) 19:03:21,293 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39) 19:03:21,294 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368) 19:03:21,294 ERROR [stderr] (DeploymentScanner-threads - 1) at java.nio.file.Files.getFileStore(Files.java:1461) 19:03:21,295 ERROR [stderr] (DeploymentScanner-threads - 1) at 
org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129)
19:03:21,295 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117)
19:03:21,296 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104)
19:03:21,296 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55)
19:03:21,297 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58)
19:03:21,297 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781)
19:03:21,297 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743)
19:03:21,298 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680)
19:03:21,298 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
19:03:21,299 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
19:03:21,299 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
19:03:21,300 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
19:03:21,300 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748)
19:03:21,300 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742)
19:03:21,301 ERROR [stderr] (DeploymentScanner-threads - 1) at java.security.AccessController.doPrivileged(Native Method)
19:03:21,301 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742)
19:03:21,302 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
19:03:21,302 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.FutureTask.run(FutureTask.java:266)
19:03:21,303 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
19:03:21,303 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
19:03:21,304 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
19:03:21,305 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
19:03:21,305 ERROR [stderr] (DeploymentScanner-threads - 1) at java.lang.Thread.run(Thread.java:745)
19:03:21,306 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.threads.JBossThread.run(JBossThread.java:320)
19:03:21,308 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
19:03:21,309 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"

On Fri, 21 Apr 2017 at 13:14, Ulrik Lejon wrote:

> According to the documentation it should be possible to drop an .ear file
> in the standalone/deployment folder.
> Based on this, what would one need to do to package the domain-extension
> example (
> https://github.com/keycloak/keycloak/tree/2.5.x/examples/providers/domain-extension)
> in a valid ear?
>
> Anyone with experience in successfully deploying ear archives that can
> share some examples?
>
> Note: I'm using keycloak 2.5.4
>
> Br
> Ulrik
>

From ulrik.lejon at mollyware.se Fri Apr 21 15:15:08 2017
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Fri, 21 Apr 2017 19:15:08 +0000
Subject: [keycloak-user] Package custom rest endpoint in EAR
In-Reply-To:
References:
Message-ID:

Here is a link to my repository: https://github.com/ulejon/keycloak-custom-rest-provider-ear

Here is the log output when I try to deploy the ear to standalone/deployment:

19:03:21,117 INFO [org.jboss.as.server.deployment] (MSC service thread 1-6) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear")
19:03:21,175 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar")
19:03:21,211 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-7) Deploying Keycloak provider: {0}
19:03:21,220 WARN [org.jboss.modules] (MSC service thread 1-7) Failed to define class se.lejon.keycloak.custom.TestRestResourceProviderFactory in Module "deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link se/lejon/keycloak/custom/TestRestResourceProviderFactory (Module "deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main" from Service Module Loader): org/keycloak/services/resource/RealmResourceProviderFactory
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
    at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
    at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
    at org.jboss.modules.Module.loadModuleClass(Module.java:605)
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:348)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
    at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
19:03:21,223 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: Failed to link se/lejon/keycloak/custom/TestRestResourceProviderFactory (Module "deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main" from Service Module Loader): org/keycloak/services/resource/RealmResourceProviderFactory
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
    at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
    at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
    at org.jboss.modules.Module.loadModuleClass(Module.java:605)
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:348)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
    at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
    ... 5 more
19:03:21,231 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\"
    Caused by: java.lang.NoClassDefFoundError: Failed to link se/lejon/keycloak/custom/TestRestResourceProviderFactory (Module \"deployment.custom-ear.ear.provider-1.0-SNAPSHOT.jar:main\" from Service Module Loader): org/keycloak/services/resource/RealmResourceProviderFactory"}}
19:03:21,291 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found
19:03:21,292 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91)
19:03:21,292 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.UnixFileStore.<init>(UnixFileStore.java:65)
19:03:21,293 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileStore.<init>(LinuxFileStore.java:44)
19:03:21,293 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51)
19:03:21,293 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39)
19:03:21,294 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368)
19:03:21,294 ERROR [stderr] (DeploymentScanner-threads - 1) at java.nio.file.Files.getFileStore(Files.java:1461)
19:03:21,295 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129)
19:03:21,295 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117)
19:03:21,296 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104)
19:03:21,296 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55)
19:03:21,297 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58)
19:03:21,297 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781)
19:03:21,297 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743)
19:03:21,298 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680)
19:03:21,298 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
19:03:21,299 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
19:03:21,299 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
19:03:21,300 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
19:03:21,300 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748)
19:03:21,300 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742)
19:03:21,301 ERROR [stderr] (DeploymentScanner-threads - 1) at java.security.AccessController.doPrivileged(Native Method)
19:03:21,301 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742)
19:03:21,302 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
19:03:21,302 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.FutureTask.run(FutureTask.java:266)
19:03:21,303 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
19:03:21,303 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
19:03:21,304 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
19:03:21,305 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
19:03:21,305 ERROR [stderr] (DeploymentScanner-threads - 1) at java.lang.Thread.run(Thread.java:745)
19:03:21,306 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.threads.JBossThread.run(JBossThread.java:320)
19:03:21,308 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
19:03:21,309 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service
jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"

On Fri, 21 Apr 2017 at 13:14, Ulrik Lejon wrote:

> According to the documentation it should be possible to drop an .ear file
> in the standalone/deployment folder.
> Based on this, what would one need to do to package the domain-extension
> example (
> https://github.com/keycloak/keycloak/tree/2.5.x/examples/providers/domain-extension)
> in a valid ear?
>
> Anyone with experience in successfully deploying ear archives that can
> share some examples?
>
> Note: I'm using keycloak 2.5.4
>
> Br
> Ulrik
>

From roger.turnau at pwc.com Fri Apr 21 15:52:54 2017
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Fri, 21 Apr 2017 09:52:54 -1000
Subject: [keycloak-user] Token Request Problems when Reverse Proxying to Keycloak Server
Message-ID:

Hi all,

We have Keycloak set up in front of an AngularJS app. The app is served up by an Apache server that lives in the DMZ, and it reverse proxies all requests to a separate server behind the DMZ. We've noticed, however, that token requests are not being successfully returned to the app, resulting in users being logged out when, for instance, they do a page refresh. Or they get logged out instantly when the Javascript adapter's authentication iframe does its heartbeat check with the Keycloak server.

Our best guess at this point is that this is an Apache issue rather than a Keycloak issue -- that our eventual solution will probably involve checking our virtual host configuration, etc -- but I still wanted to see if anyone could answer the following questions:

1. Has anyone run into the same sorts of reverse proxying issues? If so, how did you solve them?

2. What are the risks if, while searching for a solution, we were to temporarily move the Keycloak server into the DMZ, so that it is hosted on the same server that Apache is set up on? Is that an acceptable temporary fix while we work to resolve the underlying problem?

Thank you,

--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau at pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us
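As an added illustration, not part of the thread or of anyone's reply: the Apache settings that matter when Keycloak sits behind a reverse proxy as described above. Keycloak derives the scheme and host of the redirect, token-endpoint and login-status iframe URLs it hands out, and of the cookies it sets, from the request as it sees it, so a proxy that replaces the Host header or hides the HTTPS scheme gives it the internal view; the hostnames, paths and certificate locations below are placeholders, and the app is assumed to be served from the same vhost as the proxied /auth path.

```apache
# Added example, not from the thread. Placeholders: sso.example.com is the
# public vhost on the DMZ Apache, keycloak.internal:8080 the Keycloak server
# behind it; certificate paths are illustrative.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sso.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/sso.example.com.key

    # Pass the client's Host header through unchanged, so Keycloak sees
    # sso.example.com rather than keycloak.internal when it builds the
    # redirect, token-endpoint and login-status iframe URLs.
    ProxyPreserveHost On

    # The hop to Keycloak is plain HTTP; tell it the client spoke HTTPS so
    # it issues https:// URLs and marks its cookies Secure. WildFly only
    # honours these headers when proxy-address-forwarding is enabled.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Only the auth server paths go to Keycloak. With the AngularJS app
    # served from this same vhost (assumption), the adapter's token and
    # iframe requests stay on the public origin the user logged in on.
    ProxyPass        /auth http://keycloak.internal:8080/auth
    ProxyPassReverse /auth http://keycloak.internal:8080/auth

    # Do not rewrite paths or strip cookies under /auth: the login-status
    # iframe relies on the KEYCLOAK_SESSION cookie Keycloak set for this
    # host and path, and a mismatch shows up as the instant logout above.
</VirtualHost>
```

On the Keycloak side the `http-listener` in the undertow subsystem of standalone.xml needs `proxy-address-forwarding="true"` for the X-Forwarded headers to be honoured. With the proxy doing this work the auth server can stay behind the DMZ, so the only exposed surface remains the Apache vhost.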
From sblanc at redhat.com Sat Apr 22 03:32:28 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 22 Apr 2017 09:32:28 +0200
Subject: [keycloak-user] Why use keycloak-nodejs-connect instead of general OID client?
In-Reply-To:
References:
Message-ID:

On Fri, Apr 21, 2017 at 8:16 PM, Alex Berg wrote:

> I am trying to install the keycloak-nodejs-connect middleware into my app.
> It isn't working well, so of course I'm thinking of trying a different
> openid-connect client library.
>

What doesn't work well? Have you opened tickets for this?

>
> What does the keycloak-nodejs-connect library do that other openid-connect
> client libraries don't do? It looks like one unique thing is that it
> listens for a logout request to be sent from the keycloak admin console,
> but I'm not sure as docs don't exist.
>

It also handles the admin backend channel for revocation, it handles public key rotation retrieval, role-based authorization.
This is documented in the docs that exists https://keycloak.gitbooks.io/documentation/content/securing_apps/topics/oidc/nodejs-adapter.html > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Sat Apr 22 03:34:05 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Sat, 22 Apr 2017 09:34:05 +0200 Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT In-Reply-To: References: Message-ID: On Fri, Apr 21, 2017 at 4:58 PM, Austin Cunningham wrote: > Thanks Kevin and Bruno, > > Managed to get bearer up and running . Small note keycloak-connect needs an > object when instantiated or won?t compile. > > var keycloak = new Keycloak({}); > can you open a ticket for that ? I think it should be possible to do just var keycloak = new Keycloak(); > > Regards > Austin > ? > > On 20 April 2017 at 12:10, Bruno Oliveira wrote: > > > Hi Austin, this is one of bearer only examples which I can think about > > https://github.com/keycloak/keycloak-quickstarts/ > > tree/master/service-nodejs > > > > I hope it helps. > > > > On Wed, Apr 19, 2017 at 6:02 AM Austin Cunningham > > wrote: > > > >> Hi Kevin, > >> > >> Thanks for getting back to me , I have reviewed that example before , it > >> seems to be using sessions , not bearer or jwt. Correct me if I am > wrong I > >> could be missing something. I was hoping to find an implementation of > >> http://blog.keycloak.org/2015/10/authentication-of-clients- > >> with-signed.html. > >> Regards > >> Austin > >> > >> On 19 April 2017 at 08:32, Kevin Berendsen < > >> kevin.berendsen at pharmapartners.nl> wrote: > >> > >> > Hi Austin, > >> > > >> > I believe this example is what you're looking for. [1] > >> > > >> > Make sure you read the README carefully. 
> >> > > >> > [1] https://github.com/keycloak/keycloak-nodejs-connect/tree/ > >> > master/example > >> > > >> > Kind regards, > >> > > >> > Kevin > >> > > >> > -----Oorspronkelijk bericht----- > >> > Van: keycloak-user-bounces at lists.jboss.org [mailto: > >> keycloak-user-bounces@ > >> > lists.jboss.org] Namens Austin Cunningham > >> > Verzonden: dinsdag 18 april 2017 16:54 > >> > Aan: keycloak-user at lists.jboss.org > >> > Onderwerp: [keycloak-user] Example of npm keycloak-connect with bearer > >> or > >> > JWT > >> > > >> > Hi , > >> > > >> > I am looking for an example of JWT or Bearer implemented in Node.js > with > >> > express js with Keycloak . > >> > > >> > Regards, > >> > Austin > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > mailto:keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> > >> > >> > >> -- > >> > >> Austin Cunningham > >> > >> Software Engineering Intern > >> > >> Red Hat Mobile > >> > >> Communications House, Cork Road, Waterford X91NY33 > >> > >> Ireland > >> > >> aucunnin at redhat.com > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > -- > > Austin Cunningham > > Software Engineering Intern > > Red Hat Mobile > > Communications House, Cork Road, Waterford X91NY33 > > Ireland > > aucunnin at redhat.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From blackbellamy at posteo.de Sat Apr 22 09:22:19 2017 From: blackbellamy at posteo.de (BlackBellamy) Date: Sat, 22 Apr 
2017 15:22:19 +0200
Subject: [keycloak-user] Multitenancy and further segmentation
Message-ID: <0f8f5221-c8d3-20b8-051c-f1dabf84375f@posteo.de>

Hey there,

we are currently developing the following web service and are uncertain how
to achieve our goals with the aid of Keycloak as IAM:

To understand the problem I'll try to explain the case from the
non-technical side: Youth welfare sector; organizational head managing
different facilities; these facilities provide different offers; each
facility has its own employees which belong to 1..n of these offers; the
employees shall document data online about e.g. the attendees (e.g. to
record progress etc); we have to take care of very strict data protection
guidelines (especially in this sector)

Now more technically:

1) Several tenants/OUs (the facilities) will use a single web service to
record sensitive data about their patients
2) These tenants are not allowed to view other tenants' records
3) Furthermore these tenants will be graduated into departments (the
different offers)
4) A tenant's user shall be able to e.g. 'write record type A' for 1..n
departments. We'd need these roles per user (and preferably per department,
as user A may not have the same rights in each dept)
5) A tenant will have one user to manage the other users, but without the
possibility to grant himself superior rights than that
6) There shouldn't be any admin (master or other realms) that is able to
manage 'everything' online (as it implies too many possibilities for data
abuse)

Our thoughts for now are as follows:

1/2) Each facility will be represented by one realm -> strict bounds
3) A department (offer) will be represented by a group -> employees can
belong to 1..n offers
4) A user will be assigned to the roles (e.g. 'write record type A'), BUT
we won't be able to differentiate between department-specific roles (user A
may write in dept 1, but only read in dept 2)
5) Create a user with the only role: manage-users, BUT as stated here:
http://lists.jboss.org/pipermail/keycloak-user/2015-August/002814.html
he can grant himself superior rights. As JIRA is not accessible at the
moment I cannot examine the progress on that ticket.
6) Not sure about the feasibility: delete any admins and create/manage
realms over API

So far we have covered most of our goals, but have some critical problems
on items 4 - 6. Do you see any solution? Or would you recommend a completely
different strategy to cover our goals?

Thanks a lot in advance!

--
Fair winds,
Black Bellamy

From rationull at gmail.com Sat Apr 22 11:35:00 2017
From: rationull at gmail.com (Jonathan Little)
Date: Sat, 22 Apr 2017 08:35:00 -0700
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT

FWIW that was handled recently in KEYCLOAK-4685 which called it a doc bug,
implying that new Keycloak() with no args is not allowed.

Changeset:
https://github.com/keycloak/keycloak-nodejs-connect/commit/9cb0c9d2ef37370a26c12572cea6c80744c9cf84

On Sat, Apr 22, 2017 at 12:34 AM, Sebastien Blanc wrote:
> On Fri, Apr 21, 2017 at 4:58 PM, Austin Cunningham wrote:
>> Thanks Kevin and Bruno,
>>
>> Managed to get bearer up and running. Small note: keycloak-connect needs an
>> object when instantiated or won't compile.
>>
>> var keycloak = new Keycloak({});
>
> Can you open a ticket for that? I think it should be possible to do just
> var keycloak = new Keycloak();
>
>> Regards
>> Austin

From tech at psynd.net Sat Apr 22 13:51:40 2017
From: tech at psynd.net (Tech)
Date: Sat, 22 Apr 2017 19:51:40 +0200
Subject: [keycloak-user] Keycloak grant_type
Message-ID: <446c046f-3a81-e417-8608-33a0dd46dd8b@psynd.net>

Hi,

We are trying to setup a working login infrastructure as follows: an
application which we are trying to login through Keycloak.

The flow is as follows: we get to the application, which redirects us to
Keycloak, which should log the user and give correct access rights.
This works, Keycloak is putting the correct cookies (KEYCLOAK_IDENTITY,
KEYCLOAK_SESSION) and that redirects us back to the application.

The problem that we have is that we are not able to identify the user
logged in to KeyCloak. This is doable by the access_token, if we would work
with REST calls, but we only have the KEYCLOAK_IDENTITY cookie.

We are trying to somehow get the openid token with this url
/auth/realms/demo/protocol/openid-connect/token with the following URL
Encoded params:

- grant_type: authorization_code
- client_id: *client-id*
- client_secret: *secret*
- code: ???what code should we provide here??? (we tried adding the code
seen from browser requests but that throws invalid_code error)

The actual problem is that there is no available example in the
documentation (or at least we didn't find any) that shows how to setup a
login flow without access_token request.

Thanks,

Alin

From maisacaceres at gmail.com Sun Apr 23 11:42:28 2017
From: maisacaceres at gmail.com (Maísa Cáceres)
Date: Sun, 23 Apr 2017 12:42:28 -0300
Subject: [keycloak-user] User account

Hi, thank you for your reply.

I'm already using this documentation to make my requests for the user
endpoint. It works perfectly, but I can only make a request to those
endpoints if the user's token has the role admin-realm.

In my case, I want a common user to be able to change his profile data
(first name, email, for example). So when I make the same request to the
user's endpoints but with a token with the role account-management I
receive 403 as a response.

In my case I want the user of my system to be able to change his profile
data and I couldn't find a way to do it by API. Is there another endpoint to
do it?

On 20 April 2017 at 21:00, Matthew Woolnough wrote:
> Is this what you're looking for?
>
> http://www.keycloak.org/docs-api/3.0/rest-api/index.html
>
> You can also look at the Chrome Developer tools when you are making
> changes in the Keycloak Admin Interface to see how it uses the API.
>
> mW
>
> On 21 April 2017 at 07:51, Maísa Cáceres wrote:
>> Hi everyone,
>> I'm developing a system and using Keycloak to manage users.
>> I try to find out if it's possible for a user to manage his account
>> information by API, I could not find anything about it.
>> Is it possible?
>>
>> Thanks in advance.
>>
>> --
>> Maísa Cáceres

--
Maísa Cáceres

From assassin.creed60 at gmail.com Mon Apr 24 03:20:26 2017
From: assassin.creed60 at gmail.com (Jyoti Kumar Singh)
Date: Mon, 24 Apr 2017 12:50:26 +0530
Subject: [keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client

Hi Team,

We have integrated SAP HANA system as a Service Provider with the Keycloak
2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
needs to be imported at Service Provider end. But while saving the "SAML
Metadata IDPSSODescriptor" at Service Provider end, SingleSignOnService
Location is getting saved with addition of 443 port number in the
Destination URL.

For example, if Keycloak is providing IDP SingleSignOnService Location as
"https://test.example.com/auth/realms/zzz/protocol/saml", Service Provider
is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".

Once Service Provider is making an AuthnRequest call to Keycloak, it is
sending Destination URL as
"https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of
AuthnRequest. As the destination URL contains ":443" extra, Keycloak is
refusing to accept it and throws "error=invalid_authn_request,
reason=invalid_destination" error.

Looks like Keycloak is very strict about destination URL matching which is
sent from SP as part of AuthnRequest. Do we have any option in Keycloak
which will accept the Destination URL with port number in AuthnRequest or
is there any work around to handle this?

Please let me know for any other information regarding this.

--
*With Regards, Jyoti Kumar Singh*

From mposolda at redhat.com Mon Apr 24 03:38:54 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 24 Apr 2017 09:38:54 +0200
Subject: [keycloak-user] Keycloak grant_type
In-Reply-To: <446c046f-3a81-e417-8608-33a0dd46dd8b@psynd.net>
References: <446c046f-3a81-e417-8608-33a0dd46dd8b@psynd.net>

Hi,

Keycloak is using OpenID Connect / OAuth2 protocol. Once you authenticate
in Keycloak, then Keycloak redirects to the application with the "code" and
"state" parameter. Then your application is supposed to use this code in
the code-to-token request (request needs to be sent to the endpoint you
mentioned).

The important thing is, that if you use our built-in adapters, you don't
need to care about any protocol details at all. Adapter will automatically
send the request to the token endpoint and exchange the code for the token.
Similarly it automatically handles token refreshing, logouts etc. We have
examples on how to use our adapters. You can take a look at them.

You need to care about exchanging code manually etc just in case that you
can't use our adapters for some reason. But using our adapters (or at least
some other existing 3rd party OIDC/OAuth2 adapter) is the preferred way over
writing the whole OIDC/OAuth2 workflow by yourself as that's quite error
prone.

Marek

On 22/04/17 19:51, Tech wrote:
> Hi,
>
> We are trying to setup a working login infrastructure as follows: an
> application which we are trying to login through Keycloak.
>
> The flow is as follows: we get to the application, which redirects us to
> Keycloak, which should log the user and give correct access rights.
> This works, Keycloak is putting the correct cookies (KEYCLOAK_IDENTITY,
> KEYCLOAK_SESSION) and that redirects us back to the application.
>
> The problem that we have is that we are not able to identify the user
> logged in to KeyCloak. This is doable by the access_token, if we would
> work with REST calls, but we only have the KEYCLOAK_IDENTITY cookie.
>
> We are trying to somehow get the openid token with this
> url /auth/realms/demo/protocol/openid-connect/token with the following
> URL Encoded params:
>
> - grant_type: authorization_code
> - client_id: *client-id*
> - client_secret: *secret*
> - code: ???what code should we provide here??? (we tried adding the code
> seen from browser requests but that throws invalid_code error)
>
> The actual problem is that there is no available example in the
> documentation (or at least we didn't find any) that shows how to setup a
> login flow without access_token request.
>
> Thanks,
>
> Alin

From mr.beel at gmail.com Mon Apr 24 07:58:32 2017
From: mr.beel at gmail.com (Nabeel Ahmed)
Date: Mon, 24 Apr 2017 16:58:32 +0500
Subject: [keycloak-user] Issues with Keycloak and AD

I have a relevant question but different scenario.
If I have configured an ldap account with READ_ONLY mode and registrations
are off, is there a way to create local users? I mean, is there any way to
tell keycloak that it creates the user in its database instead of in ldap.

Regards,

Nabeel Ahmed
Cell # +92 333 540 5542

On Fri, Apr 21, 2017 at 6:42 PM, Charles Hardin <chardin at shadowforge-computing.com> wrote:
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>> I will try to reproduce that. What's your MSAD version btw?
>>
>> Thanks,
>> Marek
>>
>> On 20/04/17 23:55, Charles Hardin wrote:
>>> Hello All,
>>>
>>> I have setup an instance of Keycloak 3 and connected it to AD. It is setup
>>> to sync users and is writeable edit mode. I also have Password Policy Hints
>>> enabled in the MSAD Account Controls mapper. I have user registration
>>> turned on in Keycloak.
>>>
>>> When I register a user in keycloak, it creates the user in a disabled state
>>> in AD, and prompts the user in keycloak to change the password they just
>>> set during account creation to activate the account. This then fails
>>> because AD is currently configured to enforce a minimum password age of one
>>> day.
>>>
>>> I am ok with the account being created disabled, but how do I get around
>>> the immediate 2nd password request?
>>>
>>> Thanks,
>>>
>>> Chuck

From ssilvert at redhat.com Mon Apr 24 08:04:16 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 24 Apr 2017 08:04:16 -0400
Subject: [keycloak-user] Angular 2 app with route url with hash problem
Message-ID: <9b4229cc-8e61-0ddf-c359-c23ded5bfb45@redhat.com>

I'm working on an angular 2 app with Keycloak right now. It's using hash
routing and I don't have this issue.

I'm going to add a new angular 2 example to
https://github.com/keycloak/keycloak-quickstarts pretty soon. I'll think
about including an example of hash routing.

Stan

On 4/21/2017 10:40 AM, Gustavo Alvarez wrote:
> Hello.
>
> I have an angular 2 webapp and use url routing with hash (#), for example
> the home url is http://ip_server:port/#/smac, but the redirect uri after
> login in keycloak is broken: http://ip_server:port/smac#. I use the javascript
> client adapter keycloak 2.3.0 and the example for angular production.
>
> Thanks.

From mposolda at redhat.com Mon Apr 24 08:05:15 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 24 Apr 2017 14:05:15 +0200
Subject: [keycloak-user] Issues with Keycloak and AD

On 24/04/17 13:58, Nabeel Ahmed wrote:
> I have a relevant question but different scenario.
> If I have configured an ldap account with READ_ONLY mode and registrations
> are off, is there a way to create local users? I mean, is there any way to
> tell keycloak that it creates the user in its database instead of in ldap.

You mean LDAP provider has edit mode as "READ_ONLY" and "Sync
registrations" is off?

Then yes, any newly created users in Keycloak will be added just to
Keycloak DB. Not to LDAP.

Marek

From ulrik.lejon at mollyware.se Mon Apr 24 09:30:46 2017
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Mon, 24 Apr 2017 13:30:46 +0000
Subject: [keycloak-user] Get magic link for users to login
In-Reply-To: <6c296c34-b2c9-b144-a0c1-fa6c8f20c306@gmail.com>
References: <6c50a0b0-c4ff-0648-8db8-e0448eac7153@gmail.com> <6c296c34-b2c9-b144-a0c1-fa6c8f20c306@gmail.com>

Hi,

Thank you for providing this example!

The problem I'm having now is how to provide the frontend application with
the OAuth 2 bearer token? Is it possible to generate a token on behalf of
the user without knowing the user's password?

The flow right now is like this:

1. User makes a request to my custom keycloak rest endpoint to get the magic link
2. User pastes the link in the browser
3. My custom keycloak authenticator, which is first in the browser flow chain, marks the AuthenticationFlowContext as successful and sets the user property.
4. User is redirected to my frontend app

To be able to continue the flow I need to obtain an OAuth2 bearer token that
I can use in each request to my backend application.
Is there a way of doing that?

On Wed 19 Apr 2017 at 08:17 Ilya Korol wrote:
> Hi. I implemented a custom REST endpoint for the Keycloak Admin REST API,
> where the link will be constructed.
>
> For example if you go to the keycloak account client you will see in the
> browser address bar something like:
>
> http://localhost:8081/auth/realms/test-modules/protocol/openid-connect/auth?client_id=account&redirect_uri=%2Fauth%2Frealms%2Ftest-modules%2Faccount&state=41dacfb3-fa49-499e-9797-2137c618a8a8&response_type=code&scope=openid
>
> so the authenticator will play his game if you follow a similar link with
> format:
>
> ${default_authentication_link}&userId=bla&marker=blabla
>
> So construction of this link is pretty simple:
>
>     private String generateActivationLink(UserModel user, String targetClientId) {
>         ClientModel client = realm.getClientByClientId(targetClientId);
>
>         // Store the expiry and a fresh random marker on the user so the
>         // authenticator can check them when the link is followed
>         user.setSingleAttribute(ATTR_EXPIRATION, String.valueOf(computeExpirationTime(realm)));
>         user.setSingleAttribute(ATTR_MARKER, UUID.randomUUID().toString());
>
>         try {
>             URIBuilder linkUri = new URIBuilder(String.format(
>                     "%srealms/%s/protocol/openid-connect/auth",
>                     uriInfo.getBaseUri().toString(), realm.getName()
>             ))
>                     .addParameter("client_id", client.getClientId())
>                     .addParameter("redirect_uri", client.getBaseUrl())
>                     .addParameter("state", UUID.randomUUID().toString())
>                     .addParameter("response_type", "code")
>                     .addParameter("scope", "openid")
>                     // Add additional params; the names must match what the
>                     // authenticator reads ("userId" and "marker"), and
>                     // UserModel exposes the id as getId()
>                     .addParameter("userId", user.getId())
>                     .addParameter("marker", user.getFirstAttribute(ATTR_MARKER));
>
>             return linkUri.build().toString();
>         } catch (URISyntaxException e) {
>             logger.error("Unable to construct activation link");
>             return null;
>         }
>     }
>
> Expiration of the link or any other restriction could be implemented by
> adding attributes to UserModel while constructing the link and checking
> their values during authentication.
>
> The only thing that bothers me now is how secure this approach is, so it
> would be great if someone pointed me to any potential security drawbacks.
> As for me this is not less secure than the standard reset credentials flow.
>
> On 19.04.2017 15:59, Ulrik Lejon wrote:
>> Hi
>>
>> Sounds like a good idea!
>> Out of curiosity, how do you create the links? Also, will the links ever
>> expire?
>>
>> BR,
>> Ulrik
>>
>> On Wed, 19 Apr 2017, 04:02 Ilya Korol wrote:
>>> Hi, recently I implemented almost the same feature for our environment. I've
>>> done it via a custom Authenticator implementation. This authenticator is
>>> injected in the browser authentication flow as an alternative execution just
>>> before the cookie execution, and checks the request link to see whether it should
>>> authenticate the user by this link. Here is some snippet:
>>>
>>>     @Override
>>>     public void authenticate(AuthenticationFlowContext context) {
>>>         MultivaluedMap<String, String> queryParams =
>>>                 context.getHttpRequest().getUri().getQueryParameters();
>>>
>>>         // If the uri doesn't contain the appropriate query params this flow is
>>>         // not applicable, so we pass it by to the other flow chain
>>>         if (!(queryParams.containsKey("marker") && queryParams.containsKey("userId"))) {
>>>             context.attempted();
>>>             return;
>>>         }
>>>
>>>         // Extract params from request
>>>         String userId = queryParams.getFirst("userId");
>>>         String marker = queryParams.getFirst("marker");
>>>
>>>         RealmModel realm = context.getSession().getContext().getRealm();
>>>         UserModel user = context.getSession().users().getUserById(userId, realm);
>>>
>>>         // If user state doesn't match requirements this flow is not
>>>         // applicable, so we pass it by to the other flow chain
>>>         if (checkConditions(user, marker, otherStruff)) {
>>>             // User could be authenticated
>>>             context.setUser(user);
>>>             context.success();
>>>         } else {
>>>             context.attempted();
>>>         }
>>>     }
>>>
>>> On 18.04.2017 19:09, Martin Johansson wrote:
>>>> Hi!
>>>>
>>>> We want to achieve the following:
>>>>
>>>> Expose a REST endpoint where an authenticated client can retrieve a magic
>>>> login link for a specific user. We have an ID in the attributes for the
>>>> user which enables us to get the correct user.
>>>>
>>>> The reason for this is that we need to expose the possibility to send
>>>> e-mails from other systems than Keycloak. We have other ways of composing
>>>> the e-mails.
>>>>
>>>> So the wanted final state is that a user can click a link in his e-mail
>>>> client and be redirected to our app and be logged in.
>>>>
>>>> BR,
>>>> Martin
>>>>
>>>> ---------- Forwarded message ----------
>>>>> From: Ilya Korol
>>>>> To: keycloak-user at lists.jboss.org
>>>>> Date: Fri, 14 Apr 2017 15:59:10 +1000
>>>>> Subject: Re: [keycloak-user] Get magic link for users to login
>>>>>
>>>>> Hi, could you explain in more detail what you want to achieve? As for my
>>>>> team, we also implemented a custom rest endpoint, which sends customized
>>>>> emails to users. Check out org.keycloak.services.resources.admin.UsersResource
>>>>> for details of default link constructing. (methods: resetPasswordEmail(),
>>>>> executeActionsEmail(), sendVerifyEmail())
>>>>>
>>>>> On 13.04.2017 17:54, Martin Johansson wrote:
>>>>>> Is it possible to retrieve the magic link that is sent by e-mail via the
>>>>>> Java API? We have implemented an SPI with a REST interface and would like
>>>>>> to get the link for usage in custom e-mails.
>>>>>> Any hints on which provider to use are much appreciated.
>>>>>>
>>>>>> Regards,
>>>>>> Martin

From anders.kabell.kristensen at systematic.com Mon Apr 24 10:12:43 2017
From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Mon, 24 Apr 2017 07:12:43 -0700 (MST)
Subject: [keycloak-user] SAML parsing error
Message-ID: <1493043163420-3667.post@n6.nabble.com>

Hi,

We have setup Keycloak as an identity broker with a SAML IdP. Keycloak
receives a SAML response from the IdP and we can decrypt this response by
hand and it looks like we expect.

When the browser hits our SAML endpoint
(https://[domain]/auth/realms/[realm]/[client]/[IdP alias]/endpoint) we get
an exception:

org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.

The log shows this error:

PL00062: Parser : Unknown tag:AuthnStatement::location=[row,col {unknown-source}]: [1,9341]

It seems that Keycloak does not know the tag AuthnStatement even though this
is part of the SAML 2.0 standard? Are we missing something here?
Kind regards, Ulrik and Anders -- View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-parsing-error-tp3667.html Sent from the keycloak-user mailing list archive at Nabble.com. From mr.beel at gmail.com Mon Apr 24 11:37:35 2017 From: mr.beel at gmail.com (Nabeel Ahmed) Date: Mon, 24 Apr 2017 20:37:35 +0500 Subject: [keycloak-user] Issues with Keycloak and AD In-Reply-To: References: Message-ID: is this the default behaviour or we need to do any configurations ? Regards, Nabeel Ahmed Cell # +92 333 540 5542 On Mon, Apr 24, 2017 at 5:05 PM, Marek Posolda wrote: > On 24/04/17 13:58, Nabeel Ahmed wrote: > > i have relevant question but different scenario. > If i have configure ldap account with READ_ONLY mode and registration are > off. > Is there a way to create local users? I mean is there anyway to tell > keycloak that it creates user in his database instead in ldap. > > You mean LDAP provider has edit mode as "READ_ONLY" and "Sync > registrations" is off? > > Then yes, any newly created users in Keycloak will be added just to > Keycloak DB. Not to LDAP. > > Marek > > > Regards, > > Nabeel Ahmed > Cell # +92 333 540 5542 > > On Fri, Apr 21, 2017 at 6:42 PM, Charles Hardin computing.com> wrote: > >> 2016 >> >> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda >> wrote: >> >> > I will try to reproduce that. What's your MSAD version btv? >> > >> > Thanks, >> > Marek >> > >> > >> > On 20/04/17 23:55, Charles Hardin wrote: >> > >> >> Hello All, >> >> >> >> I have setup an instance of Keycloak 3 and connected it to AD. It is >> setup >> >> to sync users and is writeable edit mode. I also have Pasword Policy >> Hints >> >> enabled in the MSAD Account Controls mapper. I have user registration >> >> turned on in Keycloak. >> >> >> >> When I register a user in keycloak, it creates the user in a disabled >> >> state >> >> in AD, and prompts the user in keycloak to change the password they >> just >> >> set during account creation to activate the account. 
>> >> This then fails
>> >> because AD is currently configured to enforce a minimum password age of one
>> >> day.
>> >>
>> >> I am ok with the account being created disabled, but how do I get around
>> >> the immediate 2nd password request?
>> >>
>> >> Thanks,
>> >>
>> >> Chuck

From hendrikdev22 at gmail.com Mon Apr 24 12:55:33 2017
From: hendrikdev22 at gmail.com (Hendrik Dev)
Date: Mon, 24 Apr 2017 18:55:33 +0200
Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Hi,

I am trying to get Kerberos/SPNEGO up and running with Keycloak 3.0.0. The purpose is to provide single sign-on for users logging in via IE from a Windows domain. Keycloak itself is running on CentOS; the Kerberos server is Active Directory.

The setup is working so far, because I can log in via 'curl --negotiate'. There are also several other Java applications running in this environment which are capable of doing SPNEGO over Kerberos authentication successfully.

If the user accesses a Keycloak-protected application, the SPNEGO login does not work and the Keycloak login page is displayed instead. In the logs I see "Defective token detected (Mechanism level: GSSHeader did not find the right tag)", and that's totally right, because the browser sends 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==', which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).

For me it looks like the browser never gets either a 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak. In other words: the browser never seems to get challenged to do SPNEGO over Kerberos.
I already tried to fix it (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703), but this oddly just ends up in a Basic Auth popup from the browser.

For the client app, the standard flow as well as direct access grants are enabled. Keycloak is deployed as HA with 3 nodes and runs behind a HW load balancer, and Kerberos is set up within the LDAP Federation ().

Any ideas?

Thanks
Hendrik

--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC

From mposolda at redhat.com Mon Apr 24 14:30:27 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 24 Apr 2017 20:30:27 +0200
Subject: [keycloak-user] Issues with Keycloak and AD

The configuration is what I mentioned. You have the LDAP provider configured with "Sync registration" set to "off", and then newly created users in Keycloak won't be created in LDAP.

Marek

On 24/04/17 17:37, Nabeel Ahmed wrote:
> Is this the default behaviour or do we need to do any configuration?
>
> Regards,
>
> Nabeel Ahmed
> Cell # +92 333 540 5542
>
> On Mon, Apr 24, 2017 at 5:05 PM, Marek Posolda wrote:
>
> On 24/04/17 13:58, Nabeel Ahmed wrote:
>> I have a relevant question but a different scenario.
>> If I have configured an LDAP account with READ_ONLY mode and
>> registration is off,
>> is there a way to create local users? I mean, is there any way to
>> tell Keycloak that it creates the user in its database instead of in LDAP.
> You mean the LDAP provider has edit mode "READ_ONLY" and "Sync
> registrations" is off?
>
> Then yes, any newly created users in Keycloak will be added just
> to the Keycloak DB. Not to LDAP.
>
> Marek
>
>>
>> Regards,
>>
>> Nabeel Ahmed
>> Cell # +92 333 540 5542
>>
>> On Fri, Apr 21, 2017 at 6:42 PM, Charles Hardin wrote:
>>
>> 2016
>>
>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>>
>> > I will try to reproduce that. What's your MSAD version btw?
>> >
>> > Thanks,
>> > Marek
>> >
>> >
>> > On 20/04/17 23:55, Charles Hardin wrote:
>> >
>> >> Hello All,
>> >>
>> >> I have set up an instance of Keycloak 3 and connected it to
>> AD. It is set up
>> >> to sync users and is in writable edit mode. I also have
>> Password Policy Hints
>> >> enabled in the MSAD Account Controls mapper. I have user
>> registration
>> >> turned on in Keycloak.
>> >>
>> >> When I register a user in Keycloak, it creates the user in
>> a disabled
>> >> state
>> >> in AD, and prompts the user in Keycloak to change the
>> password they just
>> >> set during account creation to activate the account. This
>> then fails
>> >> because AD is currently configured to enforce a minimum
>> password age of
>> >> one
>> >> day.
>> >>
>> >> I am ok with the account being created disabled, but how
>> do I get around
>> >> the immediate 2nd password request?
>> >>
>> >> Thanks,
>> >>
>> >> Chuck

From bburke at redhat.com Mon Apr 24 18:50:22 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 24 Apr 2017 18:50:22 -0400
Subject: [keycloak-user] SAML parsing error
In-Reply-To: <1493043163420-3667.post@n6.nabble.com>
References: <1493043163420-3667.post@n6.nabble.com>

Without seeing the XML it is impossible for me to help you. I believe you need to go to character 9341 to see what Keycloak doesn't understand about the assertion. Your IDP may be sending an XML type that Keycloak does not support yet.

On 4/24/17 10:12 AM, Anders KK wrote:
> Hi,
>
> We have set up Keycloak as an identity broker with a SAML IdP.
> Keycloak receives a SAML response from the IdP and we can decrypt this response by
> hand and it looks like we expect.
>
> When the browser hits our SAML endpoint
> (https://[domain]/auth/realms/[realm]/[client]/[IdP alias]/endpoint) we get
> an exception:
> org.keycloak.broker.provider.IdentityBrokerException: Could not process
> response from SAML identity provider.
>
> The log shows this error: PL00062: Parser : Unknown
> tag:AuthnStatement::location=[row,col {unknown-source}]: [1,9341]
>
> It seems that Keycloak does not know the tag AuthnStatement even though this
> is part of the SAML 2.0 standard?
> Are we missing something here?
>
> Kind regards,
> Ulrik and Anders

From assassin.creed60 at gmail.com Mon Apr 24 23:29:10 2017
From: assassin.creed60 at gmail.com (Jyoti Kumar Singh)
Date: Tue, 25 Apr 2017 08:59:10 +0530
Subject: [keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client

Hi Team,

Is there any suggestion for me to look into regarding the Keycloak invalid_authn_request error for the SAML client?

On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <assassin.creed60 at gmail.com> wrote:

> Hi Team,
>
> We have integrated the SAP HANA system as a Service Provider with Keycloak
> version 2.2.1.Final and provided the "SAML Metadata IDPSSODescriptor", which
> needs to be imported at the Service Provider end.
>
> But while saving the "SAML Metadata IDPSSODescriptor" at the Service Provider
> end, the SingleSignOnService Location is getting saved with the addition of the 443
> port number in the Destination URL.
> For example, if Keycloak is providing the
> IDP SingleSignOnService Location as "https://test.example.com/auth/realms/zzz/protocol/saml",
> the Service Provider is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".
>
> Once the Service Provider makes an AuthnRequest call to Keycloak, it is
> sending the Destination URL "https://test.example.com:443/auth/realms/zzz/protocol/saml"
> as part of the AuthnRequest. As the destination URL contains an extra ":443",
> Keycloak is refusing to accept it and throws the
> "error=invalid_authn_request, reason=invalid_destination" error.
>
> Looks like Keycloak is very strict about matching the destination URL which is
> sent from the SP as part of the AuthnRequest. Do we have any option in Keycloak
> which will accept the Destination URL with the port number in the AuthnRequest, or
> is there any workaround to handle this?
>
> Please let me know for any other information regarding this.
>
> --
>
> *With Regards, Jyoti Kumar Singh*

--
*With Regards, Jyoti Kumar Singh*

From hmlnarik at redhat.com Tue Apr 25 02:30:56 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 25 Apr 2017 08:30:56 +0200
Subject: [keycloak-user] SAML parsing error
In-Reply-To: <1493043163420-3667.post@n6.nabble.com>
References: <1493043163420-3667.post@n6.nabble.com>

Can you please share the SAML document? AuthnStatements are handled by Keycloak; this seems rather an issue with the format of the SAML document.

Thanks

--Hynek

On Mon, Apr 24, 2017 at 4:12 PM, Anders KK wrote:
> Hi,
>
> We have set up Keycloak as an identity broker with a SAML IdP. Keycloak
> receives a SAML response from the IdP and we can decrypt this response by
> hand and it looks like we expect.
>
> When the browser hits our SAML endpoint
> (https://[domain]/auth/realms/[realm]/[client]/[IdP alias]/endpoint) we get
> an exception:
> org.keycloak.broker.provider.IdentityBrokerException: Could not process
> response from SAML identity provider.
>
> The log shows this error: PL00062: Parser : Unknown
> tag:AuthnStatement::location=[row,col {unknown-source}]: [1,9341]
>
> It seems that Keycloak does not know the tag AuthnStatement even though this
> is part of the SAML 2.0 standard?
> Are we missing something here?
>
> Kind regards,
> Ulrik and Anders

--
--Hynek

From anders.kabell.kristensen at systematic.com Tue Apr 25 02:57:46 2017
From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Mon, 24 Apr 2017 23:57:46 -0700 (MST)
Subject: [keycloak-user] SAML parsing error
References: <1493043163420-3667.post@n6.nabble.com>
Message-ID: <1493103466160-3674.post@n6.nabble.com>

SAML-response.xml

Please find the response attached.
As far as we can see, character 9341 is inside the base64-encoded chunk of
the Privileges_intermediate attribute. However, the error mentioned (Unknown
tag:AuthnStatement) is at a later position.

Thanks
Ulrik and Anders

From mposolda at redhat.com Tue Apr 25 03:33:59 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Apr 2017 09:33:59 +0200
Subject: [keycloak-user] Issues with Keycloak and AD
Message-ID: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>

I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have the same setup as you (Password Policy Hints enabled, Writable edit mode).
After the registration, the user's password is successfully updated in MSAD and I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is updated to the latest time, userAccountControl is 512, which corresponds to a fully created and enabled user).

Not sure if the difference is with your MSAD setup or if this is related to MSAD 2016. We don't test with this version yet.

The workaround might be to disable "Password Policy Hints". But then some advanced password policies won't work (password history etc).

Marek

On 21/04/17 15:42, Charles Hardin wrote:
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>
> I will try to reproduce that. What's your MSAD version btw?
>
> Thanks,
> Marek
>
>
> On 20/04/17 23:55, Charles Hardin wrote:
>
> Hello All,
>
> I have set up an instance of Keycloak 3 and connected it to AD.
> It is set up
> to sync users and is in writable edit mode. I also have Password
> Policy Hints
> enabled in the MSAD Account Controls mapper. I have user
> registration
> turned on in Keycloak.
>
> When I register a user in Keycloak, it creates the user in a
> disabled state
> in AD, and prompts the user in Keycloak to change the password
> they just
> set during account creation to activate the account. This then
> fails
> because AD is currently configured to enforce a minimum
> password age of one
> day.
>
> I am ok with the account being created disabled, but how do I
> get around
> the immediate 2nd password request?
>
> Thanks,
>
> Chuck

From hmlnarik at redhat.com Tue Apr 25 03:56:18 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 25 Apr 2017 09:56:18 +0200
Subject: [keycloak-user] SAML parsing error
In-Reply-To: <1493103466160-3674.post@n6.nabble.com>
References: <1493043163420-3667.post@n6.nabble.com> <1493103466160-3674.post@n6.nabble.com>

Thanks, this is a bug in the KC SAML parser: it does not properly handle an empty attribute value set by an empty element in the last attribute of the AttributeStatement:

[...]

Could you please file a JIRA issue? If that is possible for you, you might be able to work around the issue by changing the order of attributes to put an attribute that would never be empty in the last position.

Thanks

--Hynek

On Tue, Apr 25, 2017 at 8:57 AM, Anders KK wrote:
> SAML-response.xml
>
> Please find the response attached.
> As far as we can see, character 9341 is inside the base64-encoded chunk of
> the Privileges_intermediate attribute. However, the error mentioned (Unknown
> tag:AuthnStatement) is at a later position.
>
> Thanks
> Ulrik and Anders
--
--Hynek

From anders.kabell.kristensen at systematic.com Tue Apr 25 04:35:02 2017
From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Tue, 25 Apr 2017 01:35:02 -0700 (MST)
Subject: [keycloak-user] SAML parsing error
References: <1493043163420-3667.post@n6.nabble.com> <1493103466160-3674.post@n6.nabble.com>
Message-ID: <1493109302868-3677.post@n6.nabble.com>

Thank you so much, Hynek.
We created the following JIRA: KEYCLOAK-4790
We have a workaround for now.

Ulrik and Anders

From tech at psynd.net Tue Apr 25 06:31:18 2017
From: tech at psynd.net (Tech)
Date: Tue, 25 Apr 2017 12:31:18 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO

Dear experts,

we are working with Moodle, a PHP-based platform, where we have been able to configure Keycloak correctly to implement OIDC.

To test Keycloak we cloned this application, with different URLs, and we did the first test:

* Connect to portal1
* User not recognized and redirected to Keycloak through OIDC
* Enter credentials stored in Keycloak
* User accepted and redirected to portal1
* Logout from portal1

After this we tested the second application:

* Connect to portal2
* User not recognized and redirected to Keycloak through OIDC
* Enter credentials stored in Keycloak
* User accepted and redirected to portal2
* Logout from portal2

In this case I know that OIDC is working for the two applications and we can expect that SSO is also working, but after the login to portal1 we have to log in again to portal2, and vice versa.

We attach some logs below; could you please help?
Thanks

*Login to portal1*

2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing? false
2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE ONLY
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-cookie
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: auth-cookie
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-spnego requirement: DISABLED
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is processed
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: identity-provider-redirector
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: identity-provider-redirector
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: null requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is flow
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-username-password-form requirement: REQUIRED
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-username-password-form
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template.ftl"): Found
2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
2017-04-25 09:54:45,064 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator CHALLENGE: auth-username-password-form
2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper commit
2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper end
2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac

*After authentication to portal1*

2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new JtaTransactionWrapper
2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was existing? false
2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-31) authenticationAction
2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-spnego requirement: DISABLED
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: null requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-username-password-form requirement: REQUIRED
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) action: auth-username-password-form
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator SUCCESS: auth-username-password-form
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check execution: auth-otp-form requirement: OPTIONAL
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator: auth-otp-form
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
2017-04-25 09:54:56,141 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-31) Hibernate RegisteredSynchronization successfully registered with JTA platform
2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
2017-04-25 09:54:56,142 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
2017-04-25 09:54:56,143 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) type=LOGIN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodleiam/auth/oidc/, consent=no_consent_required, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Removing old user session: session: 9a5218f8-aa9c-496c-aa00-780430f19c1b
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring remember me cookie
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
2017-04-25 09:54:56,146 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) redirectAccessCode: state: bIJNAcPb8Rxz8Wb
2017-04-25 09:54:56,146 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
2017-04-25 09:54:56,149 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: returnConnection(4edba62b, false) [0/20]
2017-04-25 09:54:56,149 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterTransaction
2017-04-25 09:54:56,149 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end
2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new JtaTransactionWrapper
2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was existing? false
2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-24) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-24) AUTHENTICATE CLIENT
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator: client-secret
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator SUCCESS: client-secret
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) Client moodle authenticated by client-secret
2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=75173922-dd56-44ca-9255-9a5368e557f4, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, client_auth_method=client-secret
2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper commit
2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper end

*Login to portal2*

2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new JtaTransactionWrapper
2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was existing? false
2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE ONLY
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-cookie
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
2017-04-25 09:56:17,569 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-6) Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: auth-cookie
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-spnego requirement: DISABLED
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is processed
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: identity-provider-redirector
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: identity-provider-redirector
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: null requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is flow
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-username-password-form requirement: REQUIRED
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-username-password-form
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template.ftl"): Found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
2017-04-25 09:56:17,573 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator CHALLENGE: auth-username-password-form
2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper commit
2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper end

*After authentication to portal2*

2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new JtaTransactionWrapper
2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was existing? false
2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-4) authenticationAction
2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-spnego requirement: DISABLED
2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: null requirement: ALTERNATIVE
2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-username-password-form requirement: REQUIRED
2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) action: auth-username-password-form
2017-04-25 09:56:29,099 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator SUCCESS: auth-username-password-form
2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check execution: auth-otp-form requirement: OPTIONAL
2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator: auth-otp-form
2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
2017-04-25 09:56:29,100 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-4) Hibernate RegisteredSynchronization successfully registered with JTA platform
2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
2017-04-25 09:56:29,101 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: getConnection(null, WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20] 2017-04-25 09:56:29,102 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=? 2017-04-25 09:56:29,103 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=? 2017-04-25 09:56:29,104 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4) type=LOGIN, realmId=Demo, clientId=moodle2, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodle2iam/auth/oidc/, consent=no_consent_required, code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser 2017-04-25 09:56:29,104 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Removing old user session: session: 431cecf6-5a6b-4bbc-9467-3f52eff8090f 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Expiring 
remember me cookie 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo 2017-04-25 09:56:29,105 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: WUCTMXokISFDbFN 2017-04-25 09:56:29,105 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) JtaTransactionWrapper commit 2017-04-25 09:56:29,106 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: returnConnection(4edba62b, false) [0/20] 2017-04-25 09:56:29,106 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterTransaction 2017-04-25 09:56:29,106 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) JtaTransactionWrapper end 2017-04-25 09:56:29,626 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new JtaTransactionWrapper 2017-04-25 09:56:29,626 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was existing? 
false 2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-13) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE CLIENT 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) client authenticator: client-secret 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) client authenticator SUCCESS: client-secret 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) Client moodle2 authenticated by client-secret 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=ff9b3385-1362-4559-ad53-05317755b280, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, client_auth_method=client-secret 2017-04-25 09:56:29,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) JtaTransactionWrapper commit 2017-04-25 09:56:29,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) JtaTransactionWrapper end 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1) Error reading request: java.io.IOException: Connection reset by peer at sun.nio.ch.FileDispatcherImpl.read0(Native Method) at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) at sun.nio.ch.IOUtil.read(IOUtil.java:192) at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282) at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658) at 
From mposolda at redhat.com Tue Apr 25 06:41:47 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Apr 2017 12:41:47 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To:
References:
Message-ID: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com>

If you don't do "Logout from portal1" at the end of the first test, then SSO should work and you will be automatically logged into portal2 without a need to put your credentials. The logout is an "SSO logout", hence it also kills the SSO session on the Keycloak side and requires the user to re-login.

Marek

On 25/04/17 12:31, Tech wrote:
> Dear experts,
>
> we are working with Moodle, a PHP based platform, where we have been
> able to configure correctly Keycloak to implement OIDC.
>
> To test Keycloak we cloned this application, with different URLs, and we
> did the first test:
>
> * Connect to portal1
> * User not recognized and redirected to Keycloak through OIDC
> * Enter credentials stored into Keycloak
> * User accepted and redirected to portal1
> * Logout from portal1
>
> After this we tested the second application:
>
> * Connect to portal2
> * User not recognized and redirected to Keycloak through OIDC
> * Enter credentials stored into Keycloak
> * User accepted and redirected to portal2
> * Logout from portal2
>
> In this case I know that OIDC is working for the two applications and we
> can expect that the SSO is also working, but after the login in portal1
> we have to log in again to portal2, and vice versa.
>
> We attach below here some logs, could you please help?
>
> Thanks
From tech at psynd.net Tue Apr 25 06:53:29 2017
From: tech at psynd.net (Tech)
Date: Tue, 25 Apr 2017 12:53:29 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com>
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com>
Message-ID:

Hello Marek,

maybe my email was confusing. We initially ran two tests where we log in and log out of both portals to check that OIDC is working on each of them.
Once we know that OIDC is working, we then expect to log in to portal1 and open portal2, finding ourselves already logged in, but this doesn't happen and we are forced to log in again.

On 25/04/17 12:41, Marek Posolda wrote:
> If you don't do "Logout from portal1" at the end of the first test, then
> SSO should work and you will be automatically logged into portal2
> without needing to enter your credentials.
>
> The logout is "SSO logout", hence it also kills the SSO session on the
> Keycloak side and requires the user to log in again.
>
> Marek
>
> On 25/04/17 12:31, Tech wrote:
>> Dear experts,
>>
>> we are working with Moodle, a PHP based platform, where we have been
>> able to configure Keycloak correctly to implement OIDC.
>>
>> To test Keycloak we cloned this application with different URLs, and we
>> did the first test:
>>
>> * Connect to portal1
>> * User not recognized and redirected to Keycloak through OIDC
>> * Enter credentials stored in Keycloak
>> * User accepted and redirected to portal1
>> * Logout from portal1
>>
>> After this we tested the second application:
>>
>> * Connect to portal2
>> * User not recognized and redirected to Keycloak through OIDC
>> * Enter credentials stored in Keycloak
>> * User accepted and redirected to portal2
>> * Logout from portal2
>>
>> In this case I know that OIDC is working for the two applications and we
>> can expect that SSO is also working, but after the login to portal1
>> we have to log in again to portal2, and vice versa.
>>
>> We attach some logs below; could you please help?
>>
>> Thanks
>>
>> *Login to portal1*
>>
>> *After authentication to portal1*
>>
>> *Login to portal2*
>>
>> *After authentication to portal2*
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >> JtaTransactionWrapper commit >> 2017-04-25 09:56:29,656 DEBUG >> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >> JtaTransactionWrapper end >> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1) >> Error reading request: java.io.IOException: Connection reset by peer >> at sun.nio.ch.FileDispatcherImpl.read0(Native Method) >> at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) >> at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) >> at sun.nio.ch.IOUtil.read(IOUtil.java:192) >> at >> sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) >> at >> org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282) >> at >> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658) >> at >> io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530) >> at >> org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) >> >> at >> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152) >> >> at >> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130) >> >> at >> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56) >> >> at >> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >> >> at >> org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) >> >> at >> io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059) >> >> at >> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) >> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From mposolda at redhat.com Tue Apr 25 06:56:42 2017 From: mposolda at 
redhat.com (Marek Posolda) Date: Tue, 25 Apr 2017 12:56:42 +0200 Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0 In-Reply-To: References: Message-ID:

On 24/04/17 18:55, Hendrik Dev wrote:
> Hi,
>
> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
> The purpose is to provide single sign-on for users logging in via IE from
> a Windows domain.
> Keycloak itself is running on CentOS; the Kerberos server is Active
> Directory. The setup is working so far because I can log in via 'curl
> --negotiate'. There are also several other Java applications running
> in this environment which are capable of doing SPNEGO over Kerberos
> authentication successfully.
>
> If the user accesses a Keycloak-protected application, the SPNEGO login
> does not work and the Keycloak login page is displayed instead.
> In the logs I see "Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)" and that's totally right because
> the browser sends
> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>
> For me it looks like the browser never gets either a
> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
> In other words: the browser never seems to get challenged to do
> SPNEGO over Kerberos.

I will try to summarize, if I understand correctly:

1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
2) Your browser replied with the SPNEGO-NTLM token, like "Authorization: Negotiate ntlm-token-is-here"
3) Keycloak replied with "WWW-Authenticate: Negotiate spnego-token-asking-to-send-kerberos-instead-of-ntlm"
4) Your browser didn't reply anything back

Is that correct? It seems that your browser doesn't have a Kerberos ticket, which is why it uses NTLM instead. I think the best would be to fix your environment so that it sends a Kerberos token instead of NTLM at step 2.
Marek

> I already tried to fix it
> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
> but this oddly just ends up in a Basic Auth popup from the browser.
> For the client app the standard flow as well as direct access grants
> are enabled.
>
> Keycloak is deployed as HA with 3 nodes and runs behind a HW
> load balancer, and Kerberos is set up within the LDAP Federation ()
>
> Any ideas?
>
> Thanks
> Hendrik

From Bettina.Huebner at kvbawue.de Tue Apr 25 07:13:51 2017 From: Bettina.Huebner at kvbawue.de (Hübner, Bettina) Date: Tue, 25 Apr 2017 11:13:51 +0000 Subject: [keycloak-user] Signed JWT and Policy Enforcement Message-ID:

Hi,

we use the Keycloak Spring Security Adapter and fine-grained authorization settings for a Spring Boot app and it works fine. I now tried to use signed JWT for client authentication instead of client secret but get an error message ("Client Secret not provided") when starting our app. It seems the AuthzClient expects to find a "secret" entry in the keycloak.json. If I remove the policy enforcer claim, there is no error.

Can anyone help?

Thanks
Bettina

From psilva at redhat.com Tue Apr 25 07:47:14 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 25 Apr 2017 08:47:14 -0300 Subject: [keycloak-user] Signed JWT and Policy Enforcement In-Reply-To: References: Message-ID:

Hi,

This is a known issue. We need to support whatever credential you have in keycloak.json. I have created https://issues.jboss.org/browse/KEYCLOAK-4792. Will try to work on it before next release.

Regards.
Pedro Igor

On Tue, Apr 25, 2017 at 8:13 AM, Hübner, Bettina wrote:
> Hi,
>
> we use the Keycloak Spring Security Adapter and fine-grained authorization
> settings for a Spring Boot app and it works fine. I now tried to use signed
> JWT for client authentication instead of client secret but get an error
> message ("Client Secret not provided") when starting our app.
> It seems the AuthzClient expects to find a "secret" entry in the keycloak.json. If I
> remove the policy enforcer claim, there is no error.
>
> Can anyone help?
>
> Thanks
> Bettina

From tech at psynd.net Tue Apr 25 08:18:01 2017 From: tech at psynd.net (Tech) Date: Tue, 25 Apr 2017 14:18:01 +0200 Subject: [keycloak-user] Two OIDC working, but not SSO In-Reply-To: References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> Message-ID: <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net>

Anybody with any ideas?

On 25/04/17 12:53, Tech wrote:
>
> Hello Marek,
>
> maybe my email was confusing: we initially ran two tests where we log in
> and log out on both portals to check that OIDC is working on each of
> them.
>
> Once we know that OIDC is working, then we are expecting to log in to
> portal1 and open portal2, to find ourselves already logged in, but this
> doesn't happen and we are forced to log in again
>
>
> On 25/04/17 12:41, Marek Posolda wrote:
>> If you don't do "Logout from portal1" at the end of the first test, then
>> SSO should work and you will be automatically logged into portal2
>> without a need to put in your credentials.
>>
>> The logout is an "SSO logout", hence it also kills the SSO session on
>> the Keycloak side and requires the user to re-login.
>>
>> Marek
>>
>> On 25/04/17 12:31, Tech wrote:
>>> Dear experts,
>>>
>>> we are working with Moodle, a PHP-based platform, where we have been
>>> able to configure Keycloak correctly to implement OIDC.
>>>
>>> To test Keycloak we cloned this application with different URLs, and we
>>> did the first test:
>>>
>>> * Connect to portal1
>>> * User not recognized and redirected to Keycloak through OIDC
>>> * Enter credentials stored in Keycloak
>>> * User accepted and redirected to portal1
>>> * Logout from portal1
>>>
>>> After this we tested the second application:
>>>
>>> * Connect to portal2
>>> * User not recognized and redirected to Keycloak through OIDC
>>> * Enter credentials stored in Keycloak
>>> * User accepted and redirected to portal2
>>> * Logout from portal2
>>>
>>> In this case I know that OIDC is working for the two applications and we
>>> can expect that the SSO is also working, but after the login to portal1
>>> we have to log in again to portal2, and vice versa.
>>>
>>> We attach some logs below; could you please help?
>>>
>>> Thanks
>>>
>>> *Login to portal1*
>>>
>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing?
false >>> 2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-30) RESTEASY002315: PathInfo: >>> /realms/demo/protocol/openid-connect/auth >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-30) >>> AUTHENTICATE >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-30) >>> AUTHENTICATE ONLY >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) processFlow >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) check execution: auth-cookie requirement: ALTERNATIVE >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) authenticator: auth-cookie >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) invoke authenticator.authenticate >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default >>> task-30) >>> Could not find cookie: KEYCLOAK_IDENTITY >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) authenticator ATTEMPTED: auth-cookie >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) check execution: auth-spnego requirement: DISABLED >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) execution is processed >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) check execution: identity-provider-redirector requirement: >>> ALTERNATIVE >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) authenticator: identity-provider-redirector >>> 
2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) invoke authenticator.authenticate >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) authenticator ATTEMPTED: identity-provider-redirector >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) check execution: null requirement: ALTERNATIVE >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) execution is flow >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) processFlow >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) check execution: auth-username-password-form requirement: >>> REQUIRED >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) authenticator: auth-username-password-form >>> 2017-04-25 09:54:45,059 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) invoke authenticator.authenticate >>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found >>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>> TemplateLoader.findTemplateSource("template.ftl"): Found >>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) >>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed. 
>>> 2017-04-25 09:54:45,064 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-30) authenticator CHALLENGE: auth-username-password-form >>> 2017-04-25 09:54:45,064 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>> JtaTransactionWrapper commit >>> 2017-04-25 09:54:45,064 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>> JtaTransactionWrapper end >>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic >>> Recovery) Send recover request for transaction origin node identifier 1 >>> to EJB receiver with node name 79051ccf69ac >>> >>> >>> >>> >>> *After authentication to portal1** >>> * >>> 2017-04-25 09:54:56,041 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new >>> JtaTransactionWrapper >>> 2017-04-25 09:54:56,041 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was >>> existing? false >>> 2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-31) RESTEASY002315: PathInfo: >>> /realms/Demo/login-actions/authenticate >>> 2017-04-25 09:54:56,042 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-31) >>> authenticationAction >>> 2017-04-25 09:54:56,042 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) check: auth-cookie requirement: ALTERNATIVE >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) execution is processed >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) check: auth-spnego requirement: DISABLED >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> 
task-31) execution is processed >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) check: identity-provider-redirector requirement: ALTERNATIVE >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) execution is processed >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) check: null requirement: ALTERNATIVE >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) check: auth-username-password-form requirement: REQUIRED >>> 2017-04-25 09:54:56,043 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) action: auth-username-password-form >>> 2017-04-25 09:54:56,141 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) authenticator SUCCESS: auth-username-password-form >>> 2017-04-25 09:54:56,141 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) processFlow >>> 2017-04-25 09:54:56,141 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) check execution: auth-otp-form requirement: OPTIONAL >>> 2017-04-25 09:54:56,141 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) authenticator: auth-otp-form >>> 2017-04-25 09:54:56,141 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-31) processFlow >>> 2017-04-25 09:54:56,141 DEBUG >>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>> >>> (default task-31) Hibernate RegisteredSynchronization successfully >>> registered with JTA platform >>> 2017-04-25 09:54:56,142 DEBUG 
[org.hibernate.SQL] (default task-31) >>> select >>> roleentity0_.ID as col_0_0_ >>> from >>> KEYCLOAK_ROLE roleentity0_ >>> where >>> roleentity0_.CLIENT_ROLE=0 >>> and roleentity0_.NAME=? >>> and roleentity0_.REALM=? >>> 2017-04-25 09:54:56,142 DEBUG >>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>> task-31) MySqlDS: getConnection(null, >>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20] >>> 2017-04-25 09:54:56,143 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-31) Initiating JDBC connection release from >>> afterStatement >>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31) >>> select >>> roleentity0_.ID as col_0_0_ >>> from >>> KEYCLOAK_ROLE roleentity0_ >>> where >>> roleentity0_.CLIENT_ROLE=0 >>> and roleentity0_.NAME=? >>> and roleentity0_.REALM=? >>> 2017-04-25 09:54:56,144 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-31) Initiating JDBC connection release from >>> afterStatement >>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31) >>> select >>> roleentity0_.ID as col_0_0_ >>> from >>> KEYCLOAK_ROLE roleentity0_ >>> where >>> roleentity0_.CLIENT_ROLE=0 >>> and roleentity0_.NAME=? >>> and roleentity0_.REALM=? 
>>> 2017-04-25 09:54:56,144 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-31) Initiating JDBC connection release from >>> afterStatement >>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) >>> type=LOGIN, realmId=Demo, clientId=moodle, >>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, >>> auth_method=openid-connect, auth_type=code, >>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>> consent=no_consent_required, >>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser >>> 2017-04-25 09:54:56,145 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default >>> task-31) >>> Removing old user session: session: >>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>> 2017-04-25 09:54:56,145 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default >>> task-31) >>> Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, >>> max-age: -1 >>> 2017-04-25 09:54:56,145 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default >>> task-31) >>> Expiring remember me cookie >>> 2017-04-25 09:54:56,145 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default >>> task-31) >>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>> 2017-04-25 09:54:56,146 DEBUG >>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) >>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>> 2017-04-25 09:54:56,146 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) >>> JtaTransactionWrapper commit >>> 2017-04-25 09:54:56,149 DEBUG >>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>> 2017-04-25 09:54:56,149 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-31) Initiating JDBC connection release from >>> afterTransaction >>> 2017-04-25 09:54:56,149 DEBUG 
>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) >>> JtaTransactionWrapper end >>> 2017-04-25 09:54:56,642 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new >>> JtaTransactionWrapper >>> 2017-04-25 09:54:56,642 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was >>> existing? false >>> 2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-24) RESTEASY002315: PathInfo: >>> /realms/demo/protocol/openid-connect/token >>> 2017-04-25 09:54:56,643 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-24) >>> AUTHENTICATE CLIENT >>> 2017-04-25 09:54:56,643 DEBUG >>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>> task-24) >>> client authenticator: client-secret >>> 2017-04-25 09:54:56,643 DEBUG >>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>> task-24) >>> client authenticator SUCCESS: client-secret >>> 2017-04-25 09:54:56,643 DEBUG >>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>> task-24) >>> Client moodle authenticated by client-secret >>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) >>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, >>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, >>> token_id=75173922-dd56-44ca-9255-9a5368e557f4, >>> grant_type=authorization_code, refresh_token_type=Refresh, >>> refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, >>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>> client_auth_method=client-secret >>> 2017-04-25 09:54:56,663 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) >>> JtaTransactionWrapper commit >>> 2017-04-25 09:54:56,663 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) >>> JtaTransactionWrapper end >>> >>> >>> >>> >>> *Login to portal2** >>> * >>> 2017-04-25 09:56:17,566 DEBUG >>> 
[org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new >>> JtaTransactionWrapper >>> 2017-04-25 09:56:17,566 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was >>> existing? false >>> 2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-6) RESTEASY002315: PathInfo: >>> /realms/demo/protocol/openid-connect/auth >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-6) >>> AUTHENTICATE >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-6) >>> AUTHENTICATE ONLY >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> processFlow >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> check execution: auth-cookie requirement: ALTERNATIVE >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> authenticator: auth-cookie >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> invoke authenticator.authenticate >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default task-6) >>> Could not find cookie: KEYCLOAK_IDENTITY >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> authenticator ATTEMPTED: auth-cookie >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> check execution: auth-spnego requirement: DISABLED >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> execution is processed >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> check 
execution: identity-provider-redirector requirement: ALTERNATIVE >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> authenticator: identity-provider-redirector >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> invoke authenticator.authenticate >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> authenticator ATTEMPTED: identity-provider-redirector >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> check execution: null requirement: ALTERNATIVE >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> execution is flow >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> processFlow >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> check execution: auth-username-password-form requirement: REQUIRED >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> authenticator: auth-username-password-form >>> 2017-04-25 09:56:17,569 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> invoke authenticator.authenticate >>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found >>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>> TemplateLoader.findTemplateSource("template.ftl"): Found >>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>> "template.ftl"("en_US", 
UTF-8, parsed): using cached since >>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed. >>> 2017-04-25 09:56:17,573 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-6) >>> authenticator CHALLENGE: auth-username-password-form >>> 2017-04-25 09:56:17,573 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) >>> JtaTransactionWrapper commit >>> 2017-04-25 09:56:17,573 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) >>> JtaTransactionWrapper end >>> >>> >>> >>> >>> *After authentication to portal2** >>> * >>> 2017-04-25 09:56:29,001 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new >>> JtaTransactionWrapper >>> 2017-04-25 09:56:29,001 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was >>> existing? false >>> 2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-4) RESTEASY002315: PathInfo: >>> /realms/Demo/login-actions/authenticate >>> 2017-04-25 09:56:29,002 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-4) >>> authenticationAction >>> 2017-04-25 09:56:29,002 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>> 2017-04-25 09:56:29,002 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> check: auth-cookie requirement: ALTERNATIVE >>> 2017-04-25 09:56:29,002 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> execution is processed >>> 2017-04-25 09:56:29,002 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> check: auth-spnego requirement: DISABLED >>> 2017-04-25 09:56:29,002 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> execution is processed >>> 2017-04-25 09:56:29,004 DEBUG >>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> check: identity-provider-redirector requirement: ALTERNATIVE >>> 2017-04-25 09:56:29,004 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> execution is processed >>> 2017-04-25 09:56:29,004 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> check: null requirement: ALTERNATIVE >>> 2017-04-25 09:56:29,004 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>> 2017-04-25 09:56:29,004 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> check: auth-username-password-form requirement: REQUIRED >>> 2017-04-25 09:56:29,004 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> action: auth-username-password-form >>> 2017-04-25 09:56:29,099 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> authenticator SUCCESS: auth-username-password-form >>> 2017-04-25 09:56:29,100 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> processFlow >>> 2017-04-25 09:56:29,100 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> check execution: auth-otp-form requirement: OPTIONAL >>> 2017-04-25 09:56:29,100 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> authenticator: auth-otp-form >>> 2017-04-25 09:56:29,100 DEBUG >>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>> task-4) >>> processFlow >>> 2017-04-25 09:56:29,100 DEBUG >>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>> >>> (default task-4) Hibernate RegisteredSynchronization successfully >>> registered with JTA platform >>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4) 
>>> select >>> roleentity0_.ID as col_0_0_ >>> from >>> KEYCLOAK_ROLE roleentity0_ >>> where >>> roleentity0_.CLIENT_ROLE=0 >>> and roleentity0_.NAME=? >>> and roleentity0_.REALM=? >>> 2017-04-25 09:56:29,101 DEBUG >>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>> task-4) MySqlDS: getConnection(null, >>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20] >>> 2017-04-25 09:56:29,102 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-4) Initiating JDBC connection release from afterStatement >>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) >>> select >>> roleentity0_.ID as col_0_0_ >>> from >>> KEYCLOAK_ROLE roleentity0_ >>> where >>> roleentity0_.CLIENT_ROLE=0 >>> and roleentity0_.NAME=? >>> and roleentity0_.REALM=? >>> 2017-04-25 09:56:29,103 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-4) Initiating JDBC connection release from afterStatement >>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) >>> select >>> roleentity0_.ID as col_0_0_ >>> from >>> KEYCLOAK_ROLE roleentity0_ >>> where >>> roleentity0_.CLIENT_ROLE=0 >>> and roleentity0_.NAME=? >>> and roleentity0_.REALM=? 
>>> 2017-04-25 09:56:29,104 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-4) Initiating JDBC connection release from afterStatement >>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4) >>> type=LOGIN, realmId=Demo, clientId=moodle2, >>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, >>> auth_method=openid-connect, auth_type=code, >>> redirect_uri=https://localhost/moodle2iam/auth/oidc/, >>> consent=no_consent_required, >>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser >>> 2017-04-25 09:56:29,104 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default task-4) >>> Removing old user session: session: >>> 431cecf6-5a6b-4bbc-9467-3f52eff8090f >>> 2017-04-25 09:56:29,105 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default task-4) >>> Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, >>> max-age: -1 >>> 2017-04-25 09:56:29,105 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default task-4) >>> Expiring remember me cookie >>> 2017-04-25 09:56:29,105 DEBUG >>> [org.keycloak.services.managers.AuthenticationManager] (default task-4) >>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>> 2017-04-25 09:56:29,105 DEBUG >>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) >>> redirectAccessCode: state: WUCTMXokISFDbFN >>> 2017-04-25 09:56:29,105 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>> JtaTransactionWrapper commit >>> 2017-04-25 09:56:29,106 DEBUG >>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>> task-4) MySqlDS: returnConnection(4edba62b, false) [0/20] >>> 2017-04-25 09:56:29,106 DEBUG >>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>> (default task-4) Initiating JDBC connection release from >>> afterTransaction >>> 2017-04-25 09:56:29,106 DEBUG >>> 
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>> JtaTransactionWrapper end >>> 2017-04-25 09:56:29,626 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new >>> JtaTransactionWrapper >>> 2017-04-25 09:56:29,626 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was >>> existing? false >>> 2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-13) RESTEASY002315: PathInfo: >>> /realms/demo/protocol/openid-connect/token >>> 2017-04-25 09:56:29,627 DEBUG >>> [org.keycloak.authentication.AuthenticationProcessor] (default task-13) >>> AUTHENTICATE CLIENT >>> 2017-04-25 09:56:29,627 DEBUG >>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>> task-13) >>> client authenticator: client-secret >>> 2017-04-25 09:56:29,627 DEBUG >>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>> task-13) >>> client authenticator SUCCESS: client-secret >>> 2017-04-25 09:56:29,627 DEBUG >>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>> task-13) >>> Client moodle2 authenticated by client-secret >>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13) >>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2, >>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, >>> token_id=ff9b3385-1362-4559-ad53-05317755b280, >>> grant_type=authorization_code, refresh_token_type=Refresh, >>> refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, >>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, >>> client_auth_method=client-secret >>> 2017-04-25 09:56:29,656 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>> JtaTransactionWrapper commit >>> 2017-04-25 09:56:29,656 DEBUG >>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>> JtaTransactionWrapper end >>> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1) >>> Error reading request: 
>>> java.io.IOException: Connection reset by peer
>>> at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
>>> at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
>>> at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
>>> at sun.nio.ch.IOUtil.read(IOUtil.java:192)
>>> at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
>>> at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282)
>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658)
>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>> at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
>>> at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
>>> at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>

From marc.tempelmeier at flane.de Tue Apr 25 09:07:19 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 25 Apr 2017 13:07:19 +0000
Subject: [keycloak-user] Realm login screen

Hi,

Is there a standard url for a realm login screen? We want to provide back links to it from various error templates.
At the moment we can use:

/auth/realms/fastlane/protocol/openid-connect/auth?client_id=account&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fauth%2Frealms%2Ffastlane%2Faccount&response_type=code&scope=openid

That will obviously fail, because our production server is not on 127.0.0.1.

Can we get the IP address in the freemarker template, or is there a general URL for it?

Best regards

Marc Tempelmeier

From abhi.raghav007 at gmail.com Tue Apr 25 09:29:57 2017
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Tue, 25 Apr 2017 18:59:57 +0530
Subject: [keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client

Hi,

We are also facing a similar issue in our infrastructure setup with SAP HANA as a Service Provider. Did you get any workaround for this?

Cheers
-Abhishek

On Tue, Apr 25, 2017 at 8:59 AM, Jyoti Kumar Singh <assassin.creed60 at gmail.com> wrote:

> Hi Team,
>
> Is there any suggestion for me to look upon regarding the keycloak invalid_authn_request error for SAML client?
>
> On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <assassin.creed60 at gmail.com> wrote:
>
> > Hi Team,
> >
> > We have integrated the SAP HANA system as a Service Provider with Keycloak 2.2.1.Final and provided the "SAML Metadata IDPSSODescriptor", which needs to be imported at the Service Provider end.
> >
> > But while saving the "SAML Metadata IDPSSODescriptor" at the Service Provider end, the SingleSignOnService Location is getting saved with the 443 port number added to the Destination URL. For example, if Keycloak is providing the IDP SingleSignOnService Location as "https://test.example.com/auth/realms/zzz/protocol/saml", the Service Provider is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".
> >
> > Once the Service Provider is making an AuthnRequest call to Keycloak, it is sending the Destination URL as "https://test.example.com:443/auth/realms/zzz/protocol/saml" as part of the AuthnRequest. As the destination URL contains the extra ":443", Keycloak is refusing to accept it and throws an "error=invalid_authn_request, reason=invalid_destination" error.
> >
> > Looks like Keycloak is very strict about matching the destination URL which is sent from the SP as part of the AuthnRequest. Do we have any option in Keycloak which will accept the Destination URL with a port number in the AuthnRequest, or is there any workaround to handle this?
> >
> > Please let me know for any other information regarding this.
> >
> > --
> > *With Regards, Jyoti Kumar Singh*
>
> --
> *With Regards, Jyoti Kumar Singh*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chardin at shadowforge-computing.com Tue Apr 25 10:07:05 2017
From: chardin at shadowforge-computing.com (Charles Hardin)
Date: Tue, 25 Apr 2017 10:07:05 -0400
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>
References: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>

I tried turning that off, but the problem seems to persist. I also changed the minimum password age to 0 on the AD site and it still fails to change the password.

The AD configuration is pretty much default outside of the password configuration.

The user gets created in AD with "must change password at next login" flagged, as well as the account disabled.

I will keep poking on my end to see what I can find. Any guess when it might be testable against 2016 on your side?

On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda wrote:

> I was not able to simulate the issue with MSAD 2008 or MSAD 2012.
> I have the same setup as you (Password Policy Hints enabled, Writable edit mode).
>
> After the registration, the user's password is successfully updated in MSAD and I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is updated to the latest time, userAccountControls are in 512, which corresponds to a fully created and enabled user).
>
> Not sure if the difference is with your MSAD setup or if this is related to MSAD 2016. We don't test with this version yet.
>
> The workaround might be to disable "Password Policy Hints". But then some advanced password policies won't work (password history etc).
>
> Marek
>
>
> On 21/04/17 15:42, Charles Hardin wrote:
>
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>
>> I will try to reproduce that. What's your MSAD version btw?
>>
>> Thanks,
>> Marek
>>
>>
>> On 20/04/17 23:55, Charles Hardin wrote:
>>
>>> Hello All,
>>>
>>> I have set up an instance of Keycloak 3 and connected it to AD. It is set up to sync users and is in writable edit mode. I also have Password Policy Hints enabled in the MSAD Account Controls mapper. I have user registration turned on in Keycloak.
>>>
>>> When I register a user in keycloak, it creates the user in a disabled state in AD, and prompts the user in keycloak to change the password they just set during account creation to activate the account. This then fails because AD is currently configured to enforce a minimum password age of one day.
>>>
>>> I am ok with the account being created disabled, but how do I get around the immediate 2nd password request?
>>>
>>> Thanks,
>>>
>>> Chuck
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>

From chardin at shadowforge-computing.com Tue Apr 25 10:24:26 2017
From: chardin at shadowforge-computing.com (Charles Hardin)
Date: Tue, 25 Apr 2017 10:24:26 -0400
Subject: [keycloak-user] Issues with Keycloak and AD
References: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>

The only other thing I can think of would be to downgrade my domain/forest functional levels to 2012 and try it again.

On Tue, Apr 25, 2017 at 10:07 AM, Charles Hardin <chardin at shadowforge-computing.com> wrote:

> I tried turning that off, but the problem seems to persist. I also changed the minimum password age to 0 on the AD site and it still fails to change the password.
>
> The AD configuration is pretty much default outside of the password configuration.
>
> The user gets created in AD with "must change password at next login" flagged, as well as the account disabled.
>
> I will keep poking on my end to see what I can find. Any guess when it might be testable against 2016 on your side?
>
>
> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda wrote:
>
>> I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have the same setup as you (Password Policy Hints enabled, Writable edit mode).
>>
>> After the registration, the user's password is successfully updated in MSAD and I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is updated to the latest time, userAccountControls are in 512, which corresponds to a fully created and enabled user).
>>
>> Not sure if the difference is with your MSAD setup or if this is related to MSAD 2016. We don't test with this version yet.
>>
>> The workaround might be to disable "Password Policy Hints".
>> But then some advanced password policies won't work (password history etc).
>>
>> Marek
>>
>>
>> On 21/04/17 15:42, Charles Hardin wrote:
>>
>> 2016
>>
>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>>
>>> I will try to reproduce that. What's your MSAD version btw?
>>>
>>> Thanks,
>>> Marek
>>>
>>>
>>> On 20/04/17 23:55, Charles Hardin wrote:
>>>
>>>> Hello All,
>>>>
>>>> I have set up an instance of Keycloak 3 and connected it to AD. It is set up to sync users and is in writable edit mode. I also have Password Policy Hints enabled in the MSAD Account Controls mapper. I have user registration turned on in Keycloak.
>>>>
>>>> When I register a user in keycloak, it creates the user in a disabled state in AD, and prompts the user in keycloak to change the password they just set during account creation to activate the account. This then fails because AD is currently configured to enforce a minimum password age of one day.
>>>>
>>>> I am ok with the account being created disabled, but how do I get around the immediate 2nd password request?
>>>>
>>>> Thanks,
>>>>
>>>> Chuck
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>>
>>
>>
>

From thomas.darimont at googlemail.com Tue Apr 25 10:26:10 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 25 Apr 2017 16:26:10 +0200
Subject: [keycloak-user] Realm login screen

Hello Marc,

the `org.keycloak.forms.login.freemarker.model.UrlBean` available via ${url...} in `FreeMarkerLoginFormsProvider#createResponse(org.keycloak.forms.login.LoginFormsPages)` seems to provide a getLoginUrl() that you could try.

Cheers,
Thomas

2017-04-25 15:07 GMT+02:00 Marc Tempelmeier :

> Hi,
>
> Is there a standard url for a realm login screen?
> We want to provide back links to it from various error templates.
>
> At the moment we can use:
>
> /auth/realms/fastlane/protocol/openid-connect/auth?client_id=account&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fauth%2Frealms%2Ffastlane%2Faccount&response_type=code&scope=openid
>
> That will obviously fail, because our production server is not on 127.0.0.1.
>
> Can we get the IP address in the freemarker template, or is there a general URL for it?
>
> Best regards
>
> Marc Tempelmeier
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Dana.Danet at Evisions.com Tue Apr 25 11:56:23 2017
From: Dana.Danet at Evisions.com (Dana Danet)
Date: Tue, 25 Apr 2017 15:56:23 +0000
Subject: [keycloak-user] Cloud (PaaS) Deployments

Any experience out there deploying Keycloak in standalone mode to a Cloud platform container? Currently we are shopping providers (Pivotal Cloud Foundry, Heroku, AWS) in that order.

Initially, and before any real investigation of PCF, I was hoping I could use a java build pack; unfortunately I do not see support for deploying a standalone archive. I am assuming Heroku will be the same, which leaves AWS as a bare metal provider. Not ideal since our cloud implementation will be in PCF.

Any and all suggestions are appreciated.

-dana
dana_dot_danet_at_evisions_dot_com

From RLewis at carbonite.com Tue Apr 25 11:59:53 2017
From: RLewis at carbonite.com (Reed Lewis)
Date: Tue, 25 Apr 2017 15:59:53 +0000
Subject: [keycloak-user] Where does Keycloak store the RSA private key used in JWT signing?
Message-ID: <77E2F4F8-5F90-4C0C-A078-A0F0DE6EE6AE@carbonite.com>

I have Keycloak 3.0.0, and was trying to find where the private/public key pair is stored for signing. I cannot find it anywhere in the database.

Thank you,
Reed

This message is the property of CARBONITE, INC.
and may contain confidential or privileged information. If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail.

From thomas.darimont at googlemail.com Tue Apr 25 12:19:58 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 25 Apr 2017 18:19:58 +0200
Subject: [keycloak-user] Cloud (PaaS) Deployments

Hello Dana,

a while ago I experimented with embedding Keycloak in a spring-boot-app:
https://github.com/thomasdarimont/spring-boot-keycloak-server-example
I'd say this is doable but (IMHO) not supported in any way.

Another option is to create a wildfly-swarm app with the keycloak-server fraction, with (IMHO) similar support...
https://wildfly-swarm.gitbooks.io/wildfly-swarm-users-guide/content/security/keycloak_server.html

The JBoss buildpack for CF / PCF was recently upgraded to use wildfly 10.x instead of JBoss (I did the initial upgrade)... you could now either add Keycloak as a Subsystem to the JBoss Buildpack or copy the jboss buildpack and create your own Keycloak buildpack adjusted to your own needs.

Additionally, since PCF supports docker, you can also run Keycloak as a docker container.

Btw. Keycloak also works on OpenShift:
https://blog.openshift.com/openshift-commons-briefing-35-sso-best-practices-keycloak-integration-openshift/

Cheers,
Thomas

2017-04-25 17:56 GMT+02:00 Dana Danet :

> Any experience out there deploying Keycloak in standalone mode to a Cloud platform container? Currently we are shopping providers (Pivotal Cloud Foundry, Heroku, AWS) in that order.
>
> Initially, and before any real investigation of PCF, I was hoping I could use a java build pack; unfortunately I do not see support for deploying a standalone archive. I am assuming Heroku will be the same, which leaves AWS as a bare metal provider. Not ideal since our cloud implementation will be in PCF.
>
> Any and all suggestions are appreciated.
>
> -dana
> dana_dot_danet_at_evisions_dot_com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Apr 25 16:14:39 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Apr 2017 22:14:39 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To: <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net>
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net>
Message-ID: <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com>

Normally SSO between client applications is supposed to work. I would check:

- Are both your clients (portal1 and portal2) using the same Keycloak realm? SSO will work just within the same realm.
- Is the Cookie authenticator enabled for the browser authentication flow of your realm? Didn't you accidentally disable it? SSO requires that it is enabled.
- What does the URL to the Keycloak login screen look like? I wonder if your PHP adapter uses some parameters which cause SSO to be disabled (e.g. prompt=login or max_age=0).

Marek

On 25/04/17 14:18, Tech wrote:
>
> Anybody with any ideas?
>
>
>
>
>
> On 25/04/17 12:53, Tech wrote:
>>
>> Hello Marek,
>>
>> maybe my email was confusing, we initially ran two tests where we login and logout in both portals to check that the oidc is working on each of them.
>>
>> Once we know that OIDC is working, then we are expecting to login to portal1 and, opening portal2, to find us already logged in, but this doesn't happen and we are forced to login again.
>>
>>
>>
>>
>> On 25/04/17 12:41, Marek Posolda wrote:
>>> If you don't do "Logout from portal1" at the end of the first test, then SSO should work and you will be automatically logged into portal2 without a need to put in your credentials.
>>>
>>> The logout is "SSO logout", hence it also kills the SSO session on the Keycloak side and requires the user to re-login.
>>>
>>> Marek
>>>
>>> On 25/04/17 12:31, Tech wrote:
>>>> Dear experts,
>>>>
>>>> we are working with Moodle, a PHP based platform, where we have been able to configure Keycloak correctly to implement OIDC.
>>>>
>>>> To test Keycloak we cloned this application, with different URLs, and we did the first test:
>>>>
>>>> * Connect to portal1
>>>> * User not recognized and redirected to Keycloak through OIDC
>>>> * Enter credentials stored into Keycloak
>>>> * User accepted and redirected to portal1
>>>> * Logout from portal1
>>>>
>>>> After this we tested the second application:
>>>>
>>>> * Connect to portal2
>>>> * User not recognized and redirected to Keycloak through OIDC
>>>> * Enter credentials stored into Keycloak
>>>> * User accepted and redirected to portal2
>>>> * Logout from portal2
>>>>
>>>> In this case I know that OIDC is working for the two applications and we can expect that also the SSO is working, but after the login in portal1 we have to login again to portal2, and vice-versa.
>>>>
>>>> We attach below here some logs, could you please help?
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *Login to portal1*
>>>>
>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing?
false >>>> 2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>> (default task-30) RESTEASY002315: PathInfo: >>>> /realms/demo/protocol/openid-connect/auth >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>> task-30) >>>> AUTHENTICATE >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>> task-30) >>>> AUTHENTICATE ONLY >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) processFlow >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) check execution: auth-cookie requirement: ALTERNATIVE >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) authenticator: auth-cookie >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) invoke authenticator.authenticate >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-30) >>>> Could not find cookie: KEYCLOAK_IDENTITY >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) authenticator ATTEMPTED: auth-cookie >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) check execution: auth-spnego requirement: DISABLED >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) execution is processed >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) check execution: identity-provider-redirector requirement: >>>> ALTERNATIVE >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> 
task-30) authenticator: identity-provider-redirector >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) invoke authenticator.authenticate >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) authenticator ATTEMPTED: identity-provider-redirector >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) check execution: null requirement: ALTERNATIVE >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) execution is flow >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) processFlow >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) check execution: auth-username-password-form requirement: >>>> REQUIRED >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) authenticator: auth-username-password-form >>>> 2017-04-25 09:54:45,059 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) invoke authenticator.authenticate >>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found >>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) >>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't >>>> changed. 
>>>> 2017-04-25 09:54:45,064 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-30) authenticator CHALLENGE: auth-username-password-form >>>> 2017-04-25 09:54:45,064 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>>> JtaTransactionWrapper commit >>>> 2017-04-25 09:54:45,064 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>>> JtaTransactionWrapper end >>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic >>>> Recovery) Send recover request for transaction origin node >>>> identifier 1 >>>> to EJB receiver with node name 79051ccf69ac >>>> >>>> >>>> >>>> >>>> *After authentication to portal1** >>>> * >>>> 2017-04-25 09:54:56,041 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new >>>> JtaTransactionWrapper >>>> 2017-04-25 09:54:56,041 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was >>>> existing? false >>>> 2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>> (default task-31) RESTEASY002315: PathInfo: >>>> /realms/Demo/login-actions/authenticate >>>> 2017-04-25 09:54:56,042 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>> task-31) >>>> authenticationAction >>>> 2017-04-25 09:54:56,042 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) check: auth-cookie requirement: ALTERNATIVE >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) execution is processed >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) check: auth-spnego requirement: DISABLED >>>> 2017-04-25 09:54:56,043 DEBUG >>>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) execution is processed >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) check: identity-provider-redirector requirement: ALTERNATIVE >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) execution is processed >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) check: null requirement: ALTERNATIVE >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) check: auth-username-password-form requirement: REQUIRED >>>> 2017-04-25 09:54:56,043 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) action: auth-username-password-form >>>> 2017-04-25 09:54:56,141 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) authenticator SUCCESS: auth-username-password-form >>>> 2017-04-25 09:54:56,141 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) processFlow >>>> 2017-04-25 09:54:56,141 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) check execution: auth-otp-form requirement: OPTIONAL >>>> 2017-04-25 09:54:56,141 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) authenticator: auth-otp-form >>>> 2017-04-25 09:54:56,141 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-31) processFlow >>>> 2017-04-25 09:54:56,141 DEBUG >>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>> >>>> (default task-31) Hibernate 
RegisteredSynchronization successfully >>>> registered with JTA platform >>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31) >>>> select >>>> roleentity0_.ID as col_0_0_ >>>> from >>>> KEYCLOAK_ROLE roleentity0_ >>>> where >>>> roleentity0_.CLIENT_ROLE=0 >>>> and roleentity0_.NAME=? >>>> and roleentity0_.REALM=? >>>> 2017-04-25 09:54:56,142 DEBUG >>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>>> task-31) MySqlDS: getConnection(null, >>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20] >>>> 2017-04-25 09:54:56,143 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-31) Initiating JDBC connection release from >>>> afterStatement >>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31) >>>> select >>>> roleentity0_.ID as col_0_0_ >>>> from >>>> KEYCLOAK_ROLE roleentity0_ >>>> where >>>> roleentity0_.CLIENT_ROLE=0 >>>> and roleentity0_.NAME=? >>>> and roleentity0_.REALM=? >>>> 2017-04-25 09:54:56,144 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-31) Initiating JDBC connection release from >>>> afterStatement >>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31) >>>> select >>>> roleentity0_.ID as col_0_0_ >>>> from >>>> KEYCLOAK_ROLE roleentity0_ >>>> where >>>> roleentity0_.CLIENT_ROLE=0 >>>> and roleentity0_.NAME=? >>>> and roleentity0_.REALM=? 
>>>> 2017-04-25 09:54:56,144 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-31) Initiating JDBC connection release from >>>> afterStatement >>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) >>>> type=LOGIN, realmId=Demo, clientId=moodle, >>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, >>>> auth_method=openid-connect, auth_type=code, >>>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>>> consent=no_consent_required, >>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser >>>> 2017-04-25 09:54:56,145 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-31) >>>> Removing old user session: session: >>>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>>> 2017-04-25 09:54:56,145 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-31) >>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>> /auth/realms/Demo, >>>> max-age: -1 >>>> 2017-04-25 09:54:56,145 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-31) >>>> Expiring remember me cookie >>>> 2017-04-25 09:54:56,145 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-31) >>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>> 2017-04-25 09:54:56,146 DEBUG >>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) >>>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>>> 2017-04-25 09:54:56,146 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) >>>> JtaTransactionWrapper commit >>>> 2017-04-25 09:54:56,149 DEBUG >>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>> 2017-04-25 09:54:56,149 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-31) Initiating JDBC connection release from >>>> 
afterTransaction >>>> 2017-04-25 09:54:56,149 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) >>>> JtaTransactionWrapper end >>>> 2017-04-25 09:54:56,642 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new >>>> JtaTransactionWrapper >>>> 2017-04-25 09:54:56,642 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was >>>> existing? false >>>> 2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>> (default task-24) RESTEASY002315: PathInfo: >>>> /realms/demo/protocol/openid-connect/token >>>> 2017-04-25 09:54:56,643 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>> task-24) >>>> AUTHENTICATE CLIENT >>>> 2017-04-25 09:54:56,643 DEBUG >>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>> task-24) >>>> client authenticator: client-secret >>>> 2017-04-25 09:54:56,643 DEBUG >>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>> task-24) >>>> client authenticator SUCCESS: client-secret >>>> 2017-04-25 09:54:56,643 DEBUG >>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>> task-24) >>>> Client moodle authenticated by client-secret >>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) >>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, >>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>> ipAddress=153.109.152.213, >>>> token_id=75173922-dd56-44ca-9255-9a5368e557f4, >>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>> refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, >>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>> client_auth_method=client-secret >>>> 2017-04-25 09:54:56,663 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) >>>> JtaTransactionWrapper commit >>>> 2017-04-25 09:54:56,663 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) >>>> JtaTransactionWrapper end >>>> 
>>>> >>>> >>>> >>>> *Login to portal2** >>>> * >>>> 2017-04-25 09:56:17,566 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new >>>> JtaTransactionWrapper >>>> 2017-04-25 09:56:17,566 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was >>>> existing? false >>>> 2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>> (default task-6) RESTEASY002315: PathInfo: >>>> /realms/demo/protocol/openid-connect/auth >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default task-6) >>>> AUTHENTICATE >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default task-6) >>>> AUTHENTICATE ONLY >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> processFlow >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> check execution: auth-cookie requirement: ALTERNATIVE >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> authenticator: auth-cookie >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> invoke authenticator.authenticate >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-6) >>>> Could not find cookie: KEYCLOAK_IDENTITY >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> authenticator ATTEMPTED: auth-cookie >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> check execution: auth-spnego requirement: DISABLED >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> execution 
is processed >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> check execution: identity-provider-redirector requirement: ALTERNATIVE >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> authenticator: identity-provider-redirector >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> invoke authenticator.authenticate >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> authenticator ATTEMPTED: identity-provider-redirector >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> check execution: null requirement: ALTERNATIVE >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> execution is flow >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> processFlow >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> check execution: auth-username-password-form requirement: REQUIRED >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> authenticator: auth-username-password-form >>>> 2017-04-25 09:56:17,569 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> invoke authenticator.authenticate >>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found >>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>> 2017-04-25 09:56:17,572 DEBUG 
[freemarker.cache] (default task-6) >>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't >>>> changed. >>>> 2017-04-25 09:56:17,573 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-6) >>>> authenticator CHALLENGE: auth-username-password-form >>>> 2017-04-25 09:56:17,573 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) >>>> JtaTransactionWrapper commit >>>> 2017-04-25 09:56:17,573 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) >>>> JtaTransactionWrapper end >>>> >>>> >>>> >>>> >>>> *After authentication to portal2** >>>> * >>>> 2017-04-25 09:56:29,001 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new >>>> JtaTransactionWrapper >>>> 2017-04-25 09:56:29,001 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was >>>> existing? 
false >>>> 2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>> (default task-4) RESTEASY002315: PathInfo: >>>> /realms/Demo/login-actions/authenticate >>>> 2017-04-25 09:56:29,002 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default task-4) >>>> authenticationAction >>>> 2017-04-25 09:56:29,002 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>> 2017-04-25 09:56:29,002 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> check: auth-cookie requirement: ALTERNATIVE >>>> 2017-04-25 09:56:29,002 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> execution is processed >>>> 2017-04-25 09:56:29,002 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> check: auth-spnego requirement: DISABLED >>>> 2017-04-25 09:56:29,002 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> execution is processed >>>> 2017-04-25 09:56:29,004 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> check: identity-provider-redirector requirement: ALTERNATIVE >>>> 2017-04-25 09:56:29,004 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> execution is processed >>>> 2017-04-25 09:56:29,004 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> check: null requirement: ALTERNATIVE >>>> 2017-04-25 09:56:29,004 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>> 2017-04-25 09:56:29,004 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> check: auth-username-password-form requirement: REQUIRED >>>> 2017-04-25 09:56:29,004 DEBUG >>>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> action: auth-username-password-form >>>> 2017-04-25 09:56:29,099 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> authenticator SUCCESS: auth-username-password-form >>>> 2017-04-25 09:56:29,100 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> processFlow >>>> 2017-04-25 09:56:29,100 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> check execution: auth-otp-form requirement: OPTIONAL >>>> 2017-04-25 09:56:29,100 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> authenticator: auth-otp-form >>>> 2017-04-25 09:56:29,100 DEBUG >>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>> task-4) >>>> processFlow >>>> 2017-04-25 09:56:29,100 DEBUG >>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>> >>>> (default task-4) Hibernate RegisteredSynchronization successfully >>>> registered with JTA platform >>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4) >>>> select >>>> roleentity0_.ID as col_0_0_ >>>> from >>>> KEYCLOAK_ROLE roleentity0_ >>>> where >>>> roleentity0_.CLIENT_ROLE=0 >>>> and roleentity0_.NAME=? >>>> and roleentity0_.REALM=? 
>>>> 2017-04-25 09:56:29,101 DEBUG >>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>>> task-4) MySqlDS: getConnection(null, >>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20] >>>> 2017-04-25 09:56:29,102 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-4) Initiating JDBC connection release from >>>> afterStatement >>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) >>>> select >>>> roleentity0_.ID as col_0_0_ >>>> from >>>> KEYCLOAK_ROLE roleentity0_ >>>> where >>>> roleentity0_.CLIENT_ROLE=0 >>>> and roleentity0_.NAME=? >>>> and roleentity0_.REALM=? >>>> 2017-04-25 09:56:29,103 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-4) Initiating JDBC connection release from >>>> afterStatement >>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) >>>> select >>>> roleentity0_.ID as col_0_0_ >>>> from >>>> KEYCLOAK_ROLE roleentity0_ >>>> where >>>> roleentity0_.CLIENT_ROLE=0 >>>> and roleentity0_.NAME=? >>>> and roleentity0_.REALM=? 
>>>> 2017-04-25 09:56:29,104 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-4) Initiating JDBC connection release from >>>> afterStatement >>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4) >>>> type=LOGIN, realmId=Demo, clientId=moodle2, >>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, >>>> auth_method=openid-connect, auth_type=code, >>>> redirect_uri=https://localhost/moodle2iam/auth/oidc/, >>>> consent=no_consent_required, >>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser >>>> 2017-04-25 09:56:29,104 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-4) >>>> Removing old user session: session: >>>> 431cecf6-5a6b-4bbc-9467-3f52eff8090f >>>> 2017-04-25 09:56:29,105 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-4) >>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>> /auth/realms/Demo, >>>> max-age: -1 >>>> 2017-04-25 09:56:29,105 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-4) >>>> Expiring remember me cookie >>>> 2017-04-25 09:56:29,105 DEBUG >>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>> task-4) >>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>> 2017-04-25 09:56:29,105 DEBUG >>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) >>>> redirectAccessCode: state: WUCTMXokISFDbFN >>>> 2017-04-25 09:56:29,105 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>>> JtaTransactionWrapper commit >>>> 2017-04-25 09:56:29,106 DEBUG >>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default >>>> task-4) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>> 2017-04-25 09:56:29,106 DEBUG >>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>> (default task-4) Initiating JDBC connection release from >>>> 
afterTransaction >>>> 2017-04-25 09:56:29,106 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>>> JtaTransactionWrapper end >>>> 2017-04-25 09:56:29,626 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new >>>> JtaTransactionWrapper >>>> 2017-04-25 09:56:29,626 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was >>>> existing? false >>>> 2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>> (default task-13) RESTEASY002315: PathInfo: >>>> /realms/demo/protocol/openid-connect/token >>>> 2017-04-25 09:56:29,627 DEBUG >>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>> task-13) >>>> AUTHENTICATE CLIENT >>>> 2017-04-25 09:56:29,627 DEBUG >>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>> task-13) >>>> client authenticator: client-secret >>>> 2017-04-25 09:56:29,627 DEBUG >>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>> task-13) >>>> client authenticator SUCCESS: client-secret >>>> 2017-04-25 09:56:29,627 DEBUG >>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>> task-13) >>>> Client moodle2 authenticated by client-secret >>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13) >>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2, >>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>> ipAddress=153.109.152.213, >>>> token_id=ff9b3385-1362-4559-ad53-05317755b280, >>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>> refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, >>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, >>>> client_auth_method=client-secret >>>> 2017-04-25 09:56:29,656 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>>> JtaTransactionWrapper commit >>>> 2017-04-25 09:56:29,656 DEBUG >>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>>> JtaTransactionWrapper end >>>> 
2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1)
>>>> Error reading request: java.io.IOException: Connection reset by peer
>>>> at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
>>>> at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
>>>> at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
>>>> at sun.nio.ch.IOUtil.read(IOUtil.java:192)
>>>> at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
>>>> at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282)
>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658)
>>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
>>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>>> at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
>>>> at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
>>>> at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
>>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
>>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>

From mposolda at redhat.com Tue Apr 25 16:15:48 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Apr 2017 22:15:48 +0200
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To: 
References: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>
Message-ID: 

On 25/04/17 16:07, Charles Hardin wrote:
> I tried turning that off, but the problem seems to persist. I also
> changed minimum password age to 0 on the AD side and it still fails to
> change the password.
>
> The AD configuration is pretty much default outside of password
> configuration.
>
> The user gets created in AD with the must change password at next
> login flagged, as well as account disabled.
>
> I will keep poking on my end to see what I can find. Any guess when it
> might be testable against 2016 on your side?
Not sure. Depends on the priorities and how much customers need that.

Marek
>
>
> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda wrote:
>
> I was not able to simulate the issue with MSAD 2008 or MSAD 2012.
> I have the same setup as you (Password Policy Hints enabled, Writable
> edit mode).
>
> After the registration, the user's password is successfully updated in
> MSAD and I can see that the MSAD attributes of the user are in the expected
> state (pwdLastSet is updated to the latest time, userAccountControls
> is 512, which corresponds to a fully created and enabled user).
>
> Not sure if the difference is in your MSAD setup or if this is
> related to MSAD 2016. We don't test with this version yet.
>
> The workaround might be to disable "Password Policy Hints". But
> then some advanced password policies won't work (password history
> etc).
>
> Marek
>
>
> On 21/04/17 15:42, Charles Hardin wrote:
>> 2016
>>
>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>>
>> I will try to reproduce that. What's your MSAD version btw?
>>
>> Thanks,
>> Marek
>>
>>
>> On 20/04/17 23:55, Charles Hardin wrote:
>>
>> Hello All,
>>
>> I have set up an instance of Keycloak 3 and connected it
>> to AD. It is set up to sync users and is in writeable edit mode.
>> I also have Password Policy Hints enabled in the MSAD Account
>> Controls mapper. I have user registration turned on in Keycloak.
>>
>> When I register a user in Keycloak, it creates the user
>> in a disabled state in AD, and prompts the user in Keycloak to
>> change the password they just set during account creation to
>> activate the account. This then fails because AD is currently
>> configured to enforce a minimum password age of one day.
>>
>> I am ok with the account being created disabled, but how
>> do I get around the immediate 2nd password request?
>>
>> Thanks,
>>
>> Chuck
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>

From tech at psynd.net Tue Apr 25 16:36:47 2017
From: tech at psynd.net (Tech)
Date: Tue, 25 Apr 2017 22:36:47 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To: <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com>
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com>
Message-ID: 

Hello Marek,

1) yes, they are both using the same Kc realm
2) how can I check this point?
3) I checked already, I don't think that anything like that is enabled, but I will send you a screenshot in the coming hours (not in the office right now)

Thanks for the support

On 25.04.17 22:14, Marek Posolda wrote:
> Normally SSO between client applications is supposed to work. I would
> check:
>
> - Are both your clients (portal1 and portal2) using the same Keycloak
> realm? SSO will only work within the same realm
>
> - Is the Cookie authenticator enabled in the browser authentication flow of
> your realm? Didn't you accidentally disable it? SSO requires that it
> is enabled
>
> - What does the URL to the Keycloak login screen look like? I wonder if your
> PHP adapter uses some parameters which cause SSO to be disabled (eg.
> prompt=login or max_age=0)
>
> Marek
>
> On 25/04/17 14:18, Tech wrote:
>>
>> Anybody with any ideas?
>>
>>
>>
>>
>>
>> On 25/04/17 12:53, Tech wrote:
>>>
>>> Hello Marek,
>>>
>>> maybe my email was confusing, we initially ran two tests where we
>>> log in and log out on both portals to check that OIDC is working on
>>> each of them.
>>>
>>> Once we know that OIDC is working, then we are expecting to log in to
>>> portal1 and open portal2, to find ourselves already logged in, but this
>>> doesn't happen and we are forced to log in again
>>>
>>>
>>>
>>>
>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>> If you don't do "Logout from portal1" at the end of the first test,
>>>> then SSO should work and you will be automatically logged into
>>>> portal2 without a need to put in your credentials.
>>>>
>>>> The logout is an "SSO logout", hence it also kills the SSO session on
>>>> the Keycloak side and requires the user to re-login.
>>>>
>>>> Marek
>>>>
>>>> On 25/04/17 12:31, Tech wrote:
>>>>> Dear experts,
>>>>>
>>>>> we are working with Moodle, a PHP based platform, where we have been
>>>>> able to configure Keycloak correctly to implement OIDC.
>>>>>
>>>>> To test Keycloak we cloned this application, with different URLs,
>>>>> and we did the first test:
>>>>>
>>>>> * Connect to portal1
>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>> * Enter credentials stored in Keycloak
>>>>> * User accepted and redirected to portal1
>>>>> * Logout from portal1
>>>>>
>>>>> After this we tested the second application:
>>>>>
>>>>> * Connect to portal2
>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>> * Enter credentials stored in Keycloak
>>>>> * User accepted and redirected to portal2
>>>>> * Logout from portal2
>>>>>
>>>>> In this case I know that OIDC is working for the two applications
>>>>> and we can expect that the SSO is also working, but after the login to
>>>>> portal1 we have to log in again to portal2, and vice-versa.
>>>>>
>>>>> We attach some logs below; could you please help?
>>>>> >>>>> Thanks >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> *Login to portal1* >>>>> >>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic >>>>> Recovery) Send recover request for transaction origin node >>>>> identifier 1 >>>>> to EJB receiver with node name 79051ccf69ac >>>>> 2017-04-25 09:54:45,055 DEBUG >>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>>>> new >>>>> JtaTransactionWrapper >>>>> 2017-04-25 09:54:45,056 DEBUG >>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>>>> was >>>>> existing? false >>>>> 2017-04-25 09:54:45,056 DEBUG >>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>> (default task-30) RESTEASY002315: PathInfo: >>>>> /realms/demo/protocol/openid-connect/auth >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>> task-30) >>>>> AUTHENTICATE >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>> task-30) >>>>> AUTHENTICATE ONLY >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) processFlow >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) check execution: auth-cookie requirement: ALTERNATIVE >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) authenticator: auth-cookie >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) invoke authenticator.authenticate >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>> task-30) >>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) authenticator ATTEMPTED: auth-cookie >>>>> 2017-04-25 
09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) check execution: auth-spnego requirement: DISABLED >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) execution is processed >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) check execution: identity-provider-redirector requirement: >>>>> ALTERNATIVE >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) authenticator: identity-provider-redirector >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) invoke authenticator.authenticate >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) authenticator ATTEMPTED: identity-provider-redirector >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) check execution: null requirement: ALTERNATIVE >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) execution is flow >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) processFlow >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) check execution: auth-username-password-form requirement: >>>>> REQUIRED >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) authenticator: auth-username-password-form >>>>> 2017-04-25 09:54:45,059 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) invoke authenticator.authenticate >>>>> 2017-04-25 09:54:45,060 DEBUG 
[freemarker.cache] (default task-30) >>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found >>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) >>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) >>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't >>>>> changed. >>>>> 2017-04-25 09:54:45,064 DEBUG >>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>> task-30) authenticator CHALLENGE: auth-username-password-form >>>>> 2017-04-25 09:54:45,064 DEBUG >>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>>>> JtaTransactionWrapper commit >>>>> 2017-04-25 09:54:45,064 DEBUG >>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) >>>>> JtaTransactionWrapper end >>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic >>>>> Recovery) Send recover request for transaction origin node >>>>> identifier 1 >>>>> to EJB receiver with node name 79051ccf69ac >>>>> >>>>> >>>>> >>>>> >>>>> *After authentication to portal1** >>>>> * >>>>> 2017-04-25 09:54:56,041 DEBUG >>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) >>>>> new >>>>> JtaTransactionWrapper >>>>> 2017-04-25 09:54:56,041 DEBUG >>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) >>>>> was >>>>> existing? 
>>>>> *Login to portal2*
>>>>>
>>>>> *After authentication to portal2*

From Michael.Jacobs at nuance.com Tue Apr 25
20:04:07 2017
From: Michael.Jacobs at nuance.com (Jacobs, Michael)
Date: Wed, 26 Apr 2017 00:04:07 +0000
Subject: [keycloak-user] CatalinaSamlAuthenticator issue using keycloak saml eap6 adapter
Message-ID:

I have plugged keycloak-saml-eap6-adapter-dist-2.5.5.Final into JBoss eap-6.4.1 following these instructions:

http://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/saml-jboss-adapter.html

I am using Keycloak 2.5.5 as well. I have my client set up to use POST binding, and was getting into a loop of the client trying to log in over and over.

I narrowed it down to the CatalinaSamlAuthenticator, which overrides createBrowserHandler() to set up a BrowserHandler, as opposed to the WebBrowserSsoAuthenticationHandler the parent class sets up. This BrowserHandler overrides handle() in a way that does not read the samlResponse from the façade. This leads to initiateLogin() in the parent class getting called over and over. If I comment out createBrowserHandler() in CatalinaSamlAuthenticator I get the WebBrowserSsoAuthenticationHandler implementation, which has a version of handle() that works.

Am I misconfigured somehow? Or is this a bug?

Thanks,
MJ

From adam.keily at adelaide.edu.au Tue Apr 25 20:22:29 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 26 Apr 2017 00:22:29 +0000
Subject: [keycloak-user] External Role to Role Mapper
In-Reply-To:
References:
Message-ID:

Thanks. In the JIRA for KEYCLOAK-4378 it's mentioned that the same issue would exist with OIDC. I'm just wondering if it's expected behaviour or not for the Role to Role mapper. I'd like to have one keycloak realm act as an IdP for another and would like to map roles between the two.

Thanks

-----Original Message-----
From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
Sent: Thursday, 20 April 2017 6:06 PM
To: Adam Keily
Cc: keycloak-user
Subject: Re: [keycloak-user] External Role to Role Mapper

Could you please file a JIRA issue?
The External Role to Role mapper is OIDC-specific, while KEYCLOAK-4378 fixed an issue with the SAML attribute mapper.

--Hynek

On Thu, Apr 20, 2017 at 7:48 AM, Adam Keily wrote:
> Found this and thought it may have been resolved in 2.5.5. Upgraded and tested again but Role mappings are still not being updated correctly.
>
> https://issues.jboss.org/browse/KEYCLOAK-4378?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%202.5.4.Final
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Adam Keily
> Sent: Thursday, 20 April 2017 11:59 AM
> To: keycloak-user
> Subject: [keycloak-user] External Role to Role Mapper
>
> Hi All,
>
> I'm running KC 2.5.1. In the following scenario, the role mapper 'External Role to Role' doesn't seem to work correctly.
>
> I have two KC realms. Realm A is an IdP for Realm B. In the IdP config on realm B, I configure an External Role to Role mapper to map the role "Test".
>
> During the first broker login of a user from Realm B to Realm A, the user is created and the role is mapped successfully.
>
> If the role is removed from the user in Realm A, then the user signs in again from Realm B, the role is not re-added.
>
> Similarly, the role is not added if there is an existing user in Realm A and they create a federation link with Realm B.
>
> I have noticed an error though if I try to map to a non-existent role in Realm A.
>
> Can anyone tell me if this is by design, resolved in a later release or an issue I should raise a JIRA about?
>
> Thanks
> Adam

--
--Hynek

From chardin at shadowforge-computing.com Tue Apr 25 22:58:17 2017
From: chardin at shadowforge-computing.com (Charles Hardin)
Date: Tue, 25 Apr 2017 22:58:17 -0400
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To:
References: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>
Message-ID:

Marek,

I did some more testing on my side. I made the user Keycloak uses to talk to MSAD a Domain Admin (I was using delegation). I dropped the domain and forest functional level to 2012R2, and also removed the realm and recreated it to make sure I was as close to defaults as I could be.

I went and dug through the AD events, and it looks like for whatever reason Keycloak is creating the user with a UAC value of 0x15.
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
  Account Disabled
  'Password Not Required' - Enabled
  'Normal Account' - Enabled

Here is what Keycloak logs when it connects to the LDAP:

22:12:06,563 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-4) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {pagination=[true], fullSyncPeriod=[604800], usersDn=[], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], bindDn=[], changedSyncPeriod=[86400], usernameLDAPAttribute=[sAMAccountName], lastSync=[1493169877], vendor=[ad], uuidLDAPAttribute=[objectGUID], connectionUrl=[], allowKerberosAuthentication=[false], syncRegistrations=[true], authType=[simple], debug=[false], searchScope=[1], useTruststoreSpi=[ldapsOnly], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE], batchSizeForSync=[1000]}, binaryAttributes: []

Not quite sure where to go with this. Is there a way to get keycloak to log the user creation attempt somewhere?

On Tue, Apr 25, 2017 at 4:15 PM, Marek Posolda wrote:
> On 25/04/17 16:07, Charles Hardin wrote:
>> I tried turning that off, but the problem seems to persist. I also changed minimum password age to 0 on the AD site and it still fails to change the password.
>>
>> The AD configuration is pretty much default outside of password configuration.
>>
>> The user gets created in AD with the must change password at next login flagged, as well as account disabled.
>>
>> I will keep poking on my end to see what I can find. Any guess when it might be testable against 2016 on your side?
> Not sure. Depends on the priorities and how much customers need that.
>
> Marek
>
>> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda wrote:
>>
>> I was not able to simulate the issue with MSAD 2008 or MSAD 2012.
>> I have the same setup as you (Password Policy Hints enabled, Writable edit mode).
>>
>> After the registration, the user's password is successfully updated in MSAD and I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is updated to the latest time, userAccountControls are in 512, which corresponds to a fully created and enabled user).
>>
>> Not sure if the difference is with your MSAD setup or if this is related to MSAD 2016. We don't yet test with this version for now.
>>
>> The workaround might be to disable "Password Policy Hints". But then some advanced password policies won't work (password history etc).
>>
>> Marek
>>
>>
>> On 21/04/17 15:42, Charles Hardin wrote:
>>
>> 2016
>>
>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>>
>>> I will try to reproduce that. What's your MSAD version btw?
>>>
>>> Thanks,
>>> Marek
>>>
>>>
>>> On 20/04/17 23:55, Charles Hardin wrote:
>>>
>>>> Hello All,
>>>>
>>>> I have set up an instance of Keycloak 3 and connected it to AD. It is set up to sync users and is in writeable edit mode. I also have Password Policy Hints enabled in the MSAD Account Controls mapper. I have user registration turned on in Keycloak.
>>>>
>>>> When I register a user in keycloak, it creates the user in a disabled state in AD, and prompts the user in keycloak to change the password they just set during account creation to activate the account. This then fails because AD is currently configured to enforce a minimum password age of one day.
>>>>
>>>> I am ok with the account being created disabled, but how do I get around the immediate 2nd password request?
>>>>
>>>> Thanks,
>>>>
>>>> Chuck

From mposolda at redhat.com Wed Apr 26 00:14:29 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 26 Apr 2017 06:14:29 +0200
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To:
References: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com>
Message-ID: <5de5fe9a-92fa-c9cd-cc8b-ee6d10322f95@redhat.com>

Could you try to enable TRACE logging for the category "org.keycloak.storage.ldap" in standalone.xml and then see what's logged into server.log at the moment when you send the request to register a new user?

Thanks,
Marek

On 26/04/17 04:58, Charles Hardin wrote:
> Marek,
>
> I did some more testing on my side. I made the user Keycloak uses to talk to MSAD a Domain Admin (I was using delegation). I dropped the domain and forest functional level to 2012R2, and also removed the realm and recreated it to make sure I was as close to defaults as I could be.
>
> I went and dug through the AD events, and it looks like for whatever reason Keycloak is creating the user with a UAC value of 0x15.
>
> Old UAC Value: 0x0
> New UAC Value: 0x15
> User Account Control:
>   Account Disabled
>   'Password Not Required' - Enabled
>   'Normal Account' - Enabled
>
> Here is what Keycloak logs when it connects to the LDAP:
>
> 22:12:06,563 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-4) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {pagination=[true], fullSyncPeriod=[604800], usersDn=[], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], bindDn=[], changedSyncPeriod=[86400], usernameLDAPAttribute=[sAMAccountName], lastSync=[1493169877], vendor=[ad], uuidLDAPAttribute=[objectGUID], connectionUrl=[], allowKerberosAuthentication=[false], syncRegistrations=[true], authType=[simple], debug=[false], searchScope=[1], useTruststoreSpi=[ldapsOnly], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE], batchSizeForSync=[1000]}, binaryAttributes: []
>
>
> Not quite sure where to go with this. Is there a way to get keycloak to log the user creation attempt somewhere?
>
>
>
> On Tue, Apr 25, 2017 at 4:15 PM, Marek Posolda wrote:
>
> On 25/04/17 16:07, Charles Hardin wrote:
>> I tried turning that off, but the problem seems to persist. I also changed minimum password age to 0 on the AD site and it still fails to change the password.
>>
>> The AD configuration is pretty much default outside of password configuration.
>>
>> The user gets created in AD with the must change password at next login flagged, as well as account disabled.
>>
>> I will keep poking on my end to see what I can find. Any guess when it might be testable against 2016 on your side?
> Not sure. Depends on the priorities and how much customers need that.
>
> Marek
>
>> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda wrote:
>>
>> I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have the same setup as you (Password Policy Hints enabled, Writable edit mode).
>>
>> After the registration, the user's password is successfully updated in MSAD and I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is updated to the latest time, userAccountControl is 512, which corresponds to a fully created and enabled user).
>>
>> Not sure if the difference is with your MSAD setup or if this is related to MSAD 2016. We don't test with this version yet.
>>
>> The workaround might be to disable "Password Policy Hints". But then some advanced password policies won't work (password history etc).
>>
>> Marek
>>
>> On 21/04/17 15:42, Charles Hardin wrote:
>>> 2016
>>>
>>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>>>
>>> I will try to reproduce that. What's your MSAD version btw?
>>>
>>> Thanks,
>>> Marek
>>>
>>> On 20/04/17 23:55, Charles Hardin wrote:
>>>
>>> Hello All,
>>>
>>> I have set up an instance of Keycloak 3 and connected it to AD. It is set up to sync users and is in writable edit mode. I also have Password Policy Hints enabled in the MSAD Account Controls mapper. I have user registration turned on in Keycloak.
>>>
>>> When I register a user in Keycloak, it creates the user in a disabled state in AD, and prompts the user in Keycloak to change the password they just set during account creation to activate the account. This then fails because AD is currently configured to enforce a minimum password age of one day.
>>>
>>> I am ok with the account being created disabled, but how do I get around the immediate 2nd password request?
>>>
>>> Thanks,
>>>
>>> Chuck

From mposolda at redhat.com Wed Apr 26 00:17:13 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 26 Apr 2017 06:17:13 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To:
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com>
Message-ID:

On 25/04/17 22:36, Tech wrote:
>
> Hello Marek,
>
> 1) yes, they are both using the same Kc realm
>
> 2) how can I check this point?
>
In the Keycloak admin console, there is the tab "Authentication" and then the flow "browser".

Marek

> 3) I checked already, I don't think that anything like that is enabled, but I will send you a screenshot in the coming hours (not in the office right now)
>
> Thanks for the support
>
> On 25.04.17 22:14, Marek Posolda wrote:
>> Normally SSO between client applications is supposed to work. I would check:
>>
>> - Are both your clients (portal1 and portal2) using the same Keycloak realm? SSO will work only within the same realm
>>
>> - Is the Cookie authenticator enabled for the browser authentication flow of your realm? Didn't you accidentally disable it? SSO requires that it is enabled
>>
>> - What does the URL to the Keycloak login screen look like? I wonder if your PHP adapter uses some parameters which cause SSO to be disabled (eg. prompt=login or max_age=0)
>>
>> Marek
>>
>> On 25/04/17 14:18, Tech wrote:
>>>
>>> Anybody with any ideas?
>>>
>>> On 25/04/17 12:53, Tech wrote:
>>>>
>>>> Hello Marek,
>>>>
>>>> maybe my email was confusing, we initially ran two tests where we log in and log out of both portals to check that the OIDC is working on each of them.
>>>>
>>>> Once we know that OIDC is working, we then expect to log in to portal1 and open portal2, to find ourselves already logged in, but this doesn't happen and we are forced to log in again
>>>>
>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>> If you don't do "Logout from portal1" at the end of the first test, then SSO should work and you will be automatically logged into portal2 without needing to enter your credentials.
>>>>>
>>>>> The logout is an "SSO logout", hence it also kills the SSO session on the Keycloak side and requires the user to re-login.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>> Dear experts,
>>>>>>
>>>>>> we are working with Moodle, a PHP based platform, where we have been able to correctly configure Keycloak to implement OIDC.
>>>>>>
>>>>>> To test Keycloak we cloned this application, with different URLs, and we did the first test:
>>>>>>
>>>>>> * Connect to portal1
>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>> * Enter credentials stored in Keycloak
>>>>>> * User accepted and redirected to portal1
>>>>>> * Logout from portal1
>>>>>>
>>>>>> After this we tested the second application:
>>>>>>
>>>>>> * Connect to portal2
>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>> * Enter credentials stored in Keycloak
>>>>>> * User accepted and redirected to portal2
>>>>>> * Logout from portal2
>>>>>>
>>>>>> In this case I know that OIDC is working for the two applications and we can expect that the SSO is also working, but after the login to portal1 we have to log in again to portal2, and vice-versa.
>>>>>>
>>>>>> We attach some logs below, could you please help?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>> *Login to portal1*
>>>>>>
>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing? false
>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE ONLY
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-cookie
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: auth-cookie
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-spnego requirement: DISABLED
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is processed
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: identity-provider-redirector
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: identity-provider-redirector
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: null requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is flow
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-username-password-form requirement: REQUIRED
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-username-password-form
>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator CHALLENGE: auth-username-password-form
>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper commit
>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper end
>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>
>>>>>>
>>>>>> *After authentication to portal1*
>>>>>>
>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new JtaTransactionWrapper
>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was existing? false
>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-31) authenticationAction
>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-cookie requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-spnego requirement: DISABLED
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: null requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-username-password-form requirement: REQUIRED
>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) action: auth-username-password-form
>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator SUCCESS: auth-username-password-form
>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check execution: auth-otp-form requirement: OPTIONAL
>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator: auth-otp-form
>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-31) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: getConnection(null, WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20]
>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) type=LOGIN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodleiam/auth/oidc/, consent=no_consent_required, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser
>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Removing old user session: session: 9a5218f8-aa9c-496c-aa00-780430f19c1b
>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring remember me cookie
>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
>>>>>> 2017-04-25 09:54:56,146 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) redirectAccessCode: state: bIJNAcPb8Rxz8Wb
>>>>>> 2017-04-25 09:54:56,146 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: returnConnection(4edba62b, false) [0/20]
>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterTransaction
>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end
>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new JtaTransactionWrapper
>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was existing? false
>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-24) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-24) AUTHENTICATE CLIENT
>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator: client-secret
>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator SUCCESS: client-secret
>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) Client moodle authenticated by client-secret
>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=75173922-dd56-44ca-9255-9a5368e557f4, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, client_auth_method=client-secret
>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper commit
>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper end
>>>>>>
>>>>>>
>>>>>> *Login to portal2*
>>>>>>
>>>>>> 2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new JtaTransactionWrapper
>>>>>> 2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was existing? false
>>>>>> 2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE ONLY
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-cookie
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-6) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: auth-cookie
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-spnego requirement: DISABLED
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is processed
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: identity-provider-redirector
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: identity-provider-redirector
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: null requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is flow
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-username-password-form requirement: REQUIRED
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-username-password-form
>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator CHALLENGE: auth-username-password-form
>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper commit
>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper end
>>>>>>
>>>>>>
>>>>>> *After authentication to portal2*
>>>>>>
>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new JtaTransactionWrapper
>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was existing? false
>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-4) authenticationAction
>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-cookie requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-spnego requirement: DISABLED
>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: null requirement: ALTERNATIVE
>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-username-password-form requirement: REQUIRED
>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) action: auth-username-password-form
>>>>>> 2017-04-25 09:56:29,099 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator SUCCESS: auth-username-password-form
>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check execution: auth-otp-form requirement: OPTIONAL
>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator: auth-otp-form
>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-4) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>> 2017-04-25 09:56:29,101 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: getConnection(null, WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20]
>>>>>> 2017-04-25 09:56:29,102 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4) type=LOGIN, realmId=Demo, clientId=moodle2, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodle2iam/auth/oidc/, consent=no_consent_required, code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser
>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Removing old user session: session: 431cecf6-5a6b-4bbc-9467-3f52eff8090f
>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Expiring remember me cookie
>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: WUCTMXokISFDbFN
>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) JtaTransactionWrapper commit
>>>>>> 2017-04-25 09:56:29,106 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: returnConnection(4edba62b, false) [0/20]
>>>>>> 2017-04-25 09:56:29,106 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterTransaction
>>>>>> 2017-04-25 09:56:29,106 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) JtaTransactionWrapper end
>>>>>> 2017-04-25 09:56:29,626 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new JtaTransactionWrapper
>>>>>> 2017-04-25 09:56:29,626 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was existing? false
>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-13) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE CLIENT
>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) client authenticator: client-secret
>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) client authenticator SUCCESS: client-secret
>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) Client moodle2 authenticated by client-secret
>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=ff9b3385-1362-4559-ad53-05317755b280, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, client_auth_method=client-secret
>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) JtaTransactionWrapper commit
>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) JtaTransactionWrapper end
>>>>>> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1) Error reading request: java.io.IOException: Connection reset by peer
>>>>>> at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
>>>>>> at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
>>>>>> at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
>>>>>> at sun.nio.ch.IOUtil.read(IOUtil.java:192)
>>>>>> at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
>>>>>> at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282)
>>>>>> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658)
>>>>>> at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
>>>>>> at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>>>>> at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
>>>>>> at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
>>>>>> at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
>>>>>> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>>>> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
>>>>>> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
>>>>>> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>>>>
>>>>>> _______________________________________________
>>>>>>
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>
>>
>

From asrafalianwarali.shaikh at gi-de.com Wed Apr 26 02:14:29 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Wed, 26 Apr 2017 06:14:29 +0000
Subject: [keycloak-user] Loading user Through Rest Api
Message-ID: <252098c9efdd4f4e85e221052adb038b@DEL1EXMBXP2P.accounts.intern>

Hi,

Hope you are doing well.

I am currently trying to load as many users as possible through the REST API and check whether there is any performance degradation. Is there any example available?

Thanks in advance.

Regards,
Asraf Shaikh

From tech at psynd.net Wed Apr 26 03:09:09 2017
From: tech at psynd.net (Tech)
Date: Wed, 26 Apr 2017 09:09:09 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To:
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com>
Message-ID: <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net>

Hello again, so:

1) they are both using the same KC realm
2) the cookie is not disabled
3) attached is a screenshot; it is identical for the two applications, with the difference that one of the two URLs has the "2"

On 26/04/17 06:17, Marek Posolda wrote:
> On 25/04/17 22:36, Tech wrote:
>>
>> Hello Marek,
>>
>> 1) yes, they are both using the same KC realm
>>
>> 2) how can I check this point?
>>
> In the Keycloak admin console, there is a tab "Authentication" and then the flow "browser".
>
> Marek
>>
>> 3) I checked already, I don't think that anything like that is enabled, but I will send you a screenshot in the coming hours (not in the office right now)
>>
>> Thanks for the support
>>
>> On 25.04.17 22:14, Marek Posolda wrote:
>>> Normally SSO between client applications is supposed to work. I would check:
>>>
>>> - Are both your clients (portal1 and portal2) using the same Keycloak realm? SSO will work just within the same realm
>>>
>>> - Is the Cookie authenticator enabled for the authentication browser flow of your realm? Didn't you accidentally disable it? SSO requires that it is enabled
>>>
>>> - What does the URL to the Keycloak login screen look like? I wonder if your PHP adapter uses some parameters which cause SSO to be disabled (e.g. prompt=login or max_age=0)
>>>
>>> Marek
>>>
>>> On 25/04/17 14:18, Tech wrote:
>>>>
>>>> Anybody with any ideas?
>>>>
>>>> On 25/04/17 12:53, Tech wrote:
>>>>>
>>>>> Hello Marek,
>>>>>
>>>>> maybe my email was confusing: we initially ran two tests where we log in and log out of both portals to check that OIDC is working on each of them.
>>>>>
>>>>> Once we know that OIDC is working, we expect to log in to portal1 and, on opening portal2, to find ourselves already logged in, but this doesn't happen and we are forced to log in again
>>>>>
>>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>>> If you don't do "Logout from portal1" at the end of the first test, then SSO should work and you will be automatically logged into portal2 without needing to enter your credentials.
>>>>>>
>>>>>> The logout is an "SSO logout", hence it also kills the SSO session on the Keycloak side and requires the user to re-login.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>>> Dear experts,
>>>>>>>
>>>>>>> we are working with Moodle, a PHP based platform, where we have been able to correctly configure Keycloak to implement OIDC.
>>>>>>>
>>>>>>> To test Keycloak we cloned this application with different URLs, and we did the first test:
>>>>>>>
>>>>>>> * Connect to portal1
>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>> * Enter credentials stored in Keycloak
>>>>>>> * User accepted and redirected to portal1
>>>>>>> * Logout from portal1
>>>>>>>
>>>>>>> After this we tested the second application:
>>>>>>>
>>>>>>> * Connect to portal2
>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>> * Enter credentials stored in Keycloak
>>>>>>> * User accepted and redirected to portal2
>>>>>>> * Logout from portal2
>>>>>>>
>>>>>>> In this case I know that OIDC is working for the two applications and we can expect that SSO is also working, but after logging in to portal1 we have to log in again to portal2, and vice versa.
>>>>>>>
>>>>>>> We attach some logs below; could you please help?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>>
>>>>>>> *Login to portal1*
>>>>>>>
>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing? false
>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE ONLY
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-cookie
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: auth-cookie
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-spnego requirement: DISABLED
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is processed
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: identity-provider-redirector
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: identity-provider-redirector
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: null requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is flow
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-username-password-form requirement: REQUIRED
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-username-password-form
>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator CHALLENGE: auth-username-password-form
>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper commit
>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper end
>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>>
>>>>>>>
>>>>>>> *After authentication to portal1*
>>>>>>>
>>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new JtaTransactionWrapper
>>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was existing? false
>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-31) authenticationAction
>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-cookie requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-spnego requirement: DISABLED
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: null requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-username-password-form requirement: REQUIRED
>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) action: auth-username-password-form
>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator SUCCESS: auth-username-password-form
>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check execution: auth-otp-form requirement: OPTIONAL
>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator: auth-otp-form
>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-31) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31)
>>>>>>>     select
>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>     from
>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>     where
>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>         and roleentity0_.NAME=?
>>>>>>>         and roleentity0_.REALM=?
>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31)
>>>>>>>     select
>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>     from
>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>     where
>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>         and roleentity0_.NAME=?
>>>>>>>         and roleentity0_.REALM=?
>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31)
>>>>>>>     select
>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>     from
>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>     where
>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>         and roleentity0_.NAME=?
>>>>>>>         and roleentity0_.REALM=?
>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) type=LOGIN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodleiam/auth/oidc/, consent=no_consent_required, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser
>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Removing old user session: session: 9a5218f8-aa9c-496c-aa00-780430f19c1b
>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring remember me cookie
>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
>>>>>>> 2017-04-25 09:54:56,146 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) redirectAccessCode: state: bIJNAcPb8Rxz8Wb
>>>>>>> 2017-04-25 09:54:56,146 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
>>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: returnConnection(4edba62b, false) [0/20]
>>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterTransaction
>>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end
>>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new JtaTransactionWrapper
>>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was existing? false
>>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-24) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-24) AUTHENTICATE CLIENT
>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator: client-secret
>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator SUCCESS: client-secret
>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) Client moodle authenticated by client-secret
>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=75173922-dd56-44ca-9255-9a5368e557f4, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, client_auth_method=client-secret
>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper commit
>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper end
>>>>>>>
>>>>>>>
>>>>>>> *Login to portal2*
>>>>>>>
>>>>>>> 2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new JtaTransactionWrapper
>>>>>>> 2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was existing? false
>>>>>>> 2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE ONLY
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-cookie
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-6) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: auth-cookie
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-spnego requirement: DISABLED
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is processed
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: identity-provider-redirector
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: identity-provider-redirector
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: null requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is flow
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-username-password-form requirement: REQUIRED
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-username-password-form
>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator CHALLENGE: auth-username-password-form
>>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper commit
>>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper end
>>>>>>>
>>>>>>>
>>>>>>> *After authentication to portal2*
>>>>>>>
>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new JtaTransactionWrapper
>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was existing? false
>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-4) authenticationAction
>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-cookie requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-spnego requirement: DISABLED
>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: null requirement: ALTERNATIVE
>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-username-password-form requirement: REQUIRED
>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) action: auth-username-password-form
>>>>>>> 2017-04-25 09:56:29,099 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator SUCCESS: auth-username-password-form
>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check execution: auth-otp-form requirement: OPTIONAL
>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator: auth-otp-form
>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-4) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4)
>>>>>>>     select
>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>     from
>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>     where
>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>         and roleentity0_.NAME=?
>>>>>>>         and roleentity0_.REALM=?
>>>>>>> 2017-04-25 09:56:29,101 DEBUG >>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>> (default >>>>>>> task-4) MySqlDS: getConnection(null, >>>>>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) [0/20] >>>>>>> 2017-04-25 09:56:29,102 DEBUG >>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>> afterStatement >>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) >>>>>>> select >>>>>>> roleentity0_.ID as col_0_0_ >>>>>>> from >>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>> where >>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>> and roleentity0_.NAME=? >>>>>>> and roleentity0_.REALM=? >>>>>>> 2017-04-25 09:56:29,103 DEBUG >>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>> afterStatement >>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) >>>>>>> select >>>>>>> roleentity0_.ID as col_0_0_ >>>>>>> from >>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>> where >>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>> and roleentity0_.NAME=? >>>>>>> and roleentity0_.REALM=? 
>>>>>>> 2017-04-25 09:56:29,104 DEBUG >>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>> afterStatement >>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default >>>>>>> task-4) >>>>>>> type=LOGIN, realmId=Demo, clientId=moodle2, >>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>> ipAddress=192.168.0.27, >>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>> redirect_uri=https://localhost/moodle2iam/auth/oidc/, >>>>>>> consent=no_consent_required, >>>>>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser >>>>>>> 2017-04-25 09:56:29,104 DEBUG >>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>> task-4) >>>>>>> Removing old user session: session: >>>>>>> 431cecf6-5a6b-4bbc-9467-3f52eff8090f >>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>> task-4) >>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>> /auth/realms/Demo, >>>>>>> max-age: -1 >>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>> task-4) >>>>>>> Expiring remember me cookie >>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>> task-4) >>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) >>>>>>> redirectAccessCode: state: WUCTMXokISFDbFN >>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>>>>>> JtaTransactionWrapper commit >>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>> (default >>>>>>> task-4) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>> 
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>> afterTransaction >>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>>>>>> JtaTransactionWrapper end >>>>>>> 2017-04-25 09:56:29,626 DEBUG >>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>> task-13) new >>>>>>> JtaTransactionWrapper >>>>>>> 2017-04-25 09:56:29,626 DEBUG >>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>> task-13) was >>>>>>> existing? false >>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>> (default task-13) RESTEASY002315: PathInfo: >>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>> task-13) >>>>>>> AUTHENTICATE CLIENT >>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>>>>> task-13) >>>>>>> client authenticator: client-secret >>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>>>>> task-13) >>>>>>> client authenticator SUCCESS: client-secret >>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>>>>> task-13) >>>>>>> Client moodle2 authenticated by client-secret >>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default >>>>>>> task-13) >>>>>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2, >>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>> ipAddress=153.109.152.213, >>>>>>> token_id=ff9b3385-1362-4559-ad53-05317755b280, >>>>>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>> refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, >>>>>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, >>>>>>> client_auth_method=client-secret 
>>>>>>> 2017-04-25 09:56:29,656 DEBUG >>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>>>>>> JtaTransactionWrapper commit >>>>>>> 2017-04-25 09:56:29,656 DEBUG >>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>>>>>> JtaTransactionWrapper end >>>>>>> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default >>>>>>> I/O-1) >>>>>>> Error reading request: java.io.IOException: Connection reset by >>>>>>> peer >>>>>>> at sun.nio.ch.FileDispatcherImpl.read0(Native Method) >>>>>>> at >>>>>>> sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) >>>>>>> at >>>>>>> sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) >>>>>>> at sun.nio.ch.IOUtil.read(IOUtil.java:192) >>>>>>> at >>>>>>> sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) >>>>>>> at >>>>>>> org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282) >>>>>>> at >>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658) >>>>>>> at >>>>>>> io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530) >>>>>>> at >>>>>>> org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) >>>>>>> >>>>>>> at >>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152) >>>>>>> >>>>>>> at >>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130) >>>>>>> >>>>>>> at >>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56) >>>>>>> >>>>>>> at >>>>>>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >>>>>>> >>>>>>> at >>>>>>> org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) >>>>>>> >>>>>>> at >>>>>>> io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059) >>>>>>> >>>>>>> at >>>>>>> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) >>>>>>> at 
>>>>>>> org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

From mr.beel at gmail.com Wed Apr 26 03:27:08 2017
From: mr.beel at gmail.com (Nabeel Ahmed)
Date: Wed, 26 Apr 2017 12:27:08 +0500
Subject: [keycloak-user] Vender is empty in config map when create user-storage provider from rest api.
Message-ID:

Hi Everyone,

Keycloak - 3.0.Final

I am trying to create a user-storage provider by calling POST on /components with type UserStorageProvider. I have set vender : ["ad"] as a config parameter and am able to save it. I am also able to import users. But when I go to the Keycloak UI and try to edit it, all other fields are set but the vender field is empty and read-only. Since it's a required field, I cannot update my settings.

Please help...

Regards,
Nabeel Ahmed
Cell # +92 333 540 5542

From marc.tempelmeier at flane.de Wed Apr 26 03:52:42 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 26 Apr 2017 07:52:42 +0000
Subject: [keycloak-user] Admin user in Clustered Domain Mode
In-Reply-To: <12aa0c8c99f541ca9d969236fdc5bce2@dehamex2013.europe.flane.local>
References: <12aa0c8c99f541ca9d969236fdc5bce2@dehamex2013.europe.flane.local>
Message-ID:

Hi,

anyone an idea?
Tried several ways now:

On master:
/keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration -u admin1 -p lalalala
/keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration -u admin2 -p lalalala \
/keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration -u admin3 -p lalalala --domain

On slave:
/keycloak/bin/add-user-keycloak.sh -u admin4 -p lalalala

No user works :(

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Marc Tempelmeier
Sent: Wednesday, April 19, 2017 9:03 AM
To: keycloak-user
Subject: [keycloak-user] Admin user in Clustered Domain Mode

Hi,

We connected a Domain Controller and 2 Slaves. How can I create an admin user?

There is a "--domain" switch, but the users created with it don't work. If I create an admin user on a slave it works and after that I can use him on the other slave, because he is in the db.

How is the intended workflow here?

Greetings

Marc
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Wed Apr 26 04:05:00 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 26 Apr 2017 10:05:00 +0200
Subject: [keycloak-user] Why use keycloak-nodejs-connect instead of general OID client?
In-Reply-To:
References:
Message-ID:

(including the mailing list again)
tbh I'm not sure this is related to keycloak, isn't it just a matter of using the right IPs exposed by the container in your keycloak.json files ?

On Tue, Apr 25, 2017 at 6:25 PM, Alex Berg wrote:

> Here's my problem:
>
> I'm running keycloak, mysql, and my JS app locally in docker containers.
> From inside the container, keycloak is accessible at "keycloak:8080", but
> outside the container (from the browser on localhost), it's available at
> "localhost:8080". My "keycloak.json" file has "auth-server-url" =
> "localhost:8080", so when the JS app gets the OIDC authorization token in a
> callback, the Keycloak middleware in my JS app tries to get an access token
> by requesting the auth token to "localhost:8080", but this request fails
> because localhost isn't serving on that port - the "keycloak" container is.
>
> On Sat, Apr 22, 2017 at 2:08 PM, Alex Berg wrote:
>
>> I can't find docs which answer the basic question of what it does and how
>> it is supposed to work. After spending a week trying to discover these
>> answers for myself by reading its code, I still can't get it to work, so I
>> am curious what I would lose by using a better documented library. Thanks
>> for that answer!
>>
>> I'm doing a SPA-ish app and want to track the session in a cookie, and this
>> library does exactly that, but knowing how the redirects should work and
>> what the responses should be is pretty tricky. The errors indicate deeper
>> complexity than just "install this middleware and the rest just works".
>>
>> I can make a PR for doc improvements. I know one of the errors I was
>> seeing is a response of "invalid authorization token", but I don't know why
>> that would be. I can only make a JIRA ticket if I know the problem isn't my
>> lack of knowledge.
>>
>> On Apr 22, 2017 02:32, "Sebastien Blanc" wrote:
>>
>>>
>>>
>>> On Fri, Apr 21, 2017 at 8:16 PM, Alex Berg wrote:
>>>
>>>> I am trying to install the keycloak-nodejs-connect middleware into my
>>>> app.
>>>> It isn't working well, so of course I'm thinking of trying a different
>>>> openid-connect client library.
>>>>
>>> What doesn't work well ? Have you opened tickets for this ?
>>>
>>>>
>>>> What does the keycloak-nodejs-connect library do that other
>>>> openid-connect
>>>> client libraries don't do? It looks like one unique thing is that it
>>>> listens for a logout request to be sent from the keycloak admin console,
>>>> but I'm not sure as docs don't exist.
>>>>
>>> It also handles the admin backend channel for revocation, it handles
>>> public key rotation retrieval, role-based authorization. This is documented
>>> in the docs that exist https://keycloak.gitbooks.io/documentation/content/securing_apps/topics/oidc/nodejs-adapter.html
>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>

From esteffens at rovecom.nl Wed Apr 26 05:32:34 2017
From: esteffens at rovecom.nl (Erwin Steffens | Rovecom)
Date: Wed, 26 Apr 2017 09:32:34 +0000
Subject: [keycloak-user] SAML response parsing failed
Message-ID: <1493199154452.73006@rovecom.nl>

We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party but Keycloak does seem to be able to parse the SAML response.

The error we get is:

09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /realms/datahub/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"

When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.

Can I somehow attach the XML here?

Erwin

-----------------------------
Rovecom

Erwin Steffens | Rovecom
software developer

Elbe 2, 7908 HB Hoogeveen
P.O. Box 2126, 7900 BC Hoogeveen
0528 22 35 35

Continuously innovating to stimulate movement and realise growth. We are Rovecom.
Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste the link into your internet browser.
-----------------------------

From sthorger at redhat.com Wed Apr 26 06:49:54 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 26 Apr 2017 12:49:54 +0200
Subject: [keycloak-user] Admin user in Clustered Domain Mode
In-Reply-To:
References: <12aa0c8c99f541ca9d969236fdc5bce2@dehamex2013.europe.flane.local>
Message-ID:

I think the first one is the right one:
/keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration -u admin1 -p lalalala

Did you restart slave1 afterwards?

On 26 April 2017 at 09:52, Marc Tempelmeier wrote:

> Hi,
>
> anyone an idea?
>
> Tried several ways now:
>
> On master:
> /keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration
> -u admin1 -p lalalala
> /keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration -u
> admin2 -p lalalala \
> /keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration -u
> admin3 -p lalalala --domain
>
> On slave:
> /keycloak/bin/add-user-keycloak.sh -u admin4 -p lalalala
>
> No user works :(
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
> lists.jboss.org] On behalf of Marc Tempelmeier
> Sent: Wednesday, April 19, 2017 9:03 AM
> To: keycloak-user
> Subject: [keycloak-user] Admin user in Clustered Domain Mode
>
> Hi,
>
> We connected a Domain Controller and 2 Slaves. How can I create an admin
> user?
>
> There is a "--domain" switch, but the users created with it don't work. If
> I create an admin user on a slave it works and after that I can use him on
> the other slave, because he is in the db.
>
> How is the intended workflow here?
>
> Greetings
>
> Marc
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Wed Apr 26 06:50:26 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 26 Apr 2017 12:50:26 +0200
Subject: [keycloak-user] Admin user in Clustered Domain Mode
In-Reply-To:
References: <12aa0c8c99f541ca9d969236fdc5bce2@dehamex2013.europe.flane.local>
Message-ID:

I think I know - you need to run that on the slave

On 26 April 2017 at 12:49, Stian Thorgersen wrote:

> I think the first one is the right one:
> /keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration
> -u admin1 -p lalalala
>
> Did you restart slave1 afterwards?
>
> On 26 April 2017 at 09:52, Marc Tempelmeier
> wrote:
>
>> Hi,
>>
>> anyone an idea?
>>
>> Tried several ways now:
>>
>> On master:
>> /keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration
>> -u admin1 -p lalalala
>> /keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration
>> -u admin2 -p lalalala \
>> /keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration
>> -u admin3 -p lalalala --domain
>>
>> On slave:
>> /keycloak/bin/add-user-keycloak.sh -u admin4 -p lalalala
>>
>> No user works :(
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
>> lists.jboss.org] On behalf of Marc Tempelmeier
>> Sent: Wednesday, April 19, 2017 9:03 AM
>> To: keycloak-user
>> Subject: [keycloak-user] Admin user in Clustered Domain Mode
>>
>> Hi,
>>
>> We connected a Domain Controller and 2 Slaves. How can I create an admin
>> user?
>>
>> There is a "--domain" switch, but the users created with it don't work.
>> If I create an admin user on a slave it works and after that I can use him
>> on the other slave, because he is in the db.
>>
>> How is the intended workflow here?
>>
>> Greetings
>>
>> Marc
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From sthorger at redhat.com Wed Apr 26 06:50:57 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 26 Apr 2017 12:50:57 +0200
Subject: [keycloak-user] Admin user in Clustered Domain Mode
In-Reply-To:
References: <12aa0c8c99f541ca9d969236fdc5bce2@dehamex2013.europe.flane.local>
Message-ID:

Please add a comment to the documentation that we need to document this

On 26 April 2017 at 12:50, Stian Thorgersen wrote:

> I think I know - you need to run that on the slave
>
> On 26 April 2017 at 12:49, Stian Thorgersen wrote:
>
>> I think the first one is the right one:
>> /keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration
>> -u admin1 -p lalalala
>>
>> Did you restart slave1 afterwards?
>>
>> On 26 April 2017 at 09:52, Marc Tempelmeier
>> wrote:
>>
>>> Hi,
>>>
>>> anyone an idea?
>>>
>>> Tried several ways now:
>>>
>>> On master:
>>> /keycloak/bin/add-user-keycloak.sh --sc /keycloak/domain/servers/slave1/configuration
>>> -u admin1 -p lalalala
>>> /keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration
>>> -u admin2 -p lalalala \
>>> /keycloak/bin/add-user-keycloak.sh --dc /keycloak/domain/configuration
>>> -u admin3 -p lalalala --domain
>>>
>>> On slave:
>>> /keycloak/bin/add-user-keycloak.sh -u admin4 -p lalalala
>>>
>>> No user works :(
>>>
>>> -----Original Message-----
>>> From: keycloak-user-bounces at lists.jboss.org [mailto:
>>> keycloak-user-bounces at lists.jboss.org] On behalf of Marc Tempelmeier
>>> Sent: Wednesday, April 19, 2017 9:03 AM
>>> To: keycloak-user
>>> Subject: [keycloak-user] Admin user in Clustered Domain Mode
>>>
>>> Hi,
>>>
>>> We connected a Domain Controller and 2 Slaves. How can I create an admin
>>> user?
>>>
>>> There is a "--domain" switch, but the users created with it don't work.
>>> If I create an admin user on a slave it works and after that I can use him
>>> on the other slave, because he is in the db.
>>>
>>> How is the intended workflow here?
>>>
>>> Greetings
>>>
>>> Marc
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From esteffens at rovecom.nl Wed Apr 26 06:51:27 2017
From: esteffens at rovecom.nl (Erwin Steffens | Rovecom)
Date: Wed, 26 Apr 2017 10:51:27 +0000
Subject: [keycloak-user] SAML response parsing failed
In-Reply-To:
References: <1493199154452.73006@rovecom.nl>
Message-ID: <943ce975e74e44acba5c3b7600d8ca04@rovexchange.rovecom.local>

Here it is: https://www.dropbox.com/s/gjuems7k6nkjs19/connectis-saml-response-raw.xml?dl=0

-----------------------------
Rovecom

Erwin Steffens | Rovecom
software developer

Elbe 2, 7908 HB Hoogeveen
P.O. Box 2126, 7900 BC Hoogeveen
0528 22 35 35

Continuously innovating to stimulate movement and realise growth. We are Rovecom.
Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste the link into your internet browser.
-----------------------------

-----Original Message-----
From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
Sent: Wednesday 26 April 2017 11:48
To: Erwin Steffens | Rovecom
Subject: Re: [keycloak-user] SAML response parsing failed

Could you please store the SAML response to e.g. google drive/dropbox/... and send here a link to it?

--Hynek

On Wed, Apr 26, 2017 at 11:32 AM, Erwin Steffens | Rovecom wrote:
>
>
> We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party but Keycloak does seem to be able to parse the SAML response.
>
> The error we get is:
>
> 09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023:
> Exception handling request to
> /realms/datahub/login-actions/first-broker-login:
> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"
>
> When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.
>
> Can I somehow attach the XML here?
>
> Erwin
>
>
>
>
> -----------------------------
> Rovecom
>
> Erwin Steffens | Rovecom
> software developer
>
> Elbe 2, 7908 HB Hoogeveen
> P.O. Box 2126, 7900 BC Hoogeveen
> 0528 22 35 35
>
>
> Continuously innovating to stimulate movement and realise growth. We are Rovecom.
> Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste the link into your internet browser.
>
>
> -----------------------------
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From chexxor at gmail.com Wed Apr 26 09:58:45 2017
From: chexxor at gmail.com (Alex Berg)
Date: Wed, 26 Apr 2017 08:58:45 -0500
Subject: [keycloak-user] Why use keycloak-nodejs-connect instead of general OID client?
In-Reply-To:
References:
Message-ID:

Ah, email is tricky.

Yeah, yeah it could be that, but I've tried various values for the auth server and still have problems. I'll keep working on it. Thanks!

On Apr 26, 2017 03:05, "Sebastien Blanc" wrote:

> (including the mailing list again)
> tbh I'm not sure this is related to keycloak, isn't it just a matter of using
> the right IPs exposed by the container in your keycloak.json files ?
>
> On Tue, Apr 25, 2017 at 6:25 PM, Alex Berg wrote:
>
>> Here's my problem:
>>
>> I'm running keycloak, mysql, and my JS app locally in docker containers.
>> From inside the container, keycloak is accessible at "keycloak:8080", but
>> outside the container (from the browser on localhost), it's available at
>> "localhost:8080". My "keycloak.json" file has "auth-server-url" =
>> "localhost:8080", so when the JS app gets the OIDC authorization token in a
>> callback, the Keycloak middleware in my JS app tries to get an access token
>> by requesting the auth token to "localhost:8080", but this request fails
>> because localhost isn't serving on that port - the "keycloak" container is.
>>
>> On Sat, Apr 22, 2017 at 2:08 PM, Alex Berg wrote:
>>
>>> I can't find docs which answer the basic question of what it does and
>>> how it is supposed to work. After spending a week trying to discover these
>>> answers for myself by reading its code, I still can't get it to work, so I
>>> am curious what I would lose by using a better documented library. Thanks
>>> for that answer!
>>>
>>> I'm doing a SPA-ish app and want to track the session in a cookie, and this
>>> library does exactly that, but knowing how the redirects should work and
>>> what the responses should be is pretty tricky. The errors indicate deeper
>>> complexity than just "install this middleware and the rest just works".
>>>
>>> I can make a PR for doc improvements. I know one of the errors I was
>>> seeing is a response of "invalid authorization token", but I don't know why
>>> that would be. I can only make a JIRA ticket if I know the problem isn't my
>>> lack of knowledge.
>>>
>>> On Apr 22, 2017 02:32, "Sebastien Blanc" wrote:
>>>
>>>>
>>>>
>>>> On Fri, Apr 21, 2017 at 8:16 PM, Alex Berg wrote:
>>>>
>>>>> I am trying to install the keycloak-nodejs-connect middleware into my
>>>>> app.
>>>>> It isn't working well, so of course I'm th inking of trying a different
>>>>> openid-connect client library.
>>>>>
>>>> What doesn't work well ? Have you opened tickets for this ?
>>>>
>>>>>
>>>>> What does the keycloak-nodejs-connect library do that other
>>>>> openid-connect
>>>>> client libraries don't do? It looks like one unique thing is that it
>>>>> listens for a logout request to be sent from the keycloak admin
>>>>> console,
>>>>> but I'm not sure as docs don't exist.
>>>>>
>>>> It also handles the admin backend channel for revocation, it handles
>>>> public key rotation retrieval, role-based authorization. This is documented
>>>> in the docs that exist https://keycloak.gitbooks.io/documentation/content/securing_apps/topics/oidc/nodejs-adapter.html
>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>
>

From mposolda at redhat.com Wed Apr 26 10:17:42 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 26 Apr 2017 16:17:42 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To: <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net>
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com> <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net>
Message-ID:

Thanks, are you seeing the KEYCLOAK_IDENTITY cookie in your browser for path "/auth/realms/yourrealm" ? Are you using a proxy/loadbalancer, which may cause cookies sent to the proxy not to be visible on the backend server (Keycloak)?

Marek

On 26/04/17 09:09, Tech wrote:
> Hello again,
>
> so:
> 1) they are both using the same kc realm
> 2) the cookie is not disabled
> 3) attached is a screenshot, it's identical for the two applications,
> with the difference that one of the two URLs has the "2"
>
>
>
>
> On 26/04/17 06:17, Marek Posolda wrote:
>> On 25/04/17 22:36, Tech wrote:
>>>
>>> Hello Marek,
>>>
>>> 1) yes, they are both using the same Kc realm
>>>
>>> 2) how can I check this point?
>>>
>> In the Keycloak admin console, there is a tab "Authentication" and then
>> the flow "browser" .
>>
>> Marek
>>>
>>> 3) I checked already, I don't think that anything like that is
>>> enabled, but I will send you a screenshot in the coming hours (not
>>> in the office right now)
>>>
>>> Thanks for the support
>>>
>>>
>>>
>>>
>>> On 25.04.17 22:14, Marek Posolda wrote:
>>>> Normally SSO between client applications is supposed to work. I
>>>> would check:
>>>>
>>>> - Are both your clients (portal1 and portal2) using the same Keycloak
>>>> realm? SSO will work just with the same realm
>>>>
>>>> - Is the Cookie authenticator enabled for the authentication browser flow
>>>> of your realm? Didn't you accidentally disable it? SSO requires
>>>> that it is enabled
>>>>
>>>> - What does the URL to the Keycloak login screen look like? I wonder if
>>>> your PHP adapter uses some parameters, which cause SSO to be disabled
>>>> (eg. prompt=login or max_age=0)
>>>>
>>>> Marek
>>>>
>>>> On 25/04/17 14:18, Tech wrote:
>>>>>
>>>>> Anybody with any ideas?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 25/04/17 12:53, Tech wrote:
>>>>>>
>>>>>> Hello Marek,
>>>>>>
>>>>>> maybe my email was confusing, we initially ran two tests where we
>>>>>> log in and log out in both portals to check that the oidc is working
>>>>>> on each of them.
>>>>>>
>>>>>> Once we know that OIDC is working, then we are expecting to log in
>>>>>> to portal1 and, opening portal2, to find us already logged in, but
>>>>>> this doesn't happen and we are forced to log in again
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>>>> If you don't do "Logout from portal1" at the end of the first test,
>>>>>>> then SSO should work and you will be automatically logged into
>>>>>>> portal2 without a need to put in your credentials.
>>>>>>>
>>>>>>> The logout is "SSO logout", hence it also kills the SSO session
>>>>>>> on the Keycloak side and requires the user to re-login.
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>>>> Dear experts,
>>>>>>>>
>>>>>>>> we are working with Moodle, a PHP-based platform, where we have been able to configure Keycloak correctly to implement OIDC.
>>>>>>>>
>>>>>>>> To test Keycloak we cloned this application with different URLs and did the first test:
>>>>>>>>
>>>>>>>> * Connect to portal1
>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>> * Enter credentials stored in Keycloak
>>>>>>>> * User accepted and redirected to portal1
>>>>>>>> * Logout from portal1
>>>>>>>>
>>>>>>>> After this we tested the second application:
>>>>>>>>
>>>>>>>> * Connect to portal2
>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>> * Enter credentials stored in Keycloak
>>>>>>>> * User accepted and redirected to portal2
>>>>>>>> * Logout from portal2
>>>>>>>>
>>>>>>>> In this case I know that OIDC is working for the two applications and we can expect that SSO is also working, but after the login to portal1 we have to log in again to portal2, and vice versa.
>>>>>>>>
>>>>>>>> We attach some logs below, could you please help?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> *Login to portal1*
>>>>>>>>
>>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing? false
>>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE ONLY
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-cookie
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: auth-cookie
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-spnego requirement: DISABLED
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is processed
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: identity-provider-redirector
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: identity-provider-redirector
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: null requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is flow
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-username-password-form requirement: REQUIRED
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-username-password-form
>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator CHALLENGE: auth-username-password-form
>>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper commit
>>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper end
>>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>>>
>>>>>>>> *After authentication to portal1*
>>>>>>>>
>>>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new JtaTransactionWrapper
>>>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was existing? false
>>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-31) authenticationAction
>>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-cookie requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-spnego requirement: DISABLED
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: null requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-username-password-form requirement: REQUIRED
>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) action: auth-username-password-form
>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator SUCCESS: auth-username-password-form
>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check execution: auth-otp-form requirement: OPTIONAL
>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator: auth-otp-form
>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-31) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) type=LOGIN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodleiam/auth/oidc/, consent=no_consent_required, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser
>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Removing old user session: session: 9a5218f8-aa9c-496c-aa00-780430f19c1b
>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring remember me cookie
>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
>>>>>>>> 2017-04-25 09:54:56,146 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) redirectAccessCode: state: bIJNAcPb8Rxz8Wb
>>>>>>>> 2017-04-25 09:54:56,146 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
>>>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: returnConnection(4edba62b, false) [0/20]
>>>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterTransaction
>>>>>>>> 2017-04-25 09:54:56,149 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end
>>>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new JtaTransactionWrapper
>>>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was existing? false
>>>>>>>> 2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-24) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
>>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-24) AUTHENTICATE CLIENT
>>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator: client-secret
>>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator SUCCESS: client-secret
>>>>>>>> 2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) Client moodle authenticated by client-secret
>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=75173922-dd56-44ca-9255-9a5368e557f4, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, client_auth_method=client-secret
>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper commit
>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper end
>>>>>>>>
>>>>>>>> *Login to portal2*
>>>>>>>>
>>>>>>>> 2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new JtaTransactionWrapper
>>>>>>>> 2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was existing? false
>>>>>>>> 2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE ONLY
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-cookie
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-6) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: auth-cookie
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-spnego requirement: DISABLED
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is processed
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: identity-provider-redirector
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: identity-provider-redirector
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: null requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is flow
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-username-password-form requirement: REQUIRED
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-username-password-form
>>>>>>>> 2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator CHALLENGE: auth-username-password-form
>>>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper commit
>>>>>>>> 2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper end
>>>>>>>>
>>>>>>>> *After authentication to portal2*
>>>>>>>>
>>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new JtaTransactionWrapper
>>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was existing? false
>>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-4) authenticationAction
>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-cookie requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-spnego requirement: DISABLED
>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: null requirement: ALTERNATIVE
>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-username-password-form requirement: REQUIRED
>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) action: auth-username-password-form
>>>>>>>> 2017-04-25 09:56:29,099 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator SUCCESS: auth-username-password-form
>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check execution: auth-otp-form requirement: OPTIONAL
>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator: auth-otp-form
>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-4) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>>>> 2017-04-25 09:56:29,101 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
>>>>>>>> 2017-04-25 09:56:29,102 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4) select roleentity0_.ID as col_0_0_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.CLIENT_ROLE=0 and roleentity0_.NAME=? and roleentity0_.REALM=?
>>>>>>>> 2017-04-25 09:56:29,104 DEBUG >>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>> >>>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>>> afterStatement >>>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default >>>>>>>> task-4) >>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle2, >>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>> ipAddress=192.168.0.27, >>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>> redirect_uri=https://localhost/moodle2iam/auth/oidc/, >>>>>>>> consent=no_consent_required, >>>>>>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser >>>>>>>> 2017-04-25 09:56:29,104 DEBUG >>>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>>> task-4) >>>>>>>> Removing old user session: session: >>>>>>>> 431cecf6-5a6b-4bbc-9467-3f52eff8090f >>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>>> task-4) >>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>> /auth/realms/Demo, >>>>>>>> max-age: -1 >>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>>> task-4) >>>>>>>> Expiring remember me cookie >>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>> [org.keycloak.services.managers.AuthenticationManager] (default >>>>>>>> task-4) >>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) >>>>>>>> redirectAccessCode: state: WUCTMXokISFDbFN >>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>>>>>>> JtaTransactionWrapper commit >>>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>> (default >>>>>>>> task-4) MySqlDS: returnConnection(4edba62b, false) 
[0/20] >>>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>> >>>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>>> afterTransaction >>>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) >>>>>>>> JtaTransactionWrapper end >>>>>>>> 2017-04-25 09:56:29,626 DEBUG >>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>> task-13) new >>>>>>>> JtaTransactionWrapper >>>>>>>> 2017-04-25 09:56:29,626 DEBUG >>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>> task-13) was >>>>>>>> existing? false >>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>> (default task-13) RESTEASY002315: PathInfo: >>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>> task-13) >>>>>>>> AUTHENTICATE CLIENT >>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>>>>>> task-13) >>>>>>>> client authenticator: client-secret >>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>>>>>> task-13) >>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] (default >>>>>>>> task-13) >>>>>>>> Client moodle2 authenticated by client-secret >>>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default >>>>>>>> task-13) >>>>>>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2, >>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>> ipAddress=153.109.152.213, >>>>>>>> token_id=ff9b3385-1362-4559-ad53-05317755b280, >>>>>>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>>> 
refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, >>>>>>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, >>>>>>>> client_auth_method=client-secret >>>>>>>> 2017-04-25 09:56:29,656 DEBUG >>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>>>>>>> JtaTransactionWrapper commit >>>>>>>> 2017-04-25 09:56:29,656 DEBUG >>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) >>>>>>>> JtaTransactionWrapper end >>>>>>>> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default >>>>>>>> I/O-1) >>>>>>>> Error reading request: java.io.IOException: Connection reset by >>>>>>>> peer >>>>>>>> at sun.nio.ch.FileDispatcherImpl.read0(Native Method) >>>>>>>> at >>>>>>>> sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) >>>>>>>> at >>>>>>>> sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) >>>>>>>> at sun.nio.ch.IOUtil.read(IOUtil.java:192) >>>>>>>> at >>>>>>>> sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) >>>>>>>> at >>>>>>>> org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282) >>>>>>>> at >>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658) >>>>>>>> at >>>>>>>> io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530) >>>>>>>> at >>>>>>>> org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) >>>>>>>> >>>>>>>> at >>>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152) >>>>>>>> >>>>>>>> at >>>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130) >>>>>>>> >>>>>>>> at >>>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56) >>>>>>>> >>>>>>>> at >>>>>>>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) >>>>>>>> >>>>>>>> at >>>>>>>> org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) >>>>>>>> >>>>>>>> at >>>>>>>> 
io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059) >>>>>>>> >>>>>>>> at >>>>>>>> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) >>>>>>>> >>>>>>>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From hmlnarik at redhat.com Wed Apr 26 10:48:04 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 26 Apr 2017 16:48:04 +0200 Subject: [keycloak-user] SAML response parsing failed In-Reply-To: <943ce975e74e44acba5c3b7600d8ca04@rovexchange.rovecom.local> References: <1493199154452.73006@rovecom.nl> <943ce975e74e44acba5c3b7600d8ca04@rovexchange.rovecom.local> Message-ID: Thank you. This seems to be related to woodstox. With standard JDK's XML event implementation (in fact xerces) that file is parsed correctly. Can you try using xerces instead? --Hynek On Wed, Apr 26, 2017 at 12:51 PM, Erwin Steffens | Rovecom wrote: > > Here it is: https://www.dropbox.com/s/gjuems7k6nkjs19/connectis-saml-response-raw.xml?dl=0 > > > > ----------------------------- > Rovecom > > Erwin Steffens | Rovecom > softwareontwikkelaar > > Elbe 2, 7908 HB Hoogeveen > Postbus 2126, 7900 BC Hoogeveen > 0528 22 35 35 > > > Voortdurend bezig met innoveren om beweging te stimuleren en groei te realiseren. Wij zijn Rovecom. > Disclaimer: http://www.rovecom.nl/maildisclaimer. Wanneer de link niet werkt, plak de link dan in uw internet browser. > > > ----------------------------- > > -----Oorspronkelijk bericht----- > Van: Hynek Mlnarik [mailto:hmlnarik at redhat.com] > Verzonden: woensdag 26 april 2017 11:48 > Aan: Erwin Steffens | Rovecom > Onderwerp: Re: [keycloak-user] SAML response parsing failed > > Could you please store the SAML response to e.g. google drive/dropbox/... 
> and send here a link to it?
>
> --Hynek
>
> On Wed, Apr 26, 2017 at 11:32 AM, Erwin Steffens | Rovecom wrote:
>>
>> We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party but Keycloak does not seem to be able to parse the SAML response.
>>
>> The error we get is:
>>
>> 09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /realms/datahub/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"
>>
>> When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.
>>
>> Can I somehow attach the XML here?
>>
>> Erwin
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

--Hynek

From jonathandandries at gmail.com Wed Apr 26 12:13:23 2017
From: jonathandandries at gmail.com (Jonathan D'Andries)
Date: Wed, 26 Apr 2017 11:13:23 -0500
Subject: [keycloak-user] Multiple access types for a single Spring Boot application
Message-ID:

Here is what I want to do:

I have built REST services in Spring Boot.
For the services themselves, I want to use the "bearer-only" access type so that applications are NOT redirected to a login page if unauthenticated.

However, I want the generated swagger documentation to use the "confidential" access type so that swagger-ui.html redirects the user/browser to a login page and captures the token that will then be passed to the services when testing things out.

It seems like the best way to accomplish this is with two clients, similar to the demo here:

http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html

My concern is that having two client configurations in my Spring Boot application.yml doesn't seem possible - am I missing something? I am aware of the multi-tenant options for Keycloak, but I don't actually want two different realms:

https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/multi-tenancy.html

For whatever configuration I come up with, I want the user's token to apply to both the swagger-ui and the services, but with two different access types.

Here are some things I've learned so far:

I'm aware that swagger-ui offers an option to authenticate its services with a token. There are two limitations of this approach:
1. With springfox generated swagger, it doesn't seem to work. I'd have to put a lot of effort into fixing this, and I'd rather not because
2. You would still need to get a token from somewhere, and that means pointing users to another login page that isn't automatically prompted when you go to swagger-ui. It just seems like a more annoying user experience to have to take extra steps to generate a token and then paste that into swagger-ui.

I'm also aware that my Spring Boot configuration can be more restrictive than the Keycloak client configuration. In other words, I can restrict to bearer-only in my service even if the client is configured for the confidential access type.
If there is a way to have different values for keycloak.bearer-only based on URL pattern in the keycloak-spring-boot-adapter, this could be a real option.

Thanks for any help/advice you may have.

Jonathan

From sblanc at redhat.com Wed Apr 26 12:32:30 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 26 Apr 2017 18:32:30 +0200
Subject: [keycloak-user] Multiple access types for a single Spring Boot application
In-Reply-To:
References:
Message-ID:

Don't make your client "bearer-only" and instead in your config add:

"autodetect-bearer-only" : true

That should solve your issue.

From mposolda at redhat.com Wed Apr 26 13:07:10 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 26 Apr 2017 19:07:10 +0200
Subject: [keycloak-user] Vender is empty in config map when create user-storage provider from rest api.
In-Reply-To:
References:
Message-ID: <60528e87-ef94-fc7b-2e98-210aec3b8b57@redhat.com>

The name of the property is "vendor" not "vender". Could it be that?

Marek

On 26/04/17 09:27, Nabeel Ahmed wrote:
> Hi Everyone,
>
> Keycloak - 3.0.Final
>
> I am trying to create a user-storage provider by calling POST on /components with type UserStorageProvider.
>
> I have set vender : ["ad"] as a config parameter and am able to save it. I am also able to import users.
> But when I go to the Keycloak UI and try to edit it, all other fields are set but the vender field is empty and readonly.
> Since it's a required field, I cannot update my settings.
>
> Please help...
>
> Regards,
>
> Nabeel Ahmed
> Cell # +92 333 540 5542

From cat at mucius.tk Wed Apr 26 13:34:51 2017
From: cat at mucius.tk (Cat Mucius)
Date: Wed, 26 Apr 2017 20:34:51 +0300
Subject: [keycloak-user] Keycloak Java adapter & ADFS
Message-ID:

Good day,

I'm trying to get the Keycloak Java adapter (on the SP side) working with Microsoft ADFS (on the IdP side).

As I understood from this article [1], ADFS expects to receive the element in the SAMLRequest in a specific format:

"Importantly, then the SAML Signature Key Name field that shows after enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate."

But the Java adapter sends it in another format, the format described in [2]:

gLOdl9d0CGelhcIkOa?s4Hj4N6xEjQG/bQ==
AQAB

So I have two questions:

a. Is it really a problem? Has anyone used the Java adapter successfully to authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send it in some other format?

Thanks,
Mucius.

Links:
[1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
[2] http://coheigea.blogspot.co.il/2013/03/signature-and-encryption-key.html

From sblanc at redhat.com Wed Apr 26 14:04:17 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 26 Apr 2017 20:04:17 +0200
Subject: [keycloak-user] Multiple access types for a single Spring Boot application
In-Reply-To:
References:
Message-ID:

On Wed, Apr 26, 2017 at 7:23 PM, Jonathan D'Andries <jonathandandries at gmail.com> wrote:
> Thank you Sebastien,
>
> This is SO close to a perfect solution.
> It appears that including the "Accept: application/json" header allows the service to determine if bearer-only should be enabled based on well-known HTTP headers. Unfortunately, it still doesn't let me call the services via swagger without specifying the bearer token explicitly. This is because swagger is calling the service as if it were a machine (by including the Accept header). In a perfect world, the auto-detect logic would allow me to use swagger to call the services as if it were a web browser even though it's including the headers that indicate it's a machine. My hope is that it would detect an existing session state that provides authentication/authorization info, and this would override the test for the HTTP headers.
>
> Here is how I would like "autodetect-bearer-only" to behave:
> - If you are accessing with a web browser and not specifying the detected headers, it works perfectly as-is. In this case, the user is redirected to a login page, and future access is authenticated with a session cookie. However,
> - If you are specifying the headers that indicate you are a machine (even if still in a web browser session), then the service will only authenticate with the "Authentication: bearer ..." header. What I want is for this option to respect the session state if it happens to exist.
>
> I'm worried that I may be asking for a code change in the way the autodetect logic works. Instead of just looking for the typical headers "X-Requested-With, SOAPAction or Accept," could it also check if the user is already logged in with existing session state?

We have at least one other use case where this would be needed (a JSF app making Ajax requests) and where the session state should be honored inside a bearer-only request. So I think I will open a ticket for this specifically so we can start planning and discussing around this enhancement.
Unfortunately, until then I don't see a real workaround for this.
>
> Is there a way to make this work? Or perhaps there is a reason this is a bad idea?
>
> Thanks,
>
> Jonathan

From jonathandandries at gmail.com Wed Apr 26 15:28:55 2017
From: jonathandandries at gmail.com (Jonathan D'Andries)
Date: Wed, 26 Apr 2017 14:28:55 -0500
Subject: [keycloak-user] Multiple access types for a single Spring Boot application
In-Reply-To:
References:
Message-ID:

I've created issue KEYCLOAK-4806 here: https://issues.jboss.org/browse/KEYCLOAK-4806

Jonathan

From esteffens at rovecom.nl Wed Apr 26 16:08:32 2017
From: esteffens at rovecom.nl (Erwin Steffens | Rovecom)
Date: Wed, 26 Apr 2017 20:08:32 +0000
Subject: [keycloak-user] SAML response parsing failed
In-Reply-To:
References: <1493199154452.73006@rovecom.nl> <943ce975e74e44acba5c3b7600d8ca04@rovexchange.rovecom.local>
Message-ID: <1493237312426.39665@rovecom.nl>

Ok, we did investigate the issue a little bit more. The initial parsing of the response seems ok. The full XML response is parsed successfully. When we log the input in the 'serialize' method of the 'SAMLDataMarshaller' we see the following XML (see the new dropbox link). This piece of XML is invalid because the 'xmlns:ds' is missing. Somewhere the namespace is removed.

https://www.dropbox.com/s/b1bmumdcnvnnlj6/connectis-saml-response.xml?dl=0

Maybe we should post this to the dev mailing list?
Erwin Steffens | Rovecom

From hmlnarik at redhat.com Wed Apr 26 17:12:23 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 26 Apr 2017 23:12:23 +0200
Subject: [keycloak-user] SAML response parsing failed
In-Reply-To: <1493237312426.39665@rovecom.nl>
References: <1493199154452.73006@rovecom.nl> <943ce975e74e44acba5c3b7600d8ca04@rovexchange.rovecom.local> <1493237312426.39665@rovecom.nl>
Message-ID:

Please file a JIRA issue with your findings (including full stacktraces).

Thanks

--Hynek

From cat at mucius.tk Wed Apr 26 18:01:54 2017
From: cat at mucius.tk (Cat Mucius)
Date: Thu, 27 Apr 2017 01:01:54 +0300
Subject: [keycloak-user] Keycloak Java adapter & ADFS
In-Reply-To: <063401d2bed8$929c35d0$b7d4a170$@mucius.tk>
References: <063401d2bed8$929c35d0$b7d4a170$@mucius.tk>
Message-ID: <064001d2bed8$b8352630$289f7290$@mucius.tk>

Good day,

I'm trying to get the Keycloak Java adapter (on the SP side) working with Microsoft ADFS (on the IdP side).

As I understood, ADFS expects to receive the element in the SAMLRequest in a specific format:

"Importantly, then the SAML Signature Key Name field that shows after enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate."

blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html

But the Java adapter sends it in another format, the format:

gLOdl9d0CGelhcIkOa?s4Hj4N6xEjQG/bQ==
AQAB

So I have two questions:

a. Is it really a problem? Has anyone used the Java adapter successfully to authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send it in some other format?

Thanks,
Mucius.
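The autodetect heuristic discussed in the "Multiple access types for a single Spring Boot application" thread above, as an added stand-alone model written for this page (not the Keycloak adapter's own code): it approximates the header checks named in that thread (X-Requested-With, SOAPAction, Accept), which is an assumption about the adapter, and contrasts a bearer-only client, the current autodetect behaviour and the session-aware behaviour requested in KEYCLOAK-4806, run over constructed sample requests.

```python
"""Model of the Keycloak adapter's "autodetect-bearer-only" decision.

Added example for this page; not the adapter's code. The heuristic below
is an assumption that follows the headers named in the thread.
"""
from dataclasses import dataclass, field

# Possible outcomes for a request that reaches the adapter.
REDIRECT_TO_LOGIN = "redirect-to-login"      # browser flow: 302 to Keycloak
CHALLENGE_401 = "401-bearer-challenge"       # bearer-only flow: WWW-Authenticate
AUTH_BEARER = "authenticated-by-bearer"
AUTH_SESSION = "authenticated-by-session"


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    has_session: bool = False  # valid adapter session cookie present?

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def looks_like_machine_client(req):
    """Approximation (assumption) of the autodetect heuristic."""
    xrw = req.header("X-Requested-With")
    if xrw and xrw.lower() == "xmlhttprequest":
        return True
    if req.header("SOAPAction") is not None:
        return True
    accept = req.header("Accept")
    if accept is None:
        return False
    # A client willing to accept HTML is treated as a browser.
    return not any(t in accept for t in ("text/html", "text/*", "*/*"))


def decide(req, bearer_only=False, autodetect=True, honor_session_first=False):
    """Return the outcome for one request under the chosen adapter policy."""
    auth = req.header("Authorization") or ""
    if auth.lower().startswith("bearer "):
        return AUTH_BEARER          # token validation itself is not modelled
    if bearer_only:
        return CHALLENGE_401        # a bearer-only client never redirects or uses cookies
    if honor_session_first and req.has_session:
        # Behaviour asked for in KEYCLOAK-4806. Caveat: an endpoint that is
        # cookie-authenticated for XHR calls needs CSRF protection.
        return AUTH_SESSION
    if autodetect and looks_like_machine_client(req):
        return CHALLENGE_401        # current autodetect behaviour
    if req.has_session:
        return AUTH_SESSION
    return REDIRECT_TO_LOGIN


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    # Browser opening swagger-ui.html before any login.
    "browser-first-visit": Request({"Accept": "text/html,application/xhtml+xml,*/*;q=0.8"}),
    # Same browser after the login redirect completed.
    "browser-with-session": Request({"Accept": "text/html,*/*;q=0.8"}, has_session=True),
    # swagger-ui calling a service from that logged-in browser: JSON only.
    "swagger-xhr-with-session": Request(
        {"Accept": "application/json", "X-Requested-With": "XMLHttpRequest"},
        has_session=True),
    # Scripted API client presenting a token.
    "api-client-bearer": Request(
        {"Accept": "application/json", "Authorization": "Bearer <constructed-token>"}),
    # Scripted API client with no credentials at all.
    "api-client-anonymous": Request({"Accept": "application/json"}),
}


def outcomes(bearer_only=False, autodetect=True, honor_session_first=False):
    """Outcome of every sample request under one policy."""
    return {name: decide(r, bearer_only, autodetect, honor_session_first)
            for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("bearer-only client", dict(bearer_only=True)),
                          ("autodetect (current)", {}),
                          ("autodetect + session first", dict(honor_session_first=True))):
        print(label)
        for name, result in outcomes(**policy).items():
            print(f"  {name:26} -> {result}")
```

The swagger-xhr-with-session case is the one Jonathan describes: under the current heuristic its JSON-only Accept header and XMLHttpRequest marker make it a machine request and it gets a 401 despite the live session.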
From anders.kabell.kristensen at systematic.com Thu Apr 27 02:58:05 2017
From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Wed, 26 Apr 2017 23:58:05 -0700 (MST)
Subject: [keycloak-user] SAML parsing error
In-Reply-To: <1493109302868-3677.post@n6.nabble.com>
References: <1493043163420-3667.post@n6.nabble.com> <1493103466160-3674.post@n6.nabble.com> <1493109302868-3677.post@n6.nabble.com>
Message-ID: <1493276285658-3723.post@n6.nabble.com>

Hi again,

We now experience another problem that seems to be related. When we create a new SAML v2.0 IdP in KC we would like to import the metadata file from our IdP (see the attached file). It fails and the log shows this:

PL00062: Parser : Unknown tag:Attribute::location=[row,col {unknown-source}]: [207,5]

We have tried to change a few things in the metadata file (i.e. avoiding an empty last attribute) with no luck.

IdPMetadata_test.xml

Best regards,
Anders and Ulrik

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-parsing-error-tp3667p3723.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From tech at psynd.net Thu Apr 27 03:14:02 2017
From: tech at psynd.net (Tech)
Date: Thu, 27 Apr 2017 09:14:02 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To:
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com> <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net>
Message-ID:

Hello,

opening the browser, the KEYCLOAK_IDENTITY cookie does not appear, but in my understanding this is created when you have an active session to Keycloak, like accessing the admin interface.

No proxies, cookies or load balancers in the backend server.

On 26/04/17 16:17, Marek Posolda wrote:
> Thanks, are you seeing the KEYCLOAK_IDENTITY cookie for your browser for path "/auth/realms/yourrealm"?
> Are you using proxy/loadbalancer,
> which may cause that cookies sent to the proxy are not visible on the
> backend server (Keycloak)?
>
> Marek
>
> On 26/04/17 09:09, Tech wrote:
>> Hello again,
>>
>> so:
>> 1) they are both using the same kc realm
>> 2) the cookie is not disabled
>> 3) in attach a screenshot, it's identical for the two applications,
>> with the difference that one of the two URLs has the "2"
>>
>> On 26/04/17 06:17, Marek Posolda wrote:
>>> On 25/04/17 22:36, Tech wrote:
>>>> Hello Marek,
>>>>
>>>> 1) yes, they are both using the same Kc realm
>>>>
>>>> 2) how can I check this point?
>>>>
>>> In Keycloak admin console, there is tab "Authentication" and then
>>> flow "browser".
>>>
>>> Marek
>>>>
>>>> 3) I checked already, I don't think that anything like that is
>>>> enabled, but I will send you a screen shot in the coming hours (not
>>>> in the office right now)
>>>>
>>>> Thanks for the support
>>>>
>>>> On 25.04.17 22:14, Marek Posolda wrote:
>>>>> Normally SSO between client applications is supposed to work. I
>>>>> would check:
>>>>>
>>>>> - Are both your clients (portal1 and portal2) using same Keycloak
>>>>> realm? SSO will work just with same realm
>>>>>
>>>>> - Is Cookie authenticator enabled for authentication browser flow
>>>>> of your realm? Didn't you accidentally disable it? SSO requires
>>>>> that it is enabled
>>>>>
>>>>> - How does URL to Keycloak login screen looks like? I wonder if
>>>>> your PHP adapter uses some parameters, which causes SSO disabled
>>>>> (eg. prompt=login or max_age=0)
>>>>>
>>>>> Marek
>>>>>
>>>>> On 25/04/17 14:18, Tech wrote:
>>>>>> Anybody with any ideas?
>>>>>>
>>>>>> On 25/04/17 12:53, Tech wrote:
>>>>>>> Hello Marek,
>>>>>>>
>>>>>>> maybe my email was confusing, we run initially two tests where we
>>>>>>> login and logout in both portals to check that the oidc is
>>>>>>> working on each of them.
>>>>>>>
>>>>>>> Once we know that OIDC is working, then we are expecting to
>>>>>>> login to portal1 and opening portal2, to find us already logged
>>>>>>> in, but this doesn't happen and we are forced to login again
>>>>>>>
>>>>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>>>>> If you don't do "Logout from portal1" at the end of first test,
>>>>>>>> then SSO should work and you will be automatically logged into
>>>>>>>> portal2 without a need to put your credentials.
>>>>>>>>
>>>>>>>> The logout is "SSO logout", hence it also kills the SSO session
>>>>>>>> on Keycloak side and requires user to re-login.
>>>>>>>>
>>>>>>>> Marek
>>>>>>>>
>>>>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>>>>> Dear experts,
>>>>>>>>>
>>>>>>>>> we are working with Moodle, a PHP based platform, where we have been
>>>>>>>>> able to configure correctly Keycloak to implement OIDC.
>>>>>>>>>
>>>>>>>>> To test Keycloak we cloned this application, with different URLs and we
>>>>>>>>> did the first test:
>>>>>>>>>
>>>>>>>>> * Connect to portal1
>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>> * Enter credentials stored into Keycloak
>>>>>>>>> * User accepted and redirected to portal1
>>>>>>>>> * Logout from portal1
>>>>>>>>>
>>>>>>>>> After this we tested the second application:
>>>>>>>>>
>>>>>>>>> * Connect to portal2
>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>> * Enter credentials stored into Keycloak
>>>>>>>>> * User accepted and redirected to portal2
>>>>>>>>> * Logout from portal2
>>>>>>>>>
>>>>>>>>> In this case I know that OIDC is working for the two applications and we
>>>>>>>>> can expect that also the SSO is working, but after the login in portal1
>>>>>>>>> we have to login again to portal2, and vice-versa.
>>>>>>>>>
>>>>>>>>> We attach below here some logs, could you please help?
>>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *Login to portal1* >>>>>>>>> >>>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>> (Periodic >>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>> identifier 1 >>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>> 2017-04-25 09:54:45,055 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-30) new >>>>>>>>> JtaTransactionWrapper >>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-30) was >>>>>>>>> existing? false >>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>> (default task-30) RESTEASY002315: PathInfo: >>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-30) >>>>>>>>> AUTHENTICATE >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-30) >>>>>>>>> AUTHENTICATE ONLY >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) processFlow >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) authenticator: auth-cookie >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>> (default task-30) >>>>>>>>> Could not 
find cookie: KEYCLOAK_IDENTITY >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) authenticator ATTEMPTED: auth-cookie >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) check execution: auth-spnego requirement: DISABLED >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) execution is processed >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) check execution: identity-provider-redirector >>>>>>>>> requirement: >>>>>>>>> ALTERNATIVE >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) authenticator: identity-provider-redirector >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) check execution: null requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) execution is flow >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) processFlow >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) check execution: auth-username-password-form >>>>>>>>> requirement: REQUIRED 
>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) authenticator: auth-username-password-form >>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>> task-30) >>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not >>>>>>>>> found >>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>> task-30) >>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>> task-30) >>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default >>>>>>>>> task-30) >>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't >>>>>>>>> changed. 
>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-30) authenticator CHALLENGE: auth-username-password-form >>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-30) >>>>>>>>> JtaTransactionWrapper commit >>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-30) >>>>>>>>> JtaTransactionWrapper end >>>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>> (Periodic >>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>> identifier 1 >>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *After authentication to portal1** >>>>>>>>> * >>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-31) new >>>>>>>>> JtaTransactionWrapper >>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-31) was >>>>>>>>> existing? 
false >>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>> (default task-31) RESTEASY002315: PathInfo: >>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-31) >>>>>>>>> authenticationAction >>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) check: auth-cookie requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) execution is processed >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) check: auth-spnego requirement: DISABLED >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) execution is processed >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) check: identity-provider-redirector requirement: >>>>>>>>> ALTERNATIVE >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) execution is processed >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) check: null requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) check: auth-username-password-form requirement: REQUIRED >>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) action: auth-username-password-form >>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) authenticator SUCCESS: auth-username-password-form >>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) processFlow >>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) check execution: auth-otp-form requirement: OPTIONAL >>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) authenticator: auth-otp-form >>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>> task-31) processFlow >>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>>>>>>> >>>>>>>>> (default task-31) Hibernate RegisteredSynchronization >>>>>>>>> successfully >>>>>>>>> registered with JTA platform >>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default >>>>>>>>> task-31) >>>>>>>>> select >>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>> from >>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>> where >>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>> and roleentity0_.NAME=? >>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG >>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>> (default >>>>>>>>> task-31) MySqlDS: getConnection(null, >>>>>>>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) >>>>>>>>> [0/20] >>>>>>>>> 2017-04-25 09:54:56,143 DEBUG >>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>> >>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>> afterStatement >>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default >>>>>>>>> task-31) >>>>>>>>> select >>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>> from >>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>> where >>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>> and roleentity0_.NAME=? >>>>>>>>> and roleentity0_.REALM=? >>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>> >>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>> afterStatement >>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default >>>>>>>>> task-31) >>>>>>>>> select >>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>> from >>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>> where >>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>> and roleentity0_.NAME=? >>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>> >>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>> afterStatement >>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default >>>>>>>>> task-31) >>>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle, >>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>> ipAddress=192.168.0.27, >>>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>>>>>>>> consent=no_consent_required, >>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser >>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>> (default task-31) >>>>>>>>> Removing old user session: session: >>>>>>>>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>> (default task-31) >>>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>>> /auth/realms/Demo, >>>>>>>>> max-age: -1 >>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>> (default task-31) >>>>>>>>> Expiring remember me cookie >>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>> (default task-31) >>>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) >>>>>>>>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-31) >>>>>>>>> JtaTransactionWrapper commit >>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>> (default 
>>>>>>>>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>> >>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>> afterTransaction >>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-31) >>>>>>>>> JtaTransactionWrapper end >>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-24) new >>>>>>>>> JtaTransactionWrapper >>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-24) was >>>>>>>>> existing? false >>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>> (default task-24) RESTEASY002315: PathInfo: >>>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-24) >>>>>>>>> AUTHENTICATE CLIENT >>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>> (default task-24) >>>>>>>>> client authenticator: client-secret >>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>> (default task-24) >>>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>> (default task-24) >>>>>>>>> Client moodle authenticated by client-secret >>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default >>>>>>>>> task-24) >>>>>>>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, >>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>> ipAddress=153.109.152.213, >>>>>>>>> token_id=75173922-dd56-44ca-9255-9a5368e557f4, >>>>>>>>> 
grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>>>> refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, >>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>>>>>>> client_auth_method=client-secret >>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-24) >>>>>>>>> JtaTransactionWrapper commit >>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-24) >>>>>>>>> JtaTransactionWrapper end >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *Login to portal2** >>>>>>>>> * >>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-6) new >>>>>>>>> JtaTransactionWrapper >>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-6) was >>>>>>>>> existing? false >>>>>>>>> 2017-04-25 09:56:17,567 DEBUG >>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>> (default task-6) RESTEASY002315: PathInfo: >>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-6) >>>>>>>>> AUTHENTICATE >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-6) >>>>>>>>> AUTHENTICATE ONLY >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> processFlow >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> authenticator: auth-cookie >>>>>>>>> 
2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> invoke authenticator.authenticate >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>> (default task-6) >>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> authenticator ATTEMPTED: auth-cookie >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> check execution: auth-spnego requirement: DISABLED >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> execution is processed >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> check execution: identity-provider-redirector requirement: >>>>>>>>> ALTERNATIVE >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> authenticator: identity-provider-redirector >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> invoke authenticator.authenticate >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> check execution: null requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) 
>>>>>>>>> execution is flow >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> processFlow >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> check execution: auth-username-password-form requirement: >>>>>>>>> REQUIRED >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> authenticator: auth-username-password-form >>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> invoke authenticator.authenticate >>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not >>>>>>>>> found >>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) >>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't >>>>>>>>> changed. 
>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-6) >>>>>>>>> authenticator CHALLENGE: auth-username-password-form >>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) >>>>>>>>> JtaTransactionWrapper commit >>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) >>>>>>>>> JtaTransactionWrapper end >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *After authentication to portal2** >>>>>>>>> * >>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-4) new >>>>>>>>> JtaTransactionWrapper >>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>> task-4) was >>>>>>>>> existing? false >>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>> (default task-4) RESTEASY002315: PathInfo: >>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] (default >>>>>>>>> task-4) >>>>>>>>> authenticationAction >>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> check: auth-cookie requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> execution is processed >>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> check: auth-spnego requirement: 
DISABLED >>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> execution is processed >>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> check: identity-provider-redirector requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> execution is processed >>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> check: null requirement: ALTERNATIVE >>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> check: auth-username-password-form requirement: REQUIRED >>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> action: auth-username-password-form >>>>>>>>> 2017-04-25 09:56:29,099 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> authenticator SUCCESS: auth-username-password-form >>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> processFlow >>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> check execution: auth-otp-form requirement: OPTIONAL >>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>> (default task-4) >>>>>>>>> 
From mposolda at redhat.com Thu Apr 27 04:02:42 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 27 Apr 2017 10:02:42 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To:
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com> <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net>
Message-ID:

Yes, the KEYCLOAK_IDENTITY cookie should be in the browser after successful authentication to your portal1 has fully finished. Are you seeing the cookie after this authentication? Then portal2 is supposed to be automatically authenticated due to this cookie.

Marek

On 27/04/17 09:14, Tech wrote:
>
> Hello,
>
> Opening the browser, the KEYCLOAK_IDENTITY cookie does not appear, but
> in my understanding this is created when you have an active session to
> Keycloak, like accessing the admin interface.
>
> No proxies, cookies or load balancers in the backend server.
>
> On 26/04/17 16:17, Marek Posolda wrote:
>> Thanks, are you seeing the KEYCLOAK_IDENTITY cookie in your browser for
>> path "/auth/realms/yourrealm"? Are you using a proxy/loadbalancer,
>> which may cause cookies sent to the proxy not to be visible on the
>> backend server (Keycloak)?
>>
>> Marek
>>
>> On 26/04/17 09:09, Tech wrote:
>>> Hello again,
>>>
>>> so:
>>> 1) they are both using the same kc realm
>>> 2) the cookie is not disabled
>>> 3) I attach a screenshot; it's identical for the two applications,
>>> with the difference that one of the two URLs has the "2"
>>>
>>> On 26/04/17 06:17, Marek Posolda wrote:
>>>> On 25/04/17 22:36, Tech wrote:
>>>>>
>>>>> Hello Marek,
>>>>>
>>>>> 1) yes, they are both using the same Kc realm
>>>>>
>>>>> 2) how can I check this point?
>>>>>
>>>> In the Keycloak admin console, there is a tab "Authentication" and then
>>>> the flow "browser".
>>>>
>>>> Marek
>>>>>
>>>>> 3) I checked already, I don't think that anything like that is
>>>>> enabled, but I will send you a screenshot in the coming hours
>>>>> (not in the office right now)
>>>>>
>>>>> Thanks for the support
>>>>>
>>>>> On 25.04.17 22:14, Marek Posolda wrote:
>>>>>> Normally SSO between client applications is supposed to work. I
>>>>>> would check:
>>>>>>
>>>>>> - Are both your clients (portal1 and portal2) using the same Keycloak
>>>>>> realm? SSO will only work within the same realm
>>>>>>
>>>>>> - Is the Cookie authenticator enabled for the browser authentication
>>>>>> flow of your realm? Didn't you accidentally disable it? SSO requires
>>>>>> that it is enabled
>>>>>>
>>>>>> - What does the URL to the Keycloak login screen look like? I wonder if
>>>>>> your PHP adapter uses some parameters which cause SSO to be disabled
>>>>>> (e.g. prompt=login or max_age=0)
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 25/04/17 14:18, Tech wrote:
>>>>>>>
>>>>>>> Anybody with any ideas?
>>>>>>>
>>>>>>> On 25/04/17 12:53, Tech wrote:
>>>>>>>>
>>>>>>>> Hello Marek,
>>>>>>>>
>>>>>>>> maybe my email was confusing: we initially ran two tests where
>>>>>>>> we log in and log out of both portals to check that the OIDC is
>>>>>>>> working on each of them.
>>>>>>>>
>>>>>>>> Once we know that OIDC is working, then we expect to
>>>>>>>> log in to portal1 and, opening portal2, find ourselves already logged
>>>>>>>> in, but this doesn't happen and we are forced to log in again
>>>>>>>>
>>>>>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>>>>>> If you don't do "Logout from portal1" at the end of the first
>>>>>>>>> test, then SSO should work and you will be automatically
>>>>>>>>> logged into portal2 without needing to enter your credentials.
>>>>>>>>>
>>>>>>>>> The logout is an "SSO logout", hence it also kills the SSO
>>>>>>>>> session on the Keycloak side and requires the user to re-login.
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>>>>>> Dear experts,
>>>>>>>>>>
>>>>>>>>>> we are working with Moodle, a PHP-based platform, where we
>>>>>>>>>> have been able to correctly configure Keycloak to implement OIDC.
>>>>>>>>>>
>>>>>>>>>> To test Keycloak we cloned this application, with different
>>>>>>>>>> URLs, and we did the first test:
>>>>>>>>>>
>>>>>>>>>> * Connect to portal1
>>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>>> * Enter credentials stored in Keycloak
>>>>>>>>>> * User accepted and redirected to portal1
>>>>>>>>>> * Logout from portal1
>>>>>>>>>>
>>>>>>>>>> After this we tested the second application:
>>>>>>>>>>
>>>>>>>>>> * Connect to portal2
>>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>>> * Enter credentials stored in Keycloak
>>>>>>>>>> * User accepted and redirected to portal2
>>>>>>>>>> * Logout from portal2
>>>>>>>>>>
>>>>>>>>>> In this case I know that OIDC is working for the two
>>>>>>>>>> applications and we can expect that the SSO is also working,
>>>>>>>>>> but after the login to portal1 we have to log in again to portal2,
>>>>>>>>>> and vice versa.
>>>>>>>>>>
>>>>>>>>>> We attach below some logs, could you please help?
>>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *Login to portal1* >>>>>>>>>> >>>>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>>> (Periodic >>>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>>> identifier 1 >>>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>>> 2017-04-25 09:54:45,055 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-30) new >>>>>>>>>> JtaTransactionWrapper >>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-30) was >>>>>>>>>> existing? false >>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>> (default task-30) RESTEASY002315: PathInfo: >>>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>> (default task-30) >>>>>>>>>> AUTHENTICATE >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>> (default task-30) >>>>>>>>>> AUTHENTICATE ONLY >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) processFlow >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) authenticator: auth-cookie >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] 
>>>>>>>>>> (default task-30) >>>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) authenticator ATTEMPTED: auth-cookie >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) check execution: auth-spnego requirement: DISABLED >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) execution is processed >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) check execution: identity-provider-redirector >>>>>>>>>> requirement: >>>>>>>>>> ALTERNATIVE >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) authenticator: identity-provider-redirector >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) check execution: null requirement: ALTERNATIVE >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) execution is flow >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) processFlow >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> 
task-30) check execution: auth-username-password-form >>>>>>>>>> requirement: REQUIRED >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) authenticator: auth-username-password-form >>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>> task-30) >>>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not >>>>>>>>>> found >>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>> task-30) >>>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>> task-30) >>>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default >>>>>>>>>> task-30) >>>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl >>>>>>>>>> hasn't changed. 
>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-30) authenticator CHALLENGE: auth-username-password-form >>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-30) >>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-30) >>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>>> (Periodic >>>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>>> identifier 1 >>>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *After authentication to portal1** >>>>>>>>>> * >>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-31) new >>>>>>>>>> JtaTransactionWrapper >>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-31) was >>>>>>>>>> existing? 
false >>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>> (default task-31) RESTEASY002315: PathInfo: >>>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>> (default task-31) >>>>>>>>>> authenticationAction >>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) check: auth-cookie requirement: ALTERNATIVE >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) execution is processed >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) check: auth-spnego requirement: DISABLED >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) execution is processed >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) check: identity-provider-redirector requirement: >>>>>>>>>> ALTERNATIVE >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) execution is processed >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) check: null requirement: ALTERNATIVE >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>> 2017-04-25 
09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) check: auth-username-password-form requirement: >>>>>>>>>> REQUIRED >>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) action: auth-username-password-form >>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) authenticator SUCCESS: auth-username-password-form >>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) processFlow >>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) check execution: auth-otp-form requirement: OPTIONAL >>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) authenticator: auth-otp-form >>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default >>>>>>>>>> task-31) processFlow >>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>>>>>>>> >>>>>>>>>> (default task-31) Hibernate RegisteredSynchronization >>>>>>>>>> successfully >>>>>>>>>> registered with JTA platform >>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default >>>>>>>>>> task-31) >>>>>>>>>> select >>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>> from >>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>> where >>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG >>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>> (default >>>>>>>>>> task-31) MySqlDS: getConnection(null, >>>>>>>>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) >>>>>>>>>> [0/20] >>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG >>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>> >>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>> afterStatement >>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default >>>>>>>>>> task-31) >>>>>>>>>> select >>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>> from >>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>> where >>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>> >>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>> afterStatement >>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default >>>>>>>>>> task-31) >>>>>>>>>> select >>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>> from >>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>> where >>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>> >>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>> afterStatement >>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default >>>>>>>>>> task-31) >>>>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle, >>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>> ipAddress=192.168.0.27, >>>>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>>>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>>>>>>>>> consent=no_consent_required, >>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser >>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>> (default task-31) >>>>>>>>>> Removing old user session: session: >>>>>>>>>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>> (default task-31) >>>>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>>>> /auth/realms/Demo, >>>>>>>>>> max-age: -1 >>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>> (default task-31) >>>>>>>>>> Expiring remember me cookie >>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>> (default task-31) >>>>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) >>>>>>>>>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-31) >>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>> 
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>> (default >>>>>>>>>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>> >>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>> afterTransaction >>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-31) >>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-24) new >>>>>>>>>> JtaTransactionWrapper >>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-24) was >>>>>>>>>> existing? false >>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>> (default task-24) RESTEASY002315: PathInfo: >>>>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>> (default task-24) >>>>>>>>>> AUTHENTICATE CLIENT >>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>> (default task-24) >>>>>>>>>> client authenticator: client-secret >>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>> (default task-24) >>>>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>> (default task-24) >>>>>>>>>> Client moodle authenticated by client-secret >>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default >>>>>>>>>> task-24) >>>>>>>>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, >>>>>>>>>> 
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>> ipAddress=153.109.152.213, >>>>>>>>>> token_id=75173922-dd56-44ca-9255-9a5368e557f4, >>>>>>>>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>>>>> refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, >>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>>>>>>>> client_auth_method=client-secret >>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-24) >>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-24) >>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *Login to portal2** >>>>>>>>>> * >>>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-6) new >>>>>>>>>> JtaTransactionWrapper >>>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-6) was >>>>>>>>>> existing? 
false >>>>>>>>>> 2017-04-25 09:56:17,567 DEBUG >>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>> (default task-6) RESTEASY002315: PathInfo: >>>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>> (default task-6) >>>>>>>>>> AUTHENTICATE >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>> (default task-6) >>>>>>>>>> AUTHENTICATE ONLY >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> processFlow >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> authenticator: auth-cookie >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>> (default task-6) >>>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> authenticator ATTEMPTED: auth-cookie >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> check execution: auth-spnego requirement: DISABLED >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> execution is processed >>>>>>>>>> 
2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> check execution: identity-provider-redirector requirement: >>>>>>>>>> ALTERNATIVE >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> authenticator: identity-provider-redirector >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> check execution: null requirement: ALTERNATIVE >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> execution is flow >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> processFlow >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> check execution: auth-username-password-form requirement: >>>>>>>>>> REQUIRED >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> authenticator: auth-username-password-form >>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>> task-6) 
>>>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not >>>>>>>>>> found >>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>> task-6) >>>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>> task-6) >>>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>> task-6) >>>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl >>>>>>>>>> hasn't changed. >>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>> (default task-6) >>>>>>>>>> authenticator CHALLENGE: auth-username-password-form >>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-6) >>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-6) >>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *After authentication to portal2** >>>>>>>>>> * >>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-4) new >>>>>>>>>> JtaTransactionWrapper >>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>> task-4) was >>>>>>>>>> existing? 
>>>>>>>>>> false
>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-4) authenticationAction
>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-cookie requirement: ALTERNATIVE
>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-spnego requirement: DISABLED
>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) execution is processed
>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: null requirement: ALTERNATIVE
>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
>>>>>>>>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check: auth-username-password-form requirement: REQUIRED
>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) action: auth-username-password-form
>>>>>>>>>> 2017-04-25 09:56:29,099 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator SUCCESS: auth-username-password-form
>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) check execution: auth-otp-form requirement: OPTIONAL
>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) authenticator: auth-otp-form
>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4) processFlow
>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-4) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4)
>>>>>>>>>>     select
>>>>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>>>>     from
>>>>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>>>>     where
>>>>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>>>>         and roleentity0_.NAME=?
>>>>>>>>>>         and roleentity0_.REALM=?
>>>>>>>>>> 2017-04-25 09:56:29,101 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
>>>>>>>>>> 2017-04-25 09:56:29,102 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4)
>>>>>>>>>>     select
>>>>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>>>>     from
>>>>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>>>>     where
>>>>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>>>>         and roleentity0_.NAME=?
>>>>>>>>>>         and roleentity0_.REALM=?
>>>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4)
>>>>>>>>>>     select
>>>>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>>>>     from
>>>>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>>>>     where
>>>>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>>>>         and roleentity0_.NAME=?
>>>>>>>>>>         and roleentity0_.REALM=?
>>>>>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterStatement
>>>>>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4) type=LOGIN, realmId=Demo, clientId=moodle2, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodle2iam/auth/oidc/, consent=no_consent_required, code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser
>>>>>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Removing old user session: session: 431cecf6-5a6b-4bbc-9467-3f52eff8090f
>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Expiring remember me cookie
>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-4) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: WUCTMXokISFDbFN
>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) JtaTransactionWrapper commit
>>>>>>>>>> 2017-04-25 09:56:29,106 DEBUG
>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-4) MySqlDS: returnConnection(4edba62b, false) [0/20]
>>>>>>>>>> 2017-04-25 09:56:29,106 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-4) Initiating JDBC connection release from afterTransaction
>>>>>>>>>> 2017-04-25 09:56:29,106 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) JtaTransactionWrapper end
>>>>>>>>>> 2017-04-25 09:56:29,626 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new JtaTransactionWrapper
>>>>>>>>>> 2017-04-25 09:56:29,626 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was existing? false
>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-13) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE CLIENT
>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) client authenticator: client-secret
>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) client authenticator SUCCESS: client-secret
>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-13) Client moodle2 authenticated by client-secret
>>>>>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2,
>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=ff9b3385-1362-4559-ad53-05317755b280, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, client_auth_method=client-secret
>>>>>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) JtaTransactionWrapper commit
>>>>>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-13) JtaTransactionWrapper end
>>>>>>>>>> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1) Error reading request: java.io.IOException: Connection reset by peer
>>>>>>>>>>     at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
>>>>>>>>>>     at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
>>>>>>>>>>     at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
>>>>>>>>>>     at sun.nio.ch.IOUtil.read(IOUtil.java:192)
>>>>>>>>>>     at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
>>>>>>>>>>     at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282)
>>>>>>>>>>     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658)
>>>>>>>>>>     at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
>>>>>>>>>>     at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
>>>>>>>>>>     at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
>>>>>>>>>>     at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
>>>>>>>>>>     at
>>>>>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
>>>>>>>>>>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>>>>>>>>>     at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
>>>>>>>>>>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
>>>>>>>>>>     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>>>>>>>>>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mr.beel at gmail.com Thu Apr 27 05:00:49 2017
From: mr.beel at gmail.com (Nabeel Ahmed)
Date: Thu, 27 Apr 2017 14:00:49 +0500
Subject: [keycloak-user] Vender is empty in config map when create user-storage provider from rest api.
In-Reply-To: <60528e87-ef94-fc7b-2e98-210aec3b8b57@redhat.com>
References: <60528e87-ef94-fc7b-2e98-210aec3b8b57@redhat.com>
Message-ID:

yes, typo mistake.

Thanks,

Regards,
Nabeel Ahmed
Cell # +92 333 540 5542

On Wed, Apr 26, 2017 at 10:07 PM, Marek Posolda wrote:

> The name of the property is "vendor" not "vender". Could it be that?
>
> Marek
>
>
> On 26/04/17 09:27, Nabeel Ahmed wrote:
>
>> Hi Everyone,
>>
>> Keycloak - 3.0.Final
>>
>> I am trying to create a user-storage provider by calling POST on /components with type UserStorageProvider.
>>
>> I have set vender : ["ad"] as a config parameter and am able to save it. I am also able to import users.
>> But when I go to the Keycloak UI and try to edit it, all other fields are set but the vender field is empty and read-only.
>> Since it's a required field, I cannot update my settings.
>>
>> Please help...
>>
>> Regards,
>>
>> Nabeel Ahmed
>> Cell # +92 333 540 5542
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From hmlnarik at redhat.com Thu Apr 27 05:11:10 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 27 Apr 2017 11:11:10 +0200
Subject: [keycloak-user] Keycloak Java adapter & ADFS
In-Reply-To: <064001d2bed8$b8352630$289f7290$@mucius.tk>
References: <063401d2bed8$929c35d0$b7d4a170$@mucius.tk> <064001d2bed8$b8352630$289f7290$@mucius.tk>
Message-ID:

No, this should not be a problem. Adapters do not set the value of the KeyName element (which is controlled by the SAML Signature Key Name field). If KeyName is unset, ADFS should be able to determine the correct certificate for signature validation itself by iterating all available certificates.

--Hynek

On Thu, Apr 27, 2017 at 12:01 AM, Cat Mucius wrote:

> Good day,
> I'm trying to get the Keycloak Java adapter (on the SP side) working with Microsoft ADFS (on the IdP side).
> As I understood, ADFS expects to receive the KeyName element in the KeyInfo of the SAMLRequest in a specific format:
> "Importantly, then the SAML Signature Key Name field that shows after enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate."
> blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
>
> But the Java adapter sends KeyInfo in another format, the KeyValue format:
>
> <KeyInfo>
>   <KeyValue>
>     <RSAKeyValue>
>       <Modulus>gLOdl9d0CGelhcIkOa?s4Hj4N6xEjQG/bQ==</Modulus>
>       <Exponent>AQAB</Exponent>
>     </RSAKeyValue>
>   </KeyValue>
> </KeyInfo>
>
> So I have two questions:
> a. Is it really a problem? Has anyone used the Java adapter successfully to authenticate against ADFS?
> b. If it is, is there a way to instruct the adapter to send KeyInfo in some other format?
>
>
> Thanks,
> Mucius.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From tech at psynd.net Thu Apr 27 05:21:11 2017
From: tech at psynd.net (Tech)
Date: Thu, 27 Apr 2017 11:21:11 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To:
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com> <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net>
Message-ID: <8f149689-bdd9-d75c-a089-6013bc302212@psynd.net>

We tried with Firefox, Chrome and Internet Explorer; in none of these cases do we have this cookie.

What could the reason be?

On 27/04/17 10:02, Marek Posolda wrote:
> Yes, the KEYCLOAK_IDENTITY cookie should be in the browser after successful authentication to your portal1 is fully finished. Are you seeing the cookie after this authentication?
>
> Then portal2 is supposed to be automatically authenticated due to this cookie.
>
> Marek
>
> On 27/04/17 09:14, Tech wrote:
>>
>> Hello,
>>
>> Opening the browser, the KEYCLOAK_IDENTITY cookie does not appear, but in my understanding this is created when you have an active session to Keycloak, like accessing the admin interface.
>>
>> No proxies, cookies or load balancers in the backend server.
>>
>>
>> On 26/04/17 16:17, Marek Posolda wrote:
>>> Thanks, are you seeing the KEYCLOAK_IDENTITY cookie for your browser for path "/auth/realms/yourrealm"? Are you using a proxy/loadbalancer, which may cause that cookies sent to the proxy are not visible on the backend server (Keycloak)?
>>>
>>> Marek
>>>
>>>
>>> On 26/04/17 09:09, Tech wrote:
>>>> Hello again,
>>>>
>>>> so:
>>>> 1) they are both using the same kc realm
>>>> 2) the cookie is not disabled
>>>> 3) I attach a screenshot; it's identical for the two applications, with the difference that one of the two URLs has the "2"
>>>>
>>>>
>>>> On 26/04/17 06:17, Marek Posolda wrote:
>>>>> On 25/04/17 22:36, Tech wrote:
>>>>>>
>>>>>> Hello Marek,
>>>>>>
>>>>>> 1) yes, they are both using the same Kc realm
>>>>>>
>>>>>> 2) how can I check this point?
>>>>>>
>>>>> In the Keycloak admin console, there is a tab "Authentication" and then the flow "browser".
>>>>>
>>>>> Marek
>>>>>>
>>>>>> 3) I checked already, I don't think that anything like that is enabled, but I will send you a screenshot in the coming hours (not in the office right now)
>>>>>>
>>>>>> Thanks for the support
>>>>>>
>>>>>>
>>>>>> On 25.04.17 22:14, Marek Posolda wrote:
>>>>>>> Normally SSO between client applications is supposed to work. I would check:
>>>>>>>
>>>>>>> - Are both your clients (portal1 and portal2) using the same Keycloak realm? SSO will work just with the same realm
>>>>>>>
>>>>>>> - Is the Cookie authenticator enabled for the browser authentication flow of your realm? Didn't you accidentally disable it? SSO requires that it is enabled
>>>>>>>
>>>>>>> - What does the URL to the Keycloak login screen look like? I wonder if your PHP adapter uses some parameters which cause SSO to be disabled (eg. prompt=login or max_age=0)
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>> On 25/04/17 14:18, Tech wrote:
>>>>>>>>
>>>>>>>> Anybody with any ideas?
>>>>>>>>
>>>>>>>>
>>>>>>>> On 25/04/17 12:53, Tech wrote:
>>>>>>>>>
>>>>>>>>> Hello Marek,
>>>>>>>>>
>>>>>>>>> maybe my email was confusing; we initially ran two tests where we log in and log out of both portals to check that OIDC is working on each of them.
>>>>>>>>>
>>>>>>>>> Once we know that OIDC is working, then we expect to log in to portal1 and, on opening portal2, to find ourselves already logged in, but this doesn't happen and we are forced to log in again
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>>>>>>> If you don't do "Logout from portal1" at the end of the first test, then SSO should work and you will be automatically logged into portal2 without a need to put in your credentials.
>>>>>>>>>>
>>>>>>>>>> The logout is "SSO logout", hence it also kills the SSO session on the Keycloak side and requires the user to re-login.
>>>>>>>>>>
>>>>>>>>>> Marek
>>>>>>>>>>
>>>>>>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>>>>>>> Dear experts,
>>>>>>>>>>>
>>>>>>>>>>> we are working with Moodle, a PHP based platform, where we have been able to correctly configure Keycloak to implement OIDC.
>>>>>>>>>>>
>>>>>>>>>>> To test Keycloak we cloned this application, with different URLs, and we did the first test:
>>>>>>>>>>>
>>>>>>>>>>> * Connect to portal1
>>>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>>>> * Enter credentials stored in Keycloak
>>>>>>>>>>> * User accepted and redirected to portal1
>>>>>>>>>>> * Logout from portal1
>>>>>>>>>>>
>>>>>>>>>>> After this we tested the second application:
>>>>>>>>>>>
>>>>>>>>>>> * Connect to portal2
>>>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>>>> * Enter credentials stored in Keycloak
>>>>>>>>>>> * User accepted and redirected to portal2
>>>>>>>>>>> * Logout from portal2
>>>>>>>>>>>
>>>>>>>>>>> In this case I know that OIDC is working for the two applications and we can expect that the SSO is also working, but after the login in portal1 we have to log in again in portal2, and vice-versa.
>>>>>>>>>>>
>>>>>>>>>>> We attach below some logs, could you please help?
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *Login to portal1*
>>>>>>>>>>>
>>>>>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>>>>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing? false
>>>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE ONLY
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-cookie requirement: ALTERNATIVE
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-cookie
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
>>>>>>>>>>> (default task-30) invoke authenticator.authenticate
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: auth-cookie
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-spnego requirement: DISABLED
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is processed
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: identity-provider-redirector
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: identity-provider-redirector
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: null requirement: ALTERNATIVE
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default
>>>>>>>>>>> task-30) execution is flow
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-username-password-form requirement: REQUIRED
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-username-password-form
>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template.ftl"): Found
>>>>>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator CHALLENGE: auth-username-password-form
>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper commit
>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper end
>>>>>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>>>>>>
>>>>>>>>>>> *After authentication to portal1*
>>>>>>>>>>>
>>>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new JtaTransactionWrapper
>>>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was existing?
>>>>>>>>>>> false
>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-31) authenticationAction
>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-cookie requirement: ALTERNATIVE
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-spnego requirement: DISABLED
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: identity-provider-redirector requirement: ALTERNATIVE
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: null requirement: ALTERNATIVE
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG
>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-username-password-form requirement: REQUIRED
>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) action: auth-username-password-form
>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator SUCCESS: auth-username-password-form
>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check execution: auth-otp-form requirement: OPTIONAL
>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator: auth-otp-form
>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-31) Hibernate RegisteredSynchronization successfully registered with JTA platform
>>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31)
>>>>>>>>>>>     select
>>>>>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>>>>>     from
>>>>>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>>>>>     where
>>>>>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>>>>>         and roleentity0_.NAME=?
>>>>>>>>>>>         and roleentity0_.REALM=?
>>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
>>>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31)
>>>>>>>>>>>     select
>>>>>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>>>>>     from
>>>>>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>>>>>     where
>>>>>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>>>>>         and roleentity0_.NAME=?
>>>>>>>>>>>         and roleentity0_.REALM=?
>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31)
>>>>>>>>>>>     select
>>>>>>>>>>>         roleentity0_.ID as col_0_0_
>>>>>>>>>>>     from
>>>>>>>>>>>         KEYCLOAK_ROLE roleentity0_
>>>>>>>>>>>     where
>>>>>>>>>>>         roleentity0_.CLIENT_ROLE=0
>>>>>>>>>>>         and roleentity0_.NAME=?
>>>>>>>>>>>         and roleentity0_.REALM=?
>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>> afterStatement >>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default >>>>>>>>>>> task-31) >>>>>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle, >>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>> ipAddress=192.168.0.27, >>>>>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>>>>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>>>>>>>>>> consent=no_consent_required, >>>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser >>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-31) >>>>>>>>>>> Removing old user session: session: >>>>>>>>>>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-31) >>>>>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>>>>> /auth/realms/Demo, >>>>>>>>>>> max-age: -1 >>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-31) >>>>>>>>>>> Expiring remember me cookie >>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-31) >>>>>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default >>>>>>>>>>> task-31) >>>>>>>>>>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-31) >>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG 
>>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>> (default >>>>>>>>>>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>> afterTransaction >>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-31) >>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-24) new >>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-24) was >>>>>>>>>>> existing? false >>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>> (default task-24) RESTEASY002315: PathInfo: >>>>>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>> (default task-24) >>>>>>>>>>> AUTHENTICATE CLIENT >>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>> (default task-24) >>>>>>>>>>> client authenticator: client-secret >>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>> (default task-24) >>>>>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>> (default task-24) >>>>>>>>>>> Client moodle authenticated by client-secret >>>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default >>>>>>>>>>> task-24) >>>>>>>>>>> type=CODE_TO_TOKEN, realmId=Demo, 
clientId=moodle, >>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>> ipAddress=153.109.152.213, >>>>>>>>>>> token_id=75173922-dd56-44ca-9255-9a5368e557f4, >>>>>>>>>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>>>>>> refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, >>>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>>>>>>>>> client_auth_method=client-secret >>>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-24) >>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-24) >>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> *Login to portal2** >>>>>>>>>>> * >>>>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-6) new >>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-6) was >>>>>>>>>>> existing? 
false >>>>>>>>>>> 2017-04-25 09:56:17,567 DEBUG >>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>> (default task-6) RESTEASY002315: PathInfo: >>>>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>> (default task-6) >>>>>>>>>>> AUTHENTICATE >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>> (default task-6) >>>>>>>>>>> AUTHENTICATE ONLY >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> processFlow >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> authenticator: auth-cookie >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-6) >>>>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> authenticator ATTEMPTED: auth-cookie >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> check execution: auth-spnego requirement: DISABLED >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) 
>>>>>>>>>>> execution is processed >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> check execution: identity-provider-redirector requirement: >>>>>>>>>>> ALTERNATIVE >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> authenticator: identity-provider-redirector >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> check execution: null requirement: ALTERNATIVE >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> execution is flow >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> processFlow >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> check execution: auth-username-password-form requirement: >>>>>>>>>>> REQUIRED >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> authenticator: auth-username-password-form >>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> invoke authenticator.authenticate 
>>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>> task-6) >>>>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): Not >>>>>>>>>>> found >>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>> task-6) >>>>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not found >>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>> task-6) >>>>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>> task-6) >>>>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl >>>>>>>>>>> hasn't changed. >>>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-6) >>>>>>>>>>> authenticator CHALLENGE: auth-username-password-form >>>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-6) >>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-6) >>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> *After authentication to portal2** >>>>>>>>>>> * >>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-4) new >>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-4) was >>>>>>>>>>> existing? 
false >>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>> (default task-4) RESTEASY002315: PathInfo: >>>>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>> (default task-4) >>>>>>>>>>> authenticationAction >>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> check: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> execution is processed >>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> check: auth-spnego requirement: DISABLED >>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> execution is processed >>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> check: identity-provider-redirector requirement: ALTERNATIVE >>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> execution is processed >>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> check: null requirement: ALTERNATIVE >>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] 
>>>>>>>>>>> (default task-4) >>>>>>>>>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> check: auth-username-password-form requirement: REQUIRED >>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> action: auth-username-password-form >>>>>>>>>>> 2017-04-25 09:56:29,099 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> authenticator SUCCESS: auth-username-password-form >>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> processFlow >>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> check execution: auth-otp-form requirement: OPTIONAL >>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> authenticator: auth-otp-form >>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>> (default task-4) >>>>>>>>>>> processFlow >>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG >>>>>>>>>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-4) Hibernate RegisteredSynchronization >>>>>>>>>>> successfully >>>>>>>>>>> registered with JTA platform >>>>>>>>>>> 2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>> task-4) >>>>>>>>>>> select >>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>> from >>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>> where >>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>> and roleentity0_.NAME=? 
>>>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>>> 2017-04-25 09:56:29,101 DEBUG >>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>> (default >>>>>>>>>>> task-4) MySqlDS: getConnection(null, >>>>>>>>>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) >>>>>>>>>>> [0/20] >>>>>>>>>>> 2017-04-25 09:56:29,102 DEBUG >>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>>>>>> afterStatement >>>>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>> task-4) >>>>>>>>>>> select >>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>> from >>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>> where >>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>>> 2017-04-25 09:56:29,103 DEBUG >>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>>>>>> afterStatement >>>>>>>>>>> 2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>> task-4) >>>>>>>>>>> select >>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>> from >>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>> where >>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>>>> 2017-04-25 09:56:29,104 DEBUG >>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>>>>>> afterStatement >>>>>>>>>>> 2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default >>>>>>>>>>> task-4) >>>>>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle2, >>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>> ipAddress=192.168.0.27, >>>>>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>>>>> redirect_uri=https://localhost/moodle2iam/auth/oidc/, >>>>>>>>>>> consent=no_consent_required, >>>>>>>>>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser >>>>>>>>>>> 2017-04-25 09:56:29,104 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-4) >>>>>>>>>>> Removing old user session: session: >>>>>>>>>>> 431cecf6-5a6b-4bbc-9467-3f52eff8090f >>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-4) >>>>>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>>>>> /auth/realms/Demo, >>>>>>>>>>> max-age: -1 >>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-4) >>>>>>>>>>> Expiring remember me cookie >>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>> (default task-4) >>>>>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) >>>>>>>>>>> redirectAccessCode: state: WUCTMXokISFDbFN >>>>>>>>>>> 2017-04-25 09:56:29,105 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-4) >>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>>>>>> 
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>> (default >>>>>>>>>>> task-4) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>> >>>>>>>>>>> (default task-4) Initiating JDBC connection release from >>>>>>>>>>> afterTransaction >>>>>>>>>>> 2017-04-25 09:56:29,106 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-4) >>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>> 2017-04-25 09:56:29,626 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-13) new >>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>> 2017-04-25 09:56:29,626 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-13) was >>>>>>>>>>> existing? false >>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>> (default task-13) RESTEASY002315: PathInfo: >>>>>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>> (default task-13) >>>>>>>>>>> AUTHENTICATE CLIENT >>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>> (default task-13) >>>>>>>>>>> client authenticator: client-secret >>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>> (default task-13) >>>>>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>>>>> 2017-04-25 09:56:29,627 DEBUG >>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>> (default task-13) >>>>>>>>>>> Client moodle2 authenticated by client-secret >>>>>>>>>>> 2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default >>>>>>>>>>> task-13) >>>>>>>>>>> type=CODE_TO_TOKEN, realmId=Demo, 
clientId=moodle2, >>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>> ipAddress=153.109.152.213, >>>>>>>>>>> token_id=ff9b3385-1362-4559-ad53-05317755b280, >>>>>>>>>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>>>>>> refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7, >>>>>>>>>>> code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, >>>>>>>>>>> client_auth_method=client-secret >>>>>>>>>>> 2017-04-25 09:56:29,656 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-13) >>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>> 2017-04-25 09:56:29,656 DEBUG >>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>> task-13) >>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>> 2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] >>>>>>>>>>> (default I/O-1) >>>>>>>>>>> Error reading request: java.io.IOException: Connection reset >>>>>>>>>>> by peer >>>>>>>>>>> at sun.nio.ch.FileDispatcherImpl.read0(Native Method) >>>>>>>>>>> at >>>>>>>>>>> sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) >>>>>>>>>>> at >>>>>>>>>>> sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) >>>>>>>>>>> at sun.nio.ch.IOUtil.read(IOUtil.java:192) >>>>>>>>>>> at >>>>>>>>>>> sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) >>>>>>>>>>> at >>>>>>>>>>> org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282) >>>>>>>>>>> at >>>>>>>>>>> io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658) >>>>>>>>>>> >>>>>>>>>>> at >>>>>>>>>>> io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530) >>>>>>>>>>> at >>>>>>>>>>> org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) >>>>>>>>>>> >>>>>>>>>>> at >>>>>>>>>>> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152) >>>>>>>>>>> >>>>>>>>>>> at >>>>>>>>>>> 
From hmlnarik at redhat.com Thu Apr 27 05:23:08 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 27 Apr 2017 11:23:08 +0200
Subject: [keycloak-user] SAML parsing error
In-Reply-To: <1493276285658-3723.post@n6.nabble.com>
References: <1493043163420-3667.post@n6.nabble.com> <1493103466160-3674.post@n6.nabble.com> <1493109302868-3677.post@n6.nabble.com> <1493276285658-3723.post@n6.nabble.com>
Message-ID:

In this case you have found a bug in parsing. Keycloak does not handle
AttributeAuthorityDescriptor's Attributes and its parsing is not
implemented. If you want to import that metadata, you need to remove all
elements. Please file a JIRA for this issue.

--Hynek

On Thu, Apr 27, 2017 at 8:58 AM, Anders KK wrote:
> Hi again,
>
> We now experience another problem that seems to be related.
>
> When we create a new SAML v2.0 IdP in KC we would like to import the
> metadata file from our IdP (see the attached file). It fails and the log
> shows this:
> PL00062: Parser : Unknown tag:Attribute::location=[row,col
> {unknown-source}]: [207,5]
>
> We have tried to change a few things in the meta data file (i.e. avoiding an
> empty last attribute) with no luck.
>
> IdPMetadata_test.xml
>
>
> Best regards,
> Anders and Ulrik
>
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-parsing-error-tp3667p3723.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From hendrikdev22 at gmail.com Thu Apr 27 06:35:47 2017
From: hendrikdev22 at gmail.com (Hendrik Dev)
Date: Thu, 27 Apr 2017 12:35:47 +0200
Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
In-Reply-To:
References:
Message-ID:

On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda wrote:
> On 24/04/17 18:55, Hendrik Dev wrote:
>>
>> Hi,
>>
>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>> Purpose is to provide single sign on for users logging in via IE from
>> a Windows domain.
>> Keycloak itself is running on CentOS, Kerberos server is Active
>> Directory. The setup is working so far because I can login via 'curl
>> --negotiate'. There are also several other java applications running
>> in this environment which are capable of doing SPNEGO over Kerberos
>> authentication successfully.
>>
>> If the user accesses a Keycloak protected application the SPNEGO login
>> does not work and the Keycloak login page is displayed instead.
>> In the logs I see "Defective token detected (Mechanism level:
>> GSSHeader did not find the right tag)" and that's totally right because
>> the browser sends
>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>
>> For me it looks like the browser never gets either a
>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>> In other words: the browser never seems to get challenged to do
>> SPNEGO over Kerberos.
>
> I will try to summarize if I understand correctly:
> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
> Negotiate ntlm-token-is-here"
> 3) Keycloak replied with "WWW-Authenticate: Negotiate
> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
> 4) Your browser didn't reply anything back
>
> Is it correct?

Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from
Keycloak. As I said, the browser does not get a challenge.

>
> It seems that your browser doesn't have a Kerberos ticket, hence that's why it
> uses NTLM instead. I think the best would be to fix your environment, so
> that it will send Kerberos token instead of NTLM at the step 2.
>
> Marek
>
>>
>> I already tried to fix it
>>
>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>> but this oddly just ends up in a Basic Auth popup from the browser.
>> For the client app the standard flow as well as direct access grants
>> is enabled.
>>
>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>> loadbalancer and Kerberos is setup within the LDAP Federation ()
>>
>> Any ideas?
>>
>> Thanks
>> Hendrik
>>
>

--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC

From unm at greenbyte.dk Thu Apr 27 06:51:58 2017
From: unm at greenbyte.dk (Ulrik NM)
Date: Thu, 27 Apr 2017 03:51:58 -0700 (MST)
Subject: [keycloak-user] SAML parsing error
In-Reply-To:
References: <1493043163420-3667.post@n6.nabble.com> <1493103466160-3674.post@n6.nabble.com> <1493109302868-3677.post@n6.nabble.com> <1493276285658-3723.post@n6.nabble.com>
Message-ID: <1493290318627-3731.post@n6.nabble.com>

Thanks again Hynek,

We get no errors when the elements are removed.

Hynek Mlnarik wrote
> Please file a JIRA for this issue.

KEYCLOAK-4809 filed.

/Anders + Ulrik

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-parsing-error-tp3667p3731.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From rohitchaudhary95 at gmail.com Thu Apr 27 06:58:32 2017
From: rohitchaudhary95 at gmail.com (rohit chaudhary)
Date: Thu, 27 Apr 2017 16:28:32 +0530
Subject: [keycloak-user] Error while connecting postgres User Storage spi
Message-ID:

Hi,

I am trying User storage spi with postgres db. It throws following error:

While running command *mvn clean install wildfly:deploy*

*Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli)
on project user-storage-jpa-example: Failed to execute goal deploy:
{"WFLYCTL0062: Composite operation failed and was rolled back.
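Hynek's diagnosis in the SAML parsing thread above is that the Keycloak importer chokes on the saml:Attribute children of an md:AttributeAuthorityDescriptor, and the workaround is to remove them before import. The script below is an added example (not Keycloak code and not the IdPMetadata_test.xml from the thread): it strips exactly those elements from a constructed sample metadata document and reports whether the metadata carried an enveloped signature, which such editing would of course invalidate.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the usual prefixes on output instead of ElementTree's ns0/ns1.
for _prefix, _uri in (("md", MD), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample metadata (placeholder entityID and endpoints); it is
# not the file attached in the thread.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:saml="{SAML}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/aa"/>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
    <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="cn">
      <saml:AttributeValue>ignored</saml:AttributeValue>
    </saml:Attribute>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def strip_aa_attributes(metadata_xml):
    """Remove saml:Attribute children of every md:AttributeAuthorityDescriptor.

    Returns (cleaned_xml, removed_count, was_signed). The rest of the
    document, including md:AttributeService, is left untouched. If the
    metadata carried a ds:Signature, the cleaned output no longer verifies
    against it, so it must be trusted some other way (e.g. fetched over a
    pinned TLS channel) before being imported.
    """
    root = ET.fromstring(metadata_xml)
    removed = 0
    # Materialise the iterator first: we mutate the tree while walking it.
    for aa in list(root.iter(f"{{{MD}}}AttributeAuthorityDescriptor")):
        for attr in list(aa.findall(f"{{{SAML}}}Attribute")):
            aa.remove(attr)
            removed += 1
    was_signed = root.find(f".//{{{DS}}}Signature") is not None
    return ET.tostring(root, encoding="unicode"), removed, was_signed


def count_elements(xml_text, namespace, local_name):
    """Helper for verification: number of {namespace}local_name elements."""
    return len(ET.fromstring(xml_text).findall(f".//{{{namespace}}}{local_name}"))


if __name__ == "__main__":
    cleaned, n, signed = strip_aa_attributes(SAMPLE_METADATA)
    print(f"removed {n} saml:Attribute element(s); signed={signed}")
    print(cleaned)
```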
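The Kerberos/SPNEGO thread above turns on what the browser actually put into its Negotiate header: an NTLMSSP message rather than the GSS-API token Keycloak's Java GSS layer expects, hence "GSSHeader did not find the right tag". The classifier below is an added example (not Keycloak code and not from the thread) that decodes such a header value and tells the two apart; the NTLM input is the token Hendrik quoted, while the GSS-API sample is constructed by a helper.

```python
import base64
import struct

# The header value Hendrik's browser sent, quoted from the thread above.
NTLM_HEADER_FROM_THREAD = (
    "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
)

# DER-encoded mechanism OIDs that a GSS-API InitialContextToken may carry.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "spnego",         # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "krb5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "ms-krb5",  # 1.2.840.48018.1.2.2
}
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Describe the token in an 'Authorization: Negotiate <base64>' value.

    Java's GSS layer requires the first byte to be the ASN.1 APPLICATION 0
    tag 0x60 (GSS-API InitialContextToken); an NTLMSSP message starts with
    the ASCII signature "NTLMSSP\\0" instead, so it is rejected before any
    mechanism negotiation happens.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header value")
    raw = base64.b64decode(b64, validate=True)
    info = {"family": "unknown", "gss_header_ok": False}
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info.update(family="ntlm",
                    message=NTLM_MESSAGE_TYPES.get(msg_type, "unknown"),
                    flags=flags)
        # A type 1 message with NEGOTIATE_VERSION set carries the client's
        # OS version at offset 32: major, minor, build (little-endian).
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["os_version"] = f"{major}.{minor}.{build}"
        return info
    if len(raw) > 2 and raw[:1] == b"\x60":
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] != b"\x06":
            raise ValueError("GSS-API token without mechanism OID")
        oid_len, pos = _der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
        info.update(family="gssapi", gss_header_ok=True,
                    mechanism=MECH_OIDS.get(oid, "unknown-oid"))
    return info


def build_sample_gssapi_header(mech_oid):
    """Constructed sample: a GSS-API token header for mech_oid wrapping an
    empty NegTokenInit body, only meant to exercise the classifier."""
    inner = b"\x06" + bytes([len(mech_oid)]) + mech_oid + b"\xa0\x00"
    token = b"\x60" + bytes([len(inner)]) + inner
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    print(classify_negotiate_token(NTLM_HEADER_FROM_THREAD))
    spnego = build_sample_gssapi_header(bytes.fromhex("2b0601050502"))
    print(classify_negotiate_token(spnego))
```

Run against the thread's token it reports an NTLM NEGOTIATE message from a 6.1.7601 (Windows 7) client, which is the case where the workstation has no usable Kerberos ticket for the Keycloak SPN.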
Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed
services" =>
{"jboss.persistenceunit.\"user-storage-jpa-example.jar#user-storage-jpa-example\""
=> "org.jboss.msc.service.StartException in service
jboss.persistenceunit.\"user-storage-jpa-example.jar#user-storage-jpa-example\":
javax.persistence.PersistenceException: [PersistenceUnit:
user-storage-jpa-example] Unable to build Hibernate SessionFactory*
*[ERROR] Caused by: javax.persistence.PersistenceException:
[PersistenceUnit: user-storage-jpa-example] Unable to build Hibernate
SessionFactory*
*[ERROR] Caused by:
org.hibernate.tool.schema.spi.SchemaManagementException: Unable to
execute schema management to JDBC target [create table UserEntity (id
varchar(255) not null, email varchar(255), password varchar(255), phone
varchar(255), username varchar(255), primary key (id))]*
*[ERROR] Caused by: org.postgresql.util.PSQLException: ERROR: relation
\"userentity\" already exists"}}}}*

If I drop this table, it will create one but users are not imported.
And do I have to use UserEntity as my tablename or can I have a different one?

Thanks,
Rohit

From chardin at shadowforge-computing.com Thu Apr 27 07:33:59 2017
From: chardin at shadowforge-computing.com (Charles Hardin)
Date: Thu, 27 Apr 2017 07:33:59 -0400
Subject: [keycloak-user] Issues with Keycloak and AD
In-Reply-To: <5de5fe9a-92fa-c9cd-cc8b-ee6d10322f95@redhat.com>
References: <05f0937b-daca-fc3a-c348-1b6f68ce398d@redhat.com> <5de5fe9a-92fa-c9cd-cc8b-ee6d10322f95@redhat.com>
Message-ID:

Marek,

I tried turning that on and it led me to a discovery. When I looked at the
trace log, MSAD was refusing the password, even though I could manually
create a user with the same password. Some googling led me to the fact
that AD will not allow an ldap connection to manipulate a password. It
requires ldaps. Once I changed my connection to ldaps and set up the
truststore with the cert, it's now creating users as expected.

Thanks!
On Wed, Apr 26, 2017 at 12:14 AM, Marek Posolda wrote:
> Could you try to enable TRACE logging for category "org.keycloak.storage.ldap"
> in standalone.xml and then see what's logged into server.log at the moment
> when you sent request to register new user?
>
> Thanks,
> Marek
>
> On 26/04/17 04:58, Charles Hardin wrote:
>
> Marek,
>
> I did some more testing on my side. I made the user Keycloak uses to talk
> to MSAD a Domain Admin (I was using delegation). I dropped the domain and
> forest functional level to 2012R2, and also removed the realm and recreated
> to make sure I was as close to defaults as I could be.
>
> I went and dug through the AD events, and it looks like for whatever
> reason Keycloak is creating the user with a UAC value of 0x15.
>
> Old UAC Value: 0x0
> New UAC Value: 0x15
> User Account Control:
> Account Disabled
> 'Password Not Required' - Enabled
> 'Normal Account' - Enabled
>
> Here is what Keycloak logs when it connects the ldap:
>
> 22:12:06,563 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry]
> (default task-4) Creating new LDAP Store for the LDAP storage provider:
> 'ldap', LDAP Configuration: {pagination=[true], fullSyncPeriod=[604800],
> usersDn=[], connectionPooling=[true], cachePolicy=[DEFAULT],
> useKerberosForPasswordAuthentication=[false], importEnabled=[true],
> bindDn=[], changedSyncPeriod=[86400], usernameLDAPAttribute=[sAMAccountName],
> lastSync=[1493169877], vendor=[ad], uuidLDAPAttribute=[objectGUID],
> connectionUrl=[], allowKerberosAuthentication=[false],
> syncRegistrations=[true], authType=[simple], debug=[false],
> searchScope=[1], useTruststoreSpi=[ldapsOnly], priority=[0],
> userObjectClasses=[person, organizationalPerson, user],
> rdnLDAPAttribute=[cn], editMode=[WRITABLE], batchSizeForSync=[1000]},
> binaryAttributes: []
>
>
> Not quite sure where to go with this. Is there a way to get keycloak to
> log the user creation attempt somewhere?
>
>
> On Tue, Apr 25, 2017 at 4:15 PM, Marek Posolda wrote:
>
>> On 25/04/17 16:07, Charles Hardin wrote:
>>
>> I tried turning that off, but the problem seems to persist. I also changed minimum password age to 0 on the AD side and it still fails to change the password.
>>
>> The AD configuration is pretty much default outside of password configuration.
>>
>> The user gets created in AD with the must change password at next login flagged, as well as account disabled.
>>
>> I will keep poking on my end to see what I can find. Any guess when it might be testable against 2016 on your side?
>>
>> Not sure. Depends on the priorities and how much customers need that.
>>
>> Marek
>>
>>
>> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda wrote:
>>
>>> I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have the same setup as you (Password Policy Hints enabled, Writable edit mode).
>>>
>>> After the registration, the user's password is successfully updated in MSAD and I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is updated to the latest time, userAccountControls are in 512, which corresponds to a fully created and enabled user).
>>>
>>> Not sure if the difference is with your MSAD setup or if this is related to MSAD 2016. We don't yet test with this version for now.
>>>
>>> The workaround might be to disable "Password Policy Hints". But then some advanced password policies won't work (password history etc).
>>>
>>> Marek
>>>
>>>
>>> On 21/04/17 15:42, Charles Hardin wrote:
>>>
>>> 2016
>>>
>>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda wrote:
>>>
>>>> I will try to reproduce that. What's your MSAD version btw?
>>>>
>>>> Thanks,
>>>> Marek
>>>>
>>>>
>>>> On 20/04/17 23:55, Charles Hardin wrote:
>>>>
>>>>> Hello All,
>>>>>
>>>>> I have set up an instance of Keycloak 3 and connected it to AD. It is set up to sync users and is in writable edit mode.
>>>>> I also have Password Policy Hints enabled in the MSAD Account Controls mapper. I have user registration turned on in Keycloak.
>>>>>
>>>>> When I register a user in keycloak, it creates the user in a disabled state in AD, and prompts the user in keycloak to change the password they just set during account creation to activate the account. This then fails because AD is currently configured to enforce a minimum password age of one day.
>>>>>
>>>>> I am ok with the account being created disabled, but how do I get around the immediate 2nd password request?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chuck
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mitya at cargosoft.ru Thu Apr 27 07:45:05 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Thu, 27 Apr 2017 14:45:05 +0300
Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories
Message-ID: <1493293505.2855.1.camel@cargosoft.ru>

Hi,

MGTS, Moscow's leading telephony and internet provider with ~4M subscribers, holds a tender for a web SSO solution to replace their current OpenAM. Our company participates with a Keycloak/RHSSO based solution. We've successfully passed an RFI phase and advanced to RFP, where we will be asked to produce the following performance measurements:

- single node capacity (logins/sec) for a known server configuration;
- capacity increase per each node added to the cluster.

Thus, I wanted to ask if anyone has performed this sort of benchmarking for Keycloak, and if the results are available. If not, what's the best approach to perform benchmarking ourselves? Did anyone have success with keycloak-benchmark?
Additionally, it would help us a lot if we could refer to some success stories of real-world Keycloak deployments, preferably in the telecom area.

Thanks!
Dmitry

From eduard.matuszak at worldline.com Thu Apr 27 09:11:46 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Thu, 27 Apr 2017 13:11:46 +0000
Subject: [keycloak-user] Passing information from custom Authenticator to a Token
In-Reply-To:
References:
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723EFCD81@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello,

Sounds good, but it seems that we are restricted here to implementing an authenticator. When fetching the information to be passed into a token by implementing a user storage provider (which makes sense presuming that this information is to be fetched from the same federated store where the credentials are also deposited), we have no other choice than to 1: (automatically) create a permanent user representation in Keycloak and 2: add the claim information as user attributes.

I would appreciate it if someone disagreed and could provide an idea to overcome automatic creation of non-temporary Keycloak user entries at all.

Best regards, Eduard

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Darimont
Sent: Friday, April 21, 2017 2:08 PM
To: ?????? ????
Cc: keycloak-user
Subject: Re: [keycloak-user] Passing information from custom Authenticator to a Token

Thanks for your reply :)

I think (ab)using user attributes for storing temporary data is not a good idea, e.g. one would need to take care to clear that information etc.

I'm currently using context.getClientSession().setUserSessionNote("key","value"); in combination with a user protocol mapper for "user session note".

Cheers,
Thomas

2017-04-21 13:40 GMT+02:00 ?????? ????:
> First thing that came to my head is to populate the required data to attributes of UserModel and use mappers to map the attr to an AT claim, but your way also looks interesting and I don't see any problems here.
>
>
> 21.04.2017 8:32, Thomas Darimont wrote:
> > Hello group,
> >
> > I need to pass some information from a custom Authenticator to the IDToken/AccessToken.
> > One way I found to do that is by using UserSessionNotes and a "User Session Note" Protocol Mapper defined in a client template which is shared by all clients.
> >
> > public void authenticate(AuthenticationFlowContext context) {
> >     ...
> >
> >     context.getClientSession().getUserSessionNotes().put("someKey","someValue");
> >     ...
> > }
> >
> > is this the intended way to do this sort of things?
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Apr 27 09:56:06 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 27 Apr 2017 15:56:06 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO
In-Reply-To: <8f149689-bdd9-d75c-a089-6013bc302212@psynd.net>
References: <4e658f54-df0f-2759-dcf7-d07a07be32cf@redhat.com> <9bc9ee75-487b-02c7-cd8b-8d489fdd9e00@psynd.net> <5ed3f055-b6fc-d341-4662-ae086d3d7576@redhat.com> <6a346d30-4478-8faa-2288-25b77b91bb98@psynd.net> <8f149689-bdd9-d75c-a089-6013bc302212@psynd.net>
Message-ID:

Not sure what could be the reason...
Are you seeing the browser cookie if you log in to some Keycloak builtin applications (admin console, account management)?

I wonder about something around "http" or "https". Will it work if you switch SSL required for your realm to "ALWAYS"? Or the other way, will it work if you switch everything to "http" instead of "https"?

Marek

On 27/04/17 11:21, Tech wrote:
>
> We tried with Firefox, Chrome and Internet Explorer; in none of these cases do we have this cookie.
>
> What could be the reason?
>
>
> On 27/04/17 10:02, Marek Posolda wrote:
>> Yes, the KEYCLOAK_IDENTITY cookie should be in the browser after successful authentication to your portal1 is fully finished. Are you seeing the cookie after this authentication?
>>
>> Then portal2 is supposed to be automatically authenticated due to this cookie.
>>
>> Marek
>>
>> On 27/04/17 09:14, Tech wrote:
>>>
>>> Hello,
>>>
>>> opening the browser the KEYCLOAK_IDENTITY cookie does not appear, but in my understanding this is created when you have an active session to Keycloak, like accessing the admin interface.
>>>
>>> No proxies, cookies or load balancers in the backend server.
>>>
>>>
>>> On 26/04/17 16:17, Marek Posolda wrote:
>>>> Thanks, are you seeing the KEYCLOAK_IDENTITY cookie in your browser for path "/auth/realms/yourrealm"? Are you using a proxy/loadbalancer, which may cause cookies sent to the proxy to not be visible on the backend server (Keycloak)?
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 26/04/17 09:09, Tech wrote:
>>>>> Hello again,
>>>>>
>>>>> so:
>>>>> 1) they are both using the same kc realm
>>>>> 2) the cookie is not disabled
>>>>> 3) I attach a screenshot; it's identical for the two applications, with the difference that one of the two URLs has the "2"
>>>>>
>>>>>
>>>>> On 26/04/17 06:17, Marek Posolda wrote:
>>>>>> On 25/04/17 22:36, Tech wrote:
>>>>>>>
>>>>>>> Hello Marek,
>>>>>>>
>>>>>>> 1) yes, they are both using the same Kc realm
>>>>>>>
>>>>>>> 2) how can I check this point?
>>>>>>>
>>>>>> In the Keycloak admin console, there is the tab "Authentication" and then the flow "browser".
>>>>>>
>>>>>> Marek
>>>>>>>
>>>>>>> 3) I checked already, I don't think that anything like that is enabled, but I will send you a screenshot in the coming hours (not in the office right now)
>>>>>>>
>>>>>>> Thanks for the support
>>>>>>>
>>>>>>>
>>>>>>> On 25.04.17 22:14, Marek Posolda wrote:
>>>>>>>> Normally SSO between client applications is supposed to work. I would check:
>>>>>>>>
>>>>>>>> - Are both your clients (portal1 and portal2) using the same Keycloak realm? SSO will work just within the same realm
>>>>>>>>
>>>>>>>> - Is the Cookie authenticator enabled for the authentication browser flow of your realm? Didn't you accidentally disable it? SSO requires that it is enabled
>>>>>>>>
>>>>>>>> - What does the URL to the Keycloak login screen look like? I wonder if your PHP adapter uses some parameters which cause SSO to be disabled (eg. prompt=login or max_age=0)
>>>>>>>>
>>>>>>>> Marek
>>>>>>>>
>>>>>>>> On 25/04/17 14:18, Tech wrote:
>>>>>>>>>
>>>>>>>>> Anybody with any ideas?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 25/04/17 12:53, Tech wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Marek,
>>>>>>>>>>
>>>>>>>>>> maybe my email was confusing; we initially ran two tests where we log in and log out on both portals to check that OIDC is working on each of them.
>>>>>>>>>>
>>>>>>>>>> Once we know that OIDC is working, then we are expecting to log in to portal1 and, opening portal2, to find ourselves already logged in, but this doesn't happen and we are forced to log in again
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 25/04/17 12:41, Marek Posolda wrote:
>>>>>>>>>>> If you don't do "Logout from portal1" at the end of the first test, then SSO should work and you will be automatically logged into portal2 without a need to put in your credentials.
>>>>>>>>>>>
>>>>>>>>>>> The logout is "SSO logout", hence it also kills the SSO session on the Keycloak side and requires the user to re-login.
>>>>>>>>>>>
>>>>>>>>>>> Marek
>>>>>>>>>>>
>>>>>>>>>>> On 25/04/17 12:31, Tech wrote:
>>>>>>>>>>>> Dear experts,
>>>>>>>>>>>>
>>>>>>>>>>>> we are working with Moodle, a PHP based platform, where we have been able to configure Keycloak correctly to implement OIDC.
>>>>>>>>>>>>
>>>>>>>>>>>> To test Keycloak we cloned this application, with different URLs, and we did the first test:
>>>>>>>>>>>>
>>>>>>>>>>>> * Connect to portal1
>>>>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>>>>> * Enter credentials stored into Keycloak
>>>>>>>>>>>> * User accepted and redirected to portal1
>>>>>>>>>>>> * Logout from portal1
>>>>>>>>>>>>
>>>>>>>>>>>> After this we tested the second application:
>>>>>>>>>>>>
>>>>>>>>>>>> * Connect to portal2
>>>>>>>>>>>> * User not recognized and redirected to Keycloak through OIDC
>>>>>>>>>>>> * Enter credentials stored into Keycloak
>>>>>>>>>>>> * User accepted and redirected to portal2
>>>>>>>>>>>> * Logout from portal2
>>>>>>>>>>>>
>>>>>>>>>>>> In this case I know that OIDC is working for the two applications and we can expect that the SSO is also working, but after the login in portal1 we have to log in again to portal2, and vice-versa.
>>>>>>>>>>>>
>>>>>>>>>>>> We attach below some logs, could you please help?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> *Login to portal1*
>>>>>>>>>>>>
>>>>>>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
>>>>>>>>>>>> 2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
>>>>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing?
false >>>>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>> (default task-30) RESTEASY002315: PathInfo: >>>>>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>> (default task-30) >>>>>>>>>>>> AUTHENTICATE >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>> (default task-30) >>>>>>>>>>>> AUTHENTICATE ONLY >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) processFlow >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) authenticator: auth-cookie >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>> (default task-30) >>>>>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) authenticator ATTEMPTED: auth-cookie >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) check execution: auth-spnego requirement: DISABLED >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) execution is processed >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) check execution: identity-provider-redirector >>>>>>>>>>>> requirement: >>>>>>>>>>>> ALTERNATIVE >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) authenticator: identity-provider-redirector >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) check execution: null requirement: ALTERNATIVE >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) execution is flow >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) processFlow >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) check execution: auth-username-password-form >>>>>>>>>>>> requirement: REQUIRED >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) authenticator: auth-username-password-form >>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG 
>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>>>> task-30) >>>>>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): >>>>>>>>>>>> Not found >>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>>>> task-30) >>>>>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not >>>>>>>>>>>> found >>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>>>> task-30) >>>>>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default >>>>>>>>>>>> task-30) >>>>>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl >>>>>>>>>>>> hasn't changed. >>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-30) authenticator CHALLENGE: auth-username-password-form >>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-30) >>>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-30) >>>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>>>>> (Periodic >>>>>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>>>>> identifier 1 >>>>>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> *After authentication to portal1** >>>>>>>>>>>> * >>>>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> 
task-31) new >>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-31) was >>>>>>>>>>>> existing? false >>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>> (default task-31) RESTEASY002315: PathInfo: >>>>>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>> (default task-31) >>>>>>>>>>>> authenticationAction >>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) check: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) execution is processed >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) check: auth-spnego requirement: DISABLED >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) execution is processed >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) check: identity-provider-redirector requirement: >>>>>>>>>>>> ALTERNATIVE >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) execution is processed >>>>>>>>>>>> 2017-04-25 
09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) check: null requirement: ALTERNATIVE >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) check: auth-username-password-form requirement: >>>>>>>>>>>> REQUIRED >>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) action: auth-username-password-form >>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) authenticator SUCCESS: auth-username-password-form >>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) processFlow >>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) check execution: auth-otp-form requirement: OPTIONAL >>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) authenticator: auth-otp-form >>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) processFlow >>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>>>>>>>>>> >>>>>>>>>>>> (default task-31) Hibernate RegisteredSynchronization >>>>>>>>>>>> successfully >>>>>>>>>>>> 
registered with JTA platform >>>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>>> task-31) >>>>>>>>>>>> select >>>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>>> from >>>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>>> where >>>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG >>>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) MySqlDS: getConnection(null, >>>>>>>>>>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) >>>>>>>>>>>> [0/20] >>>>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG >>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>> >>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>> afterStatement >>>>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>>> task-31) >>>>>>>>>>>> select >>>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>>> from >>>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>>> where >>>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>> >>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>> afterStatement >>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>>> task-31) >>>>>>>>>>>> select >>>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>>> from >>>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>>> where >>>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>> >>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>> afterStatement >>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] >>>>>>>>>>>> (default task-31) >>>>>>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle, >>>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>>> ipAddress=192.168.0.27, >>>>>>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>>>>>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>>>>>>>>>>> consent=no_consent_required, >>>>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>>>>>>>>>> username=testuser >>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>> (default task-31) >>>>>>>>>>>> Removing old user session: session: >>>>>>>>>>>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>> (default task-31) >>>>>>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>>>>>> /auth/realms/Demo, >>>>>>>>>>>> max-age: -1 >>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>> (default task-31) >>>>>>>>>>>> Expiring remember me cookie >>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>> (default task-31) >>>>>>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default >>>>>>>>>>>> task-31) >>>>>>>>>>>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>>>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-31) >>>>>>>>>>>> 
JtaTransactionWrapper commit >>>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>>> (default >>>>>>>>>>>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>> >>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>> afterTransaction >>>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-31) >>>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-24) new >>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>> task-24) was >>>>>>>>>>>> existing? false >>>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>> (default task-24) RESTEASY002315: PathInfo: >>>>>>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>> (default task-24) >>>>>>>>>>>> AUTHENTICATE CLIENT >>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>>> (default task-24) >>>>>>>>>>>> client authenticator: client-secret >>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>>> (default task-24) >>>>>>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>>> (default task-24) >>>>>>>>>>>> Client moodle authenticated by client-secret >>>>>>>>>>>> 2017-04-25 
From jm85martins at gmail.com Thu Apr 27 13:28:31 2017
From: jm85martins at gmail.com (Jorge M.)
Date: Thu, 27 Apr 2017 18:28:31 +0100
Subject: [keycloak-user] Help with SSO
Message-ID:

Hi,

In the past some systems inside my company were using a custom-made SSO implementation that had the ability to do silent login among them. One of those systems was completely refactored and is using Keycloak for authentication and authorization. Since then, we lost that silent login feature with the other systems. We assumed that it was OK to lose this feature for a while, but now we are trying to implement the silent login again.
So, summing up:

- System "A" is using Keycloak with a realm "RealmA" with multiple clients (modules) with SSO between them.
- Other systems "B", "C" with their custom authentication and authorization.
- We are using a custom federation on Keycloak over the same users database that is shared among all the systems.

What's the best practice to achieve SSO between all the systems? We are thinking about a proxy that detects if the user has a session on some of the other systems and, if that is true, we programmatically create a session on Keycloak for a given (Is this possible with the API?).

Thank you,
JM

From sthorger at redhat.com Thu Apr 27 13:48:09 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Apr 2017 19:48:09 +0200
Subject: [keycloak-user] Keycloak 3.1.0.CR1 Released
Message-ID:

Keycloak 3.1.0.CR1 has just been released. To download the release go to the Keycloak homepage.

Highlights

- *X509 Certificate user authentication* - Thanks to Peter Nalyvayko for the contribution
- *Proof Key for Code Exchange by OAuth Public Clients* - Thanks to Takashi Norimatsu for the contribution
- *WildFly Elytron adapters* - Adapters for Elytron, a new security subsystem coming in WildFly 11 and EAP 7.1
- *TypeScript type definitions for keycloak.js* - Simplifies using keycloak.js from TypeScript
- *Identity Provider for Openshift* - Thanks to Bartosz Majsak for the contribution

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the migration guide. Release candidates are not recommended in production and we do not support upgrading from release candidates.
From g.henkel at cgh-solutions.de Fri Apr 28 01:51:03 2017
From: g.henkel at cgh-solutions.de (Georg Henkel)
Date: Fri, 28 Apr 2017 07:51:03 +0200
Subject: [keycloak-user] JAX-RS @PermitAll with invalid token fails
Message-ID: <6b96cdef-2fc1-83e7-00bf-3be23d48d889@cgh-solutions.de>

Hi there,

I am trying to set up a JAX-RS webservice with Keycloak authentication and want to use the Java EE security annotations (@PermitAll, @RolesAllowed). My current implementation works well with one exception: if I have set an invalid bearer token in the authorization header, the TokenVerifier throws a VerificationException stating: Token is not active. I fully understand why it is thrown and that the token is checked before the routing in JAX-RS starts. But if I use @PermitAll I want everyone, regardless of any authorization header, to be able to access the resource. How can I handle this use case?

P.S.: If I access the resource without a token, then I get the correct result from the webservice.

Best regards
Georg

From ivan at akvo.org Fri Apr 28 03:51:53 2017
From: ivan at akvo.org (Iván Perdomo)
Date: Fri, 28 Apr 2017 09:51:53 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
Message-ID: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org>

Hi all,

We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long-running process. This protected resource checks the validity of the access_token using OAuth2 token introspection. In our tests we found that the introspection flag "active" true|false depends on having an active session in the server, which seems to defeat the purpose of the offline access capabilities.

I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same.
* Get an offline token via direct grants
* Get an access_token using the offline_token
* We have an active session
* Use the token introspection for the access_token and get the expected result: active=true
* Wait for SSO Idle timeout (so the session expires)
* Get a new access_token using the "stored" offline_token
* Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired.

The following code repository has an isolated test case of this scenario:
https://github.com/iperdomo/keycloak-oauth2-instrospection

The described steps are in this script:
https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh

I tried to look for logged issues regarding token introspection and didn't find anything related to this problem.

Is this a bug or expected behavior?

[1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html

Thanks for your support.

--
Iván

From kevin.berendsen at pharmapartners.nl Fri Apr 28 04:54:11 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Fri, 28 Apr 2017 08:54:11 +0000
Subject: [keycloak-user] Maintain 300 realms challenge
Message-ID:

Hi community!

I've got a very interesting challenge and I'd like some of your opinions. We've got to maintain countless separate LDAPs with identical schemas and configurations. The problem is, the users may have identical usernames in the separate LDAP instances, so fusing every LDAP into one is not an option at the moment. Maybe in the future, but not now.

So I came up with a couple of solutions:

1) Each LDAP will have its own realm so all the LDAPs stay isolated from each other. Each realm will have identical clients and general configuration. To tackle the issue and lower maintenance time, the approach is to develop a tool on the Keycloak Admin Client API to be able to make bulk updates on ALL the realms.
As it's quite hard to track which realm has which change/update, I came up with the idea to create a single realm that will act as a template, and every time I update that realm, by adding a new client for example, it'd perform the very same action on ALL other realms.

Pros: You can manage all realms as one and every LDAP stays isolated.
Cons: Huge load on Keycloak (I think), and it takes quite some time to develop the tool.

2) Create a single realm, have countless User Federations, and the username will have a prefix (id of the User Federation). Then again, a tool will be developed to easily maintain the User Federations.

Pros: Single realm to maintain
Cons: I don't like the thought of having countless User Federations, but I think that might be a misplaced feeling.

So what do you guys think :)

For those who reply, thanks in advance; your efforts will be appreciated!

Kind regards,
Fanatic Keycloak User Kevin

From anders.kabell.kristensen at systematic.com Fri Apr 28 07:05:21 2017
From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Fri, 28 Apr 2017 04:05:21 -0700 (MST)
Subject: [keycloak-user] Angular2 app (js adapter) https proxy problem
Message-ID: <1493377521837-3742.post@n6.nabble.com>

Hi guys,

We have a problem related to our network setup, proxying and https.

*Our development setup*
Deployed in a docker container:
Keycloak server on address http://192.168.99.100:8180
Resource server on address http://192.168.99.100:8080
Angular2 app on local address https://127.0.0.1 running behind reverse proxy
Hosts file mapping from saml.example.com to 127.0.0.1

We are utilizing the javascript adapter provided by Keycloak and the auth URL is set to https://saml.example.com/auth
The proxy will propagate requests on /auth to http://192.168.99.100:8180

*The problem*
Calling the js adapter init function takes us to:
https://saml.example.com/auth/realms/myrealm/protocol/openid-connect/auth...
however, after typing in the credentials the browser tries to access the following URL, which is not understood by the proxy (http rather than https):
http://saml.example.com/auth/realms/myrealm/login-actions/authenticate...

Any suggestions appreciated :)

Ulrik and Anders

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Angular2-app-js-adapter-https-proxy-problem-tp3742.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From teoreste at gmail.com Fri Apr 28 10:52:13 2017
From: teoreste at gmail.com (matteo restelli)
Date: Fri, 28 Apr 2017 16:52:13 +0200
Subject: [keycloak-user] Logout endpoint JSON Response
Message-ID:

Hi all,

calling the logout endpoint returns, if the call succeeded, a 204 HTTP code (No Content). Is that standard OIDC behaviour? Is it possible to return some sort of JSON and another HTTP code (like 200)?

Thank you in advance,
Matteo

From pkboucher801 at gmail.com Sat Apr 29 15:15:27 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Sat, 29 Apr 2017 15:15:27 -0400
Subject: [keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client
In-Reply-To:
References:
Message-ID: <001f01d2c11c$f62d61a0$e28824e0$@gmail.com>

See https://issues.jboss.org/browse/KEYCLOAK-4813 and I would also like to solicit any thoughts on a workaround.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of abhishek raghav
Sent: Tuesday, April 25, 2017 9:30 AM
To: Jyoti Kumar Singh ; keycloak-user
Subject: Re: [keycloak-user] Keycloak is throwing invalid_authn_request error for SAML Client

Hi,

We are also facing a similar issue in our infrastructure setup with SAP HANA as a Service Provider. Did you get any workaround on this..?
Cheers
-Abhishek

On Tue, Apr 25, 2017 at 8:59 AM, Jyoti Kumar Singh <assassin.creed60 at gmail.com> wrote:

> Hi Team,
>
> Is there any suggestion for me to look upon regarding the Keycloak
> invalid_authn_request error for SAML client?
>
> On Mon, Apr 24, 2017 at 12:50 PM, Jyoti Kumar Singh <assassin.creed60 at gmail.com> wrote:
>
> > Hi Team,
> >
> > We have integrated SAP HANA system as a Service Provider with the Keycloak
> > 2.2.1.Final version and provided "SAML Metadata IDPSSODescriptor" which
> > needs to be imported at the Service Provider end.
> >
> > But while saving the "SAML Metadata IDPSSODescriptor" at the Service Provider
> > end, the SingleSignOnService Location is getting saved with the addition of the 443
> > port number in the Destination URL. For example, if Keycloak is providing the
> > IDP SingleSignOnService Location as "https://test.example.com/auth/realms/zzz/protocol/saml",
> > the Service Provider is saving it as "https://test.example.com:443/auth/realms/zzz/protocol/saml".
> >
> > Once the Service Provider is making an AuthnRequest call to Keycloak, it is
> > sending the Destination URL as "https://test.example.com:443/auth/realms/zzz/protocol/saml"
> > as part of the AuthnRequest. As the destination URL contains ":443" extra, Keycloak is refusing to accept it
> > and throws an "error=invalid_authn_request, reason=invalid_destination" error.
> >
> > Looks like Keycloak is very strict about destination URL matching which is
> > sent from the SP as part of the AuthnRequest. Do we have any option in Keycloak
> > which will accept the Destination URL with port number in the AuthnRequest, or
> > is there any workaround to handle this?
> >
> > Please let me know for any other information regarding this.
> >
> > --
> >
> > *With Regards, Jyoti Kumar Singh*
> >
>
> --
>
> *With Regards, Jyoti Kumar Singh*
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From colem213 at gmail.com Sat Apr 29 16:25:51 2017
From: colem213 at gmail.com (Marc Coleman)
Date: Sat, 29 Apr 2017 20:25:51 +0000
Subject: [keycloak-user] Integrating with Stripe
Message-ID:

Hi,

I would like to extend the registration and account pages to collect payment details using Stripe. Since I am using the docker container, I thought it may be easiest to pass the Stripe token and an API endpoint as environment variables to the container. Then, by extending the themes, I could collect the card details using Stripe.js and send the token to my API to create a customer token that I could add to user attributes in Keycloak.

I know that environment variables are not currently accessible in the freemarker templates, so if this is considered a reasonable use case I'd be willing to open an enhancement request; otherwise I would be interested in alternative solutions.

Thanks!
Marc
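The invalid_destination error in Jyoti's SAML thread above comes down to how strictly the IdP compares the AuthnRequest's Destination attribute with its own SSO endpoint URL. The following is an added illustration, not Keycloak's code or a description of its comparison logic: it parses a constructed AuthnRequest, compares Destination byte-for-byte (so the ":443" variant is rejected) and then with a deliberately narrow normalization (lower-case scheme and host, drop only the scheme's default port) that accepts the ":443" variant while still rejecting a different host, non-default port, scheme or path. The IDP_SSO_URL value is the one quoted in the thread; the request ID and IssueInstant are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# SSO endpoint the IdP advertises in its IDPSSODescriptor metadata (from the thread).
IDP_SSO_URL = "https://test.example.com/auth/realms/zzz/protocol/saml"

# Constructed AuthnRequest as an SP that appended ":443" to the location would send it.
# Only the attributes needed for the Destination check are present.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed-id-1" Version="2.0" '
    'IssueInstant="2017-04-24T07:20:00Z" '
    'Destination="https://test.example.com:443/auth/realms/zzz/protocol/saml"/>'
) % SAMLP_NS


def destination_of(authn_request_xml: str) -> str:
    """Return the Destination attribute of a samlp:AuthnRequest; raise if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    dest = root.get("Destination")
    if not dest:
        raise ValueError("AuthnRequest carries no Destination attribute")
    return dest


def normalize_destination(url: str) -> str:
    """Narrow normalization: lower-case scheme and host, and drop the port only
    when it is the scheme's default (80/443). Path, query and any non-default
    port are left untouched so the check still pins the request to one endpoint."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None
    netloc = host if port is None else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def destination_matches_strict(expected: str, authn_request_xml: str) -> bool:
    """Byte-for-byte comparison: the ':443' variant fails this check."""
    return destination_of(authn_request_xml) == expected


def destination_matches_normalized(expected: str, authn_request_xml: str) -> bool:
    """Comparison after default-port normalization on both sides."""
    received = normalize_destination(destination_of(authn_request_xml))
    return received == normalize_destination(expected)


def with_destination(dest: str) -> str:
    """Helper: the constructed request with a different Destination value."""
    return SAMPLE_AUTHN_REQUEST.replace(
        "https://test.example.com:443/auth/realms/zzz/protocol/saml", dest)


if __name__ == "__main__":
    print("strict:    ", destination_matches_strict(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST))      # False
    print("normalized:", destination_matches_normalized(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST))  # True
```

The narrow scope of the normalization is the point: the Destination attribute is what stops a signed request from being replayed against another endpoint, so anything looser than default-port and case folding weakens that control.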