From akaya at expedia.com  Thu Jun  1 00:28:17 2017
From: akaya at expedia.com (Sarp Kaya)
Date: Thu, 1 Jun 2017 04:28:17 +0000
Subject: [keycloak-user] Password policy for the last used passwords
Message-ID: <D919D4EE-F607-4708-9640-161E2CBA88C7@expedia.com>

Hello,
My keycloak configuration has password policy enabled for all users and it also has the Not Recently Used part specified to some number.
 I have a simple use case:


  1.  I create user
  2.  I set a password for this user
  3.  I delete this user

I repeat this step again, with the same username and password and I get an error on 2nd step which is "Invalid password: must not be equal to any of last x passwords.?
The problem is, I can only have this error on admin API, if I do it on the admin UI then I don?t get it.

Now obviously if it was the same ?user? it would make sense, but since I delete this username and create a new user, which has different user ID; then I would expect it to behave differently.

I am using Keycloak 3.1.0 and Java adapter which has 3.1.0 as well. The below are the code


  1.  Creating user:

keycloak.realm(usersRealm).users().create(someUserRepresentation);

2. Resetting password of the user:
CredentialRepresentation passwordCredRepresentation = new CredentialRepresentation();
representation.setTemporary(false);
representation.setType(PASSWORD);
representation.setValue(password);
UserResource userResource = keycloak.realm(usersRealm).users().get(keycloakId);
userResource.resetPassword(passwordCredRepresentation);


3. Deleting the user:
keycloak.realm(usersRealm).users().delete(keycloakId))


I definitely know that delete user works because once I run this, I don?t see any user and when I run create user code, I can see a user account with different ID.

My question is, is this intentional or a bug? If it is intentional, then how can I clear user?s password history? I tried looking that up in admin api but could not find any call.

Thanks,
Sarp

From pulgupta at redhat.com  Thu Jun  1 02:08:58 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Thu, 1 Jun 2017 11:38:58 +0530
Subject: [keycloak-user] How does a bearer only client validate
In-Reply-To: <CAM6wd3rUcEzkc-dWP7MrSCopC8WfZxU+bqRRs+AU9s0E_uJkbg@mail.gmail.com>
References: <CAApADD23oBz+fZ5=-dUesjtARFyZdpSKO=4Fxqp8x7ymR=miaw@mail.gmail.com>
	<CAM6wd3rUcEzkc-dWP7MrSCopC8WfZxU+bqRRs+AU9s0E_uJkbg@mail.gmail.com>
Message-ID: <CAApADD3-ML0OLwQKw3gFaAuXqkQFvZwi6kxQ7uxCv90Ze7fWmw@mail.gmail.com>

Thanks Chris for the explanation. The whole thing is more clear to me now.

Regards,
Pulkit

On Wed, May 31, 2017 at 11:18 PM, Chris Benninger <cbenninger at phemi.com>
wrote:

> Keycloak has a keypair. Clients that trust that Keycloak instance are
> given the public key.  Keycloak uses the private key to sign the tokens it
> generates. The way JWT works is you can validate that tokens were signed by
> a private key as long as you have the corresponding public key. Therefore
> any JWT tokens that a trusted service generates can be validated using only
> it's public key.
>
> The Keycloak libs on the REST backend service talk to Keycloak once (when
> the first request comes in) and pulls down the public key it needs to
> validate the tokens. For all further requests It then uses this public key
> to verify the signature and if it is valid, the timestamp is valid and a
> few other fields are valid, the token facts will be extracted and provided
> to whatever enforcement mechanism you are using.
>
> https://jwt.io/introduction/
>
> On Wed, May 31, 2017 at 5:14 AM, Pulkit Gupta <pulgupta at redhat.com> wrote:
>
>> Hi All,
>>
>> I have two keycloak client one is a public client using implicit flow and
>> authenticating the user via a redirect and then once the user is
>> authenticate the client receives a token.
>> This token is then passed to a REST based backend service which validate
>> it
>> before providing access to the API data.
>>
>> I am looking for more information on how does a bearer only client
>> validates the token which it receives from the JavaScript based public
>> client. I will also be interested to understand more about the
>> relationship
>> of these two clients based on scope to make this setup work
>>
>>
>> --
>>
>> PULKIT
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


-- 

PULKIT GUPTA

SENIOR SOFTWARE APPLICATIONS ENGINEER

Red Hat IN IT GBD <https://www.redhat.com/>

Pune - India

pulgupta at redhat.com    T: +91-2066817536
<http://redhatemailsignature-marketing.itos.redhat.com/>     IM: pulgupta
<https://red.ht/sig>

From hmlnarik at redhat.com  Thu Jun  1 02:16:30 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 1 Jun 2017 08:16:30 +0200
Subject: [keycloak-user] Key Rotation for SAML client
In-Reply-To: <CACEM6k8R8SyfH58u3eoVv+1EO4tAb0k6H0LhobkBEm0dTQvDpA@mail.gmail.com>
References: <CACEM6k8R8SyfH58u3eoVv+1EO4tAb0k6H0LhobkBEm0dTQvDpA@mail.gmail.com>
Message-ID: <CAMvXD=HpYVFEqn2xgbHN4x5=pK95QTmLk5HWf83J-x+QwwAjDA@mail.gmail.com>

If the clients are using Keycloak adapters, see [1]. Other clients can
use standard SAML descriptor available at
server-root/auth/realms/{realm}/protocol/saml/descriptor, see [2].

[1] https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java/general-config/idp_keys_subelement.html
[2] https://keycloak.gitbooks.io/documentation/server_admin/topics/clients/saml/entity-descriptors.html

On Tue, May 30, 2017 at 9:55 PM, Muein Muzamil
<shmuein+keycloak-dev at gmail.com> wrote:
> Hi all,
>
> We have a business use case, where we'll have a realm with 50+ SAML clients
> configured and we want to update the SAML key for the realm (either for
> security reason or the certificate got expired),
>
> I was reading following section but it seems mostly focused on OIDC.Can
> someone please share how does KeyCloak handle this for SAML? Important
> thing to realize is, we cannot imagine our customer to update realm
> certificate in all 50+ service providers at the same time.
> https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/keys.html
>
> Regards,
> Muein
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek

From Sebastian.Schuster at bosch-si.com  Thu Jun  1 02:25:00 2017
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1))
Date: Thu, 1 Jun 2017 06:25:00 +0000
Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
In-Reply-To: <7641026E-F94F-4A63-9224-C613D56B899A@iu.edu>
References: <7641026E-F94F-4A63-9224-C613D56B899A@iu.edu>
Message-ID: <3d0ff8a98a0f41b19a278725b7c56193@FE-MBX1028.de.bosch.com>

Hi Marcus,

Both should be possible. For 1) have a look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/identity-broker/default-provider.html
and for 2) look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/identity-broker/suggested.html

Best regards,
Sebastian

Mit freundlichen Gr??en / Best regards

 Sebastian Schuster

Engineering and Support (INST/ESY1) 
Bosch?Software Innovations?GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B 
Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn 




> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> bounces at lists.jboss.org] On Behalf Of Christie, Marcus Aaron
> Sent: Mittwoch, 31. Mai 2017 21:19
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
> 
> Hello,
> 
> I have two questions about Identity Provider configuration in Keycloak.
> 
> 1) I would like to add an Identity Provider and then have this be the only option
> available to the user for authentication.  Is there a way to disable the
> username/password authentication and not show it on the login screen?
> 
> 2) Is there a way to redirect to Keycloak and have it immediately redirect to an
> Identity Provider?  As an example, let?s say I have two Identity Providers, Google
> and Facebook.  In my web application I know that the user wants to log in via
> Google so I want to redirect to Keycloak and tell Keycloak to select the Google
> Identity Provider and redirect to it immediately.  Maybe something like my web
> application redirects to keycloak like so:
> 
> https://mykeycloak.org/auth/realms/myrealm/protocol/openid-
> connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&s
> elected_identity_provider=google
> 
> and then mykeycloak.org<http://mykeycloak.org> immediately redirects to
> Google.  For the user they don?t see the Keycloak page.
> 
> Is there any functionality like the in Keycloak?
> 
> 
> Thanks,
> 
> Marcus
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From thomas.darimont at googlemail.com  Thu Jun  1 05:11:00 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 1 Jun 2017 11:11:00 +0200
Subject: [keycloak-user] How to assign a role at registration?
In-Reply-To: <CABgaDxg1eTFj2R362o89_wdT9P59nG3gowBTV-1_XxC_7gDXfQ@mail.gmail.com>
References: <CABgaDxg1eTFj2R362o89_wdT9P59nG3gowBTV-1_XxC_7gDXfQ@mail.gmail.com>
Message-ID: <CAK-7U1j6BW1FFp1hqGu9kP55pN-qkGpCbFcHPX8vUp-iGj-_Yg@mail.gmail.com>

How about using default composite realm roles which contain the required
client roles?


Cheers,
Thomas

Am 01.06.2017 7:31 vorm. schrieb "mark" <manwoodvice at gmail.com>:

> I have a number of client roles - how can I programmatically set/assign a
> particular role when a user registers with Keycloak?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From supittma at redhat.com  Thu Jun  1 07:53:15 2017
From: supittma at redhat.com (Summers Pittman)
Date: Thu, 1 Jun 2017 07:53:15 -0400
Subject: [keycloak-user] Implementing Keycloak on Android
In-Reply-To: <CADNgyhskVtykOcYb3fsAVT+-YCgSy+kO8u1B7YRiQHfpU+48Mg@mail.gmail.com>
References: <CADNgyhskVtykOcYb3fsAVT+-YCgSy+kO8u1B7YRiQHfpU+48Mg@mail.gmail.com>
Message-ID: <CAEQz2CsvoKiqmK2jom-uM60kcQTFFJrVcVO+QHgoH_zEXnUpsg@mail.gmail.com>

On Wed, May 31, 2017 at 8:23 AM, Raquel J?dez Bello <raqueljudezb at gmail.com>
wrote:

> Hi everyone,
> I am having trouble finding libraries to implement a Keycloak client for
> Android.
> So far, I have found AppAuth and Androgear in keycloak.org, but I am not
> convinced about their simplicity.
>
> Has anyone implemented a simple client for Android?
>

How simple are we talking?

KeyCloak is "basically" OAuth2 so any OAuth2 library on Android should work
for authentication and authorization.  If your use case is further than
than we can work from there.

As an example with AeroGear : http://bit.ly/2rX4z4o

`AuthorizationManager.config` sets up the OAuth 2 session.
 `PipeManage.config` connects your authorization to a RESTful API.
 'authzModule.requestAccess' starts the sign in, and then you can use the
Pipe methods and AeroGear handles the rest.*


*Where the rest is key exchange, refresh tokens, object serialization, etc.


> Thank you very much.
>
> --
> Raquel J?dez.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From machrist at iu.edu  Thu Jun  1 08:49:27 2017
From: machrist at iu.edu (Christie, Marcus Aaron)
Date: Thu, 1 Jun 2017 12:49:27 +0000
Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
Message-ID: <81c9bbfc1b094ed192b24782a48a8861@bl-cci-exch0g.ads.iu.edu>

Hi Sebastian,

Thanks, this looks perfect for my use case.

Thanks again,

Marcus

On Jun 1, 2017 2:25 AM, "Schuster Sebastian (INST/ESY1)" <Sebastian.Schuster at bosch-si.com> wrote:
Hi Marcus,

Both should be possible. For 1) have a look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/identity-broker/default-provider.html
and for 2) look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/identity-broker/suggested.html

Best regards,
Sebastian

Mit freundlichen Gr??en / Best regards

 Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn




> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> bounces at lists.jboss.org] On Behalf Of Christie, Marcus Aaron
> Sent: Mittwoch, 31. Mai 2017 21:19
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
>
> Hello,
>
> I have two questions about Identity Provider configuration in Keycloak.
>
> 1) I would like to add an Identity Provider and then have this be the only option
> available to the user for authentication.  Is there a way to disable the
> username/password authentication and not show it on the login screen?
>
> 2) Is there a way to redirect to Keycloak and have it immediately redirect to an
> Identity Provider?  As an example, let?s say I have two Identity Providers, Google
> and Facebook.  In my web application I know that the user wants to log in via
> Google so I want to redirect to Keycloak and tell Keycloak to select the Google
> Identity Provider and redirect to it immediately.  Maybe something like my web
> application redirects to keycloak like so:
>
> https://mykeycloak.org/auth/realms/myrealm/protocol/openid-
> connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&s
> elected_identity_provider=google
>
> and then mykeycloak.org<http://mykeycloak.org> immediately redirects to
> Google.  For the user they don?t see the Keycloak page.
>
> Is there any functionality like the in Keycloak?
>
>
> Thanks,
>
> Marcus
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From shmuein+keycloak-dev at gmail.com  Thu Jun  1 09:13:35 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Thu, 1 Jun 2017 08:13:35 -0500
Subject: [keycloak-user] Key Rotation for SAML client
In-Reply-To: <CAMvXD=HpYVFEqn2xgbHN4x5=pK95QTmLk5HWf83J-x+QwwAjDA@mail.gmail.com>
References: <CACEM6k8R8SyfH58u3eoVv+1EO4tAb0k6H0LhobkBEm0dTQvDpA@mail.gmail.com>
	<CAMvXD=HpYVFEqn2xgbHN4x5=pK95QTmLk5HWf83J-x+QwwAjDA@mail.gmail.com>
Message-ID: <CACEM6k_txVQjNFcGH0C7zF-A10JDbNTKgeZJoRPxwZH1WgM8Zw@mail.gmail.com>

Thanks for your response, our SAML clients are mostly third-party SaaS
services like Salesforce, AWS, Office 365 etc. So they won't be using the
KeyCloak adapters.

Maybe I was not clear in my question, the scenario is that for a realm we
already have  50+ SAML clients configured, now if we decide to update the
realm, my understanding is that SAML authentication will start failing for
end users unless as admin I go and update the certificates on all of those
service provider settings. In case you have 2,3 client, it is probably
still possible to go and manually update those certificates without
impacting end users. But for 50+ applications, it is not humanly possible
to update certificates for all SPs at the same moment to avoid impact on
end users.

Ideally, there should be a mechanism, to support both old and new
certificates at the same time for some grace period, so that customers can
update configuration for SPs during that period. I am not sure if SAML
protocol supports anything to facilitate this but we can imagine having a
client property to mention which key to use. So until admin updates
certificate on the Service provider side, he can still use the old key.
Does it make sense?

Regards,
Muein

On Thu, Jun 1, 2017 at 1:16 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> If the clients are using Keycloak adapters, see [1]. Other clients can
> use standard SAML descriptor available at
> server-root/auth/realms/{realm}/protocol/saml/descriptor, see [2].
>
> [1] https://keycloak.gitbooks.io/documentation/securing_apps/
> topics/saml/java/general-config/idp_keys_subelement.html
> [2] https://keycloak.gitbooks.io/documentation/server_admin/
> topics/clients/saml/entity-descriptors.html
>
> On Tue, May 30, 2017 at 9:55 PM, Muein Muzamil
> <shmuein+keycloak-dev at gmail.com> wrote:
> > Hi all,
> >
> > We have a business use case, where we'll have a realm with 50+ SAML
> clients
> > configured and we want to update the SAML key for the realm (either for
> > security reason or the certificate got expired),
> >
> > I was reading following section but it seems mostly focused on OIDC.Can
> > someone please share how does KeyCloak handle this for SAML? Important
> > thing to realize is, we cannot imagine our customer to update realm
> > certificate in all 50+ service providers at the same time.
> > https://keycloak.gitbooks.io/documentation/server_admin/
> topics/realms/keys.html
> >
> > Regards,
> > Muein
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek
>

From janek.bartosz at gmail.com  Thu Jun  1 10:29:31 2017
From: janek.bartosz at gmail.com (Jan Bartosz)
Date: Thu, 1 Jun 2017 16:29:31 +0200
Subject: [keycloak-user] backchannel logout, Logout-all-sessions as user
Message-ID: <CA+v2Sq2SeUStHFBX9hcMLua64tNAmZN=Qu3Q01ocCEqA2GfX=w@mail.gmail.com>

Hi,

My concern is about logging 'logout-all-sessions' action as a user. I see
AdminEvent is raised in case admin invokes it.
I assume it was done by purpose - is there some rule/specification behind,
like "backchannel logouts shouldn't be exposed to the outside world"?
Is there a way I can create some provider/broker/... maybe aspect, or
extend some behaviour to catch this backchannel-logout?

Many Thanks in advance!

From rafterjiang at hotmail.com  Thu Jun  1 11:01:45 2017
From: rafterjiang at hotmail.com (rafterjiang)
Date: Thu, 1 Jun 2017 08:01:45 -0700 (MST)
Subject: [keycloak-user] Same user with multiple sessions/tokens?
Message-ID: <1496329305273-3937.post@n6.nabble.com>

Hello,

I am using Keycloak openID endpoint to retrieve access token from keycloak
server using Direct Access Grant mode. I found each time a NEW request is
made using SAME user account/credential, Keycloak returns a *NEW *access
token. (So I can see the same user with multiple sessions)

In this way, I am not sure if a refresh token is still needed, because we
can basically get a new token for each request and NOT care about the
expiration?

Is this expected? Is same user supposed to have many access tokens? Is there
any potential issues to work in this way?

thanks,
R



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Same-user-with-multiple-sessions-tokens-tp3937.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From bburke at redhat.com  Thu Jun  1 11:08:11 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 1 Jun 2017 11:08:11 -0400
Subject: [keycloak-user] Key Rotation for SAML client
In-Reply-To: <CACEM6k_txVQjNFcGH0C7zF-A10JDbNTKgeZJoRPxwZH1WgM8Zw@mail.gmail.com>
References: <CACEM6k8R8SyfH58u3eoVv+1EO4tAb0k6H0LhobkBEm0dTQvDpA@mail.gmail.com>
	<CAMvXD=HpYVFEqn2xgbHN4x5=pK95QTmLk5HWf83J-x+QwwAjDA@mail.gmail.com>
	<CACEM6k_txVQjNFcGH0C7zF-A10JDbNTKgeZJoRPxwZH1WgM8Zw@mail.gmail.com>
Message-ID: <286a9854-022e-aebb-648c-9fc0c527dd19@redhat.com>

I'll bring this discussion to keycloak-dev, but we should probably 
expand on centralized adapter management in the admin console and have 
apps download their configuration from the realm at boot time.


On 6/1/17 9:13 AM, Muein Muzamil wrote:
> Thanks for your response, our SAML clients are mostly third-party SaaS
> services like Salesforce, AWS, Office 365 etc. So they won't be using the
> KeyCloak adapters.
>
> Maybe I was not clear in my question, the scenario is that for a realm we
> already have  50+ SAML clients configured, now if we decide to update the
> realm, my understanding is that SAML authentication will start failing for
> end users unless as admin I go and update the certificates on all of those
> service provider settings. In case you have 2,3 client, it is probably
> still possible to go and manually update those certificates without
> impacting end users. But for 50+ applications, it is not humanly possible
> to update certificates for all SPs at the same moment to avoid impact on
> end users.
>
> Ideally, there should be a mechanism, to support both old and new
> certificates at the same time for some grace period, so that customers can
> update configuration for SPs during that period. I am not sure if SAML
> protocol supports anything to facilitate this but we can imagine having a
> client property to mention which key to use. So until admin updates
> certificate on the Service provider side, he can still use the old key.
> Does it make sense?
>
> Regards,
> Muein
>
> On Thu, Jun 1, 2017 at 1:16 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>
>> If the clients are using Keycloak adapters, see [1]. Other clients can
>> use standard SAML descriptor available at
>> server-root/auth/realms/{realm}/protocol/saml/descriptor, see [2].
>>
>> [1] https://keycloak.gitbooks.io/documentation/securing_apps/
>> topics/saml/java/general-config/idp_keys_subelement.html
>> [2] https://keycloak.gitbooks.io/documentation/server_admin/
>> topics/clients/saml/entity-descriptors.html
>>
>> On Tue, May 30, 2017 at 9:55 PM, Muein Muzamil
>> <shmuein+keycloak-dev at gmail.com> wrote:
>>> Hi all,
>>>
>>> We have a business use case, where we'll have a realm with 50+ SAML
>> clients
>>> configured and we want to update the SAML key for the realm (either for
>>> security reason or the certificate got expired),
>>>
>>> I was reading following section but it seems mostly focused on OIDC.Can
>>> someone please share how does KeyCloak handle this for SAML? Important
>>> thing to realize is, we cannot imagine our customer to update realm
>>> certificate in all 50+ service providers at the same time.
>>> https://keycloak.gitbooks.io/documentation/server_admin/
>> topics/realms/keys.html
>>> Regards,
>>> Muein
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>>
>> --Hynek
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From mike.hills at sematree.com  Thu Jun  1 12:09:13 2017
From: mike.hills at sematree.com (Mike Hills)
Date: Thu, 1 Jun 2017 12:09:13 -0400
Subject: [keycloak-user] Understanding Offline Tokens
Message-ID: <CAFfNJaXHXco2DrpDJTgPN8VRrZ4BBk61Rb=4wzNtzVrvjmVXoQ@mail.gmail.com>

Hi All,

I need to implement offline tokens (
https://keycloak.gitbooks.io/documentation/content/server_admin/topics/sessions/offline.html)
for a number of our REST services.

I followed the instructions provided and it seems to work well. I do have a
couple of questions to confirm my approach please.


   1. The generated offline refresh token is used to return a valid token
   using the grant_type of refresh_token. Does this mean that the
   refresh_token call must be made each time (assuming previous token has
   timed out)?
   2. Is it best practice to hand out the same token for each client that
   needs to authenticate against the service or create a new client for each
   client service?


Any help is appreciated,

Regards,
mike


-- 
Michael J. Hills
Sr. CRM Architect

Mobile: 603.475.5093
Email  : mike.hills at sematree.com
Skype : mhills_sematree

From bburke at redhat.com  Thu Jun  1 12:15:57 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 1 Jun 2017 12:15:57 -0400
Subject: [keycloak-user] backchannel logout, Logout-all-sessions as user
In-Reply-To: <CA+v2Sq2SeUStHFBX9hcMLua64tNAmZN=Qu3Q01ocCEqA2GfX=w@mail.gmail.com>
References: <CA+v2Sq2SeUStHFBX9hcMLua64tNAmZN=Qu3Q01ocCEqA2GfX=w@mail.gmail.com>
Message-ID: <d64a8d2e-6e7a-1872-1298-74739ced7963@redhat.com>

backchannel logouts require authenticated and authorized requests.  So 
what's the problem?  don't understand


On 6/1/17 10:29 AM, Jan Bartosz wrote:
> Hi,
>
> My concern is about logging 'logout-all-sessions' action as a user. I see
> AdminEvent is raised in case admin invokes it.
> I assume it was done by purpose - is there some rule/specification behind,
> like "backchannel logouts shouldn't be exposed to the outside world"?
> Is there a way I can create some provider/broker/... maybe aspect, or
> extend some behaviour to catch this backchannel-logout?
>
> Many Thanks in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From nirmal.kumar at impetus.co.in  Thu Jun  1 14:21:39 2017
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Thu, 1 Jun 2017 18:21:39 +0000
Subject: [keycloak-user] Kerberos Credential Delegation : Using
 GSSCredential to call other kerberos-secured services
Message-ID: <96c0050e3bfe4d998b542aac3673fc0c@impetus.co.in>

Hello Keycloak,

I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.

I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.

FLOW:
-------
Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app.

GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services
GSSContext context = gssManager.createContext(serviceName, krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);

As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS.

Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?

Many Thanks,
-Nirmal


________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

From amaeztu at tesicnor.com  Thu Jun  1 14:37:31 2017
From: amaeztu at tesicnor.com (Amaeztu)
Date: Thu, 01 Jun 2017 20:37:31 +0200
Subject: [keycloak-user] Same user with multiple sessions/tokens?
In-Reply-To: <1496329305273-3937.post@n6.nabble.com>
References: <1496329305273-3937.post@n6.nabble.com>
Message-ID: <pkoarki2vr00ln00fl8cocjt.1496342251868@email.android.com>

Hello, 

I guess you should use the refresh token. The more you send the credentials over the network the worse for security as you increase the chances of somebody obtaining them. 

Nire Sony Xperia? telefonotik bidalita

---- rafterjiang igorleak idatzi du ----

>Hello,
>
>I am using Keycloak openID endpoint to retrieve access token from keycloak
>server using Direct Access Grant mode. I found each time a NEW request is
>made using SAME user account/credential, Keycloak returns a *NEW *access
>token. (So I can see the same user with multiple sessions)
>
>In this way, I am not sure if a refresh token is still needed, because we
>can basically get a new token for each request and NOT care about the
>expiration?
>
>Is this expected? Is same user supposed to have many access tokens? Is there
>any potential issues to work in this way?
>
>thanks,
>R
>
>
>
>--
>View this message in context: http://keycloak-user.88327.x6.nabble.com/Same-user-with-multiple-sessions-tokens-tp3937.html
>Sent from the keycloak-user mailing list archive at Nabble.com.
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user

From nirmal.kumar at impetus.co.in  Fri Jun  2 01:48:09 2017
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Fri, 2 Jun 2017 05:48:09 +0000
Subject: [keycloak-user] Kerberos Credential Delegation : Using
 GSSCredential to call other kerberos-secured services
Message-ID: <cdd5b3eaaf9647cf874a10a99274db6a@impetus.co.in>

Hello Keycloak,

I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.

I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.

FLOW:
-------
Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app.

GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services
GSSContext context = gssManager.createContext(serviceName, krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);

As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS.

Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?

Many Thanks,
-Nirmal


________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

From janek.bartosz at gmail.com  Fri Jun  2 01:58:49 2017
From: janek.bartosz at gmail.com (Jan Bartosz)
Date: Fri, 2 Jun 2017 07:58:49 +0200
Subject: [keycloak-user] backchannel logout, Logout-all-sessions as user
In-Reply-To: <d64a8d2e-6e7a-1872-1298-74739ced7963@redhat.com>
References: <CA+v2Sq2SeUStHFBX9hcMLua64tNAmZN=Qu3Q01ocCEqA2GfX=w@mail.gmail.com>
	<d64a8d2e-6e7a-1872-1298-74739ced7963@redhat.com>
Message-ID: <CA+v2Sq2VjJpoCStKXNSKQtD=TfPTRtcAZdedvREeanqPSR4EWw@mail.gmail.com>

HI,

Many Thanks for reply!
The issue is that I've created EventListener in order to do some audit
logging from caught events. So , for example when user performs
frontend/browser login/logout actions, corresponding
events(EventType.LOGIN/LOGOUT) are sent, so I can log that info to my audit
log. However,  on  'Mange account '-> 'Sessions' I can 'Log out all
sessions' and this action does not send any event, so I'm not able to log
via my EventListener anything.
So, the lack of event is done by purpose, or do you plan maybe to introduce
it?

Kind Regards!


2017-06-01 18:15 GMT+02:00 Bill Burke <bburke at redhat.com>:

> backchannel logouts require authenticated and authorized requests.  So
> what's the problem?  don't understand
>
>
> On 6/1/17 10:29 AM, Jan Bartosz wrote:
> > Hi,
> >
> > My concern is about logging 'logout-all-sessions' action as a user. I see
> > AdminEvent is raised in case admin invokes it.
> > I assume it was done by purpose - is there some rule/specification
> behind,
> > like "backchannel logouts shouldn't be exposed to the outside world"?
> > Is there a way I can create some provider/broker/... maybe aspect, or
> > extend some behaviour to catch this backchannel-logout?
> >
> > Many Thanks in advance!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com  Fri Jun  2 03:35:32 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Jun 2017 09:35:32 +0200
Subject: [keycloak-user] Implementing Keycloak on Android
In-Reply-To: <CADNgyhskVtykOcYb3fsAVT+-YCgSy+kO8u1B7YRiQHfpU+48Mg@mail.gmail.com>
References: <CADNgyhskVtykOcYb3fsAVT+-YCgSy+kO8u1B7YRiQHfpU+48Mg@mail.gmail.com>
Message-ID: <CAJgngAf9QsMaumUw-NYUxyHA-=XWK+O8Aan8EEmfVJaYMUVKeQ@mail.gmail.com>

What's wrong with AppAuth? It's Google's answer to OpenID Connect on
Android. I can't see how that can be wrong ;)

I haven't tried it though, but it's the first thing I would look at if I
was trying to secure an Android app with Keycloak.

On 31 May 2017 at 14:23, Raquel J?dez Bello <raqueljudezb at gmail.com> wrote:

> Hi everyone,
> I am having trouble finding libraries to implement a Keycloak client for
> Android.
> So far, I have found AppAuth and Androgear in keycloak.org, but I am not
> convinced about their simplicity.
>
> Has anyone implemented a simple client for Android?
> Thank you very much.
>
> --
> Raquel J?dez.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com  Fri Jun  2 03:37:23 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Jun 2017 09:37:23 +0200
Subject: [keycloak-user] Implementing Keycloak on Android
In-Reply-To: <CAJgngAf9QsMaumUw-NYUxyHA-=XWK+O8Aan8EEmfVJaYMUVKeQ@mail.gmail.com>
References: <CADNgyhskVtykOcYb3fsAVT+-YCgSy+kO8u1B7YRiQHfpU+48Mg@mail.gmail.com>
	<CAJgngAf9QsMaumUw-NYUxyHA-=XWK+O8Aan8EEmfVJaYMUVKeQ@mail.gmail.com>
Message-ID: <CAJgngAdkN-_qehE_z_vCtf3TRa1HYJmjY-2CPCUmxQXo6gZGAw@mail.gmail.com>

Custom tabs is the way to go on Android, not direct grant. Custom tabs
allows using the system browser which means all the security from the
system browser, SSO support between multiple apps, all nice flows from
Keycloak, etc..

On 2 June 2017 at 09:35, Stian Thorgersen <sthorger at redhat.com> wrote:

> What's wrong with AppAuth? It's Google's answer to OpenID Connect on
> Android. I can't see how that can be wrong ;)
>
> I haven't tried it though, but it's the first thing I would look at if I
> was trying to secure an Android app with Keycloak.
>
> On 31 May 2017 at 14:23, Raquel J?dez Bello <raqueljudezb at gmail.com>
> wrote:
>
>> Hi everyone,
>> I am having trouble finding libraries to implement a Keycloak client for
>> Android.
>> So far, I have found AppAuth and Androgear in keycloak.org, but I am not
>> convinced about their simplicity.
>>
>> Has anyone implemented a simple client for Android?
>> Thank you very much.
>>
>> --
>> Raquel J?dez.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From sthorger at redhat.com  Fri Jun  2 08:32:31 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Jun 2017 14:32:31 +0200
Subject: [keycloak-user] Password policy for the last used passwords
In-Reply-To: <D919D4EE-F607-4708-9640-161E2CBA88C7@expedia.com>
References: <D919D4EE-F607-4708-9640-161E2CBA88C7@expedia.com>
Message-ID: <CAJgngAfzw3Rtgi42jgvB7b6UsfFHDJVZJwi-y5y2CtPuS9MTKQ@mail.gmail.com>

This is certainly not intentional. When you re-create the user through the
admin api is it with the same user id? If so it could seem credentials are
not deleted properly when the user is and that the "old" credentials are
then associated with the new user.

On 1 June 2017 at 06:28, Sarp Kaya <akaya at expedia.com> wrote:

> Hello,
> My keycloak configuration has password policy enabled for all users and it
> also has the Not Recently Used part specified to some number.
>  I have a simple use case:
>
>
>   1.  I create user
>   2.  I set a password for this user
>   3.  I delete this user
>
> I repeat this step again, with the same username and password and I get an
> error on 2nd step which is "Invalid password: must not be equal to any of
> last x passwords.?
> The problem is, I can only have this error on admin API, if I do it on the
> admin UI then I don?t get it.
>
> Now obviously if it was the same ?user? it would make sense, but since I
> delete this username and create a new user, which has different user ID;
> then I would expect it to behave differently.
>
> I am using Keycloak 3.1.0 and Java adapter which has 3.1.0 as well. The
> below are the code
>
>
>   1.  Creating user:
>
> keycloak.realm(usersRealm).users().create(someUserRepresentation);
>
> 2. Resetting password of the user:
> CredentialRepresentation passwordCredRepresentation = new
> CredentialRepresentation();
> representation.setTemporary(false);
> representation.setType(PASSWORD);
> representation.setValue(password);
> UserResource userResource = keycloak.realm(usersRealm).
> users().get(keycloakId);
> userResource.resetPassword(passwordCredRepresentation);
>
>
> 3. Deleting the user:
> keycloak.realm(usersRealm).users().delete(keycloakId))
>
>
> I definitely know that delete user works because once I run this, I don?t
> see any user and when I run create user code, I can see a user account with
> different ID.
>
> My question is, is this intentional or a bug? If it is intentional, then
> how can I clear user?s password history? I tried looking that up in admin
> api but could not find any call.
>
> Thanks,
> Sarp
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From shanonvl at gmail.com  Fri Jun  2 09:03:41 2017
From: shanonvl at gmail.com (Shanon Levenherz)
Date: Fri, 2 Jun 2017 09:03:41 -0400
Subject: [keycloak-user] Multiple tenants in a single realm
Message-ID: <E08D353F-C560-49D7-A212-D1DF75D12576@gmail.com>

Hi there,

I?m looking to leverage Keycloak as the primary IdP for our SaaS platform.   We have many tenants, each with their own sub-tenants ( their customers ) and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc).     Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms.    My current thinking is that I?d like to use a single realm as I?d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to eg. administer the users or create a sub group for a new tenant.

Something like this:

REALM
|
|- User 1 (user-admin role)
|
|- Tenant 1 Group
|  |
|  |- User 1.1 (user-admin role)
|  |- User 1.2
|  |- ?
|  |- User 1.n
|
|- Tenant 2 Group
|  |
|  |- User 2.1 (user-admin role)
|  |- User 2.1
|  |- ?
|  |- User 2.n
|  |
|  |- Tenant 3 Group
|  |
|  |- User 3.1 (user-admin role)
|  |- User 3.2
|  |- ?
|  |- User 3.n

From the above we?re looking for:

* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3

I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke:
>I like that idea.  A better alternative might be that each group has an 
>"user-admin" role.  If a user has the "user-admin" role of the group, it 
>can administer users in that group and assign roles defined in that 
>group.  One thing to really think about is, what about sub-groups.  Can 
>an admin of the parent group administer sub groups?
This post is from October 2015, so I?m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all?   I can?t find anything about it in the docs.  I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it?s the same thing.   

Disclaimer:  I?m new to Keycloak so maybe am misunderstanding and/or going about this incorrectly? please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help.   

Thank you! 

Best,
Shanon


From mposolda at redhat.com  Fri Jun  2 10:56:58 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 2 Jun 2017 16:56:58 +0200
Subject: [keycloak-user] Kerberos Credential Delegation : Using
 GSSCredential to call other kerberos-secured services
In-Reply-To: <cdd5b3eaaf9647cf874a10a99274db6a@impetus.co.in>
References: <cdd5b3eaaf9647cf874a10a99274db6a@impetus.co.in>
Message-ID: <c00cbad2-4eeb-d50b-aaec-f13bf1d194d6@redhat.com>

Hi,

I am sorry, but this is out-of-scope of Keycloak. Keycloak role ends in 
the moment, when you are successfully authenticated in your app and you 
have GSS Credential. The exact way how to use that credential further to 
access other service is specific to that service. So you would need to 
ask Hive Server 2 (or maybe just JDBC protocol or HDFS) documentation 
for details.

As you can see, the example itself uses delegated authentication to 
Apache Directory server, which supports authentication through the 
GSSAPI Sasl mechanism. But that's specific to the Apache Directory itself.

Btv. still if you find the way, it will be good if you can reply here 
and share. Might be useful for the reference in future for other users 
with same issue.

Marek


On 02/06/17 07:48, Nirmal Kumar wrote:
> Hello Keycloak,
>
> I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.
>
> I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.
>
> FLOW:
> -------
> Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app.
>
> GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
> // Create GSSContext to call other kerberos-secured services
> GSSContext context = gssManager.createContext(serviceName, krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
>
> As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS.
>
> Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?
>
> Many Thanks,
> -Nirmal
>
>
> ________________________________
>
>
>
>
>
>
> NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Fri Jun  2 11:06:09 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 2 Jun 2017 17:06:09 +0200
Subject: [keycloak-user] backchannel logout, Logout-all-sessions as user
In-Reply-To: <CA+v2Sq2VjJpoCStKXNSKQtD=TfPTRtcAZdedvREeanqPSR4EWw@mail.gmail.com>
References: <CA+v2Sq2SeUStHFBX9hcMLua64tNAmZN=Qu3Q01ocCEqA2GfX=w@mail.gmail.com>
	<d64a8d2e-6e7a-1872-1298-74739ced7963@redhat.com>
	<CA+v2Sq2VjJpoCStKXNSKQtD=TfPTRtcAZdedvREeanqPSR4EWw@mail.gmail.com>
Message-ID: <008d300b-8bc5-f4a2-4b12-fc1d6efb1516@redhat.com>

You're right. It seems we somehow missing the event for Account 
management logout. Could you please create JIRA for it?

Eventually if you want to submit PR, feel free to do that. The code is 
in AccountService.processSessionsLogout . The test is already in 
AccountTest.sessions() and it is calling events.expectLogout(), but 
doesn't call "assertEvent()" in the end, so the assertion error is 
currently not thrown even if it doesn't work.

Thanks,
Marek

On 02/06/17 07:58, Jan Bartosz wrote:
> HI,
>
> Many Thanks for reply!
> The issue is that I've created EventListener in order to do some audit
> logging from caught events. So , for example when user performs
> frontend/browser login/logout actions, corresponding
> events(EventType.LOGIN/LOGOUT) are sent, so I can log that info to my audit
> log. However,  on  'Mange account '-> 'Sessions' I can 'Log out all
> sessions' and this action does not send any event, so I'm not able to log
> via my EventListener anything.
> So, the lack of event is done by purpose, or do you plan maybe to introduce
> it?
>
> Kind Regards!
>
>
> 2017-06-01 18:15 GMT+02:00 Bill Burke <bburke at redhat.com>:
>
>> backchannel logouts require authenticated and authorized requests.  So
>> what's the problem?  don't understand
>>
>>
>> On 6/1/17 10:29 AM, Jan Bartosz wrote:
>>> Hi,
>>>
>>> My concern is about logging 'logout-all-sessions' action as a user. I see
>>> AdminEvent is raised in case admin invokes it.
>>> I assume it was done by purpose - is there some rule/specification
>> behind,
>>> like "backchannel logouts shouldn't be exposed to the outside world"?
>>> Is there a way I can create some provider/broker/... maybe aspect, or
>>> extend some behaviour to catch this backchannel-logout?
>>>
>>> Many Thanks in advance!
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Fri Jun  2 11:14:04 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 2 Jun 2017 17:14:04 +0200
Subject: [keycloak-user] Understanding Offline Tokens
In-Reply-To: <CAFfNJaXHXco2DrpDJTgPN8VRrZ4BBk61Rb=4wzNtzVrvjmVXoQ@mail.gmail.com>
References: <CAFfNJaXHXco2DrpDJTgPN8VRrZ4BBk61Rb=4wzNtzVrvjmVXoQ@mail.gmail.com>
Message-ID: <fb60563c-a2fc-b968-0e23-83ba852f5ddf@redhat.com>

On 01/06/17 18:09, Mike Hills wrote:
> Hi All,
>
> I need to implement offline tokens (
> https://keycloak.gitbooks.io/documentation/content/server_admin/topics/sessions/offline.html)
> for a number of our REST services.
>
> I followed the instructions provided and it seems to work well. I do have a
> couple of questions to confirm my approach please.
>
>
>     1. The generated offline refresh token is used to return a valid token
>     using the grant_type of refresh_token. Does this mean that the
>     refresh_token call must be made each time (assuming previous token has
>     timed out)?
Yes. Access token timeout is supposed to be short (1-5 mins or so), so 
once it is expired, you may need to use offline token for refresh 
request and retrieve new access token.
>     2. Is it best practice to hand out the same token for each client that
>     needs to authenticate against the service or create a new client for each
>     client service?
There are 2 main types of applications:
1. Frontend clients: Those are applications, which are authenticated 
against Keycloak and they are retrieve any tokens dedicated to them
2. REST clients: Those are usually bearer-only clients, which doesn't 
authenticate directly against Keycloak. They just wait once some other 
service of type of type 1 send them the access token.

The best is that you have dedicated client (and tokens) for every client 
of type 1. Then you use the token to call the backend REST services of 
type 2 from this client. If client wants to access 5 different REST 
services, you still use same token to authenticate against them. You may 
just need scope roles to be available in the token, so that REST service 
can access them.

For more details, see our documentation and examples.

Marek
>
>
> Any help is appreciated,
>
> Regards,
> mike
>
>


From nirmal.kumar at impetus.co.in  Fri Jun  2 11:27:24 2017
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Fri, 2 Jun 2017 15:27:24 +0000
Subject: [keycloak-user] Kerberos Credential Delegation : Using
 GSSCredential to call other kerberos-secured services
In-Reply-To: <c00cbad2-4eeb-d50b-aaec-f13bf1d194d6@redhat.com>
References: <cdd5b3eaaf9647cf874a10a99274db6a@impetus.co.in>
	<c00cbad2-4eeb-d50b-aaec-f13bf1d194d6@redhat.com>
Message-ID: <91ef3f728bba47838721d39e8684458d@impetus.co.in>

Thanks Marek for the reply.

I am currently delving into Hive Server 2 to find ways to access it and will surely share my findings here.

-Nirmal

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Friday, June 2, 2017 8:27 PM
To: Nirmal Kumar <nirmal.kumar at impetus.co.in>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services

Hi,

I am sorry, but this is out-of-scope of Keycloak. Keycloak role ends in the moment, when you are successfully authenticated in your app and you have GSS Credential. The exact way how to use that credential further to access other service is specific to that service. So you would need to ask Hive Server 2 (or maybe just JDBC protocol or HDFS) documentation for details.

As you can see, the example itself uses delegated authentication to Apache Directory server, which supports authentication through the GSSAPI Sasl mechanism. But that's specific to the Apache Directory itself.

Btv. still if you find the way, it will be good if you can reply here and share. Might be useful for the reference in future for other users with same issue.

Marek


On 02/06/17 07:48, Nirmal Kumar wrote:
> Hello Keycloak,
>
> I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.
>
> I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.
>
> FLOW:
> -------
> Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app.
>
> GSSCredential deserializedGssCredential =
> org.keycloak.common.util.KerberosSerializationUtils.deserializeCredent
> ial(serializedGssCredential); // Create GSSContext to call other
> kerberos-secured services GSSContext context =
> gssManager.createContext(serviceName,
> krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
>
> As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS.
>
> Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?
>
> Many Thanks,
> -Nirmal
>
>
> ________________________________
>
>
>
>
>
>
> NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.


From celso.agra at gmail.com  Fri Jun  2 16:47:38 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Fri, 2 Jun 2017 17:47:38 -0300
Subject: [keycloak-user] How to store "UserPassword" in LDAP through
	Keycloak Admin Client?
Message-ID: <CAOFYJDt5afhJOgO9=7SjyjqqJcbc5uw7QiOu8Uyxmi+h5_OMCQ@mail.gmail.com>

Hi all,

Please, need some help! I'm trying to create an user through Keycloak Admin
Client.
So, When I add an user from Keycloak register page my LDAP stores a tag
called "userPassword" with the password stored.
But When I add an user from Keycloak Admin Client, all informations are
stored in LDAP, except "userPassword". Am I doing something wrong?

Here is my code below:

public Response createUserKeycloak(UserKeycloak userKeycloak) {
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue(userKeycloak.getPassword());
> credential.setTemporary(false);



> UserRepresentation user = new UserRepresentation();
> user.setUsername(userKeycloak.getUsername());
> user.setFirstName(userKeycloak.getFirstName());
> user.setLastName(userKeycloak.getLastName());
> user.setEnabled(true);
> if (userKeycloak.getEmail() != null)
> user.setEmail(userKeycloak.getEmail());
> user.setCredentials(Arrays.asList(credential));
>


> RealmResource realmResource = keycloak.realm(realmProperties.getRealm());
> UsersResource userRessource = realmResource.users();
> return userRessource.create(user);
> }



Best Regards,

-- 
---
*Celso Agra*

From stephane.granger at gmail.com  Fri Jun  2 17:22:06 2017
From: stephane.granger at gmail.com (Stephane Granger)
Date: Fri, 2 Jun 2017 17:22:06 -0400
Subject: [keycloak-user] Authorization settings can't be exported more than
	once on 3.1.0.Final
Message-ID: <CAHX=cdULfOFM3parjsmYidETUmmJaKa0UU25MNrCBnuyPWUEcA@mail.gmail.com>

I am running into a weird issue.  After creating a client which uses the
Authorization settings, the settings can only be exported 1 time.
Rebooting the key cloak server doesn't clear the problem.

Steps to reproduce.

Create TEST realm

Create TEST client, make sure the Authorization Enabled slider is set to
ON, click save.

Create the following Roles for the client
role1
role2
role3

Go on the Authorization tab
create 3 policies: policy1, policy2, policy3 with corresponding required
 role1...3 from the TEST client

create Authorization Scopes: scope1, scope2, scope3

create Resources: resource1 with scope2, resource2/scope2 and
resource3/scope3

finally, create the permissions
resource based: permission1/resource1/policy1
resource based: permission2/resource2/policy2
scope based: permission3/scope3/policy3

On the Authorization tab of the TEST client, click on the Export button.
This will work.
Navigate back to a different realm, and back again to the Authorization tab
of the TEST client, try exporting again, this time it will fail.
Restarting the Keycloak server does not clear the problem.


Here are the logs:

2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
UT005023: Exception handling request to
/auth/admin/realms/TEST/clients/411eea34-dbc1-4227-ac4a-1c6afb22f7a5/authz/resource-server/settings:
org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
Error while exporting policy [policy1].
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Error while exporting policy
[policy1].
at
org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(ExportUtils.java:386)
at
org.keycloak.exportimport.util.ExportUtils.lambda$exportAuthorizationSettings$3(ExportUtils.java:313)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175)
at
java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at
java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at
org.keycloak.exportimport.util.ExportUtils.exportAuthorizationSettings(ExportUtils.java:313)
at
org.keycloak.authorization.admin.ResourceServerService.exportSettings(ResourceServerService.java:133)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Caused by: java.lang.NullPointerException
at
org.keycloak.exportimport.util.ExportUtils.lambda$createPolicyRepresentation$7(ExportUtils.java:351)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at
java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at
java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at
org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(ExportUtils.java:353)
... 68 more

From kyle.swensson at tasktop.com  Fri Jun  2 17:27:43 2017
From: kyle.swensson at tasktop.com (Kyle Swensson)
Date: Fri, 2 Jun 2017 14:27:43 -0700
Subject: [keycloak-user] User sessions not ending upon automatic logout
Message-ID: <CAP0XCm6pkVevP1GzwT=z4NcmY3gdsPOhrW00KdPNx9R_7BztjA@mail.gmail.com>

Hello,


I am having an issue with refresh tokens while using keycloak with the
Tomcat adapter. I'm using Keycloak 2.3.0 and Tomcat 7

The issue arises when I authenticate with keycloak as a basic user using
tomcat. When this happens a session is started for my basic user, which I
believe means that I am given a refresh token. Then, I navigate to the
Keycloak Admin Console page on a different window. Since I am authenticated
as a basic user, since Keycloak uses SSO it will try to automatically log
my current user into the Admin Console, but it will fail since my basic
user is not configured to be able to use the admin console. After it fails,
Keycloak "logs out" my current user because I don't have permissions to
access the admin console.

The problem is that this "logout" that Keycloak just did doesn't end the
basic user's session for some reason, and thus it doesn't invalidate their
refresh token. This is a problem because it means that if I go back to my
basic user's application, even though keycloak supposedly logged me out, I
can still use the refresh token to get more access tokens for the
application, and thus continue using the application as normal even though
I'm not technically logged in. Worse still, the logout functionality ceases
to work because since Keycloak thinks my user isn't logged in, telling
Keycloak to log my user out doesn't work. This makes it so that the only
way to actually invalidate my current refresh token is by going to "My
Account" as the basic user, and ending all current sessions for them.

It's worth noting that this *only *happens when the basic user is
automatically logged out when Keycloak tries to sign it in to the admin
console automatically. For example, if I have the admin console window open
before I log my basic user in, and then while I am logged in with my basic
user I log in normally to the admin console with a different user, Keycloak
will successfully log out my basic user and end their session, invalidating
their refresh token, like it should.


I'm wondering if this is an actual bug with Keycloak, or if this is just
being caused by some user error on my side, because I can't really figure
out a workaround for this issue. One potential workaround that I have found
is enabling "Revoke Refresh Token" in the "Tokens" tab of the "Realm
Settings" section of the Keycloak admin console, however this is making my
application run quite strangely, and I'm not certain why.

If upgrading to Keycloak 3.0 would fix the problem I can do that, however
it will likely be a fair bit of work so I don't really want to upgrade
unless I'm certain it will fix the problem.

From rationull at gmail.com  Sat Jun  3 00:25:52 2017
From: rationull at gmail.com (Jonathan Little)
Date: Fri, 2 Jun 2017 21:25:52 -0700
Subject: [keycloak-user] Allowing multiple JWT issuers in a devel environment
Message-ID: <CALLLnfW27dWhN1W4CQzcdviFdwcBULbQex+nJxzj37Ovdx7GoQ@mail.gmail.com>

I'm trying to set up a devel environment with Keycloak in a Docker
container, a back-end service in a separate linked Docker container, and a
front end web app that authenticates against Keycloak and then uses a
bearer token with the back end service. Bearer token validation is failing
in this case due to the JWT's iss field not matching the realm URL: the
realm URL is based on a hostname in the Docker network but the login
occurred against localhost from the browser running outside Docker via a
host port mapping.

This is obviously a devel specific scenario and I'd like to be able to opt
in to multiple allowed issuers, an issuer regex, skipping issuer
verification, or some other workaround. AFAIKT there is no mechanism for
this and the options are:

1) Add an entry to the devel machine's hosts file so that the browser can
use the same hostname as the Keycloak container has in the Docker network.
This is simple but undesirable because I'd rather not have to globally
modify the devel machine configuration for this.

2) Run the devel Keycloak server outside of Docker at a known externally
accessible hostname. This is potentially the cleanest solution (although it
may have redirect issues with locally hosted devel websites -- I haven't
tried yet) but I'd really like to be able to run Keycloak locally.

3) Somehow hack or customize the token validation code. The issuer check is
fairly deep and I don't see any convenient or palatable hacks though.


This seems to me like it'd be a common situation but is it legitimate or am
I thinking about this wrong? Does anyone else have any ideas or think this
would be a worthwhile addition to the library? Seems to me that multiple
issuers or an issuer regex would be clean solutions.

If this makes sense I will file a feature request (not sure if PRs are
accepted on this project), but it seems like such an ordinary situation
that I feel like I must be missing something!

From bburke at redhat.com  Sat Jun  3 10:18:37 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 3 Jun 2017 10:18:37 -0400
Subject: [keycloak-user] User sessions not ending upon automatic logout
In-Reply-To: <CAP0XCm6pkVevP1GzwT=z4NcmY3gdsPOhrW00KdPNx9R_7BztjA@mail.gmail.com>
References: <CAP0XCm6pkVevP1GzwT=z4NcmY3gdsPOhrW00KdPNx9R_7BztjA@mail.gmail.com>
Message-ID: <e9b7d752-18ef-43fb-0f06-50512afcd478@redhat.com>

The admin console should not be logging you out if your logged in user 
doesn't have permission to access it.  Are you sure it is logging you 
out and not just displaying an error page?  The behavior you specify 
sounds correct as we do not initiate an SSO logout if a user fails 
authorization for one application

On 6/2/17 5:27 PM, Kyle Swensson wrote:
> Hello,
>
>
> I am having an issue with refresh tokens while using keycloak with the
> Tomcat adapter. I'm using Keycloak 2.3.0 and Tomcat 7
>
> The issue arises when I authenticate with keycloak as a basic user using
> tomcat. When this happens a session is started for my basic user, which I
> believe means that I am given a refresh token. Then, I navigate to the
> Keycloak Admin Console page on a different window. Since I am authenticated
> as a basic user, since Keycloak uses SSO it will try to automatically log
> my current user into the Admin Console, but it will fail since my basic
> user is not configured to be able to use the admin console. After it fails,
> Keycloak "logs out" my current user because I don't have permissions to
> access the admin console.
>
> The problem is that this "logout" that Keycloak just did doesn't end the
> basic user's session for some reason, and thus it doesn't invalidate their
> refresh token. This is a problem because it means that if I go back to my
> basic user's application, even though keycloak supposedly logged me out, I
> can still use the refresh token to get more access tokens for the
> application, and thus continue using the application as normal even though
> I'm not technically logged in. Worse still, the logout functionality ceases
> to work because since Keycloak thinks my user isn't logged in, telling
> Keycloak to log my user out doesn't work. This makes it so that the only
> way to actually invalidate my current refresh token is by going to "My
> Account" as the basic user, and ending all current sessions for them.
>
> It's worth noting that this *only *happens when the basic user is
> automatically logged out when Keycloak tries to sign it in to the admin
> console automatically. For example, if I have the admin console window open
> before I log my basic user in, and then while I am logged in with my basic
> user I log in normally to the admin console with a different user, Keycloak
> will successfully log out my basic user and end their session, invalidating
> their refresh token, like it should.
>
>
> I'm wondering if this is an actual bug with Keycloak, or if this is just
> being caused by some user error on my side, because I can't really figure
> out a workaround for this issue. One potential workaround that I have found
> is enabling "Revoke Refresh Token" in the "Tokens" tab of the "Realm
> Settings" section of the Keycloak admin console, however this is making my
> application run quite strangely, and I'm not certain why.
>
> If upgrading to Keycloak 3.0 would fix the problem I can do that, however
> it will likely be a fair bit of work so I don't really want to upgrade
> unless I'm certain it will fix the problem.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From juanjo.diaz at intopalo.com  Mon Jun  5 03:26:35 2017
From: juanjo.diaz at intopalo.com (=?UTF-8?B?SnVhbiBKb3PDqSBEw61heiBNb250YcOxYQ==?=)
Date: Mon, 5 Jun 2017 10:26:35 +0300
Subject: [keycloak-user] Allowing multiple JWT issuers in a devel
	environment
In-Reply-To: <CALLLnfW27dWhN1W4CQzcdviFdwcBULbQex+nJxzj37Ovdx7GoQ@mail.gmail.com>
References: <CALLLnfW27dWhN1W4CQzcdviFdwcBULbQex+nJxzj37Ovdx7GoQ@mail.gmail.com>
Message-ID: <CACaGtfwf9Xx+kSCuPcw51MuN6m87rqsHbFLfYhC4fBpZsEngsA@mail.gmail.com>

Hi Jonathan,

This is not only a development issue. Anyone running in NAT'd environments
and/or more complex network setups will face this.
I raised the same issue few days ago (
http://lists.jboss.org/pipermail/keycloak-user/2017-May/010788.html) and
there is plenty of previous post highlighting the issue dating even few
years back.
I even offered myself to implement whatever changes are necessary to
Keycloak adapters since this is an important feature for one of my clients.
Unfortunately, it doesn't seem that the Keycloak maintainers/community
really care about this issue or have any intention of doing something about
it :/

Regards,


-- 
*Juanjo D?az*
Software Architect  @Intopalo Oy <https://intopalo.com>
+358 50 4667571 <+358+50+4667571> | juanjo.diaz at intopalo.com

On 3 June 2017 at 07:25, Jonathan Little <rationull at gmail.com> wrote:

> I'm trying to set up a devel environment with Keycloak in a Docker
> container, a back-end service in a separate linked Docker container, and a
> front end web app that authenticates against Keycloak and then uses a
> bearer token with the back end service. Bearer token validation is failing
> in this case due to the JWT's iss field not matching the realm URL: the
> realm URL is based on a hostname in the Docker network but the login
> occurred against localhost from the browser running outside Docker via a
> host port mapping.
>
> This is obviously a devel specific scenario and I'd like to be able to opt
> in to multiple allowed issuers, an issuer regex, skipping issuer
> verification, or some other workaround. AFAIKT there is no mechanism for
> this and the options are:
>
> 1) Add an entry to the devel machine's hosts file so that the browser can
> use the same hostname as the Keycloak container has in the Docker network.
> This is simple but undesirable because I'd rather not have to globally
> modify the devel machine configuration for this.
>
> 2) Run the devel Keycloak server outside of Docker at a known externally
> accessible hostname. This is potentially the cleanest solution (although it
> may have redirect issues with locally hosted devel websites -- I haven't
> tried yet) but I'd really like to be able to run Keycloak locally.
>
> 3) Somehow hack or customize the token validation code. The issuer check is
> fairly deep and I don't see any convenient or palatable hacks though.
>
>
> This seems to me like it'd be a common situation but is it legitimate or am
> I thinking about this wrong? Does anyone else have any ideas or think this
> would be a worthwhile addition to the library? Seems to me that multiple
> issuers or an issuer regex would be clean solutions.
>
> If this makes sense I will file a feature request (not sure if PRs are
> accepted on this project), but it seems like such an ordinary situation
> that I feel like I must be missing something!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Gregoire.Jeanmart at ai-london.com  Mon Jun  5 03:33:53 2017
From: Gregoire.Jeanmart at ai-london.com (Gregoire Jeanmart)
Date: Mon, 5 Jun 2017 07:33:53 +0000
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
Message-ID: <6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>

Hello, 
Sorry for chasing up. Does anybody face the same problem? 
Thanks, 
________________________________________
From: Gregoire Jeanmart
Sent: 31 May 2017 18:36
To: keycloak-user at lists.jboss.org
Subject: Browser tries to store the username "This is not a login form" after updating a temporary password

Hello,
One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to ?This is not a login form? / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn?t accepted by my users as it is very unusual and not user friendly.

Is there a way to fix this issue ?

Information:
- Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
- Browser: Google Chrome and Mozilla Firefox
- Similar issue: https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak

Thanks in advance.

Gregoire Jeanmart


From mposolda at redhat.com  Mon Jun  5 03:43:25 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Jun 2017 09:43:25 +0200
Subject: [keycloak-user] How to store "UserPassword" in LDAP through
 Keycloak Admin Client?
In-Reply-To: <CAOFYJDt5afhJOgO9=7SjyjqqJcbc5uw7QiOu8Uyxmi+h5_OMCQ@mail.gmail.com>
References: <CAOFYJDt5afhJOgO9=7SjyjqqJcbc5uw7QiOu8Uyxmi+h5_OMCQ@mail.gmail.com>
Message-ID: <6b2dd9c9-06a5-5f83-1304-5ca62a871245@redhat.com>

Hi,

once you create user, you need to use separate REST endpoint for update 
user credentials. The best is to look at our testsuite and how it uses 
REST endpoints (eg. see UserTest class from keycloak codebase) or 
eventually explore admin console with some tool like firebug, which will 
show you what REST endpoints is our admin console calling (KC admin 
console is just an angular application calling admin REST endpoints 
under the covers)

Marek

On 02/06/17 22:47, Celso Agra wrote:
> Hi all,
>
> Please, need some help! I'm trying to create an user through Keycloak Admin
> Client.
> So, When I add an user from Keycloak register page my LDAP stores a tag
> called "userPassword" with the password stored.
> But When I add an user from Keycloak Admin Client, all informations are
> stored in LDAP, except "userPassword". Am I doing something wrong?
>
> Here is my code below:
>
> public Response createUserKeycloak(UserKeycloak userKeycloak) {
>> CredentialRepresentation credential = new CredentialRepresentation();
>> credential.setType(CredentialRepresentation.PASSWORD);
>> credential.setValue(userKeycloak.getPassword());
>> credential.setTemporary(false);
>
>
>> UserRepresentation user = new UserRepresentation();
>> user.setUsername(userKeycloak.getUsername());
>> user.setFirstName(userKeycloak.getFirstName());
>> user.setLastName(userKeycloak.getLastName());
>> user.setEnabled(true);
>> if (userKeycloak.getEmail() != null)
>> user.setEmail(userKeycloak.getEmail());
>> user.setCredentials(Arrays.asList(credential));
>>
>
>> RealmResource realmResource = keycloak.realm(realmProperties.getRealm());
>> UsersResource userRessource = realmResource.users();
>> return userRessource.create(user);
>> }
>
>
> Best Regards,
>


From mposolda at redhat.com  Mon Jun  5 03:58:07 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Jun 2017 09:58:07 +0200
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
Message-ID: <737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>

Hi,

This seem like the environment specific issue. I never saw this.

It seems that it happens under some special circumstances (eg. specific 
browser with some specific browser plugins enabled etc). Feel free to 
create JIRA if you manage to figure some more details how to reproduce it.

Marek

On 05/06/17 09:33, Gregoire Jeanmart wrote:
> Hello,
> Sorry for chasing up. Does anybody face the same problem?
> Thanks,
> ________________________________________
> From: Gregoire Jeanmart
> Sent: 31 May 2017 18:36
> To: keycloak-user at lists.jboss.org
> Subject: Browser tries to store the username "This is not a login form" after updating a temporary password
>
> Hello,
> One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to ?This is not a login form? / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn?t accepted by my users as it is very unusual and not user friendly.
>
> Is there a way to fix this issue ?
>
> Information:
> - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> - Browser: Google Chrome and Mozilla Firefox
> - Similar issue: https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak
>
> Thanks in advance.
>
> Gregoire Jeanmart
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From Martin.Plank at softec.sk  Mon Jun  5 04:06:30 2017
From: Martin.Plank at softec.sk (Plank Martin)
Date: Mon, 5 Jun 2017 08:06:30 +0000
Subject: [keycloak-user] E-mail as username with LDAP federation
Message-ID: <e4a65884e2e24fb99c3bcd3d84c78e7b@softec.sk>

Hello,

I have a realm with this configuration:

-       User registration allowed, E-mail as username enabled

-       LDAP user federation with Kerberos enabled, sAMAccountName attribute mapped to username, mail attribute mapped to user's e-mail

The problem is that when user updates his profile through account form, username is rewritten and the value of e-mail address is set to the username attribute.
User is then invalidated and deleted, because the usernames in Keycloak and LDAP do not match.

Is my realm configuration supposed to work correctly? Or I must have mail attribute from LDAP mapped to both username and e-mail in Keycloak to keep it consistent?

Thanks
Martin


From Gregoire.Jeanmart at ai-london.com  Mon Jun  5 04:59:29 2017
From: Gregoire.Jeanmart at ai-london.com (Gregoire Jeanmart)
Date: Mon, 5 Jun 2017 08:59:29 +0000
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
Message-ID: <c7a40bb4e78040258138ab39f2acd577@EXCHANGE.airas.lan>

Hello Marek,

Thank you for your response. I don't know if it's an environment issue.

I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1) installed on a Linux CentOS and Windows Server OS, even a fresh install and I still getting the issue.

Please find below the steps to reproduce the bug:
1. Update a user by adding "Update Password" as Required User Actions

2. Login with this user (in my case "test123"). When you click on submit, Keycloak should redirect to the Change Password screen

3. I enter the new password (twice) and click on submit
Screenshot: http://imgur.com/a/ueCxU
As you can see on the screenshot, the browser (both GoogleChrome or Firefox latest version) try to store "This is not a login form"

I found this in the Keycloak source code: [ https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/login-update-password.ftl ]
<form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
            <input type="text" readonly value="this is not a login form" style="display: none;">
            <input type="password" readonly value="this is not a login form" style="display: none;">

            <div class="${properties.kcFormGroupClass!}">
                <div class="${properties.kcLabelWrapperClass!}">
                    <label for="password-new" class="${properties.kcLabelClass!}">${msg("passwordNew")}</label>
                </div>
                <div class="${properties.kcInputWrapperClass!}">
                    <input type="password" id="password-new" name="password-new" class="${properties.kcInputClass!}" autofocus autocomplete="off" />
                </div>
            </div>
         (...)

It looks like this code is interpreted by the browser and is being store in the Password vault.

I will considerer your suggestion and raise a JIRA issue.

Best regards,

Gregoire Jeanmart

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: 05 June 2017 08:58
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

Hi,

This seem like the environment specific issue. I never saw this.

It seems that it happens under some special circumstances (eg. specific browser with some specific browser plugins enabled etc). Feel free to create JIRA if you manage to figure some more details how to reproduce it.

Marek

On 05/06/17 09:33, Gregoire Jeanmart wrote:
> Hello,
> Sorry for chasing up. Does anybody face the same problem?
> Thanks,
> ________________________________________
> From: Gregoire Jeanmart
> Sent: 31 May 2017 18:36
> To: keycloak-user at lists.jboss.org
> Subject: Browser tries to store the username "This is not a login 
> form" after updating a temporary password
>
> Hello,
> One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly.
>
> Is there a way to fix this issue ?
>
> Information:
> - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> - Browser: Google Chrome and Mozilla Firefox
> - Similar issue: 
> https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-
> is-being-stored-when-updating-a-password-in-keycloak
>
> Thanks in advance.
>
> Gregoire Jeanmart
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user




From bruno at abstractj.org  Mon Jun  5 06:18:19 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 05 Jun 2017 10:18:19 +0000
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
Message-ID: <CAM5SUC5-X5vifFEqU01gpcOTK9oMJRD+tdNyg2gEVzt2HrtCNg@mail.gmail.com>

Like Marek mentioned, it seems related with the environment. I tried to
reproduce your steps here with Chrome and Firefox on Fedora. Couldn't see
the issue you mentioned.

On Mon, Jun 5, 2017 at 4:58 AM Marek Posolda <mposolda at redhat.com> wrote:

> Hi,
>
> This seem like the environment specific issue. I never saw this.
>
> It seems that it happens under some special circumstances (eg. specific
> browser with some specific browser plugins enabled etc). Feel free to
> create JIRA if you manage to figure some more details how to reproduce it.
>
> Marek
>
> On 05/06/17 09:33, Gregoire Jeanmart wrote:
> > Hello,
> > Sorry for chasing up. Does anybody face the same problem?
> > Thanks,
> > ________________________________________
> > From: Gregoire Jeanmart
> > Sent: 31 May 2017 18:36
> > To: keycloak-user at lists.jboss.org
> > Subject: Browser tries to store the username "This is not a login form"
> after updating a temporary password
> >
> > Hello,
> > One of my users raised an issue after he has been asked to change his
> password [action: Update password]. The browser asked him to store a couple
> username/password equals to ?This is not a login form? / %new password%
> [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour
> isn?t accepted by my users as it is very unusual and not user friendly.
> >
> > Is there a way to fix this issue ?
> >
> > Information:
> > - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> > - Browser: Google Chrome and Mozilla Firefox
> > - Similar issue:
> https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak
> >
> > Thanks in advance.
> >
> > Gregoire Jeanmart
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com  Mon Jun  5 08:17:07 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 5 Jun 2017 09:17:07 -0300
Subject: [keycloak-user] Authorization settings can't be exported more
 than once on 3.1.0.Final
In-Reply-To: <CAHX=cdULfOFM3parjsmYidETUmmJaKa0UU25MNrCBnuyPWUEcA@mail.gmail.com>
References: <CAHX=cdULfOFM3parjsmYidETUmmJaKa0UU25MNrCBnuyPWUEcA@mail.gmail.com>
Message-ID: <CAJrcDBeVGKncvknPec2w3t7Pe09S-zN3t-DQ9j6nYb2F0JpfPQ@mail.gmail.com>

This is a known issue. We have it fixed in upstream already as well tests
to make sure we don't break anything when exporting settings.

The problem is that during export your role policies are updated with the
role names and not kept intact with role identifiers.

Regards.
Pedro Igor

On Fri, Jun 2, 2017 at 6:22 PM, Stephane Granger <stephane.granger at gmail.com
> wrote:

> I am running into a weird issue.  After creating a client which uses the
> Authorization settings, the settings can only be exported 1 time.
> Rebooting the key cloak server doesn't clear the problem.
>
> Steps to reproduce.
>
> Create TEST realm
>
> Create TEST client, make sure the Authorization Enabled slider is set to
> ON, click save.
>
> Create the following Roles for the client
> role1
> role2
> role3
>
> Go on the Authorization tab
> create 3 policies: policy1, policy2, policy3 with corresponding required
>  role1...3 from the TEST client
>
> create Authorization Scopes: scope1, scope2, scope3
>
> create Resources: resource1 with scope2, resource2/scope2 and
> resource3/scope3
>
> finally, create the permissions
> resource based: permission1/resource1/policy1
> resource based: permission2/resource2/policy2
> scope based: permission3/scope3/policy3
>
> On the Authorization tab of the TEST client, click on the Export button.
> This will work.
> Navigate back to a different realm, and back again to the Authorization tab
> of the TEST client, try exporting again, this time it will fail.
> Restarting the Keycloak server does not clear the problem.
>
>
> Here are the logs:
>
> 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
> UT005023: Exception handling request to
> /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-
> ac4a-1c6afb22f7a5/authz/resource-server/settings:
> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
> Error while exporting policy [policy1].
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(
> ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(
> ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(
> SynchronousDispatcher.java:168)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:411)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
> service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
> KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHand
> ler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandl
> er.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
> er.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(
> NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
> handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: Error while exporting policy
> [policy1].
> at
> org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(
> ExportUtils.java:386)
> at
> org.keycloak.exportimport.util.ExportUtils.lambda$
> exportAuthorizationSettings$3(ExportUtils.java:313)
> at java.util.stream.ReferencePipeline$3$1.accept(
> ReferencePipeline.java:193)
> at java.util.stream.ReferencePipeline$2$1.accept(
> ReferencePipeline.java:175)
> at
> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.
> java:1374)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at
> java.util.stream.AbstractPipeline.wrapAndCopyInto(
> AbstractPipeline.java:471)
> at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at
> org.keycloak.exportimport.util.ExportUtils.exportAuthorizationSettings(
> ExportUtils.java:313)
> at
> org.keycloak.authorization.admin.ResourceServerService.exportSettings(
> ResourceServerService.java:133)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:
> 62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(
> MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
> ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
> ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:395)
> ... 37 more
> Caused by: java.lang.NullPointerException
> at
> org.keycloak.exportimport.util.ExportUtils.lambda$
> createPolicyRepresentation$7(ExportUtils.java:351)
> at java.util.stream.ReferencePipeline$3$1.accept(
> ReferencePipeline.java:193)
> at
> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.
> java:1374)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at
> java.util.stream.AbstractPipeline.wrapAndCopyInto(
> AbstractPipeline.java:471)
> at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at
> org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(
> ExportUtils.java:353)
> ... 68 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From celso.agra at gmail.com  Mon Jun  5 10:44:31 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 5 Jun 2017 11:44:31 -0300
Subject: [keycloak-user] How to store "UserPassword" in LDAP through
 Keycloak Admin Client?
In-Reply-To: <6b2dd9c9-06a5-5f83-1304-5ca62a871245@redhat.com>
References: <CAOFYJDt5afhJOgO9=7SjyjqqJcbc5uw7QiOu8Uyxmi+h5_OMCQ@mail.gmail.com>
	<6b2dd9c9-06a5-5f83-1304-5ca62a871245@redhat.com>
Message-ID: <CAOFYJDuF_oE_v0jFsckc-mhp3HzddYRCqK1ZOwdVAX76Mv1P+w@mail.gmail.com>

I just add a new method and I call this method after create user:

public void resetUserPassword(String id, String password) {
RealmResource realmResource = keycloak.realm(realmProperties.getRealm());
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue(password);
credential.setTemporary(false);

    realmResource.users().get(id).resetPassword(credential);
}

This solve my problem. Now my password is being stored in the database.

Thanks Marek!

2017-06-05 4:43 GMT-03:00 Marek Posolda <mposolda at redhat.com>:

> Hi,
>
> once you create user, you need to use separate REST endpoint for update
> user credentials. The best is to look at our testsuite and how it uses REST
> endpoints (eg. see UserTest class from keycloak codebase) or eventually
> explore admin console with some tool like firebug, which will show you what
> REST endpoints is our admin console calling (KC admin console is just an
> angular application calling admin REST endpoints under the covers)
>
> Marek
>
>
> On 02/06/17 22:47, Celso Agra wrote:
>
>> Hi all,
>>
>> Please, need some help! I'm trying to create an user through Keycloak
>> Admin
>> Client.
>> So, When I add an user from Keycloak register page my LDAP stores a tag
>> called "userPassword" with the password stored.
>> But When I add an user from Keycloak Admin Client, all informations are
>> stored in LDAP, except "userPassword". Am I doing something wrong?
>>
>> Here is my code below:
>>
>> public Response createUserKeycloak(UserKeycloak userKeycloak) {
>>
>>> CredentialRepresentation credential = new CredentialRepresentation();
>>> credential.setType(CredentialRepresentation.PASSWORD);
>>> credential.setValue(userKeycloak.getPassword());
>>> credential.setTemporary(false);
>>>
>>
>>
>> UserRepresentation user = new UserRepresentation();
>>> user.setUsername(userKeycloak.getUsername());
>>> user.setFirstName(userKeycloak.getFirstName());
>>> user.setLastName(userKeycloak.getLastName());
>>> user.setEnabled(true);
>>> if (userKeycloak.getEmail() != null)
>>> user.setEmail(userKeycloak.getEmail());
>>> user.setCredentials(Arrays.asList(credential));
>>>
>>>
>> RealmResource realmResource = keycloak.realm(realmProperties.getRealm());
>>> UsersResource userRessource = realmResource.users();
>>> return userRessource.create(user);
>>> }
>>>
>>
>>
>> Best Regards,
>>
>>
>


-- 
---
*Celso Agra*

From java at neposoft.com  Mon Jun  5 12:26:06 2017
From: java at neposoft.com (java_os)
Date: Mon, 5 Jun 2017 12:26:06 -0400
Subject: [keycloak-user] spring-sec-adapter - impersonating
Message-ID: <ad91a056d13497b69faf216e68b2f4f7.squirrel@neposoft.com>

Would has any pointers on implementing sso where admin could impersonate
an existing user.
Flow: ng-client(aquires the token - public client) -> rest api (Keycloak
bearer client)
Read this thread but was left out :
http://lists.jboss.org/pipermail/keycloak-user/2015-April/001945.html

Appreciate it.



From sam.davis at tasktop.com  Mon Jun  5 12:43:15 2017
From: sam.davis at tasktop.com (Sam Davis)
Date: Mon, 5 Jun 2017 09:43:15 -0700
Subject: [keycloak-user] running multiple instances without clustering
In-Reply-To: <b1c3854c-29c1-0eeb-2966-23e4f0919b61@redhat.com>
References: <CAKS_sO347D2Pht=NhiAUDoOSLdmnCPc=b99z-R=yV4B-_maAzQ@mail.gmail.com>
	<b1c3854c-29c1-0eeb-2966-23e4f0919b61@redhat.com>
Message-ID: <CAKS_sO1dkYKa94R40VnMJC4A2LmFJhfeUQw2Kg+0Ns8zNM7K+w@mail.gmail.com>

Thanks for the response. What would happen if someone logs into the backup
instance and tries to change the configuration (e.g. adding users) while
someone else is making configuration changes on the primary instance?


-- 
Sam Davis
Senior Software Engineer, Tasktop
Committer, Eclipse Mylyn
http://tasktop.com

On Mon, May 29, 2017 at 6:45 PM, Bill Burke <bburke at redhat.com> wrote:

> If you do not load balance, but instead just have a hot backup, this
> will work so long as its ok that somebody has to relogin.  If you do
> load balance, then this will not work because OIDC has non-browser
> requests ( code-to-token and refresh token).
>
>
> On 5/29/17 8:37 PM, Sam Davis wrote:
> > Hi,
> >
> > I understand that Keycloak supports clustering, but I am wondering if it
> is
> > possible to run multiple instances of Keycloak using the same
> configuration
> > database *without* using clustering, i.e. using the standalone
> > <https://keycloak.gitbooks.io/documentation/server_
> installation/topics/operating-mode/standalone.html>
> > operating mode.
> >
> > It looks like the only difference between this and using the standalone
> > clustered mode is that the caches will not be synchronized between the
> > instances. I understand that it could cause some weird behaviour with
> user
> > sessions (e.g. a user logs out on one instance but is still logged in on
> > another, or vice versa). Would it cause any more serious problems (e.g.
> > corrupt configuration database) or create security vulnerabilities?
> >
> > The use case is that my application bundles Keycloak and the application
> > and Keycloak run on the same server. If the server goes down, another
> > instance of the application on another server will take over, and that
> > instance will redirect users to another keycloak instance running on that
> > server. So I don't really need clustering, since normally only a single
> > Keycloak instance will actually be used at a time and will only be used
> by
> > a single application.
> >
> > Thanks,
> > Sam
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From rationull at gmail.com  Mon Jun  5 14:06:54 2017
From: rationull at gmail.com (Jonathan Little)
Date: Mon, 5 Jun 2017 11:06:54 -0700
Subject: [keycloak-user] Allowing multiple JWT issuers in a devel
	environment
In-Reply-To: <CACaGtfwf9Xx+kSCuPcw51MuN6m87rqsHbFLfYhC4fBpZsEngsA@mail.gmail.com>
References: <CALLLnfW27dWhN1W4CQzcdviFdwcBULbQex+nJxzj37Ovdx7GoQ@mail.gmail.com>
	<CACaGtfwf9Xx+kSCuPcw51MuN6m87rqsHbFLfYhC4fBpZsEngsA@mail.gmail.com>
Message-ID: <CALLLnfX=28wYKNaxTa+_ERUwYRWL_rAVv9Vo0p+jBpyi7dHOZg@mail.gmail.com>

Well, that's too bad. The Auth0 JWT library for Node.JS at least seems to
allow checking against an array of issuers which would be ideal, but I
don't think that library will automatically retrieve public keys for
signature verification (not a deal breaker but that is a nice feature of
the Keycloak library) and of course it's nice in theory to be using the
library maintained specifically to work with the Keycloak backend.

I just filed a feature request on Keycloak's Jira project covering this:
https://issues.jboss.org/browse/KEYCLOAK-5014. Hopefully it can gain some
traction.

On Mon, Jun 5, 2017 at 12:26 AM, Juan Jos? D?az Monta?a <
juanjo.diaz at intopalo.com> wrote:

> Hi Jonathan,
>
> This is not only a development issue. Anyone running in NAT'd environments
> and/or more complex network setups will face this.
> I raised the same issue few days ago (http://lists.jboss.org/
> pipermail/keycloak-user/2017-May/010788.html) and there is plenty of
> previous post highlighting the issue dating even few years back.
> I even offered myself to implement whatever changes are necessary to
> Keycloak adapters since this is an important feature for one of my clients.
> Unfortunately, it doesn't seem that the Keycloak maintainers/community
> really care about this issue or have any intention of doing something about
> it :/
>
> Regards,
>
>
> --
> *Juanjo D?az*
> Software Architect  @Intopalo Oy <https://intopalo.com>
> +358 50 4667571 <+358+50+4667571> | juanjo.diaz at intopalo.com
>
> On 3 June 2017 at 07:25, Jonathan Little <rationull at gmail.com> wrote:
>
>> I'm trying to set up a devel environment with Keycloak in a Docker
>> container, a back-end service in a separate linked Docker container, and a
>> front end web app that authenticates against Keycloak and then uses a
>> bearer token with the back end service. Bearer token validation is failing
>> in this case due to the JWT's iss field not matching the realm URL: the
>> realm URL is based on a hostname in the Docker network but the login
>> occurred against localhost from the browser running outside Docker via a
>> host port mapping.
>>
>> This is obviously a devel specific scenario and I'd like to be able to opt
>> in to multiple allowed issuers, an issuer regex, skipping issuer
>> verification, or some other workaround. AFAIKT there is no mechanism for
>> this and the options are:
>>
>> 1) Add an entry to the devel machine's hosts file so that the browser can
>> use the same hostname as the Keycloak container has in the Docker network.
>> This is simple but undesirable because I'd rather not have to globally
>> modify the devel machine configuration for this.
>>
>> 2) Run the devel Keycloak server outside of Docker at a known externally
>> accessible hostname. This is potentially the cleanest solution (although
>> it
>> may have redirect issues with locally hosted devel websites -- I haven't
>> tried yet) but I'd really like to be able to run Keycloak locally.
>>
>> 3) Somehow hack or customize the token validation code. The issuer check
>> is
>> fairly deep and I don't see any convenient or palatable hacks though.
>>
>>
>> This seems to me like it'd be a common situation but is it legitimate or
>> am
>> I thinking about this wrong? Does anyone else have any ideas or think this
>> would be a worthwhile addition to the library? Seems to me that multiple
>> issuers or an issuer regex would be clean solutions.
>>
>> If this makes sense I will file a feature request (not sure if PRs are
>> accepted on this project), but it seems like such an ordinary situation
>> that I feel like I must be missing something!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From chexxor at gmail.com  Mon Jun  5 14:56:54 2017
From: chexxor at gmail.com (Alex Berg)
Date: Mon, 5 Jun 2017 13:56:54 -0500
Subject: [keycloak-user] How to change link to verify-email in email
	template?
Message-ID: <CABgV3qs+9jNUW5MXS8zmQGhNO7OdRJF+VXTRLnK4aYMoQWVx0w@mail.gmail.com>

I have a proxy running which proxies "www.mydomain.com/auth/" to
"mykeycloakhost/auth/realms/MyApp/". I think it's less noisy for users of
my website.

In dev, when I have keycloak send a "verify email" action, the URI in the
email is "localhost:8080/auth/realms/MyApp/login-actions/
execute-actions?key=the-key"

How do I change this URI in the "verify email" email to be
"localhost:8080/auth/login-actions/execute-actions?key=the-key"?

I see it's calculated like:

UriInfo uriInfo = session.getContext().getUri();
UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(),
token.serialize(session, realm, uriInfo));
String link = builder.build(realm.getName()).toString();

- Source:
/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java#L139
<https://github.com/keycloak/keycloak/blob/70d7e07526546cd20d8cbbc6d0557597ba1540fb/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java#L139>

I'm not great at understanding Java and OO, so I can't figure how where
"session.getContext()" is defined.

How are other people solving this? Should I just remove the link variable
in the email template and use a hardcoded link?

From mposolda at redhat.com  Mon Jun  5 15:19:36 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Jun 2017 21:19:36 +0200
Subject: [keycloak-user] E-mail as username with LDAP federation
In-Reply-To: <e4a65884e2e24fb99c3bcd3d84c78e7b@softec.sk>
References: <e4a65884e2e24fb99c3bcd3d84c78e7b@softec.sk>
Message-ID: <0e544fa5-28cd-a8a2-c7ec-cb925da29e2f@redhat.com>

On 05/06/17 10:06, Plank Martin wrote:
> Hello,
>
> I have a realm with this configuration:
>
> -       User registration allowed, E-mail as username enabled
>
> -       LDAP user federation with Kerberos enabled, sAMAccountName attribute mapped to username, mail attribute mapped to user's e-mail
>
> The problem is that when user updates his profile through account form, username is rewritten and the value of e-mail address is set to the username attribute.
> User is then invalidated and deleted, because the usernames in Keycloak and LDAP do not match.
>
> Is my realm configuration supposed to work correctly? Or I must have mail attribute from LDAP mapped to both username and e-mail in Keycloak to keep it consistent?
Yes, if you want to use "Email as username", you should likely map both 
username and email to LDAP "mail" attribute. Otherwise you will face 
inconsistencies like this.

Marek
>
> Thanks
> Martin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From shanonvl at gmail.com  Mon Jun  5 15:52:38 2017
From: shanonvl at gmail.com (Shanon Levenherz)
Date: Mon, 5 Jun 2017 15:52:38 -0400
Subject: [keycloak-user] User Group Admins
Message-ID: <CBBB590F-3595-40E1-8A21-B0C0CAA84074@gmail.com>

Hi all,

I?ve come across this post [1] which describes user group admins.   I followed the thread to here [2] but don?t think it went further?    I?m curious if this feature is in the roadmap or JIRA as I couldn?t find it.   Implementing user group admins would be a huge step to supporting my requirements/desired architecture (some of which were summarized in my previous mail [3]).   Thanks! 

Best,
Shanon

[1] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005792.html <http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005792.html>

[2] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005794.html <http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005794.html>

[3] http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html <http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html>

From matt at woolnough.com.au  Mon Jun  5 16:30:52 2017
From: matt at woolnough.com.au (Matthew Woolnough)
Date: Tue, 6 Jun 2017 06:30:52 +1000
Subject: [keycloak-user] Could not find artifact
	org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
Message-ID: <CAKTcrg7r+xzPCscAFRyvKVR5L0w_drO-gm4a=bONzHSE=iZM1g@mail.gmail.com>

?Trying to compile Keycloak and running into numerous issues.


Skipping tests like so currently as too many issues
mvn -Dmaven.test.skip=true install -e

How can I resolve this & whats the recommended environment for compiling? I
need to code an SPI.  I've tried all the major OS, a few variants of Linux,
numerous branches, but they all throw errors during compilation.


?[ERROR] Failed to execute goal on project keycloak-testsuite-tomcat8:
Could not resolve dependencies for project
org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not
find artifact
org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT ->
[Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute
goal on project keycloak-testsuite-tomcat8: Could not resolve dependencies
for project org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT:
Could not find artifact
org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
at
org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies(LifecycleDependencyResolver.java:221)
at
org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies(LifecycleDependencyResolver.java:127)
at
org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved(MojoExecutor.java:246)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:200)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
at
org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
at
org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
at
org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at
org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at
org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at
org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.project.DependencyResolutionException: Could
not resolve dependencies for project
org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not
find artifact
org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
at
org.apache.maven.project.DefaultProjectDependenciesResolver.resolve(DefaultProjectDependenciesResolver.java:208)
at
org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies(LifecycleDependencyResolver.java:195)
... 23 more
Caused by: org.eclipse.aether.resolution.DependencyResolutionException:
Could not find artifact
org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
at
org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:393)
at
org.apache.maven.project.DefaultProjectDependenciesResolver.resolve(DefaultProjectDependenciesResolver.java:202)
... 24 more
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could
not find artifact
org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
at
org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:453)
at
org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:255)
at
org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:376)
... 25 more
Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Could not
find artifact
org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
at
org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:443)
... 27 more
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
please read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the
command
[ERROR]   mvn <goals> -rf :keycloak-testsuite-tomcat8

From chexxor at gmail.com  Mon Jun  5 16:30:58 2017
From: chexxor at gmail.com (Alex Berg)
Date: Mon, 5 Jun 2017 15:30:58 -0500
Subject: [keycloak-user] Email template used by Admin API's
	"send-verify-email" endpoint
Message-ID: <CABgV3qsDSG=J-puVoeBz3pLKoDcNpDqHkcNBS4EYa9yZKkcsuA@mail.gmail.com>

Looks like the "PUT /admin/realms/{realm}/users/{id}/send-verify-email"
Admin REST API endpoint doesn't use the "email-verification.ftl" template.
Rather, it uses the "executeActions.ftl" template. Is this intended?

From bburke at redhat.com  Mon Jun  5 16:50:21 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 5 Jun 2017 16:50:21 -0400
Subject: [keycloak-user] running multiple instances without clustering
In-Reply-To: <CAKS_sO1dkYKa94R40VnMJC4A2LmFJhfeUQw2Kg+0Ns8zNM7K+w@mail.gmail.com>
References: <CAKS_sO347D2Pht=NhiAUDoOSLdmnCPc=b99z-R=yV4B-_maAzQ@mail.gmail.com>
	<b1c3854c-29c1-0eeb-2966-23e4f0919b61@redhat.com>
	<CAKS_sO1dkYKa94R40VnMJC4A2LmFJhfeUQw2Kg+0Ns8zNM7K+w@mail.gmail.com>
Message-ID: <579bd8ba-67af-dbc2-fb8f-c8c1834fbd0e@redhat.com>

Adding users isn't an issue, but adding other metadata is as you'll 
possibly get stale cache entries.


On 6/5/17 12:43 PM, Sam Davis wrote:
> Thanks for the response. What would happen if someone logs into the backup
> instance and tries to change the configuration (e.g. adding users) while
> someone else is making configuration changes on the primary instance?
>
>


From bburke at redhat.com  Mon Jun  5 16:55:00 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 5 Jun 2017 16:55:00 -0400
Subject: [keycloak-user] User Group Admins
In-Reply-To: <CBBB590F-3595-40E1-8A21-B0C0CAA84074@gmail.com>
References: <CBBB590F-3595-40E1-8A21-B0C0CAA84074@gmail.com>
Message-ID: <9026eea5-c0a4-a552-8bf6-0e78b6a26918@redhat.com>

I'm actually working on fine-grain within Realm admin permissions that I 
will hopefully be merging soon to master.  You'll be able to:

* admin can be restricted to managing only users that belong to a 
specific group

* admin can be restricted on what roles they can assign to a user

* admin can be restricted on what clients they can manage



On 6/5/17 3:52 PM, Shanon Levenherz wrote:
> Hi all,
>
> I?ve come across this post [1] which describes user group admins.   I followed the thread to here [2] but don?t think it went further?    I?m curious if this feature is in the roadmap or JIRA as I couldn?t find it.   Implementing user group admins would be a huge step to supporting my requirements/desired architecture (some of which were summarized in my previous mail [3]).   Thanks!
>
> Best,
> Shanon
>
> [1] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005792.html <http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005792.html>
>
> [2] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005794.html <http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005794.html>
>
> [3] http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html <http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From jakob at jttl.se  Mon Jun  5 19:00:42 2017
From: jakob at jttl.se (Jakob Thun)
Date: Mon, 05 Jun 2017 23:00:42 +0000
Subject: [keycloak-user] Not before policy in accesstoken uses
	dash-separator (in json), why?
Message-ID: <CAFimPZQrzx+bnVyA-yTBCkqVehWQBhz4CPoUzyF2hku4maFKsw@mail.gmail.com>

Hello Keycloak gurus,

Quick simple question out of curiosity.

Since all other AccessToken fields use a underscore_separator, why is the
not-before-policy with dashes.

See:
https://github.com/keycloak/keycloak/blob/3.1.x/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java

Anyone have a clue?

Regards
Jakob

From sthorger at redhat.com  Tue Jun  6 01:12:51 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Jun 2017 07:12:51 +0200
Subject: [keycloak-user] How to change link to verify-email in email
	template?
In-Reply-To: <CABgV3qs+9jNUW5MXS8zmQGhNO7OdRJF+VXTRLnK4aYMoQWVx0w@mail.gmail.com>
References: <CABgV3qs+9jNUW5MXS8zmQGhNO7OdRJF+VXTRLnK4aYMoQWVx0w@mail.gmail.com>
Message-ID: <CAJgngAc6xqQJMOX9WSZXnc0Cz3wemQT4r3MBEe6gZeWrazBk1w@mail.gmail.com>

Take a look at
https://keycloak.gitbooks.io/documentation/server_installation/topics/clustering/load-balancer.html.
You need to configure the proxy and Keycloak server correctly. You
certainly don't need to hack away at the code.

On 5 June 2017 at 20:56, Alex Berg <chexxor at gmail.com> wrote:

> I have a proxy running which proxies "www.mydomain.com/auth/" to
> "mykeycloakhost/auth/realms/MyApp/". I think it's less noisy for users of
> my website.
>
> In dev, when I have keycloak send a "verify email" action, the URI in the
> email is "localhost:8080/auth/realms/MyApp/login-actions/
> execute-actions?key=the-key"
>
> How do I change this URI in the "verify email" email to be
> "localhost:8080/auth/login-actions/execute-actions?key=the-key"?
>
> I see it's calculated like:
>
> UriInfo uriInfo = session.getContext().getUri();
> UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(),
> token.serialize(session, realm, uriInfo));
> String link = builder.build(realm.getName()).toString();
>
> - Source:
> /services/src/main/java/org/keycloak/authentication/
> requiredactions/VerifyEmail.java#L139
> <https://github.com/keycloak/keycloak/blob/70d7e07526546cd20d8cbbc6d05575
> 97ba1540fb/services/src/main/java/org/keycloak/authentication/
> requiredactions/VerifyEmail.java#L139>
>
> I'm not great at understanding Java and OO, so I can't figure how where
> "session.getContext()" is defined.
>
> How are other people solving this? Should I just remove the link variable
> in the email template and use a hardcoded link?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From manfred.duchrow at caprica.biz  Tue Jun  6 02:08:18 2017
From: manfred.duchrow at caprica.biz (Manfred Duchrow)
Date: Tue, 6 Jun 2017 08:08:18 +0200
Subject: [keycloak-user] Different URLs for front-end redirect and
	back-channel
Message-ID: <170a9361-570c-a644-f097-1f96a68935e6@caprica.biz>

Hi,

we're having a scenario with a Keycloak (OIDC) protected classic web
application (no SPA) which has the
restriction that it is not allowed to do any internet requests from its
server within the DMZ it is located.
Due to this restriction it cannot execute any back-channel requests
(e.g. /token, /userinfo) to Keycloak
because the configured "auth-server-url" is the front-end URL which is
only visible through internet and
actually points to Firewall/Loadbalancer component.

Now the question:
What do you think about an enhancement request for Keycloak (server and
OIDC adapter) to allow different URLs
for front-end (browser redirect) and back-channel URLs?

That would imply several changes:
1. The server side endpoint implementations (UserInfoEndpoint,
TokenIntrospectionEndpoint) are using TokenVerifier
    which by default checks the token issuer.
    This check will fail because the realmUrl of the back-channel
request will be unequal to the token's issuer URL,
    which comes from the session created at login with the front-end URL.
   
    There are several variants to handle this:
    a) There is already a boolean varibale "checkRealmUrl" in
TokenVerifier to disable this check, but no way to set it to false.
        It might be an option to support a switch per client to
disable/enable this check.
    b) Instead of deriving the issuer name from the current request URL
it might be possible to (optionally) provide
        an explicit issuer name field per realm. That would allow
setting issuer names that are completely independent
        of any network infrastructure.
    c) When issuing a token through TokenEndpoint, set the issuer to the
current /token request URI rather than using
        the one from the associated session.      
        see TokenManager.initToken():
token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));

2. The OIDC adapters must support a new (optional) configuration
parameter (e.g. "auth-server-redirect-url") to
    allow setting a separate front-end URL.

Do you see any security issue with such an enhancement?
   
Cheers,
   Manfred

From mposolda at redhat.com  Tue Jun  6 02:46:15 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Jun 2017 08:46:15 +0200
Subject: [keycloak-user] Not before policy in accesstoken uses
 dash-separator (in json), why?
In-Reply-To: <CAFimPZQrzx+bnVyA-yTBCkqVehWQBhz4CPoUzyF2hku4maFKsw@mail.gmail.com>
References: <CAFimPZQrzx+bnVyA-yTBCkqVehWQBhz4CPoUzyF2hku4maFKsw@mail.gmail.com>
Message-ID: <8432bb78-974b-fa98-9179-008ae9c557b6@redhat.com>

Hi,

All the other fields are part of OAuth2 or OpenID Connect specification 
. The "not-before-policy" is Keycloak specific extension. Any specific 
issue with dashes in this field?

Marek

On 06/06/17 01:00, Jakob Thun wrote:
> Hello Keycloak gurus,
>
> Quick simple question out of curiosity.
>
> Since all other AccessToken fields use a underscore_separator, why is the
> not-before-policy with dashes.
>
> See:
> https://github.com/keycloak/keycloak/blob/3.1.x/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
>
> Anyone have a clue?
>
> Regards
> Jakob
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Tue Jun  6 02:50:59 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Jun 2017 08:50:59 +0200
Subject: [keycloak-user] Could not find artifact
 org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
In-Reply-To: <CAKTcrg7r+xzPCscAFRyvKVR5L0w_drO-gm4a=bONzHSE=iZM1g@mail.gmail.com>
References: <CAKTcrg7r+xzPCscAFRyvKVR5L0w_drO-gm4a=bONzHSE=iZM1g@mail.gmail.com>
Message-ID: <abff5428-298f-916d-d8bc-df401b696fd0@redhat.com>

You can rather use "-DskipTests=true" instead of 
"-Dmaven.test.skip=true" . That will work as it compiles test 
dependencies, it just won't run the test.

Some more hints: 
https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md 
and in maven documentation for the "skipTests vs. maven.test.skip" 
difference.

Marek


On 05/06/17 22:30, Matthew Woolnough wrote:
> ?Trying to compile Keycloak and running into numerous issues.
>
>
> Skipping tests like so currently as too many issues
> mvn -Dmaven.test.skip=true install -e
>
> How can I resolve this & whats the recommended environment for compiling? I
> need to code an SPI.  I've tried all the major OS, a few variants of Linux,
> numerous branches, but they all throw errors during compilation.
>
>
> ?[ERROR] Failed to execute goal on project keycloak-testsuite-tomcat8:
> Could not resolve dependencies for project
> org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not
> find artifact
> org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT ->
> [Help 1]
> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute
> goal on project keycloak-testsuite-tomcat8: Could not resolve dependencies
> for project org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT:
> Could not find artifact
> org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
> at
> org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies(LifecycleDependencyResolver.java:221)
> at
> org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies(LifecycleDependencyResolver.java:127)
> at
> org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved(MojoExecutor.java:246)
> at
> org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:200)
> at
> org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
> at
> org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
> at
> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
> at
> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
> at
> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
> at
> org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
> at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
> at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
> at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
> at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
> at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
> at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at
> org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
> at
> org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
> at
> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
> at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
> Caused by: org.apache.maven.project.DependencyResolutionException: Could
> not resolve dependencies for project
> org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not
> find artifact
> org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
> at
> org.apache.maven.project.DefaultProjectDependenciesResolver.resolve(DefaultProjectDependenciesResolver.java:208)
> at
> org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies(LifecycleDependencyResolver.java:195)
> ... 23 more
> Caused by: org.eclipse.aether.resolution.DependencyResolutionException:
> Could not find artifact
> org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
> at
> org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:393)
> at
> org.apache.maven.project.DefaultProjectDependenciesResolver.resolve(DefaultProjectDependenciesResolver.java:202)
> ... 24 more
> Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could
> not find artifact
> org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
> at
> org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:453)
> at
> org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:255)
> at
> org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:376)
> ... 25 more
> Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Could not
> find artifact
> org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT
> at
> org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:443)
> ... 27 more
> [ERROR]
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions,
> please read the following articles:
> [ERROR] [Help 1]
> http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
> [ERROR]
> [ERROR] After correcting the problems, you can resume the build with the
> command
> [ERROR]   mvn <goals> -rf :keycloak-testsuite-tomcat8
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From jakob at jttl.se  Tue Jun  6 03:52:54 2017
From: jakob at jttl.se (Jakob Thun)
Date: Tue, 06 Jun 2017 07:52:54 +0000
Subject: [keycloak-user] Not before policy in accesstoken uses
 dash-separator (in json), why?
In-Reply-To: <8432bb78-974b-fa98-9179-008ae9c557b6@redhat.com>
References: <CAFimPZQrzx+bnVyA-yTBCkqVehWQBhz4CPoUzyF2hku4maFKsw@mail.gmail.com>
	<8432bb78-974b-fa98-9179-008ae9c557b6@redhat.com>
Message-ID: <CAFimPZQszzfqeVKZSJG5rJj_sx0jAaaSbWe5xEPubSC_6myMsA@mail.gmail.com>

Ok. Thanks!

No issues, only curiosity about why it wasn't consistent with the other
fields naming style. :)

Kind Regards,
Jakob




Den tis 6 juni 2017 08:46Marek Posolda <mposolda at redhat.com> skrev:

> Hi,
>
> All the other fields are part of OAuth2 or OpenID Connect specification
> . The "not-before-policy" is Keycloak specific extension. Any specific
> issue with dashes in this field?
>
> Marek
>
> On 06/06/17 01:00, Jakob Thun wrote:
> > Hello Keycloak gurus,
> >
> > Quick simple question out of curiosity.
> >
> > Since all other AccessToken fields use a underscore_separator, why is the
> > not-before-policy with dashes.
> >
> > See:
> >
> https://github.com/keycloak/keycloak/blob/3.1.x/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
> >
> > Anyone have a clue?
> >
> > Regards
> > Jakob
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From mstrukel at redhat.com  Tue Jun  6 04:28:51 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 6 Jun 2017 10:28:51 +0200
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <CAM5SUC5-X5vifFEqU01gpcOTK9oMJRD+tdNyg2gEVzt2HrtCNg@mail.gmail.com>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
	<CAM5SUC5-X5vifFEqU01gpcOTK9oMJRD+tdNyg2gEVzt2HrtCNg@mail.gmail.com>
Message-ID: <CA+1OW+iX9tTQoDCsgxOUwxoDK90132B8P0V8q+zzrMyJpLbWkQ@mail.gmail.com>

I've seen this once using Chrome on macOS. Didn't explore further, and
don't know how to reproduce.

On Mon, Jun 5, 2017 at 12:18 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Like Marek mentioned, it seems related with the environment. I tried to
> reproduce your steps here with Chrome and Firefox on Fedora. Couldn't see
> the issue you mentioned.
>
> On Mon, Jun 5, 2017 at 4:58 AM Marek Posolda <mposolda at redhat.com> wrote:
>
> > Hi,
> >
> > This seem like the environment specific issue. I never saw this.
> >
> > It seems that it happens under some special circumstances (eg. specific
> > browser with some specific browser plugins enabled etc). Feel free to
> > create JIRA if you manage to figure some more details how to reproduce
> it.
> >
> > Marek
> >
> > On 05/06/17 09:33, Gregoire Jeanmart wrote:
> > > Hello,
> > > Sorry for chasing up. Does anybody face the same problem?
> > > Thanks,
> > > ________________________________________
> > > From: Gregoire Jeanmart
> > > Sent: 31 May 2017 18:36
> > > To: keycloak-user at lists.jboss.org
> > > Subject: Browser tries to store the username "This is not a login form"
> > after updating a temporary password
> > >
> > > Hello,
> > > One of my users raised an issue after he has been asked to change his
> > password [action: Update password]. The browser asked him to store a
> couple
> > username/password equals to ?This is not a login form? / %new password%
> > [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour
> > isn?t accepted by my users as it is very unusual and not user friendly.
> > >
> > > Is there a way to fix this issue ?
> > >
> > > Information:
> > > - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> > > - Browser: Google Chrome and Mozilla Firefox
> > > - Similar issue:
> > https://stackoverflow.com/questions/43062703/this-is-
> not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak
> > >
> > > Thanks in advance.
> > >
> > > Gregoire Jeanmart
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sblanc at redhat.com  Tue Jun  6 04:30:55 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 6 Jun 2017 10:30:55 +0200
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <c7a40bb4e78040258138ab39f2acd577@EXCHANGE.airas.lan>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
	<c7a40bb4e78040258138ab39f2acd577@EXCHANGE.airas.lan>
Message-ID: <CAMZCGg8m99ZSrH9SJegYT+DwHnucNw6g14wRoh+YB2Rb5RVUvQ@mail.gmail.com>

I can reproduce this, please open a JIRA.

On Mon, Jun 5, 2017 at 10:59 AM, Gregoire Jeanmart <
Gregoire.Jeanmart at ai-london.com> wrote:

> Hello Marek,
>
> Thank you for your response. I don't know if it's an environment issue.
>
> I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1)
> installed on a Linux CentOS and Windows Server OS, even a fresh install and
> I still getting the issue.
>
> Please find below the steps to reproduce the bug:
> 1. Update a user by adding "Update Password" as Required User Actions
>
> 2. Login with this user (in my case "test123"). When you click on submit,
> Keycloak should redirect to the Change Password screen
>
> 3. I enter the new password (twice) and click on submit
> Screenshot: http://imgur.com/a/ueCxU
> As you can see on the screenshot, the browser (both GoogleChrome or
> Firefox latest version) try to store "This is not a login form"
>
> I found this in the Keycloak source code: [ https://github.com/keycloak/
> keycloak/blob/master/themes/src/main/resources/theme/base/
> login/login-update-password.ftl ]
> <form id="kc-passwd-update-form" class="${properties.kcFormClass!}"
> action="${url.loginAction}" method="post">
>             <input type="text" readonly value="this is not a login form"
> style="display: none;">
>             <input type="password" readonly value="this is not a login
> form" style="display: none;">
>
>             <div class="${properties.kcFormGroupClass!}">
>                 <div class="${properties.kcLabelWrapperClass!}">
>                     <label for="password-new" class="${properties.
> kcLabelClass!}">${msg("passwordNew")}</label>
>                 </div>
>                 <div class="${properties.kcInputWrapperClass!}">
>                     <input type="password" id="password-new"
> name="password-new" class="${properties.kcInputClass!}" autofocus
> autocomplete="off" />
>                 </div>
>             </div>
>          (...)
>
> It looks like this code is interpreted by the browser and is being store
> in the Password vault.
>
> I will considerer your suggestion and raise a JIRA issue.
>
> Best regards,
>
> Gregoire Jeanmart
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: 05 June 2017 08:58
> To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>;
> keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Browser tries to store the username "This is
> not a login form" after updating a temporary password
>
> Hi,
>
> This seem like the environment specific issue. I never saw this.
>
> It seems that it happens under some special circumstances (eg. specific
> browser with some specific browser plugins enabled etc). Feel free to
> create JIRA if you manage to figure some more details how to reproduce it.
>
> Marek
>
> On 05/06/17 09:33, Gregoire Jeanmart wrote:
> > Hello,
> > Sorry for chasing up. Does anybody face the same problem?
> > Thanks,
> > ________________________________________
> > From: Gregoire Jeanmart
> > Sent: 31 May 2017 18:36
> > To: keycloak-user at lists.jboss.org
> > Subject: Browser tries to store the username "This is not a login
> > form" after updating a temporary password
> >
> > Hello,
> > One of my users raised an issue after he has been asked to change his
> password [action: Update password]. The browser asked him to store a couple
> username/password equals to "This is not a login form" / %new password%
> [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour
> isn't accepted by my users as it is very unusual and not user friendly.
> >
> > Is there a way to fix this issue ?
> >
> > Information:
> > - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> > - Browser: Google Chrome and Mozilla Firefox
> > - Similar issue:
> > https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-
> > is-being-stored-when-updating-a-password-in-keycloak
> >
> > Thanks in advance.
> >
> > Gregoire Jeanmart
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Gregoire.Jeanmart at ai-london.com  Tue Jun  6 04:36:42 2017
From: Gregoire.Jeanmart at ai-london.com (Gregoire Jeanmart)
Date: Tue, 6 Jun 2017 08:36:42 +0000
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <CAMZCGg8m99ZSrH9SJegYT+DwHnucNw6g14wRoh+YB2Rb5RVUvQ@mail.gmail.com>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
	<c7a40bb4e78040258138ab39f2acd577@EXCHANGE.airas.lan>
	<CAMZCGg8m99ZSrH9SJegYT+DwHnucNw6g14wRoh+YB2Rb5RVUvQ@mail.gmail.com>
Message-ID: <0514a87d4c494930ae996eda1f0305d1@EXCHANGE.airas.lan>

OK Will do. Thanks.

Best regards

Gregoire Jeanmart

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: 06 June 2017 09:31
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>
Cc: Marek Posolda <mposolda at redhat.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

I can reproduce this, please open a JIRA.

On Mon, Jun 5, 2017 at 10:59 AM, Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com<mailto:Gregoire.Jeanmart at ai-london.com>> wrote:
Hello Marek,

Thank you for your response. I don't know if it's an environment issue.

I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1) installed on a Linux CentOS and Windows Server OS, even a fresh install and I still getting the issue.

Please find below the steps to reproduce the bug:
1. Update a user by adding "Update Password" as Required User Actions

2. Login with this user (in my case "test123"). When you click on submit, Keycloak should redirect to the Change Password screen

3. I enter the new password (twice) and click on submit
Screenshot: http://imgur.com/a/ueCxU
As you can see on the screenshot, the browser (both GoogleChrome or Firefox latest version) try to store "This is not a login form"

I found this in the Keycloak source code: [ https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/login-update-password.ftl ]
<form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
            <input type="text" readonly value="this is not a login form" style="display: none;">
            <input type="password" readonly value="this is not a login form" style="display: none;">

            <div class="${properties.kcFormGroupClass!}">
                <div class="${properties.kcLabelWrapperClass!}">
                    <label for="password-new" class="${properties.kcLabelClass!}">${msg("passwordNew")}</label>
                </div>
                <div class="${properties.kcInputWrapperClass!}">
                    <input type="password" id="password-new" name="password-new" class="${properties.kcInputClass!}" autofocus autocomplete="off" />
                </div>
            </div>
         (...)

It looks like this code is interpreted by the browser and is being store in the Password vault.

I will considerer your suggestion and raise a JIRA issue.

Best regards,

Gregoire Jeanmart

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com<mailto:mposolda at redhat.com>]
Sent: 05 June 2017 08:58
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com<mailto:Gregoire.Jeanmart at ai-london.com>>; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

Hi,

This seem like the environment specific issue. I never saw this.

It seems that it happens under some special circumstances (eg. specific browser with some specific browser plugins enabled etc). Feel free to create JIRA if you manage to figure some more details how to reproduce it.

Marek

On 05/06/17 09:33, Gregoire Jeanmart wrote:
> Hello,
> Sorry for chasing up. Does anybody face the same problem?
> Thanks,
> ________________________________________
> From: Gregoire Jeanmart
> Sent: 31 May 2017 18:36
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Browser tries to store the username "This is not a login
> form" after updating a temporary password
>
> Hello,
> One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly.
>
> Is there a way to fix this issue ?
>
> Information:
> - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> - Browser: Google Chrome and Mozilla Firefox
> - Similar issue:
> https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-
> is-being-stored-when-updating-a-password-in-keycloak
>
> Thanks in advance.
>
> Gregoire Jeanmart
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user



_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user


From thomas.darimont at googlemail.com  Tue Jun  6 04:53:52 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 6 Jun 2017 10:53:52 +0200
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <0514a87d4c494930ae996eda1f0305d1@EXCHANGE.airas.lan>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
	<c7a40bb4e78040258138ab39f2acd577@EXCHANGE.airas.lan>
	<CAMZCGg8m99ZSrH9SJegYT+DwHnucNw6g14wRoh+YB2Rb5RVUvQ@mail.gmail.com>
	<0514a87d4c494930ae996eda1f0305d1@EXCHANGE.airas.lan>
Message-ID: <CAK-7U1gqdcK9JXy5w4OJ5EuesfVsogzZBuGfbgMvd59=L_4k8w@mail.gmail.com>

I've also seen that from time to time... this was introduced in March last
year:
http://lists.jboss.org/pipermail/keycloak-dev/2016-April/006973.html

Cheers,
Thomas

2017-06-06 10:36 GMT+02:00 Gregoire Jeanmart <
Gregoire.Jeanmart at ai-london.com>:

> OK Will do. Thanks.
>
> Best regards
>
> Gregoire Jeanmart
>
> From: Sebastien Blanc [mailto:sblanc at redhat.com]
> Sent: 06 June 2017 09:31
> To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com>
> Cc: Marek Posolda <mposolda at redhat.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Browser tries to store the username "This is
> not a login form" after updating a temporary password
>
> I can reproduce this, please open a JIRA.
>
> On Mon, Jun 5, 2017 at 10:59 AM, Gregoire Jeanmart <
> Gregoire.Jeanmart at ai-london.com<mailto:Gregoire.Jeanmart at ai-london.com>>
> wrote:
> Hello Marek,
>
> Thank you for your response. I don't know if it's an environment issue.
>
> I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1)
> installed on a Linux CentOS and Windows Server OS, even a fresh install and
> I still getting the issue.
>
> Please find below the steps to reproduce the bug:
> 1. Update a user by adding "Update Password" as Required User Actions
>
> 2. Login with this user (in my case "test123"). When you click on submit,
> Keycloak should redirect to the Change Password screen
>
> 3. I enter the new password (twice) and click on submit
> Screenshot: http://imgur.com/a/ueCxU
> As you can see on the screenshot, the browser (both GoogleChrome or
> Firefox latest version) try to store "This is not a login form"
>
> I found this in the Keycloak source code: [ https://github.com/keycloak/
> keycloak/blob/master/themes/src/main/resources/theme/base/
> login/login-update-password.ftl ]
> <form id="kc-passwd-update-form" class="${properties.kcFormClass!}"
> action="${url.loginAction}" method="post">
>             <input type="text" readonly value="this is not a login form"
> style="display: none;">
>             <input type="password" readonly value="this is not a login
> form" style="display: none;">
>
>             <div class="${properties.kcFormGroupClass!}">
>                 <div class="${properties.kcLabelWrapperClass!}">
>                     <label for="password-new" class="${properties.
> kcLabelClass!}">${msg("passwordNew")}</label>
>                 </div>
>                 <div class="${properties.kcInputWrapperClass!}">
>                     <input type="password" id="password-new"
> name="password-new" class="${properties.kcInputClass!}" autofocus
> autocomplete="off" />
>                 </div>
>             </div>
>          (...)
>
> It looks like this code is interpreted by the browser and is being store
> in the Password vault.
>
> I will considerer your suggestion and raise a JIRA issue.
>
> Best regards,
>
> Gregoire Jeanmart
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com<mailto:mposolda at redhat.com
> >]
> Sent: 05 June 2017 08:58
> To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com<mailto:
> Gregoire.Jeanmart at ai-london.com>>; keycloak-user at lists.jboss.org<mailto:
> keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Browser tries to store the username "This is
> not a login form" after updating a temporary password
>
> Hi,
>
> This seem like the environment specific issue. I never saw this.
>
> It seems that it happens under some special circumstances (eg. specific
> browser with some specific browser plugins enabled etc). Feel free to
> create JIRA if you manage to figure some more details how to reproduce it.
>
> Marek
>
> On 05/06/17 09:33, Gregoire Jeanmart wrote:
> > Hello,
> > Sorry for chasing up. Does anybody face the same problem?
> > Thanks,
> > ________________________________________
> > From: Gregoire Jeanmart
> > Sent: 31 May 2017 18:36
> > To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> > Subject: Browser tries to store the username "This is not a login
> > form" after updating a temporary password
> >
> > Hello,
> > One of my users raised an issue after he has been asked to change his
> password [action: Update password]. The browser asked him to store a couple
> username/password equals to "This is not a login form" / %new password%
> [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour
> isn't accepted by my users as it is very unusual and not user friendly.
> >
> > Is there a way to fix this issue ?
> >
> > Information:
> > - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> > - Browser: Google Chrome and Mozilla Firefox
> > - Similar issue:
> > https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-
> > is-being-stored-when-updating-a-password-in-keycloak
> >
> > Thanks in advance.
> >
> > Gregoire Jeanmart
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Gregoire.Jeanmart at ai-london.com  Tue Jun  6 07:11:39 2017
From: Gregoire.Jeanmart at ai-london.com (Gregoire Jeanmart)
Date: Tue, 6 Jun 2017 11:11:39 +0000
Subject: [keycloak-user] Browser tries to store the username "This is
 not a login form" after updating a temporary password
In-Reply-To: <0514a87d4c494930ae996eda1f0305d1@EXCHANGE.airas.lan>
References: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>
	<6155971da9f04ad187d3d6d2b8146c70@EXCHANGE.airas.lan>
	<737b3a1c-ef67-5303-2399-eaa05880b66e@redhat.com>
	<c7a40bb4e78040258138ab39f2acd577@EXCHANGE.airas.lan>
	<CAMZCGg8m99ZSrH9SJegYT+DwHnucNw6g14wRoh+YB2Rb5RVUvQ@mail.gmail.com>
	<0514a87d4c494930ae996eda1f0305d1@EXCHANGE.airas.lan>
Message-ID: <37b8f04a8121456cb2fb8686735ee764@EXCHANGE.airas.lan>

Hello,
I submitted the JIRA ticket: https://issues.jboss.org/browse/KEYCLOAK-5019

Regards,
Gregoire

From: Gregoire Jeanmart
Sent: 06 June 2017 09:37
To: Sebastien Blanc <sblanc at redhat.com>
Cc: Marek Posolda <mposolda at redhat.com>; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

OK Will do. Thanks.

Best regards

Gregoire Jeanmart

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: 06 June 2017 09:31
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com<mailto:Gregoire.Jeanmart at ai-london.com>>
Cc: Marek Posolda <mposolda at redhat.com<mailto:mposolda at redhat.com>>; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

I can reproduce this, please open a JIRA.

On Mon, Jun 5, 2017 at 10:59 AM, Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com<mailto:Gregoire.Jeanmart at ai-london.com>> wrote:
Hello Marek,

Thank you for your response. I don't know if it's an environment issue.

I've actually tried on many browsers, 2 versions of Keycloak (2.4 and 3.1) installed on a Linux CentOS and Windows Server OS, even a fresh install and I still getting the issue.

Please find below the steps to reproduce the bug:
1. Update a user by adding "Update Password" as Required User Actions

2. Login with this user (in my case "test123"). When you click on submit, Keycloak should redirect to the Change Password screen

3. I enter the new password (twice) and click on submit
Screenshot: http://imgur.com/a/ueCxU
As you can see on the screenshot, the browser (both GoogleChrome or Firefox latest version) try to store "This is not a login form"

I found this in the Keycloak source code: [ https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/login-update-password.ftl ]
<form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
            <input type="text" readonly value="this is not a login form" style="display: none;">
            <input type="password" readonly value="this is not a login form" style="display: none;">

            <div class="${properties.kcFormGroupClass!}">
                <div class="${properties.kcLabelWrapperClass!}">
                    <label for="password-new" class="${properties.kcLabelClass!}">${msg("passwordNew")}</label>
                </div>
                <div class="${properties.kcInputWrapperClass!}">
                    <input type="password" id="password-new" name="password-new" class="${properties.kcInputClass!}" autofocus autocomplete="off" />
                </div>
            </div>
         (...)

It looks like this code is interpreted by the browser and is being store in the Password vault.

I will considerer your suggestion and raise a JIRA issue.

Best regards,

Gregoire Jeanmart

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com<mailto:mposolda at redhat.com>]
Sent: 05 June 2017 08:58
To: Gregoire Jeanmart <Gregoire.Jeanmart at ai-london.com<mailto:Gregoire.Jeanmart at ai-london.com>>; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password

Hi,

This seem like the environment specific issue. I never saw this.

It seems that it happens under some special circumstances (eg. specific browser with some specific browser plugins enabled etc). Feel free to create JIRA if you manage to figure some more details how to reproduce it.

Marek

On 05/06/17 09:33, Gregoire Jeanmart wrote:
> Hello,
> Sorry for chasing up. Does anybody face the same problem?
> Thanks,
> ________________________________________
> From: Gregoire Jeanmart
> Sent: 31 May 2017 18:36
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Browser tries to store the username "This is not a login
> form" after updating a temporary password
>
> Hello,
> One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly.
>
> Is there a way to fix this issue ?
>
> Information:
> - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
> - Browser: Google Chrome and Mozilla Firefox
> - Similar issue:
> https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-
> is-being-stored-when-updating-a-password-in-keycloak
>
> Thanks in advance.
>
> Gregoire Jeanmart
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user



_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user


From john.kalantzis at drugdev.com  Tue Jun  6 07:58:06 2017
From: john.kalantzis at drugdev.com (John Kalantzis)
Date: Tue, 6 Jun 2017 12:58:06 +0100
Subject: [keycloak-user] Access client session in Freemarker template
Message-ID: <CANEPCb9cRr132u9JU9NBSTnxcMCkkKHPh6nR52xsvhmgx0c2Kw@mail.gmail.com>

Hello,

Is there a way to access the client session in the FreeMarker login
template?

I'm looking for a way to display redirect_uri and possibly an extra
parameter in the page (which are stored in the client session, if I'm not
mistaken) but I don't see them anywhere in the available beans.

Thanks!

From marc.tempelmeier at flane.de  Tue Jun  6 09:44:41 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 6 Jun 2017 13:44:41 +0000
Subject: [keycloak-user] UTF8 encoding prior v2.5
Message-ID: <cae899f40dc243e0afa7152feb644738@dehamex2013.europe.flane.local>

Hi,

we updated our Keycloak 2.4 to 3.1, there was a bug in 2.4:

https://issues.jboss.org/browse/KEYCLOAK-3439

Our database is still latin 1 though after the update, does anyone know what we should change that the data gets correctly into mysql?

Best regards

Marc

From vikrant02.work at gmail.com  Tue Jun  6 09:59:17 2017
From: vikrant02.work at gmail.com (Vikrant Singh)
Date: Tue, 6 Jun 2017 19:29:17 +0530
Subject: [keycloak-user] NoRouteToHostException - Using external Infinispan
 with Keycloak on OpenShift platform
Message-ID: <CACackcvM0UbcHPW6Wxp4GR+cxu77oZZHHEo9Accfkk16LYFFJQ@mail.gmail.com>

Hi,

I am running Keycloak(3.1.0.Final) on Openshift platform. I am using
external infinispan(9.0.1-Final) for sessions, work and offlineSessions
cache to achieve multi datacenter failover.

Below is configuration for infinispan remote-store in Keycloak

> <local-cache name="sessions">
>     <remote-store passivation="false" fetch-state="false" purge="false"
> preload="false" shared="true" cache="sessions"
> remote-servers="remote-cache">
> <property name="rawValues">true</property>
> <property
> name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
>     </remote-store>
> </local-cache>


 <outbound-socket-binding name="remote-cache">
>    <remote-destination host="${env.INFINISPAN_HOST}"
> port="${env.INFINISPAN_PORT:11222}"/>
> </outbound-socket-binding>


External Infinispan cluster is front ended by a load-balancer(kubernetes
service) which provides a static hostname for infinispan and this hostname
is configured in keycloak for keycloak to infinispan communication.

The setup work fine but if all instances(pods) in external infinispan goes
down and we bring up the cluster again, keycloak is not able to get to new
infinispan instance and it keeps trying on old ip address with below error.

The issue seems to be keycloak trying to use ip address instead of load
balancer hostname provided in configuration. As we are running on
openshift, infinispan instances will get new ip address each time it is
restarted.

 ERROR
[org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation]
(persistence-thread--p8-t108) ISPN004007: Exception encountered. Retry 10
out of 10: org.infinispan.client.hotrod.exceptions.TransportException::
Could not fetch transport
at
org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory.borrowTransportFromPool(TcpTransportFactory.java:405)
at
org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory.getTransport(TcpTransportFactory.java:244)
at
org.infinispan.client.hotrod.impl.operations.BulkGetKeysOperation.getTransport(BulkGetKeysOperation.java:29)
at
org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:53)
at
org.infinispan.client.hotrod.impl.RemoteCacheImpl.keySet(RemoteCacheImpl.java:670)
at
org.infinispan.persistence.remote.RemoteStore.process(RemoteStore.java:135)
at
org.infinispan.persistence.manager.PersistenceManagerImpl.processOnAllStores(PersistenceManagerImpl.java:447)
at
org.infinispan.persistence.manager.PersistenceManagerImpl.processOnAllStores(PersistenceManagerImpl.java:432)
at
org.infinispan.persistence.util.PersistenceManagerCloseableSupplier.lambda$get$261(PersistenceManagerCloseableSupplier.java:115)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.infinispan.client.hotrod.exceptions.TransportException::
Could not connect to server: /10.0.34.100:11222
at
org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.<init>(TcpTransport.java:78)
at
org.infinispan.client.hotrod.impl.transport.tcp.TransportObjectFactory.makeObject(TransportObjectFactory.java:37)
at
org.infinispan.client.hotrod.impl.transport.tcp.TransportObjectFactory.makeObject(TransportObjectFactory.java:16)
at
org.apache.commons.pool.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:1220)
at
org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory.borrowTransportFromPool(TcpTransportFactory.java:400)
... 11 more
Caused by: java.net.NoRouteToHostException: No route to host
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
at sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
at sun.nio.ch.SocketAdaptor.connect(Unknown Source)
at
org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.<init>(TcpTransport.java:68)
... 15 more

Is there anyway we can force keycloak to use hostname instead of resolving
to ip address?

Thanks,
Vikrant

From antoine at saagie.com  Tue Jun  6 11:36:33 2017
From: antoine at saagie.com (Antoine Carton)
Date: Tue, 6 Jun 2017 17:36:33 +0200
Subject: [keycloak-user] Keycloak / FreeIPA: "Sync registration"
Message-ID: <CAMghK0a1deh6y_3RfbUr-BNdNykYQBJH1huzrh2QDrKFEWDkgQ@mail.gmail.com>

Hello,

Is there any news regarding user creation support from Keycloak to FreeIPA
LDAP (i.e. "Sync registration" feature in Keycloak) ?

Last thread seems to be
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html

Thanks!

From stephane.granger at gmail.com  Tue Jun  6 11:50:30 2017
From: stephane.granger at gmail.com (Stephane Granger)
Date: Tue, 6 Jun 2017 11:50:30 -0400
Subject: [keycloak-user] Authorization settings can't be exported more
 than once on 3.1.0.Final
In-Reply-To: <CAJrcDBeVGKncvknPec2w3t7Pe09S-zN3t-DQ9j6nYb2F0JpfPQ@mail.gmail.com>
References: <CAHX=cdULfOFM3parjsmYidETUmmJaKa0UU25MNrCBnuyPWUEcA@mail.gmail.com>
	<CAJrcDBeVGKncvknPec2w3t7Pe09S-zN3t-DQ9j6nYb2F0JpfPQ@mail.gmail.com>
Message-ID: <CAHX=cdUikcC7L9+1uCuRGOkcXUPoKXFk43mY2-6We6nm-85azA@mail.gmail.com>

Thanks Pedro Igor,

will the fix be available in 3.2.0.Final?  This is a pretty serious bug for
us, we do have a workaround but it's complicated.

Stephane

On Mon, Jun 5, 2017 at 8:17 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> This is a known issue. We have it fixed in upstream already as well tests
> to make sure we don't break anything when exporting settings.
>
> The problem is that during export your role policies are updated with the
> role names and not kept intact with role identifiers.
>
> Regards.
> Pedro Igor
>
> On Fri, Jun 2, 2017 at 6:22 PM, Stephane Granger <
> stephane.granger at gmail.com> wrote:
>
>> I am running into a weird issue.  After creating a client which uses the
>> Authorization settings, the settings can only be exported 1 time.
>> Rebooting the key cloak server doesn't clear the problem.
>>
>> Steps to reproduce.
>>
>> Create TEST realm
>>
>> Create TEST client, make sure the Authorization Enabled slider is set to
>> ON, click save.
>>
>> Create the following Roles for the client
>> role1
>> role2
>> role3
>>
>> Go on the Authorization tab
>> create 3 policies: policy1, policy2, policy3 with corresponding required
>>  role1...3 from the TEST client
>>
>> create Authorization Scopes: scope1, scope2, scope3
>>
>> create Resources: resource1 with scope2, resource2/scope2 and
>> resource3/scope3
>>
>> finally, create the permissions
>> resource based: permission1/resource1/policy1
>> resource based: permission2/resource2/policy2
>> scope based: permission3/scope3/policy3
>>
>> On the Authorization tab of the TEST client, click on the Export button.
>> This will work.
>> Navigate back to a different realm, and back again to the Authorization
>> tab
>> of the TEST client, try exporting again, this time it will fail.
>> Restarting the Keycloak server does not clear the problem.
>>
>>
>> Here are the logs:
>>
>> 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
>> UT005023: Exception handling request to
>> /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-ac4a-
>> 1c6afb22f7a5/authz/resource-server/settings:
>> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
>> Error while exporting policy [policy1].
>> at
>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx
>> ception(ExceptionHandler.java:76)
>> at
>> org.jboss.resteasy.core.ExceptionHandler.handleException(Exc
>> eptionHandler.java:212)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.writeException
>> (SynchronousDispatcher.java:168)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:411)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:202)
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.service(ServletContainerDispatcher.java:221)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:56)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>> rvletHandler.java:85)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:129)
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.d
>> oFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:131)
>> at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>> terHandler.java:84)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>> eRequest(ServletDispatchingHandler.java:36)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextAssoc
>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.security.SSLInformationAssociat
>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfident
>> ialityConstraintHandler.java:64)
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at
>> io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:284)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:263)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:793)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.lang.RuntimeException: Error while exporting policy
>> [policy1].
>> at
>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>> sentation(ExportUtils.java:386)
>> at
>> org.keycloak.exportimport.util.ExportUtils.lambda$exportAuth
>> orizationSettings$3(ExportUtils.java:313)
>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>> ine.java:193)
>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipel
>> ine.java:175)
>> at
>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(
>> ArrayList.java:1374)
>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>> at
>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>> peline.java:471)
>> at
>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>> eOps.java:708)
>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
>> at
>> org.keycloak.exportimport.util.ExportUtils.exportAuthorizati
>> onSettings(ExportUtils.java:313)
>> at
>> org.keycloak.authorization.admin.ResourceServerService.expor
>> tSettings(ResourceServerService.java:133)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>> ctorImpl.java:139)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>> (ResourceMethodInvoker.java:295)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>> eMethodInvoker.java:249)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:138)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:101)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:395)
>> ... 37 more
>> Caused by: java.lang.NullPointerException
>> at
>> org.keycloak.exportimport.util.ExportUtils.lambda$createPoli
>> cyRepresentation$7(ExportUtils.java:351)
>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>> ine.java:193)
>> at
>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(
>> ArrayList.java:1374)
>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>> at
>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>> peline.java:471)
>> at
>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>> eOps.java:708)
>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
>> at
>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>> sentation(ExportUtils.java:353)
>> ... 68 more
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From psilva at redhat.com  Tue Jun  6 14:39:48 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 6 Jun 2017 15:39:48 -0300
Subject: [keycloak-user] Authorization settings can't be exported more
 than once on 3.1.0.Final
In-Reply-To: <CAHX=cdUikcC7L9+1uCuRGOkcXUPoKXFk43mY2-6We6nm-85azA@mail.gmail.com>
References: <CAHX=cdULfOFM3parjsmYidETUmmJaKa0UU25MNrCBnuyPWUEcA@mail.gmail.com>
	<CAJrcDBeVGKncvknPec2w3t7Pe09S-zN3t-DQ9j6nYb2F0JpfPQ@mail.gmail.com>
	<CAHX=cdUikcC7L9+1uCuRGOkcXUPoKXFk43mY2-6We6nm-85azA@mail.gmail.com>
Message-ID: <CAJrcDBfGeR6EN4h1WKab63Lrm7fZLdwu_ms4RGWqvss6WuYKag@mail.gmail.com>

Yes, it would be. It is already in upstream.

Indeed, it is a very nasty issue .... We have added more tests to make sure
we don't break anything else in the future.

On Tue, Jun 6, 2017 at 12:50 PM, Stephane Granger <
stephane.granger at gmail.com> wrote:

> Thanks Pedro Igor,
>
> will the fix be available in 3.2.0.Final?  This is a pretty serious bug
> for us, we do have a workaround but it's complicated.
>
> Stephane
>
> On Mon, Jun 5, 2017 at 8:17 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> This is a known issue. We have it fixed in upstream already as well tests
>> to make sure we don't break anything when exporting settings.
>>
>> The problem is that during export your role policies are updated with the
>> role names and not kept intact with role identifiers.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Jun 2, 2017 at 6:22 PM, Stephane Granger <
>> stephane.granger at gmail.com> wrote:
>>
>>> I am running into a weird issue.  After creating a client which uses the
>>> Authorization settings, the settings can only be exported 1 time.
>>> Rebooting the key cloak server doesn't clear the problem.
>>>
>>> Steps to reproduce.
>>>
>>> Create TEST realm
>>>
>>> Create TEST client, make sure the Authorization Enabled slider is set to
>>> ON, click save.
>>>
>>> Create the following Roles for the client
>>> role1
>>> role2
>>> role3
>>>
>>> Go on the Authorization tab
>>> create 3 policies: policy1, policy2, policy3 with corresponding required
>>>  role1...3 from the TEST client
>>>
>>> create Authorization Scopes: scope1, scope2, scope3
>>>
>>> create Resources: resource1 with scope2, resource2/scope2 and
>>> resource3/scope3
>>>
>>> finally, create the permissions
>>> resource based: permission1/resource1/policy1
>>> resource based: permission2/resource2/policy2
>>> scope based: permission3/scope3/policy3
>>>
>>> On the Authorization tab of the TEST client, click on the Export button.
>>> This will work.
>>> Navigate back to a different realm, and back again to the Authorization
>>> tab
>>> of the TEST client, try exporting again, this time it will fail.
>>> Restarting the Keycloak server does not clear the problem.
>>>
>>>
>>> Here are the logs:
>>>
>>> 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
>>> UT005023: Exception handling request to
>>> /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-ac4a-1c6a
>>> fb22f7a5/authz/resource-server/settings:
>>> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
>>> Error while exporting policy [policy1].
>>> at
>>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx
>>> ception(ExceptionHandler.java:76)
>>> at
>>> org.jboss.resteasy.core.ExceptionHandler.handleException(Exc
>>> eptionHandler.java:212)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.writeException
>>> (SynchronousDispatcher.java:168)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:411)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:202)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>>> spatcher.service(ServletContainerDispatcher.java:221)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:56)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at
>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>>> rvletHandler.java:85)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:129)
>>> at
>>> org.keycloak.services.filters.KeycloakSessionServletFilter.d
>>> oFilter(KeycloakSessionServletFilter.java:90)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte
>>> r.java:60)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:131)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>>> terHandler.java:84)
>>> at
>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at
>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>>> eRequest(ServletDispatchingHandler.java:36)
>>> at
>>> org.wildfly.extension.undertow.security.SecurityContextAssoc
>>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.servlet.handlers.security.SSLInformationAssociat
>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at
>>> io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at
>>> io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at
>>> io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at
>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at
>>> io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at
>>> io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:284)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:263)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:793)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.lang.RuntimeException: Error while exporting policy
>>> [policy1].
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>>> sentation(ExportUtils.java:386)
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.lambda$exportAuth
>>> orizationSettings$3(ExportUtils.java:313)
>>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>>> ine.java:193)
>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipel
>>> ine.java:175)
>>> at
>>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Ar
>>> rayList.java:1374)
>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>>> at
>>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>>> peline.java:471)
>>> at
>>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>>> eOps.java:708)
>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline
>>> .java:499)
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.exportAuthorizati
>>> onSettings(ExportUtils.java:313)
>>> at
>>> org.keycloak.authorization.admin.ResourceServerService.expor
>>> tSettings(ResourceServerService.java:133)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:62)
>>> at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>>> ctorImpl.java:139)
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>>> (ResourceMethodInvoker.java:295)
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>>> eMethodInvoker.java:249)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:138)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:101)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:395)
>>> ... 37 more
>>> Caused by: java.lang.NullPointerException
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.lambda$createPoli
>>> cyRepresentation$7(ExportUtils.java:351)
>>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>>> ine.java:193)
>>> at
>>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Ar
>>> rayList.java:1374)
>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>>> at
>>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>>> peline.java:471)
>>> at
>>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>>> eOps.java:708)
>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline
>>> .java:499)
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>>> sentation(ExportUtils.java:353)
>>> ... 68 more
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From java at neposoft.com  Tue Jun  6 20:18:22 2017
From: java at neposoft.com (java_os)
Date: Tue, 6 Jun 2017 20:18:22 -0400
Subject: [keycloak-user] spring-sec-adapter - impersonating
In-Reply-To: <ad91a056d13497b69faf216e68b2f4f7.squirrel@neposoft.com>
References: <ad91a056d13497b69faf216e68b2f4f7.squirrel@neposoft.com>
Message-ID: <1092389d5046686037e5ec4aa0db1635.squirrel@neposoft.com>

Anyone has any pointers on impersonating and how it that supported by
Keycloak if anything?
I do not want to go in admin console and click button to impersonate - I
want to be able to trigger a call to Keycloak and exchange the token of
the logged in user with the one is being impersonating.
Anyone share if Keycloak supports it and how - any pointers?
Thanks

> Would has any pointers on implementing sso where admin could impersonate
> an existing user.
> Flow: ng-client(aquires the token - public client) -> rest api (Keycloak
> bearer client)
> Read this thread but was left out :
> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001945.html
>
> Appreciate it.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



From sblanc at redhat.com  Wed Jun  7 01:58:40 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 7 Jun 2017 07:58:40 +0200
Subject: [keycloak-user] spring-sec-adapter - impersonating
In-Reply-To: <1092389d5046686037e5ec4aa0db1635.squirrel@neposoft.com>
References: <ad91a056d13497b69faf216e68b2f4f7.squirrel@neposoft.com>
	<1092389d5046686037e5ec4aa0db1635.squirrel@neposoft.com>
Message-ID: <CAMZCGg-4chEHD=a2EKv9_mHsO8VHiOdztFzKr6kymeYee0WxyA@mail.gmail.com>

If you don't want to use the button from the console use the Admin REST
call (check http://www.keycloak.org/docs-api/3.1/rest-api/index.html and
search for "impersonation")

On Wed, Jun 7, 2017 at 2:18 AM, java_os <java at neposoft.com> wrote:

> Anyone has any pointers on impersonating and how it that supported by
> Keycloak if anything?
> I do not want to go in admin console and click button to impersonate - I
> want to be able to trigger a call to Keycloak and exchange the token of
> the logged in user with the one is being impersonating.
> Anyone share if Keycloak supports it and how - any pointers?
> Thanks
>
> > Would has any pointers on implementing sso where admin could impersonate
> > an existing user.
> > Flow: ng-client(aquires the token - public client) -> rest api (Keycloak
> > bearer client)
> > Read this thread but was left out :
> > http://lists.jboss.org/pipermail/keycloak-user/2015-April/001945.html
> >
> > Appreciate it.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From hmlnarik at redhat.com  Wed Jun  7 06:04:38 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 7 Jun 2017 12:04:38 +0200
Subject: [keycloak-user] UTF8 encoding prior v2.5
In-Reply-To: <cae899f40dc243e0afa7152feb644738@dehamex2013.europe.flane.local>
References: <cae899f40dc243e0afa7152feb644738@dehamex2013.europe.flane.local>
Message-ID: <CAMvXD=EqU70W704mYsBTNdS6t5VCvhhUF8prqG_yD=ONTjn8Xg@mail.gmail.com>

You don't need to change DB if latin1 satisfies your needs. Otherwise,
there are few ways to change encoding in MySQL, see e.g.
https://stackoverflow.com/questions/6115612/how-to-convert-an-entire-mysql-database-characterset-and-collation-to-utf-8

--Hynek

On Tue, Jun 6, 2017 at 3:44 PM, Marc Tempelmeier
<marc.tempelmeier at flane.de> wrote:
> Hi,
>
> we updated our Keycloak 2.4 to 3.1, there was a bug in 2.4:
>
> https://issues.jboss.org/browse/KEYCLOAK-3439
>
> Our database is still latin 1 though after the update, does anyone know what we should change that the data gets correctly into mysql?
>
> Best regards
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek

From marc.tempelmeier at flane.de  Wed Jun  7 06:16:38 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 7 Jun 2017 10:16:38 +0000
Subject: [keycloak-user] UTF8 encoding prior v2.5
In-Reply-To: <CAMvXD=EqU70W704mYsBTNdS6t5VCvhhUF8prqG_yD=ONTjn8Xg@mail.gmail.com>
References: <cae899f40dc243e0afa7152feb644738@dehamex2013.europe.flane.local>
	<CAMvXD=EqU70W704mYsBTNdS6t5VCvhhUF8prqG_yD=ONTjn8Xg@mail.gmail.com>
Message-ID: <e7822a19c6af4afca3dd57ce7a8bca6f@derzex2013.europe.flane.local>

We are still facing the issue in the bug description, so we have the need :)

Is the answer on so everything we have to change?

-----Urspr?ngliche Nachricht-----
Von: Hynek Mlnarik [mailto:hmlnarik at redhat.com] 
Gesendet: Wednesday, June 7, 2017 12:05 PM
An: Marc Tempelmeier <marc.tempelmeier at flane.de>
Cc: keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] UTF8 encoding prior v2.5

You don't need to change DB if latin1 satisfies your needs. Otherwise, there are few ways to change encoding in MySQL, see e.g.
https://stackoverflow.com/questions/6115612/how-to-convert-an-entire-mysql-database-characterset-and-collation-to-utf-8

--Hynek

On Tue, Jun 6, 2017 at 3:44 PM, Marc Tempelmeier <marc.tempelmeier at flane.de> wrote:
> Hi,
>
> we updated our Keycloak 2.4 to 3.1, there was a bug in 2.4:
>
> https://issues.jboss.org/browse/KEYCLOAK-3439
>
> Our database is still latin 1 though after the update, does anyone know what we should change that the data gets correctly into mysql?
>
> Best regards
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek


From hmlnarik at redhat.com  Wed Jun  7 06:26:06 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 7 Jun 2017 12:26:06 +0200
Subject: [keycloak-user] UTF8 encoding prior v2.5
In-Reply-To: <e7822a19c6af4afca3dd57ce7a8bca6f@derzex2013.europe.flane.local>
References: <cae899f40dc243e0afa7152feb644738@dehamex2013.europe.flane.local>
	<CAMvXD=EqU70W704mYsBTNdS6t5VCvhhUF8prqG_yD=ONTjn8Xg@mail.gmail.com>
	<e7822a19c6af4afca3dd57ce7a8bca6f@derzex2013.europe.flane.local>
Message-ID: <CAMvXD=H_Cvq+U=rqWigmXvRDEs8RxZ0RjrHDiW_+-TpqsroxMw@mail.gmail.com>

It depends on what bug you are facing. Database encoding is one.
Another is that you need to pass the characterEncoding parameter to
the JDBC driver as described at Mysql section of [1].

[1] https://keycloak.gitbooks.io/documentation/server_installation/topics/database/unicode-considerations.html

On Wed, Jun 7, 2017 at 12:16 PM, Marc Tempelmeier
<marc.tempelmeier at flane.de> wrote:
> We are still facing the issue in the bug description, so we have the need :)
>
> Is the answer on so everything we have to change?
>
> -----Urspr?ngliche Nachricht-----
> Von: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
> Gesendet: Wednesday, June 7, 2017 12:05 PM
> An: Marc Tempelmeier <marc.tempelmeier at flane.de>
> Cc: keycloak-user at lists.jboss.org
> Betreff: Re: [keycloak-user] UTF8 encoding prior v2.5
>
> You don't need to change DB if latin1 satisfies your needs. Otherwise, there are few ways to change encoding in MySQL, see e.g.
> https://stackoverflow.com/questions/6115612/how-to-convert-an-entire-mysql-database-characterset-and-collation-to-utf-8
>
> --Hynek
>
> On Tue, Jun 6, 2017 at 3:44 PM, Marc Tempelmeier <marc.tempelmeier at flane.de> wrote:
>> Hi,
>>
>> we updated our Keycloak 2.4 to 3.1, there was a bug in 2.4:
>>
>> https://issues.jboss.org/browse/KEYCLOAK-3439
>>
>> Our database is still latin 1 though after the update, does anyone know what we should change that the data gets correctly into mysql?
>>
>> Best regards
>>
>> Marc
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek



-- 

--Hynek


From adrianmatei at gmail.com  Wed Jun  7 07:11:03 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 7 Jun 2017 13:11:03 +0200
Subject: [keycloak-user] Default Realm Roles Not Set When role-ldap-mapper
	is configured for AD
Message-ID: <CAG=THF3bLY1V0FB9eVdAX_fUPZXEfqD1j6GFVyB8Sd5H179Yyg@mail.gmail.com>

Hi everyone,

When I configure an LDAP Role Mapper for Active Directory the Default Roles
of the Realm are not set anymore when a user registers himself or if I
create one via the Keycloak Admin Console.

Configuration:

Mapper type: role-ldap-mapper
LDAP Roles DN: subtree in AD
Role LDAP Attribute: cn
Role Object Classes: group
Membership LDAP Attribute: member
Membership Attribute Type: DN
Membership User LDAP Attribute: uid
Mode: LDAP_ONLY
User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_Attribute
Use Realm Roles Mapping: ON


Does anyone have a solution, or should I create a Jira Issue for that?

Best regards,
Adrian

From adrianmatei at gmail.com  Wed Jun  7 07:22:53 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 7 Jun 2017 13:22:53 +0200
Subject: [keycloak-user] Default Realm Roles Not Set When
 role-ldap-mapper is configured for AD
In-Reply-To: <CAG=THF3bLY1V0FB9eVdAX_fUPZXEfqD1j6GFVyB8Sd5H179Yyg@mail.gmail.com>
References: <CAG=THF3bLY1V0FB9eVdAX_fUPZXEfqD1j6GFVyB8Sd5H179Yyg@mail.gmail.com>
Message-ID: <CAG=THF2QJBxO0u42UQv=P3T=sdytgvT7zrd-VMiK1GbE=42rYg@mail.gmail.com>

I forgot to mention - this is valid for both 2.5.1 and 3.1 Versions

Best regards,
Adrian

On Wed, Jun 7, 2017 at 1:11 PM, Adrian Matei <adrianmatei at gmail.com> wrote:

> Hi everyone,
>
> When I configure an LDAP Role Mapper for Active Directory the Default
> Roles of the Realm are not set anymore when a user registers himself or if
> I create one via the Keycloak Admin Console.
>
> Configuration:
>
> Mapper type: role-ldap-mapper
> LDAP Roles DN: subtree in AD
> Role LDAP Attribute: cn
> Role Object Classes: group
> Membership LDAP Attribute: member
> Membership Attribute Type: DN
> Membership User LDAP Attribute: uid
> Mode: LDAP_ONLY
> User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_Attribute
> Use Realm Roles Mapping: ON
>
>
> Does anyone have a solution, or should I create a Jira Issue for that?
>
> Best regards,
> Adrian
>
>

From nirmal.kumar at impetus.co.in  Wed Jun  7 07:37:15 2017
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Wed, 7 Jun 2017 11:37:15 +0000
Subject: [keycloak-user] Exception in Kerberos Credential Delegation example
Message-ID: <aa20ea8970c14cf5bef6d769bf024372@impetus.co.in>

Hi Keycloak,

I setup the keycloak-demo-3.0.0 standalone server with the Kerberos example(kerberos-portal.war) on an *Ubuntu machine(N1)*.
Next on another *Ubuntu machine(N2)* I setup the Kerberos client (did a kinit) and did the required config changes in Firefox and is able to access the url : http://N1:8080/kerberos-portal/  and the login page is bypassed as expected.

However, when using another *Windows 8.1 machine (N3)* where I have setup the MIT Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the Login page.
The browser though gets the challenge response header WWW-Authenticate: Negotiate and then the again sends the Authorization: Negotiate YII but somehow I end up with the Login page and see the below error on the Wildfly logs.

2017-06-07 10:46:04,332 INFO  [stdout] (default task-42) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN
2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) Will use keytab
2017-06-07 10:46:04,335 INFO  [stdout] (default task-42) Commit Succeeded
2017-06-07 10:46:04,335 INFO  [stdout] (default task-42)
*2017-06-07 10:46:04,337 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
2017-06-07 10:46:04,337 INFO  [stdout] (default task-42)                [Krb5LoginModule]: Entering logout
2017-06-07 10:46:04,338 INFO  [stdout] (default task-42)                [Krb5LoginModule]: logged out Subject

I troubles hooted for quite a long time but cannot understand where the problem is.
Can you please give me some pointers to look for?

Thanks,
-Nirmal


________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

From bruno at abstractj.org  Wed Jun  7 08:49:39 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 07 Jun 2017 12:49:39 +0000
Subject: [keycloak-user] Keycloak / FreeIPA: "Sync registration"
In-Reply-To: <CAMghK0a1deh6y_3RfbUr-BNdNykYQBJH1huzrh2QDrKFEWDkgQ@mail.gmail.com>
References: <CAMghK0a1deh6y_3RfbUr-BNdNykYQBJH1huzrh2QDrKFEWDkgQ@mail.gmail.com>
Message-ID: <CAM5SUC56YSdhGoOuO9QJ8zqwWjJvYKmjTY36QU_ku85h66ATpg@mail.gmail.com>

Hi Antoine, I believe the status remains the same like Marek stated. See
this thread:
http://lists.jboss.org/pipermail/keycloak-user/2016-December/008555.html.
The preferred way to integrate Keycloak and FreeIPA is through SSSD
federation provider, although SSSD is a readonly interface.

On Tue, Jun 6, 2017 at 2:42 PM Antoine Carton <antoine at saagie.com> wrote:

> Hello,
>
> Is there any news regarding user creation support from Keycloak to FreeIPA
> LDAP (i.e. "Sync registration" feature in Keycloak) ?
>
> Last thread seems to be
> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From antoine at saagie.com  Wed Jun  7 08:52:45 2017
From: antoine at saagie.com (Antoine Carton)
Date: Wed, 7 Jun 2017 14:52:45 +0200
Subject: [keycloak-user] Keycloak / FreeIPA: "Sync registration"
In-Reply-To: <CAM5SUC56YSdhGoOuO9QJ8zqwWjJvYKmjTY36QU_ku85h66ATpg@mail.gmail.com>
References: <CAMghK0a1deh6y_3RfbUr-BNdNykYQBJH1huzrh2QDrKFEWDkgQ@mail.gmail.com>
	<CAM5SUC56YSdhGoOuO9QJ8zqwWjJvYKmjTY36QU_ku85h66ATpg@mail.gmail.com>
Message-ID: <CAMghK0YSWpppZAtE5Sk4fvLMNq=BE6EvB86V6OCdzavXnaNC_w@mail.gmail.com>

Hello Bruno,

Thanks for the feedback!

Best regards

2017-06-07 14:49 GMT+02:00 Bruno Oliveira <bruno at abstractj.org>:

> Hi Antoine, I believe the status remains the same like Marek stated. See
> this thread: http://lists.jboss.org/pipermail/keycloak-user/2016-
> December/008555.html. The preferred way to integrate Keycloak and FreeIPA
> is through SSSD federation provider, although SSSD is a readonly interface.
>
> On Tue, Jun 6, 2017 at 2:42 PM Antoine Carton <antoine at saagie.com> wrote:
>
>> Hello,
>>
>> Is there any news regarding user creation support from Keycloak to FreeIPA
>> LDAP (i.e. "Sync registration" feature in Keycloak) ?
>>
>> Last thread seems to be
>> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html
>>
>> Thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From finjunk at gmx.de  Wed Jun  7 09:13:49 2017
From: finjunk at gmx.de (Malte Finsterwalder)
Date: Wed, 7 Jun 2017 15:13:49 +0200
Subject: [keycloak-user] Login a Java Fat Client with Windows Kerberos Token
 agains Keycloak backed by AD?
Message-ID: <CALS12-PjteMGv7j545OvG+5K=DGAmAWBgcq6dw9uSLrhQaxh8g@mail.gmail.com>

Hi,

I have the following setup:

I'm programming a Java Fat Client application. I want to integrate it into
SSO with Keycloak.
Our Keycloak is connected to our Windows Active Directory (AD).

So my idea is, that my Fat Client uses the Windows 7 Kerberos Token and
sends that to Keycloak. Keycloak should authorize the token agains the AD
and send back an authorization token to the Fat Client, so I can later use
this Keycloak token to access other Rest-Services.

Fat Client (with Kerberos Token) -> Keycloak -> AD
Fat Client (with Keycloak Token) -> REST-Service

I can't find anything in the documentation regarding this szenario.
Is this possible? And if so, how?

Greetings,
   Malte

From DBoutin at voyages-sncf.com  Wed Jun  7 10:09:40 2017
From: DBoutin at voyages-sncf.com (Boutin Damien)
Date: Wed, 7 Jun 2017 14:09:40 +0000
Subject: [keycloak-user] Unable to set proxy on identity brokering (apache
	http client)
Message-ID: <af895380aea345a5b0606ea6825997eb@EREP.groupevsc.com>

Hello,

We are hardly trying to configure our access to our IDP, using a proxy.
After quick look in the source code, it looks that some changes have been done in the SimpleHttp class, used to access token endpoint of the idp, to use the Apache Http Client. (jira https://issues.jboss.org/browse/KEYCLOAK-2486)

Looking in the "org.keycloak.connections.httpclient.HttpClientBuilder" class, I don't see any configuration in RequestConfig that could allow to use system properties, or explicit proxy configuration.

Could you tell me if I'm looking at the wrong place or if I missed something ?

Thanks in advance.


From jyoti.tech90 at gmail.com  Wed Jun  7 10:17:56 2017
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Wed, 7 Jun 2017 19:47:56 +0530
Subject: [keycloak-user] Not able to setup Keycloak to fully replicate user
	sessions in cluster
Message-ID: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>

Hi Team,

We are setting up keycloak:3.1.0.Final in a cluster mode for HA with full
user sessions replication in a cloud system, i.e. when one node goes down
then user will keep logged in on other node.

I have setup cluster by using standalone-ha.xml and having infinispan cache
as mentioned below:-

<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
                <transport lock-timeout="60000"/>
                <invalidation-cache name="realms" mode="SYNC"/>
                <invalidation-cache name="users" mode="SYNC"/>
                <distributed-cache name="sessions" mode="SYNC" owners="2"/>
                <distributed-cache name="loginFailures" mode="SYNC"
owners="2"/>
</cache-container>

Every thing works fine except below use case:-

1. Node 1 and Node 2 both are up and user logged in - User session is
getting generated by Node 1
2. Node 1 is now stopped and user session is getting replicated in Node 2 -
User is still able to use the Keycloak console
3. Node 1 is up again and request is being transferred from LB to Node 1 -
User is asked to log in again because session cache is not replicated to
    Node 1 immediately once it is up

I saw one option to add *start="EAGER" *in cache-container to fix this but
looks like with latest version of WildFly it is no longer supported. Do we
have any other way to fix this issue ?


-- 

*With Regards, Jyoti Kumar Singh*

From denny.israel at googlemail.com  Wed Jun  7 11:00:17 2017
From: denny.israel at googlemail.com (Denny Israel)
Date: Wed, 7 Jun 2017 17:00:17 +0200
Subject: [keycloak-user] Java Admin client with signed JWT
Message-ID: <CAF7cocEO7dHpa68cWBERpam5kAkiadbGtyd9FxA7JQRrYMkHiA@mail.gmail.com>

Hi,

i am using the java admin client to configure my keycloak instance. At the
moment i use client secrets to authenticate against keycloak but want to
use a signed JWT. I know how to enable the signed JWT Auth in Keycloak and
how to pass a JWT via authorization() method to KeycloakBuilder (at least i
think it would work ;-)).

Is there a convenient way to create such a token? What should such a token
contain?

The javadoc of KeycloakBuilder gives example usages of username/password
and client secret authentication but not of JWT authentications.

best regards
Denny

From kedward777 at gmail.com  Wed Jun  7 12:56:18 2017
From: kedward777 at gmail.com (ken edward)
Date: Wed, 7 Jun 2017 12:56:18 -0400
Subject: [keycloak-user] Is there a SAML SP valve for tomcat and ADFS?
Message-ID: <CAAqgmoOcH68U300guYWXDt97ZPNGYpmEq_xnq-QZ-KR7Br==Ww@mail.gmail.com>

Hello,

I have an Idp (my ADFS) and I have a tomcat server with a simple j2ee
web application.  I know I can stand up a key cloak sever, and use an
SP adapter for tomcat, BUT is there a way to simply install a tomcat
SP valve/libs that would talk to the IdP and bypass having to install
the keycloak server ? Kinda like this picketlink implementation:

https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink

Ken

From chexxor at gmail.com  Wed Jun  7 15:38:24 2017
From: chexxor at gmail.com (Alex Berg)
Date: Wed, 7 Jun 2017 14:38:24 -0500
Subject: [keycloak-user] How to change link to verify-email in email
	template?
In-Reply-To: <CAJgngAc6xqQJMOX9WSZXnc0Cz3wemQT4r3MBEe6gZeWrazBk1w@mail.gmail.com>
References: <CABgV3qs+9jNUW5MXS8zmQGhNO7OdRJF+VXTRLnK4aYMoQWVx0w@mail.gmail.com>
	<CAJgngAc6xqQJMOX9WSZXnc0Cz3wemQT4r3MBEe6gZeWrazBk1w@mail.gmail.com>
Message-ID: <CABgV3qt=8b2F0cn6h6riHpo+_Xr_yE1NRmGgYQkCSQN+0zbZ3A@mail.gmail.com>

Nice! I didn't think to look there! I configured my proxy to use the proxy
headers and when I access the ".well-known/openid-configuration" it uses
the host:port of the proxy instead of its own host:port.

I still have a problem with the path, though.

When I hit http://localhost:3000/auth/.well-known/openid-configuration

It gives me paths like

"issuer":"http://localhost:3000/auth/realms/MyRealm"

when I want

"issuer":"http://localhost:3000/auth"

So, I need to pass the originally requested path, "/auth", so Keycloak will
know that it lives at this path, rather than at "/auth/realms/MyRealm". I
can't find a standard header used by reverse proxies which preserves the
originally requested path. Does anyone have any suggestions for this?


On Tue, Jun 6, 2017 at 12:12 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Take a look at https://keycloak.gitbooks.io/documentation/server_
> installation/topics/clustering/load-balancer.html. You need to configure
> the proxy and Keycloak server correctly. You certainly don't need to hack
> away at the code.
>
> On 5 June 2017 at 20:56, Alex Berg <chexxor at gmail.com> wrote:
>
>> I have a proxy running which proxies "www.mydomain.com/auth/" to
>> "mykeycloakhost/auth/realms/MyApp/". I think it's less noisy for users of
>> my website.
>>
>> In dev, when I have keycloak send a "verify email" action, the URI in the
>> email is "localhost:8080/auth/realms/MyApp/login-actions/
>> execute-actions?key=the-key"
>>
>> How do I change this URI in the "verify email" email to be
>> "localhost:8080/auth/login-actions/execute-actions?key=the-key"?
>>
>> I see it's calculated like:
>>
>> UriInfo uriInfo = session.getContext().getUri();
>> UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(),
>> token.serialize(session, realm, uriInfo));
>> String link = builder.build(realm.getName()).toString();
>>
>> - Source:
>> /services/src/main/java/org/keycloak/authentication/required
>> actions/VerifyEmail.java#L139
>> <https://github.com/keycloak/keycloak/blob/70d7e07526546cd20
>> d8cbbc6d0557597ba1540fb/services/src/main/java/org/
>> keycloak/authentication/requiredactions/VerifyEmail.java#L139>
>>
>> I'm not great at understanding Java and OO, so I can't figure how where
>> "session.getContext()" is defined.
>>
>> How are other people solving this? Should I just remove the link variable
>> in the email template and use a hardcoded link?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From mposolda at redhat.com  Wed Jun  7 16:04:19 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Jun 2017 22:04:19 +0200
Subject: [keycloak-user] Login a Java Fat Client with Windows Kerberos
 Token agains Keycloak backed by AD?
In-Reply-To: <CALS12-PjteMGv7j545OvG+5K=DGAmAWBgcq6dw9uSLrhQaxh8g@mail.gmail.com>
References: <CALS12-PjteMGv7j545OvG+5K=DGAmAWBgcq6dw9uSLrhQaxh8g@mail.gmail.com>
Message-ID: <f3343f94-63f7-20be-fc5a-44fe7d77fcc6@redhat.com>

It's not yet supported OOTB. There is already JIRA opened for the long 
time. Feel free to add a vote :)

However it should be already possible to implement it if you write 
custom authenticator and put it into the "Direct Grant Flow" 
authentication flow for the realm. Then your Java Fat Client will be 
able to send the token in the "Authorization: Negotiate token" header 
and your authenticator can then authenticate this request. Feel free to 
send PR if you manage to have it working.

See our docs and examples for Authentication SPI for more details.

Marek

On 07/06/17 15:13, Malte Finsterwalder wrote:
> Hi,
>
> I have the following setup:
>
> I'm programming a Java Fat Client application. I want to integrate it into
> SSO with Keycloak.
> Our Keycloak is connected to our Windows Active Directory (AD).
>
> So my idea is, that my Fat Client uses the Windows 7 Kerberos Token and
> sends that to Keycloak. Keycloak should authorize the token agains the AD
> and send back an authorization token to the Fat Client, so I can later use
> this Keycloak token to access other Rest-Services.
>
> Fat Client (with Kerberos Token) -> Keycloak -> AD
> Fat Client (with Keycloak Token) -> REST-Service
>
> I can't find anything in the documentation regarding this szenario.
> Is this possible? And if so, how?
>
> Greetings,
>     Malte
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Wed Jun  7 16:12:50 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Jun 2017 22:12:50 +0200
Subject: [keycloak-user] Exception in Kerberos Credential Delegation
 example
In-Reply-To: <aa20ea8970c14cf5bef6d769bf024372@impetus.co.in>
References: <aa20ea8970c14cf5bef6d769bf024372@impetus.co.in>
Message-ID: <24d3d748-26e4-90a5-474e-e803c5cc06b8@redhat.com>

You can try to enable some additional logging as mentioned in the 
"troubleshooting" section of the Kerberos docs.

One thing, which looks a bit strange to me, is the name of HTTP 
principal with the IP address in it. Does it work with same principal 
for your N1 and N2 machines? I would try to use the name instead of IP 
address instead. But not 100% sure the issue is really this...

Marek

On 07/06/17 13:37, Nirmal Kumar wrote:
> Hi Keycloak,
>
> I setup the keycloak-demo-3.0.0 standalone server with the Kerberos example(kerberos-portal.war) on an *Ubuntu machine(N1)*.
> Next on another *Ubuntu machine(N2)* I setup the Kerberos client (did a kinit) and did the required config changes in Firefox and is able to access the url : http://N1:8080/kerberos-portal/  and the login page is bypassed as expected.
>
> However, when using another *Windows 8.1 machine (N3)* where I have setup the MIT Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the Login page.
> The browser though gets the challenge response header WWW-Authenticate: Negotiate and then the again sends the Authorization: Negotiate YII but somehow I end up with the Login page and see the below error on the Wildfly logs.
>
> 2017-06-07 10:46:04,332 INFO  [stdout] (default task-42) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) Will use keytab
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42) Commit Succeeded
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42)
> *2017-06-07 10:46:04,337 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
> 2017-06-07 10:46:04,337 INFO  [stdout] (default task-42)                [Krb5LoginModule]: Entering logout
> 2017-06-07 10:46:04,338 INFO  [stdout] (default task-42)                [Krb5LoginModule]: logged out Subject
>
> I troubles hooted for quite a long time but cannot understand where the problem is.
> Can you please give me some pointers to look for?
>
> Thanks,
> -Nirmal
>
>
> ________________________________
>
>
>
>
>
>
> NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Wed Jun  7 16:15:39 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Jun 2017 22:15:39 +0200
Subject: [keycloak-user] Default Realm Roles Not Set When
 role-ldap-mapper is configured for AD
In-Reply-To: <CAG=THF2QJBxO0u42UQv=P3T=sdytgvT7zrd-VMiK1GbE=42rYg@mail.gmail.com>
References: <CAG=THF3bLY1V0FB9eVdAX_fUPZXEfqD1j6GFVyB8Sd5H179Yyg@mail.gmail.com>
	<CAG=THF2QJBxO0u42UQv=P3T=sdytgvT7zrd-VMiK1GbE=42rYg@mail.gmail.com>
Message-ID: <274284bc-cf4f-0c50-fa9c-eacdd316f8b7@redhat.com>

JIRA already exists for this issue :/ You can find it in KEYCLOAK 
project in component "Federation - LDAP". Feel free to add a vote.

Marek


On 07/06/17 13:22, Adrian Matei wrote:
> I forgot to mention - this is valid for both 2.5.1 and 3.1 Versions
>
> Best regards,
> Adrian
>
> On Wed, Jun 7, 2017 at 1:11 PM, Adrian Matei <adrianmatei at gmail.com> wrote:
>
>> Hi everyone,
>>
>> When I configure an LDAP Role Mapper for Active Directory the Default
>> Roles of the Realm are not set anymore when a user registers himself or if
>> I create one via the Keycloak Admin Console.
>>
>> Configuration:
>>
>> Mapper type: role-ldap-mapper
>> LDAP Roles DN: subtree in AD
>> Role LDAP Attribute: cn
>> Role Object Classes: group
>> Membership LDAP Attribute: member
>> Membership Attribute Type: DN
>> Membership User LDAP Attribute: uid
>> Mode: LDAP_ONLY
>> User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_Attribute
>> Use Realm Roles Mapping: ON
>>
>>
>> Does anyone have a solution, or should I create a Jira Issue for that?
>>
>> Best regards,
>> Adrian
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From sintes at amitel.fr  Wed Jun  7 19:30:35 2017
From: sintes at amitel.fr (Fabien SINTES)
Date: Thu, 8 Jun 2017 01:30:35 +0200
Subject: [keycloak-user] Log as a group feature
Message-ID: <2174137542-4716@SRVMAIL2.amitel.fr>


Hello,


I'm looking for an IAM SSO system with the following?feature, I'm just Learning about open id connect...?:


I need to allow a user to "log as a group" and inform the client (remote web site). 


It seems not possible with keyloak but I would happy to find?a solution (other iam allow this feature but?I would prefere?redhat support).


I think I could add an information in the json token witch would mean "I am fabien, I am member of this groups and I want you to?identify me as FinancialGroup". With json information like user:fabien, impersonation:FinancialGroup....


The client (remote web site) would read json information and will authenticate the user fabien but using his group to identify the user for different internal actions.


Do you think it is Something possible and a good practice ?!


In this case, it is also needed to custom login page to permit the user to choose this option "user:... , pwd..., login as...". And the combo box for "login as" should list the user groups available.?Is it possible ?


Sorry for my English...


Thank you very much.


Fabien

From sthorger at redhat.com  Thu Jun  8 02:46:31 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Jun 2017 08:46:31 +0200
Subject: [keycloak-user] spring-sec-adapter - impersonating
In-Reply-To: <1092389d5046686037e5ec4aa0db1635.squirrel@neposoft.com>
References: <ad91a056d13497b69faf216e68b2f4f7.squirrel@neposoft.com>
	<1092389d5046686037e5ec4aa0db1635.squirrel@neposoft.com>
Message-ID: <CAJgngAe9eaUFZz2=4RBeTO+xmUUfrt1gOCWQpSu7PZQvsb66kg@mail.gmail.com>

We don't support that. Impersonation? works at the cookie level and changes
the logged-in session. It doesn't work at the token level like what you
want.

On 7 Jun 2017 5:55 am, "java_os" <java at neposoft.com> wrote:

> Anyone has any pointers on impersonating and how it that supported by
> Keycloak if anything?
> I do not want to go in admin console and click button to impersonate - I
> want to be able to trigger a call to Keycloak and exchange the token of
> the logged in user with the one is being impersonating.
> Anyone share if Keycloak supports it and how - any pointers?
> Thanks
>
> > Would has any pointers on implementing sso where admin could impersonate
> > an existing user.
> > Flow: ng-client(aquires the token - public client) -> rest api (Keycloak
> > bearer client)
> > Read this thread but was left out :
> > http://lists.jboss.org/pipermail/keycloak-user/2015-April/001945.html
> >
> > Appreciate it.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From adrianmatei at gmail.com  Thu Jun  8 02:52:49 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Thu, 8 Jun 2017 08:52:49 +0200
Subject: [keycloak-user] Default Realm Roles Not Set When
 role-ldap-mapper is configured for AD
In-Reply-To: <274284bc-cf4f-0c50-fa9c-eacdd316f8b7@redhat.com>
References: <CAG=THF3bLY1V0FB9eVdAX_fUPZXEfqD1j6GFVyB8Sd5H179Yyg@mail.gmail.com>
	<CAG=THF2QJBxO0u42UQv=P3T=sdytgvT7zrd-VMiK1GbE=42rYg@mail.gmail.com>
	<274284bc-cf4f-0c50-fa9c-eacdd316f8b7@redhat.com>
Message-ID: <CAG=THF09zV5ZtBJpJYNu0t2ZjFw7MDSYsb-7MV3_ekrmLLSE7Q@mail.gmail.com>

Thanks Marek,

I added my comment and vote to the https://issues.jboss.org/
browse/KEYCLOAK-4828 issue under the "User Federation - LDAP"

Best regards,
Adrian

On Wed, Jun 7, 2017 at 10:15 PM, Marek Posolda <mposolda at redhat.com> wrote:

> JIRA already exists for this issue :/ You can find it in KEYCLOAK project
> in component "Federation - LDAP". Feel free to add a vote.
>
> Marek
>
>
>
> On 07/06/17 13:22, Adrian Matei wrote:
>
>> I forgot to mention - this is valid for both 2.5.1 and 3.1 Versions
>>
>> Best regards,
>> Adrian
>>
>> On Wed, Jun 7, 2017 at 1:11 PM, Adrian Matei <adrianmatei at gmail.com>
>> wrote:
>>
>> Hi everyone,
>>>
>>> When I configure an LDAP Role Mapper for Active Directory the Default
>>> Roles of the Realm are not set anymore when a user registers himself or
>>> if
>>> I create one via the Keycloak Admin Console.
>>>
>>> Configuration:
>>>
>>> Mapper type: role-ldap-mapper
>>> LDAP Roles DN: subtree in AD
>>> Role LDAP Attribute: cn
>>> Role Object Classes: group
>>> Membership LDAP Attribute: member
>>> Membership Attribute Type: DN
>>> Membership User LDAP Attribute: uid
>>> Mode: LDAP_ONLY
>>> User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_Attribute
>>> Use Realm Roles Mapping: ON
>>>
>>>
>>> Does anyone have a solution, or should I create a Jira Issue for that?
>>>
>>> Best regards,
>>> Adrian
>>>
>>>
>>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>

From hmlnarik at redhat.com  Thu Jun  8 08:27:49 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 8 Jun 2017 14:27:49 +0200
Subject: [keycloak-user] Is there a SAML SP valve for tomcat and ADFS?
In-Reply-To: <CAAqgmoOcH68U300guYWXDt97ZPNGYpmEq_xnq-QZ-KR7Br==Ww@mail.gmail.com>
References: <CAAqgmoOcH68U300guYWXDt97ZPNGYpmEq_xnq-QZ-KR7Br==Ww@mail.gmail.com>
Message-ID: <CAMvXD=Hh=0aBU-pupXEFnVE7pQCZ9GCtVCVmWee28SFf9ftmhQ@mail.gmail.com>

I've never tested that myself but you should be able to install Tomcat
SAML adapter (https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java/tomcat-adapter.html)
and configure it to use your IdP regardless of its vendor.

--Hynek

On Wed, Jun 7, 2017 at 6:56 PM, ken edward <kedward777 at gmail.com> wrote:
> Hello,
>
> I have an Idp (my ADFS) and I have a tomcat server with a simple j2ee
> web application.  I know I can stand up a key cloak sever, and use an
> SP adapter for tomcat, BUT is there a way to simply install a tomcat
> SP valve/libs that would talk to the IdP and bypass having to install
> the keycloak server ? Kinda like this picketlink implementation:
>
> https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
>
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek

From sintes at amitel.fr  Thu Jun  8 09:36:46 2017
From: sintes at amitel.fr (Fabien SINTES)
Date: Thu, 8 Jun 2017 15:36:46 +0200
Subject: [keycloak-user] Activate only features needed using cluster
Message-ID: <2224791020-3500@SRVMAIL2.amitel.fr>


Hello,


I need to design a secure infrastructure with many zones (vlan, fw filtering...). Is it possible to separate this roles : 
?- URI for token Delivery, authentification (openid connect, oauth)
?- internal?user database (or is it possible only if external ldap server is used ?)
?- Admin UI
?- Admin Rest API


This diff?rents servers would?be in cluster (sync allowed by filtering between zones).


I have understand it is possible to configure "localhost" for this services but is it possible to disable it ? and having all this roles working fine in cluster ?


Thank you.


Fabien.

From kedward777 at gmail.com  Thu Jun  8 10:36:10 2017
From: kedward777 at gmail.com (ken edward)
Date: Thu, 8 Jun 2017 10:36:10 -0400
Subject: [keycloak-user] Is there a form/basic fallback option for Keycloak
	SAML adaptor for Tomcat?
Message-ID: <CAAqgmoOONHRGv1OqLb--SN+vpnitD6Sr36GaEevnE1K8tTU50Q@mail.gmail.com>

Hello,

Looking at the Keycloak SAML adaptor for Tomcat I see that it seems to
say the login authentication parameter from the web.xml are "ignored"
(can't say SPNEGO, BASIC). Is there any way to implement FORM based
authentication fallback for the Keycloack SAML Adaptor?

 <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.html

Can something like this be done:

<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
   </login-config>


Ken

From inofi at gmx.net  Thu Jun  8 10:47:11 2017
From: inofi at gmx.net (Malte Finsterwalder)
Date: Thu, 8 Jun 2017 16:47:11 +0200
Subject: [keycloak-user] Fwd: Login a Java Fat Client with Windows Kerberos
 Token agains Keycloak backed by AD?
In-Reply-To: <CALS12-OAG32_eiesH8o-HNg-FJ3jwDd-skH3kZu2gbQNd7mc5Q@mail.gmail.com>
References: <CALS12-PjteMGv7j545OvG+5K=DGAmAWBgcq6dw9uSLrhQaxh8g@mail.gmail.com>
	<f3343f94-63f7-20be-fc5a-44fe7d77fcc6@redhat.com>
	<CALS12-OAG32_eiesH8o-HNg-FJ3jwDd-skH3kZu2gbQNd7mc5Q@mail.gmail.com>
Message-ID: <CALS12-O-19Mgh=5BUDe_6vi-3gC+n9nkhJgqmXYY4DXRxf782A@mail.gmail.com>

Hi Marek,

thanks for the quick response.

Do you have an ID for the Jira bug? I couldn't find it.

I must say I'm completely new to Keycloak and Kerberos etc.

I noticed, that the keycloak-authz-client uses an http-client under the
hood. Do I understand correctly, that the server still recognizes this type
of client as something different and uses the "Direct Grant" Authentication
flow and not the "Browser" flow?

So I would have to create a new Authenticator SPI implementation, that is
then deployed on the Keycloak server and integrated into the "Direct
Grant"-Flow to integrate Kerberos Authentication into this flow?

And do I also have to program something into the client?

Would it also be feasible to access Keycloak like a browser instead? Since
then Keycloak already supports Kerberos SSO, as far as I know.
Or why is the Fat Client using a completely different flow in the first
place?

Greetings,
   Malte

On 7 June 2017 at 22:04, Marek Posolda <mposolda at redhat.com> wrote:

> It's not yet supported OOTB. There is already JIRA opened for the long
> time. Feel free to add a vote :)
>
> However it should be already possible to implement it if you write custom
> authenticator and put it into the "Direct Grant Flow" authentication flow
> for the realm. Then your Java Fat Client will be able to send the token in
> the "Authorization: Negotiate token" header and your authenticator can then
> authenticate this request. Feel free to send PR if you manage to have it
> working.
>
> See our docs and examples for Authentication SPI for more details.
>
> Marek
>
>
> On 07/06/17 15:13, Malte Finsterwalder wrote:
>
>> Hi,
>>
>> I have the following setup:
>>
>> I'm programming a Java Fat Client application. I want to integrate it into
>> SSO with Keycloak.
>> Our Keycloak is connected to our Windows Active Directory (AD).
>>
>> So my idea is, that my Fat Client uses the Windows 7 Kerberos Token and
>> sends that to Keycloak. Keycloak should authorize the token agains the AD
>> and send back an authorization token to the Fat Client, so I can later use
>> this Keycloak token to access other Rest-Services.
>>
>> Fat Client (with Kerberos Token) -> Keycloak -> AD
>> Fat Client (with Keycloak Token) -> REST-Service
>>
>> I can't find anything in the documentation regarding this szenario.
>> Is this possible? And if so, how?
>>
>> Greetings,
>>     Malte
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>

From csalazar at devsu.com  Thu Jun  8 10:51:37 2017
From: csalazar at devsu.com (Cesar Salazar)
Date: Thu, 8 Jun 2017 09:51:37 -0500
Subject: [keycloak-user] Login to Admin REST API from client
Message-ID: <CAJzRJ5KvgxdTvdqkGucMDJp6x9fNVVRO1FT2D8jhH4FBmAmiPA@mail.gmail.com>

Hi,

I'm trying to access the admin REST API from a microservice, in order to
create a realm. In the documentation says that I should get a an access
token in order to be able to make calls to the rest API.

The problem is: I wouldn't like to use a username and password to get it,
is it possible to get it from the clientId and clientSecret?

I mean, how do I make calls to the admin REST API using client credentials?
I couldn't find anything in the documentation.
https://keycloak.gitbooks.io/documentation/server_development/topics/admin-rest-api.html

Or is the documentation somewhere else?

Thanks!

-- 
*Cesar Salazar*
Development Manager
DEVSU | www.devsu.com

From kedward777 at gmail.com  Thu Jun  8 11:07:17 2017
From: kedward777 at gmail.com (kedward777)
Date: Thu, 8 Jun 2017 08:07:17 -0700 (MST)
Subject: [keycloak-user] Keycloak Java adapter & ADFS
In-Reply-To: <CADLL6JtCvqWw6a-EFJWjRy3Sc3cgtAFVadQCOfyLU4tdTFMpMw@mail.gmail.com>
References: <CADLL6JtCvqWw6a-EFJWjRy3Sc3cgtAFVadQCOfyLU4tdTFMpMw@mail.gmail.com>
Message-ID: <1496934437473-3938.post@n6.nabble.com>

Did you ever get the Keycloak java adapter working with the ADFS? Lessons
learned?



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Keycloak-Java-adapter-ADFS-tp3716p3938.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From michel.laporte at essencedigital.com  Thu Jun  8 11:24:36 2017
From: michel.laporte at essencedigital.com (Michel Laporte)
Date: Thu, 8 Jun 2017 16:24:36 +0100
Subject: [keycloak-user] Whitelisting Google Domain
Message-ID: <CALAiTM1MFQ1-jt47RshdFxASPSDhZ+_2U_iO+oUOLBnUAA3VsQ@mail.gmail.com>

Hi there,
We have Keycloak set up and we have 2 business Google Apps domain
registered.

How do we whitelist the 2 domains we have for Keycloak Authentication. We
have it working using SAML but it allows all Google domains to be
authenticated.
Thanks

-- 

*Michel Laporte*
DevOps Engineer

T: +44 20 7758 7162
UK House ? 180 Oxford Street ? London ? W1D 1NN

-- 
-------------------------------------
essencedigital.com <http://www.essencedigital.com/>
Google+ <https://plus.google.com/102138558390623994587/about> ? Facebook 
<http://www.facebook.com/essencedigital> ? Twitter 
<https://twitter.com/essencedigital> ? YouTube 
<http://www.youtube.com/essencedigitalvideos>

From chexxor at gmail.com  Thu Jun  8 15:18:34 2017
From: chexxor at gmail.com (Alex Berg)
Date: Thu, 8 Jun 2017 14:18:34 -0500
Subject: [keycloak-user] "Verify Email" email isn't sent on initial login
	when using OIC
Message-ID: <CABgV3qsC-opYKMSKLS4AwD251jff9cec_t430M_iQ1xzaiu6wA@mail.gmail.com>

I create a new user via the Admin REST API, then I immediately try to login
as that use via OpenID Connect protocol. I get a login error, saying
"invalid_grant" and "Account is not fully set up", which I expect, but
Keycloak doesn't perform the "Verify Email" required action.

If I login via the Keycloak-provided account login - "
http://localhost:8080/auth/realms/MyRealm/account/" - Keycloak *does* send
a "Verify Email" email with the appropriate email template.

Has anyone else experienced this issue?

From chexxor at gmail.com  Thu Jun  8 21:19:49 2017
From: chexxor at gmail.com (Alex Berg)
Date: Thu, 8 Jun 2017 20:19:49 -0500
Subject: [keycloak-user] Login to Admin REST API from client
In-Reply-To: <CAJzRJ5KvgxdTvdqkGucMDJp6x9fNVVRO1FT2D8jhH4FBmAmiPA@mail.gmail.com>
References: <CAJzRJ5KvgxdTvdqkGucMDJp6x9fNVVRO1FT2D8jhH4FBmAmiPA@mail.gmail.com>
Message-ID: <CABgV3qsOHRzPTT-WPAGXh048UBxcyYMmCNiJhjnifxSSN-8EfQ@mail.gmail.com>

It's in the docs if you search for client credentials.

Use "$CLIENT_NAME:$CLIENT_SECRET" as the username and password, and
grant_type=client_credentials, and ensure the client has a role of
"realm-admin" or similar to enable it to use the Admin API.

Practice by crafting a curl command. There's a curl command example in the
docs.

On Jun 8, 2017 18:32, "Cesar Salazar" <csalazar at devsu.com> wrote:

> Hi,
>
> I'm trying to access the admin REST API from a microservice, in order to
> create a realm. In the documentation says that I should get a an access
> token in order to be able to make calls to the rest API.
>
> The problem is: I wouldn't like to use a username and password to get it,
> is it possible to get it from the clientId and clientSecret?
>
> I mean, how do I make calls to the admin REST API using client credentials?
> I couldn't find anything in the documentation.
> https://keycloak.gitbooks.io/documentation/server_
> development/topics/admin-rest-api.html
>
> Or is the documentation somewhere else?
>
> Thanks!
>
> --
> *Cesar Salazar*
> Development Manager
> DEVSU | www.devsu.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From hylton.peimer at datos-health.com  Thu Jun  8 23:22:35 2017
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Fri, 9 Jun 2017 06:22:35 +0300
Subject: [keycloak-user] Get Access Token to service account using Java code
Message-ID: <CACGrZesUvJWnR=_bg2ocA+Og8G9X95U_2V=nDyOEHwyR37sQ-g@mail.gmail.com>

I have written a provider which implements the UserStorageProviderFactory
to connect Keycloak to a legacy system.

I need to get an AccessToken (for a realm service account) in the Java code.

Is there a way to achieve this in Java, without a network call to
"/protocol/openid-connect/token"?

From sthorger at redhat.com  Fri Jun  9 00:58:27 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 9 Jun 2017 06:58:27 +0200
Subject: [keycloak-user] Not able to setup Keycloak to fully replicate
 user sessions in cluster
In-Reply-To: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>
References: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>
Message-ID: <CAJgngAdi5OwVVLiE5ATF9uLsacY1hscSK6LknLgRXjDtZTJ=7g@mail.gmail.com>

Your configuration is not correct and seems to be from an older version of
Keycloak. Please take a look at default standalone-ha.xml from 3.1 for the
correct cache configs.

You also need to get cluster communication working properly. Make sure the
nodes see each other. When you start new nodes something should happen in
the log in other nodes. In a cloud environment this can be tricky (you
haven't said which one) as multicasting usually doesn't work and you need
to use a different discovery protocol.

On 7 June 2017 at 16:17, Jyoti Kumar Singh <jyoti.tech90 at gmail.com> wrote:

> Hi Team,
>
> We are setting up keycloak:3.1.0.Final in a cluster mode for HA with full
> user sessions replication in a cloud system, i.e. when one node goes down
> then user will keep logged in on other node.
>
> I have setup cluster by using standalone-ha.xml and having infinispan cache
> as mentioned below:-
>
> <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
>                 <transport lock-timeout="60000"/>
>                 <invalidation-cache name="realms" mode="SYNC"/>
>                 <invalidation-cache name="users" mode="SYNC"/>
>                 <distributed-cache name="sessions" mode="SYNC" owners="2"/>
>                 <distributed-cache name="loginFailures" mode="SYNC"
> owners="2"/>
> </cache-container>
>
> Every thing works fine except below use case:-
>
> 1. Node 1 and Node 2 both are up and user logged in - User session is
> getting generated by Node 1
> 2. Node 1 is now stopped and user session is getting replicated in Node 2 -
> User is still able to use the Keycloak console
> 3. Node 1 is up again and request is being transferred from LB to Node 1 -
> User is asked to log in again because session cache is not replicated to
>     Node 1 immediately once it is up
>
> I saw one option to add *start="EAGER" *in cache-container to fix this but
> looks like with latest version of WildFly it is no longer supported. Do we
> have any other way to fix this issue ?
>
>
> --
>
> *With Regards, Jyoti Kumar Singh*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From nirmal.kumar at impetus.co.in  Fri Jun  9 01:53:04 2017
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Fri, 9 Jun 2017 05:53:04 +0000
Subject: [keycloak-user] Exception in Kerberos Credential Delegation
 example
In-Reply-To: <24d3d748-26e4-90a5-474e-e803c5cc06b8@redhat.com>
References: <aa20ea8970c14cf5bef6d769bf024372@impetus.co.in>,
	<24d3d748-26e4-90a5-474e-e803c5cc06b8@redhat.com>
Message-ID: <9252c35db4364c8da1f45a345c3e1097@impetus.co.in>

Hi Mark,


Thanks for the reply.


I now used the following MIT Kerberos Client on Windows 10 and things started working [?]

https://web.mit.edu/kerberos/dist/kfw/4.1/kfw-4.1-amd64.msi


One thing though I had to change on Firefox was network.auth.use-sspi to set as false to get rid of the below exceptions:

: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
        at org.keycloak.federation.kerberos.KerberosFederationProvider.authenticate(KerberosFederationProvider.java:194)
        at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
        at sun.reflect.GeneratedMethodAccessor327.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
        ... 60 more

Earlier I had problem with Windows 8.1 and kfw-4.0.1-amd64.msi combination, not sure why, may some environment issue at my end?


Thanks,

-Nirmal

________________________________
From: Marek Posolda <mposolda at redhat.com>
Sent: Thursday, June 8, 2017 1:42:50 AM
To: Nirmal Kumar; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Exception in Kerberos Credential Delegation example

You can try to enable some additional logging as mentioned in the
"troubleshooting" section of the Kerberos docs.

One thing, which looks a bit strange to me, is the name of HTTP
principal with the IP address in it. Does it work with same principal
for your N1 and N2 machines? I would try to use the name instead of IP
address instead. But not 100% sure the issue is really this...

Marek

On 07/06/17 13:37, Nirmal Kumar wrote:
> Hi Keycloak,
>
> I setup the keycloak-demo-3.0.0 standalone server with the Kerberos example(kerberos-portal.war) on an *Ubuntu machine(N1)*.
> Next on another *Ubuntu machine(N2)* I setup the Kerberos client (did a kinit) and did the required config changes in Firefox and is able to access the url : http://N1:8080/kerberos-portal/  and the login page is bypassed as expected.
>
> However, when using another *Windows 8.1 machine (N3)* where I have setup the MIT Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the Login page.
> The browser though gets the challenge response header WWW-Authenticate: Negotiate and then the again sends the Authorization: Negotiate YII but somehow I end up with the Login page and see the below error on the Wildfly logs.
>
> 2017-06-07 10:46:04,332 INFO  [stdout] (default task-42) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) Will use keytab
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42) Commit Succeeded
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42)
> *2017-06-07 10:46:04,337 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
> 2017-06-07 10:46:04,337 INFO  [stdout] (default task-42)                [Krb5LoginModule]: Entering logout
> 2017-06-07 10:46:04,338 INFO  [stdout] (default task-42)                [Krb5LoginModule]: logged out Subject
>
> I troubles hooted for quite a long time but cannot understand where the problem is.
> Can you please give me some pointers to look for?
>
> Thanks,
> -Nirmal
>
>
> ________________________________
>
>
>
>
>
>
> NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

From pulgupta at redhat.com  Fri Jun  9 03:28:14 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Fri, 9 Jun 2017 12:58:14 +0530
Subject: [keycloak-user] XML parsing issues after upgrading RH_SSO from 7.0
	to 7.1
Message-ID: <CAApADD2_Zb-YpW=r_BJ7xa+7tR-eXALzP1R-6dkB5KW00T+fJg@mail.gmail.com>

Hi Team, We have a bunch of application working with RH_SSO. The
applications were using SAML adapter 7.0 for EAP6 and all was working fine.
However we upgraded the SAML adapter to 7.1 at out SP side. Soon after the
upgrade we are now seeing XML parsing exceptions in the /wapps/xxx/saml
endpoint created by the adapter. These are also not consistent and most of
the applications works fine most of the time however we get this mostly
with one of our SP. Please find the stack trace below 2017-06-09
03:17:42,370 [wapps-external-exec-threads - 161] ERROR
[org.keycloak.saml.common] Error in base64 decoding saml message:
java.lang.RuntimeException: javax.xml.stream.XMLStreamException:
java.net.MalformedURLException 2017-06-09 03:17:42,370
[wapps-external-exec-threads - 161] ERROR [org.apache.catalina.connector]
JBWEB001018: An exception or error occurred in the container during the
request processing: java.lang.NullPointerException at
org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:179)
at
org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44)
at
org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48)
at
org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:224)
at
org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:174)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
at
org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:356)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
at
com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61)
at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26) at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:511)
at
org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)
at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808) at
org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45) at
org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:849) at
java.lang.Thread.run(Thread.java:745) at
org.jboss.threads.JBossThread.run(JBossThread.java:122)

-- 

PULKIT GUPTA

SENIOR SOFTWARE APPLICATIONS ENGINEER

Red Hat IN IT GBD <https://www.redhat.com/>

Pune - India

pulgupta at redhat.com    T: +91-2066817536
<http://redhatemailsignature-marketing.itos.redhat.com/>     IM: pulgupta
<https://red.ht/sig>

From tomas at intrahouse.com  Fri Jun  9 05:25:49 2017
From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=)
Date: Fri, 09 Jun 2017 09:25:49 +0000
Subject: [keycloak-user] Development help
Message-ID: <CALgk1PLZbDvC+do6CQK2dpnBTpxFR-NbOcmrQk7Hb0Z6Ug74pg@mail.gmail.com>

Hi,

I've developed an API service for Keycloak. It's a bit complex algorithm
where the clientSession needs to be recovered later if something happens,
so I put a note in the style of HMAC + Session ID as Keycloak does in other
places and then next, when the algorithm needs to continue in the following
request to the same endpoint, I recover the session. Inside the API
service, I'm adding users so I have to commit the transaction just in case
a ModelDuplicateException happens, as I've seen in other places of
Keycloak's code.

So I'm receiving this exception when I recover the client session from the
note (note: a user was added and committed previously). I've tried to start
a new transaction after committing, but yet I still get the same exception.

Any help or ideas will be welcome. Thanks.

09:06:48,748 ERROR [io.undertow.request] (default task-5) UT005023:
Exception handling request to /auth/realms/test/testApi/speciallogin
: org.jboss.resteasy.spi.UnhandledException:
java.lang.IllegalStateException: Cannot access delegate without a
transaction
        at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.ja
va:64)
        at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:4
3)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: Cannot access delegate without
a transaction
        at
org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:97)
        at
org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:182)
        at
org.keycloak.models.sessions.infinispan.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:282)
        at
org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:794)
        at
com.test.keycloak.api.services.specialLogin(TestAPIService.java:157)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

From john.d.ament at gmail.com  Fri Jun  9 06:43:56 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 09 Jun 2017 10:43:56 +0000
Subject: [keycloak-user] Global vs per realm SMTP
Message-ID: <CAOqetn-kjQcS18Di-QO0rcEyOi0JR0pet9c8z6_gCJHZwXP1Zw@mail.gmail.com>

Hi

I was wondering if the SMTP configuration can be done on a global basis,
instead of a per realm?

John

From chexxor at gmail.com  Fri Jun  9 18:25:28 2017
From: chexxor at gmail.com (Alex Berg)
Date: Fri, 9 Jun 2017 17:25:28 -0500
Subject: [keycloak-user] Manage VerifyEmail outside Keycloak?
Message-ID: <CABgV3qspzt1QN=_S-rkzmqA0j+wrROdUYZ_t8LWzKP7XHnABUw@mail.gmail.com>

Is anyone else managing email verification outside Keycloak? I'm
considering doing it, so I'd like past experience reports.

It seems like I could
- Create a user in Keycloak using the Admin REST API when a user registers
in my app's UI, then immediately craft a "verify email" email to send to
them with a key I craft and a link back to my app.
- My app later receives this key, gets the associated email ownership
claim, and updates the user's record in Keycloak to remove the "Verify
Email" required action and set the "Email Verified" field to true.

Should work, right?

From jyoti.tech90 at gmail.com  Sat Jun 10 01:17:27 2017
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Sat, 10 Jun 2017 10:47:27 +0530
Subject: [keycloak-user] Not able to setup Keycloak to fully replicate
 user sessions in cluster
In-Reply-To: <CAJgngAdi5OwVVLiE5ATF9uLsacY1hscSK6LknLgRXjDtZTJ=7g@mail.gmail.com>
References: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>
	<CAJgngAdi5OwVVLiE5ATF9uLsacY1hscSK6LknLgRXjDtZTJ=7g@mail.gmail.com>
Message-ID: <CA+37Sd519s3hw8_DXYn_EODvRScY9-DErThcjUV1pFBZyT1AZQ@mail.gmail.com>

Hi Stian,

Thanks for the reply. I am using below configuration of the
standalone-ha.xml from 3.1.0 version. I just added owners="2" in
"infinispan/Keycloak" for cluster-wide replicas for each cache entry.

#standalone-ha.xml:- attached

Also I am using DC/OS as a container platform, which includes Marathon as a
load balancer (LB) and two container runtimes (Docker and Mesos) for the
deployment on cloud.

I could see below logs are rolling in Node#2(nodeagent16) once
Node#1(nodeagent15) goes down. But when I am bringing Node#1 again, request
is being transferred from LB to Node#1 again and I am not seeing any logs
related to Cache session are rolling in Node#1, hence user's session is not
recognized by Node#1 and he is asked to login again.

Currently I am not very sure whether multicasting is not working or
discovery protocol is having some issue. Your inputs will help me to
understand the issue in a better way.

#Logs:-

2017-06-10 04:41:56,330 WARN
 [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
(transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
Cache authorization lost at least half of the stable members, possible
split brain causing data inconsistency. Current members are [nodeagent16],
lost members are [nodeagent15], stable members are [nodeagent15,
nodeagent16]
2017-06-10 04:41:56,332 WARN
 [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
(transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
Cache sessions lost at least half of the stable members, possible split
brain causing data inconsistency. Current members are [nodeagent16], lost
members are [nodeagent15], stable members are [nodeagent15, nodeagent16]
2017-06-10 04:41:56,333 WARN
 [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
(transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
Cache work lost at least half of the stable members, possible split brain
causing data inconsistency. Current members are [nodeagent16], lost members
are [nodeagent15], stable members are [nodeagent16, nodeagent15]
2017-06-10 04:41:56,334 WARN
 [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
(transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
Cache offlineSessions lost at least half of the stable members, possible
split brain causing data inconsistency. Current members are [nodeagent16],
lost members are [nodeagent15], stable members are [nodeagent15,
nodeagent16]
2017-06-10 04:41:56,336 WARN
 [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
(transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
Cache loginFailures lost at least half of the stable members, possible
split brain causing data inconsistency. Current members are [nodeagent16],
lost members are [nodeagent15], stable members are [nodeagent15,
nodeagent16]
2017-06-10 04:41:56,509 INFO
 [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
Received new cluster view for channel web: [nodeagent16|10] (1)
[nodeagent16]
2017-06-10 04:41:56,512 INFO
 [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
Received new cluster view for channel ejb: [nodeagent16|10] (1)
[nodeagent16]
2017-06-10 04:41:56,513 INFO
 [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
Received new cluster view for channel hibernate: [nodeagent16|10] (1)
[nodeagent16]



On Fri, Jun 9, 2017 at 10:28 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Your configuration is not correct and seems to be from an older version of
> Keycloak. Please take a look at default standalone-ha.xml from 3.1 for the
> correct cache configs.
>
> You also need to get cluster communication working properly. Make sure the
> nodes see each other. When you start new nodes something should happen in
> the log in other nodes. In a cloud environment this can be tricky (you
> haven't said which one) as multicasting usually doesn't work and you need
> to use a different discovery protocol.
>
> On 7 June 2017 at 16:17, Jyoti Kumar Singh <jyoti.tech90 at gmail.com> wrote:
>
>> Hi Team,
>>
>> We are setting up keycloak:3.1.0.Final in a cluster mode for HA with full
>> user sessions replication in a cloud system, i.e. when one node goes down
>> then user will keep logged in on other node.
>>
>> I have setup cluster by using standalone-ha.xml and having infinispan
>> cache
>> as mentioned below:-
>>
>> <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
>>                 <transport lock-timeout="60000"/>
>>                 <invalidation-cache name="realms" mode="SYNC"/>
>>                 <invalidation-cache name="users" mode="SYNC"/>
>>                 <distributed-cache name="sessions" mode="SYNC"
>> owners="2"/>
>>                 <distributed-cache name="loginFailures" mode="SYNC"
>> owners="2"/>
>> </cache-container>
>>
>> Every thing works fine except below use case:-
>>
>> 1. Node 1 and Node 2 both are up and user logged in - User session is
>> getting generated by Node 1
>> 2. Node 1 is now stopped and user session is getting replicated in Node 2
>> -
>> User is still able to use the Keycloak console
>> 3. Node 1 is up again and request is being transferred from LB to Node 1 -
>> User is asked to log in again because session cache is not replicated to
>>     Node 1 immediately once it is up
>>
>> I saw one option to add *start="EAGER" *in cache-container to fix this but
>> looks like with latest version of WildFly it is no longer supported. Do we
>> have any other way to fix this issue ?
>>
>>
>> --
>>
>> *With Regards, Jyoti Kumar Singh*
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


-- 

*With Regards, Jyoti Kumar Singh*

From braun.tom at web.de  Sat Jun 10 09:30:25 2017
From: braun.tom at web.de (Tom Braun)
Date: Sat, 10 Jun 2017 15:30:25 +0200
Subject: [keycloak-user] Invalid token issuer when running as docker service
Message-ID: <49468ea5-122a-5720-af07-db88a63556d9@web.de>

Hello,

got the follwing setup:
- frontend (oauth, angular2)
- rest-backend (bearerOnly, spring-boot with spring-security)
- keycloak (standalone)

If I run the three as "ordinary" processes, everything works fine.
However, if I try to run them as services within a docker (swarm mode)
the rest-backend keeps complaining about:

org.keycloak.common.VerificationException: Invalid token issuer. 
Expected 'http://myhost:8180/auth/realms/myrealm', but was 
'http://localhost:8180/auth/realms/myrealm'


I inserted myhost into my /etc/hosts to point to the IP of docker0. So 
far it works, I can access the frontend on port 80 and keycloak on port 
8180.

Is there a way to make keycloak report as myhost in the issuer token and 
not as localhost?

Tried running keycloak behind a reverse-proxy - no change.




From shimin_q at yahoo.com  Mon Jun 12 10:07:09 2017
From: shimin_q at yahoo.com (shimin q)
Date: Mon, 12 Jun 2017 14:07:09 +0000 (UTC)
Subject: [keycloak-user] Keycloak Tomcat 7 adaptor - Java version
	requirement?
In-Reply-To: <552966330.515120.1495814645292@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
	<552966330.515120.1495814645292@mail.yahoo.com>
Message-ID: <665622394.7365199.1497276429078@mail.yahoo.com>

Hi,
I am trying to use keycloak to secure six web apps deployed in Tomcat 7. ?Is there a Java version requirement for the keycloak client adaptor? ?We are running Tomcat 7 with Java 7. ?The keycloak version is 2.1.0. ?The strange thing is that not every web app under the tomcat 7 has this error. ?They are all compiled similarly and running in the same Tomcat with JRE 7. ? Any ideas?
Jun 08, 2017 1:03:17 AM org.apache.catalina.startup.HostConfig deployDirectory?560 SEVERE: Error deploying web application directory /var/lib/tomcat/webapps/nara?561 java.lang.UnsupportedClassVersionError: org/keycloak/authorization/client/Configuration : Unsupported major.minor version 52.0?562 ? ? at java.lang.ClassLoader.defineClass1(Native Method)?563 ? ? at java.lang.ClassLoader.defineClass(Unknown Source)?564 ? ? at java.security.SecureClassLoader.defineClass(Unknown Source)?565 ? ? at java.net.URLClassLoader.defineClass(Unknown Source)?566 ? ? at java.net.URLClassLoader.access$100(Unknown Source)?567 ? ? at java.net.URLClassLoader$1.run(Unknown Source)?568 ? ? at java.net.URLClassLoader$1.run(Unknown Source)?569 ? ? at java.security.AccessController.doPrivileged(Native Method)?570 ? ? at java.net.URLClassLoader.findClass(Unknown Source)?571 ? ? at java.lang.ClassLoader.loadClass(Unknown Source)?572 ? ? at java.lang.ClassLoader.loadClass(Unknown Source)?573 ? ? at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:55)?574 ? ? at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java ? ? :118)?575 ? ? at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)?576 ? ? at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloa ? ? kAuthenticatorValve.java:133)?577 ? ? at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycl ? ? oakAuthenticatorValve.java:75)?578 ? ? at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)?579 ? ? at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)?580 ? ? at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394)?581 ? ? at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:165)?582 ? ? at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)?583 ? ? at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)?584 ? ? at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)?585 ? ? at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1260)?586 ? ? at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:2002)?587 ? ? at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)?588 ? ? at java.util.concurrent.FutureTask.run(Unknown Source)?589 ? ? at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)?590 ? ? at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)?591 ? ? at java.lang.Thread.run(Unknown Source)

From teoreste at gmail.com  Mon Jun 12 10:13:38 2017
From: teoreste at gmail.com (matteo restelli)
Date: Mon, 12 Jun 2017 16:13:38 +0200
Subject: [keycloak-user] Adding permissions programmatically
Message-ID: <CABZhS3wg7wp5KhGQuGJFbp3nPztCtnM3bB-DGUtQuvE+m40cPQ@mail.gmail.com>

Hi guys,
how can I add permissions programmatically for a specific resource?

Thank you in advance,
Matteo

From okianl at yahoo.com  Mon Jun 12 11:48:43 2017
From: okianl at yahoo.com (Lucian Ochian)
Date: Mon, 12 Jun 2017 15:48:43 +0000 (UTC)
Subject: [keycloak-user] Adding permissions programmatically
In-Reply-To: <CABZhS3wg7wp5KhGQuGJFbp3nPztCtnM3bB-DGUtQuvE+m40cPQ@mail.gmail.com>
References: <CABZhS3wg7wp5KhGQuGJFbp3nPztCtnM3bB-DGUtQuvE+m40cPQ@mail.gmail.com>
Message-ID: <1817037026.8013615.1497282523033@mail.yahoo.com>

You can use the REST Admin API or if you use Java, you can use the Admin Client library.You have to decide how you want to assign the permissions. 
In my case, I decided to have for each resource scopes and when I want to assign a user to a resource with a given scope, I check if the user has a user policy, if not create one and then create a scope permission for each user policy/resource combination where the scopes are set.
I have some code in here just to give you an idea... This is for keycloak 2.5.x
You can get to the permissions API by using the ClientResource....


public class KeycloakGateway {

    @Autowired
    private KeycloakIdentityUtils identityUtils;

    @Autowired
    private ScopedPermissionMapper scopedPermissionMapper;

    private KeycloakDeployment deployment;



    /**
     * the client scopes; the key is the scope name, the value is the representation
     */
    private Map<String, ScopeRepresentation> clientScopes = Collections.synchronizedMap(new HashMap<>());

    /**
     * this field needs to be lazy loaded so that we can do testing when the realm is added after the framework starts
     */
    private Keycloak _keycloak;

    

    /**
     * lazy loads the keycloak; double check idiom
     * http://www.javaworld.com/article/2077568/learn-java/java-tip-67--lazy-instantiation.html
     *
     * @return
     */
    private Keycloak keycloak() {
        if (this._keycloak == null) {
            synchronized (KeycloakGatewayImpl.class) {
                if (this._keycloak == null) {
                    this._keycloak = KeycloakBuilder.builder()
                            .serverUrl(getDeployment().getAuthServerBaseUrl())
                            .realm(getDeployment().getRealm())
                            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                            .clientId(getDeployment().getResourceName())
                            .clientSecret((String) deployment.getResourceCredentials().get("secret"))
                            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(20).build())
                            .build();
                }
            }
        }
        return _keycloak;
    }

    public void removeKeycloakForServiceAccount() {
        this._keycloak = null;
    }

    @Override
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public CreateUserResult createUser(String username, String firstName, String lastName, String email, boolean enabled) {

        Response response;
        Response.StatusType statusInfo;
        ErrorRepresentation message;
        UserRepresentation representation = new UserRepresentation();
        representation.setUsername(username);
        representation.setFirstName(firstName);
        representation.setLastName(lastName);
        representation.setEmail(email);
        representation.setEnabled(enabled);

        response = realm(getUserToken()).users().create(representation);
        statusInfo = response.getStatusInfo();

        message = null;
        if (statusInfo.getStatusCode() != Response.Status.CREATED.getStatusCode()) {
            message = response.readEntity(ErrorRepresentation.class);
        }
        response.close();

        if (statusInfo.getStatusCode() == Response.Status.CREATED.getStatusCode()) {
            String userUuid = ApiUtil.getCreatedId(response);


            return CreateUserResult.success(userUuid);
        }

        //noinspection ConstantConditions
        return CreateUserResult.failure(message.getErrorMessage());

    }

    private RealmResource realm() {
        return keycloak().realm(getDeployment().getRealm());
    }

    private RealmResource realm(String token) {
        KeycloakDeployment deployment = getDeployment();
        return Keycloak.getInstance(deployment.getAuthServerBaseUrl(), deployment.getRealm(), deployment.getResourceName(), token).realm(deployment.getRealm());
    }

    @Override
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public UpdateUserResult updateUser(String idmId, String username, String firstName, String lastName, String email, boolean enabled, Set<String> roles) {

        UserRepresentation representation = new UserRepresentation();
        representation.setUsername(username);
        representation.setFirstName(firstName);
        representation.setLastName(lastName);
        representation.setEmail(email);
        representation.setEnabled(enabled);

        try {
            realm(getUserToken()).users().get(idmId).update(representation);
        } catch (ClientErrorException e) {
//                String s = e.getResponse().readEntity(String.class);
//                return UpdateUserResult.failure(idmId, s);
            ErrorRepresentation error = e.getResponse().readEntity(ErrorRepresentation.class);
            return UpdateUserResult.failure(idmId, error.getErrorMessage());
        }

        updateRoles(idmId, roles, realm());
        return UpdateUserResult.success(idmId);
    }

    @Override
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public UpdateUserResult enable(String idmId, boolean enabled) {
        try {
            UserResource userResource = realm(getUserToken()).users().get(idmId);
            UserRepresentation userRepresentation = userResource.toRepresentation();
            userRepresentation.setEnabled(enabled);
            userResource.update(userRepresentation);
        } catch (ClientErrorException e) {
            ErrorRepresentation error = e.getResponse().readEntity(ErrorRepresentation.class);
            return UpdateUserResult.failure(idmId, error.getErrorMessage());
        }
        return UpdateUserResult.success(idmId);
    }

    @Override
    public void updateRoles(String idmId, Set<String> roles) {
        updateRoles(idmId, roles, getUserToken());
    }

    @Override
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public void updateScopePermission(ScopePermission permission) {
        ResourceRepresentation resource = findResource(permission.getResourceUri(), permission.getResourceType());
        setPermission(permission.getUserId(), resource.getId(), permission.getScopeNames());
    }

    @Override
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public void updatePermissions(List<ScopePermission> permissions) {
        permissions.forEach(this::updateScopePermission);
    }

    @Override
    public List<ScopePermission> userScopePermissions(String userId) {
        List<PolicyRepresentation> scopePermissions = findScopePermissions(userId);
        List<ScopePermission> result = scopePermissions.stream().map(policy -> {
            ScopePermission permission2 = new ScopePermission();
            permission2.setUserId(scopedPermissionMapper.userId(policy.getName()));
            String resourceId = scopedPermissionMapper.resourceId(policy.getName());
            ResourceRepresentation resource = findResource(resourceId);
            permission2.setResourceUri(resource.getUri());
            permission2.setResourceType(resource.getType());

            List<String> scopeNames = authorizationResource().policies().policy(policy.getId()).scopes()
                    .stream().map(ScopeRepresentation::getName).collect(Collectors.toList());

            permission2.setScopeNames(scopeNames);
            return permission2;
        }).collect(Collectors.toList());
        return result;
    }

    private String getUserToken() {
        RefreshableKeycloakSecurityContext context = identityUtils.getRefreshableKeycloakSecurityContext();
        return context.getTokenString();
    }

    
    private synchronized void setDeployment(KeycloakDeployment deployment) {
        this.deployment = deployment;
    }


    public KeycloakDeployment getDeployment() {
        //http://www.javaworld.com/article/2077568/learn-java/java-tip-67--lazy-instantiation.html
        if (deployment == null) {
            synchronized (KeycloakGatewayImpl.class) {
                if (deployment == null) {
                    setDeployment(identityUtils.getDeployment());
                }
            }
        }
        return deployment;
    }

    private String getRealmName() {
        return getDeployment().getRealm();
    }

    

    private List<ScopeRepresentation> getScopeRepresentations(List<String> scopeNames) {
        return scopeNames.stream()
                .map(scopeId -> scopesMap().get(scopeId)).collect(Collectors.toList());
    }

    @Override
    public ResourceRepresentation findResource(String id) {
        //noinspection UnnecessaryLocalVariable
        ResourceRepresentation representation = getClientResources().resource(id).toRepresentation();
        return representation;
    }

    @Override
    public ResourceRepresentation findResource(String uri, String type) {
        List<ResourceRepresentation> representations = getClientResources().find(null, uri, null, type, null, 0, 10);
        Preconditions.checkState(representations.size() < 2, String.format("More than 1 resource was found with type:%s and uri:%s ", type, uri));
        return representations.isEmpty() ? null : representations.get(0);
    }

    @Override
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public String createOrUpdateResource(CreateUpdateResourceRequest request) {
        ResourceRepresentation existing = findResource(request.getUri(), request.getType());
        Set<ScopeRepresentation> scopeRepresentations = new HashSet<>(getScopeRepresentations(request.getScopeNames()));

        ResourceRepresentation representation = new ResourceRepresentation(request.getName(), scopeRepresentations, request.getUri(), request.getType());
        if (existing == null) {
            Response response = getClientResources().create(representation);
            representation = response.readEntity(ResourceRepresentation.class);
            response.close();
        } else {
            representation.setId(existing.getId());
            getClientResources().resource(representation.getId()).update(representation);
        }
        return representation.getId();
    }

    private String getClientId() {
        //noinspection ConstantConditions
        return ApiUtil.findClientByClientId(realm(), getDeployment().getResourceName()).toRepresentation().getId();
    }

    private ResourcesResource getClientResources() {
        //noinspection ConstantConditions
        return ApiUtil.findClientByClientId(realm(), getDeployment().getResourceName())
                .authorization().resources();
    }

    private AuthorizationResource getClientResources(String clientName) {
        //noinspection ConstantConditions
        return ApiUtil.findClientByClientId(realm(), clientName)
                .authorization();
    }

    public AuthorizationResource authorizationResource() {
        //noinspection ConstantConditions
        return getClientResources(getDeployment().getResourceName());
    }

    public Map<String, ScopeRepresentation> scopesMap() {
        if (clientScopes.isEmpty()) {
            loadScopes();
        }
        return Collections.unmodifiableMap(clientScopes);
    }

    @Override
    public List<ScopeRepresentation> clientScopes() {
        if (clientScopes.isEmpty()) {
            loadScopes();
        }
        return new ArrayList<>(clientScopes.values());
    }

    @Override
    public void setPermission(String userId, String resourceId, List<String> scopeNames) {
        UserRepresentation user = findApplicationUser(userId);
        ResourceRepresentation resource = findResource(resourceId);

        PolicyRepresentation permission = findOrCreateUserPermission(user, resource, scopeNames);
        //create if new and it has scopes
        if (permission.getId() == null && !scopeNames.isEmpty()) {
            Response response = authorizationResource().policies().create(permission);
            permission = response.readEntity(PolicyRepresentation.class);
            response.close();
            return;
        }

        //do nothing if it's new and no scopes
        if (scopeNames.isEmpty() && permission.getId() == null) {
            return;
        }
        // remove if it exists and has no scopes
        if (scopeNames.isEmpty() && permission.getId() != null) {
            authorizationResource().policies().policy(permission.getId()).remove();
            return;
        }

        // update scopes if it exists
        if (!scopeNames.isEmpty() && permission.getId() != null) {
            permission.setConfig(buildPermissionConfig(resource, findOrCreateUserPolicy(user), scopeNames));
            authorizationResource().policies().policy(permission.getId()).update(permission);
            return;
        }

    }

    /**
     * @param user       the user
     * @param resource   the resource
     * @param scopeNames the scope names
     * @return a policy representation if it exists, or it will create a new one that is not in the IAM yet
     */
    public PolicyRepresentation findOrCreateUserPermission(UserRepresentation user, ResourceRepresentation resource, List<String> scopeNames) {
        PolicyRepresentation permission = findScopePermission(user, resource);

        if (permission == null) {
            PolicyRepresentation policy = findOrCreateUserPolicy(user);

            permission = new PolicyRepresentation();
            permission.setType("scope");
            permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
            permission.setLogic(Logic.POSITIVE);
            permission.setName(scopedPermissionMapper.scopePermissionName(user, resource));
            permission.setDescription(String.format("User(%s) permission for resource(%s)", user.getId(), resource.getId()));
            permission.setConfig(buildPermissionConfig(resource, policy, scopeNames));
        }
        return permission;
    }

    private Map<String, String> buildPermissionConfig(ResourceRepresentation resource, PolicyRepresentation userPolicy, List<String> scopeNames) {
        Map<String, String> config = new HashMap<>();
        config.put("applyPolicies", String.format("[\"%s\"]", userPolicy.getId()));
        config.put("resources", String.format("[\"%s\"]", resource.getId()));
        List<String> scopeIds = scopeNames.stream().map(s -> String.format("\"%s\"", scopesMap().get(s).getId())).collect(Collectors.toList());
        config.put("scopes", scopeIds.toString());
        return config;
    }

    public PolicyRepresentation findOrCreateUserPolicy(UserRepresentation user) {
        PolicyRepresentation policy = findUserPolicy(user.getId());
        if (policy == null) {
            policy = new PolicyRepresentation();
            policy.setName(user.getId());
            policy.setDescription(String.format("User policy for userId=%s", user.getId()));
            policy.setType("user");
            policy.setLogic(Logic.POSITIVE);
            Map<String, String> config = new HashMap<>();
            config.put("users", String.format("[%s]", user.getId()));
            policy.setConfig(config);
            Response response = authorizationResource().policies().create(policy);
            policy = response.readEntity(PolicyRepresentation.class);
            response.close();
        }
        return policy;
    }

    /**
     * @param name the name used in the search(the user id is used here)
     * @return a "user policy" that includes in the name the id of the user, or null otherwise
     */
    public PolicyRepresentation findUserPolicy(String name) {
        RestTemplate template = new RestTemplate();
        HttpHeaders headers = new HttpHeaders();
        headers.add("Content-Type", "application/json");
        headers.add("Authorization", String.format("Bearer %s", keycloak().tokenManager().getAccessTokenString()));

        final HttpEntity<PolicyRepresentation> entity = new HttpEntity<>(headers);
        String urlBase = getDeployment().getAuthServerBaseUrl() + "/admin/realms/" + getDeployment().getRealm() +
                "/clients/" + getClientId() +
                "/authz/resource-server/policy";

        String url = UriComponentsBuilder.fromUriString(urlBase)
                .queryParam("first", 0)
                .queryParam("max", 20)
                .queryParam("permission", "false")
                .queryParam("type", "user")
                .queryParam("name", name)
//                .queryParam("name", "default")
//                .queryParam("resource", "")
                .build().toUri().toString();

        ResponseEntity<PolicyRepresentation[]> response = template.exchange(url, HttpMethod.GET, entity, PolicyRepresentation[].class);
        PolicyRepresentation[] body = response.getBody();
        List<PolicyRepresentation> policies = Arrays.asList(body);
        Preconditions.checkState(policies.size() < 2, String.format("User %s has more than 1 user policies", name));
        return policies.size() == 0 ? null : policies.get(0);
    }

    /**
     * @param user     IAM user
     * @param resource IAM resource
     * @return a scope permission that has the name in the format of "userId-resourceId-scoped"(max 1), or null if none found
     */
    public PolicyRepresentation findScopePermission(UserRepresentation user, ResourceRepresentation resource) {
        RestTemplate template = new RestTemplate();
        HttpHeaders headers = new HttpHeaders();
        headers.add("Content-Type", "application/json");
        headers.add("Authorization", String.format("Bearer %s", keycloak().tokenManager().getAccessTokenString()));

        final HttpEntity<PolicyRepresentation> entity = new HttpEntity<>(headers);
        //I believed this URL changed in Keycloak 3
        String urlBase = getDeployment().getAuthServerBaseUrl() + "/admin/realms/" + getDeployment().getRealm() +
                "/clients/" + getClientId() +
                "/authz/resource-server/policy";

        String url = UriComponentsBuilder.fromUriString(urlBase)
                .queryParam("first", 0)
                .queryParam("max", 20)
                .queryParam("permission", "true")
                .queryParam("type", "scope")
                .queryParam("name", scopedPermissionMapper.scopePermissionName(user, resource))
                .build().toUri().toString();

        ResponseEntity<PolicyRepresentation[]> response = template.exchange(url, HttpMethod.GET, entity, PolicyRepresentation[].class);
        PolicyRepresentation[] body = response.getBody();
        List<PolicyRepresentation> policies = Arrays.asList(body);
        Preconditions.checkState(policies.size() < 2, String.format("User %s has more than 1 resource permissions", user.getId()));
        return policies.size() == 0 ? null : policies.get(0);
    }


    /**
     * @param userId IAM user
     * @return all scope permission that has the name in the format of "userId-resourceId-scoped"
     */
    public List<PolicyRepresentation> findScopePermissions(String userId) {
        RestTemplate template = new RestTemplate();
        HttpHeaders headers = new HttpHeaders();
        headers.add("Content-Type", "application/json");
        headers.add("Authorization", String.format("Bearer %s", keycloak().tokenManager().getAccessTokenString()));

        final HttpEntity<PolicyRepresentation> entity = new HttpEntity<>(headers);
        //I believed this URL changed in Keycloak 3
        String urlBase = getDeployment().getAuthServerBaseUrl() + "/admin/realms/" + getDeployment().getRealm() +
                "/clients/" + getClientId() +
                "/authz/resource-server/policy";

        String url = UriComponentsBuilder.fromUriString(urlBase)
                .queryParam("first", 0)
                .queryParam("max", 1001)
                .queryParam("permission", "true")
                .queryParam("type", "scope")
                .queryParam("name", userId)
                .build().toUri().toString();

        ResponseEntity<PolicyRepresentation[]> response = template.exchange(url, HttpMethod.GET, entity, PolicyRepresentation[].class);
        PolicyRepresentation[] body = response.getBody();
        //noinspection UnnecessaryLocalVariable
        List<PolicyRepresentation> policies = Arrays.asList(body);
        Preconditions.checkState(policies.size() <= 1000, "Too many scoped permissions for user:" + userId);
        return policies;
    }


    public void loadScopes() {
        ClientResource clientResource = ApiUtil.findClientByClientId(realm(), deployment.getResourceName());
        //noinspection ConstantConditions
        List<ScopeRepresentation> scopes = clientResource.authorization().scopes().scopes();
        Map<String, ScopeRepresentation> scopesAsMap = scopes.stream().collect(Collectors.toMap(ScopeRepresentation::getName, s -> s));
        clientScopes.clear();
        clientScopes.putAll(scopesAsMap);
    }

    /**
     * @return all the user's realm roles using the service account.
     */
    @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
    public List<RoleRepresentation> getUserRealmRoles(String userId) {
        List<RoleRepresentation> userAppRoles;
        userAppRoles = realm().users().get(userId).roles().realmLevel().listAll();
        return userAppRoles;
    }
}

On Monday, June 12, 2017, 10:16:13 AM CDT, matteo restelli <teoreste at gmail.com> wrote:

Hi guys,
how can I add permissions programmatically for a specific resource?

Thank you in advance,
Matteo
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com  Mon Jun 12 13:46:58 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 12 Jun 2017 14:46:58 -0300
Subject: [keycloak-user] Adding permissions programmatically
In-Reply-To: <1817037026.8013615.1497282523033@mail.yahoo.com>
References: <CABZhS3wg7wp5KhGQuGJFbp3nPztCtnM3bB-DGUtQuvE+m40cPQ@mail.gmail.com>
	<1817037026.8013615.1497282523033@mail.yahoo.com>
Message-ID: <CAJrcDBesxcC-t78F2oM+t2-=ss7c3jzKngTzq4Gn5KcScv5YoQ@mail.gmail.com>

In the next release, we should get a better REST API for this. We have
added specific types for each permission/policy type and also updated the
Keycloak Java Admin Client.

On Mon, Jun 12, 2017 at 12:48 PM, Lucian Ochian <okianl at yahoo.com> wrote:

> You can use the REST Admin API or if you use Java, you can use the Admin
> Client library.You have to decide how you want to assign the permissions.
> In my case, I decided to have for each resource scopes and when I want to
> assign a user to a resource with a given scope, I check if the user has a
> user policy, if not create one and then create a scope permission for each
> user policy/resource combination where the scopes are set.
> I have some code in here just to give you an idea... This is for keycloak
> 2.5.x
> You can get to the permissions API by using the ClientResource....
>
>
> public class KeycloakGateway {
>
>     @Autowired
>     private KeycloakIdentityUtils identityUtils;
>
>     @Autowired
>     private ScopedPermissionMapper scopedPermissionMapper;
>
>     private KeycloakDeployment deployment;
>
>
>
>     /**
>      * the client scopes; the key is the scope name, the value is the
> representation
>      */
>     private Map<String, ScopeRepresentation> clientScopes =
> Collections.synchronizedMap(new HashMap<>());
>
>     /**
>      * this field needs to be lazy loaded so that we can do testing when
> the realm is added after the framework starts
>      */
>     private Keycloak _keycloak;
>
>
>
>     /**
>      * lazy loads the keycloak; double check idiom
>      * http://www.javaworld.com/article/2077568/learn-java/
> java-tip-67--lazy-instantiation.html
>      *
>      * @return
>      */
>     private Keycloak keycloak() {
>         if (this._keycloak == null) {
>             synchronized (KeycloakGatewayImpl.class) {
>                 if (this._keycloak == null) {
>                     this._keycloak = KeycloakBuilder.builder()
>                             .serverUrl(getDeployment().
> getAuthServerBaseUrl())
>                             .realm(getDeployment().getRealm())
>                             .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
>                             .clientId(getDeployment().getResourceName())
>                             .clientSecret((String) deployment.
> getResourceCredentials().get("secret"))
>                             .resteasyClient(new ResteasyClientBuilder().
> connectionPoolSize(20).build())
>                             .build();
>                 }
>             }
>         }
>         return _keycloak;
>     }
>
>     public void removeKeycloakForServiceAccount() {
>         this._keycloak = null;
>     }
>
>     @Override
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public CreateUserResult createUser(String username, String firstName,
> String lastName, String email, boolean enabled) {
>
>         Response response;
>         Response.StatusType statusInfo;
>         ErrorRepresentation message;
>         UserRepresentation representation = new UserRepresentation();
>         representation.setUsername(username);
>         representation.setFirstName(firstName);
>         representation.setLastName(lastName);
>         representation.setEmail(email);
>         representation.setEnabled(enabled);
>
>         response = realm(getUserToken()).users().create(representation);
>         statusInfo = response.getStatusInfo();
>
>         message = null;
>         if (statusInfo.getStatusCode() != Response.Status.CREATED.getStatusCode())
> {
>             message = response.readEntity(ErrorRepresentation.class);
>         }
>         response.close();
>
>         if (statusInfo.getStatusCode() == Response.Status.CREATED.getStatusCode())
> {
>             String userUuid = ApiUtil.getCreatedId(response);
>
>
>             return CreateUserResult.success(userUuid);
>         }
>
>         //noinspection ConstantConditions
>         return CreateUserResult.failure(message.getErrorMessage());
>
>     }
>
>     private RealmResource realm() {
>         return keycloak().realm(getDeployment().getRealm());
>     }
>
>     private RealmResource realm(String token) {
>         KeycloakDeployment deployment = getDeployment();
>         return Keycloak.getInstance(deployment.getAuthServerBaseUrl(),
> deployment.getRealm(), deployment.getResourceName(),
> token).realm(deployment.getRealm());
>     }
>
>     @Override
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public UpdateUserResult updateUser(String idmId, String username,
> String firstName, String lastName, String email, boolean enabled,
> Set<String> roles) {
>
>         UserRepresentation representation = new UserRepresentation();
>         representation.setUsername(username);
>         representation.setFirstName(firstName);
>         representation.setLastName(lastName);
>         representation.setEmail(email);
>         representation.setEnabled(enabled);
>
>         try {
>             realm(getUserToken()).users().get(idmId).update(
> representation);
>         } catch (ClientErrorException e) {
> //                String s = e.getResponse().readEntity(String.class);
> //                return UpdateUserResult.failure(idmId, s);
>             ErrorRepresentation error = e.getResponse().readEntity(
> ErrorRepresentation.class);
>             return UpdateUserResult.failure(idmId,
> error.getErrorMessage());
>         }
>
>         updateRoles(idmId, roles, realm());
>         return UpdateUserResult.success(idmId);
>     }
>
>     @Override
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public UpdateUserResult enable(String idmId, boolean enabled) {
>         try {
>             UserResource userResource = realm(getUserToken()).users().
> get(idmId);
>             UserRepresentation userRepresentation =
> userResource.toRepresentation();
>             userRepresentation.setEnabled(enabled);
>             userResource.update(userRepresentation);
>         } catch (ClientErrorException e) {
>             ErrorRepresentation error = e.getResponse().readEntity(
> ErrorRepresentation.class);
>             return UpdateUserResult.failure(idmId,
> error.getErrorMessage());
>         }
>         return UpdateUserResult.success(idmId);
>     }
>
>     @Override
>     public void updateRoles(String idmId, Set<String> roles) {
>         updateRoles(idmId, roles, getUserToken());
>     }
>
>     @Override
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public void updateScopePermission(ScopePermission permission) {
>         ResourceRepresentation resource = findResource(permission.getResourceUri(),
> permission.getResourceType());
>         setPermission(permission.getUserId(), resource.getId(),
> permission.getScopeNames());
>     }
>
>     @Override
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public void updatePermissions(List<ScopePermission> permissions) {
>         permissions.forEach(this::updateScopePermission);
>     }
>
>     @Override
>     public List<ScopePermission> userScopePermissions(String userId) {
>         List<PolicyRepresentation> scopePermissions =
> findScopePermissions(userId);
>         List<ScopePermission> result = scopePermissions.stream().map(policy
> -> {
>             ScopePermission permission2 = new ScopePermission();
>             permission2.setUserId(scopedPermissionMapper.userId(
> policy.getName()));
>             String resourceId = scopedPermissionMapper.
> resourceId(policy.getName());
>             ResourceRepresentation resource = findResource(resourceId);
>             permission2.setResourceUri(resource.getUri());
>             permission2.setResourceType(resource.getType());
>
>             List<String> scopeNames = authorizationResource().
> policies().policy(policy.getId()).scopes()
>                     .stream().map(ScopeRepresentation::getName).
> collect(Collectors.toList());
>
>             permission2.setScopeNames(scopeNames);
>             return permission2;
>         }).collect(Collectors.toList());
>         return result;
>     }
>
>     private String getUserToken() {
>         RefreshableKeycloakSecurityContext context = identityUtils.
> getRefreshableKeycloakSecurityContext();
>         return context.getTokenString();
>     }
>
>
>     private synchronized void setDeployment(KeycloakDeployment
> deployment) {
>         this.deployment = deployment;
>     }
>
>
>     public KeycloakDeployment getDeployment() {
>         //http://www.javaworld.com/article/2077568/learn-java/
> java-tip-67--lazy-instantiation.html
>         if (deployment == null) {
>             synchronized (KeycloakGatewayImpl.class) {
>                 if (deployment == null) {
>                     setDeployment(identityUtils.getDeployment());
>                 }
>             }
>         }
>         return deployment;
>     }
>
>     private String getRealmName() {
>         return getDeployment().getRealm();
>     }
>
>
>
>     private List<ScopeRepresentation> getScopeRepresentations(List<String>
> scopeNames) {
>         return scopeNames.stream()
>                 .map(scopeId -> scopesMap().get(scopeId)).
> collect(Collectors.toList());
>     }
>
>     @Override
>     public ResourceRepresentation findResource(String id) {
>         //noinspection UnnecessaryLocalVariable
>         ResourceRepresentation representation =
> getClientResources().resource(id).toRepresentation();
>         return representation;
>     }
>
>     @Override
>     public ResourceRepresentation findResource(String uri, String type) {
>         List<ResourceRepresentation> representations =
> getClientResources().find(null, uri, null, type, null, 0, 10);
>         Preconditions.checkState(representations.size() < 2,
> String.format("More than 1 resource was found with type:%s and uri:%s ",
> type, uri));
>         return representations.isEmpty() ? null : representations.get(0);
>     }
>
>     @Override
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public String createOrUpdateResource(CreateUpdateResourceRequest
> request) {
>         ResourceRepresentation existing = findResource(request.getUri(),
> request.getType());
>         Set<ScopeRepresentation> scopeRepresentations = new HashSet<>(
> getScopeRepresentations(request.getScopeNames()));
>
>         ResourceRepresentation representation = new ResourceRepresentation(request.getName(),
> scopeRepresentations, request.getUri(), request.getType());
>         if (existing == null) {
>             Response response = getClientResources().create(
> representation);
>             representation = response.readEntity(
> ResourceRepresentation.class);
>             response.close();
>         } else {
>             representation.setId(existing.getId());
>             getClientResources().resource(representation.getId()).
> update(representation);
>         }
>         return representation.getId();
>     }
>
>     private String getClientId() {
>         //noinspection ConstantConditions
>         return ApiUtil.findClientByClientId(realm(), getDeployment().
> getResourceName()).toRepresentation().getId();
>     }
>
>     private ResourcesResource getClientResources() {
>         //noinspection ConstantConditions
>         return ApiUtil.findClientByClientId(realm(), getDeployment().
> getResourceName())
>                 .authorization().resources();
>     }
>
>     private AuthorizationResource getClientResources(String clientName) {
>         //noinspection ConstantConditions
>         return ApiUtil.findClientByClientId(realm(), clientName)
>                 .authorization();
>     }
>
>     public AuthorizationResource authorizationResource() {
>         //noinspection ConstantConditions
>         return getClientResources(getDeployment().getResourceName());
>     }
>
>     public Map<String, ScopeRepresentation> scopesMap() {
>         if (clientScopes.isEmpty()) {
>             loadScopes();
>         }
>         return Collections.unmodifiableMap(clientScopes);
>     }
>
>     @Override
>     public List<ScopeRepresentation> clientScopes() {
>         if (clientScopes.isEmpty()) {
>             loadScopes();
>         }
>         return new ArrayList<>(clientScopes.values());
>     }
>
>     @Override
>     public void setPermission(String userId, String resourceId,
> List<String> scopeNames) {
>         UserRepresentation user = findApplicationUser(userId);
>         ResourceRepresentation resource = findResource(resourceId);
>
>         PolicyRepresentation permission = findOrCreateUserPermission(user,
> resource, scopeNames);
>         //create if new and it has scopes
>         if (permission.getId() == null && !scopeNames.isEmpty()) {
>             Response response = authorizationResource().
> policies().create(permission);
>             permission = response.readEntity(PolicyRepresentation.class);
>             response.close();
>             return;
>         }
>
>         //do nothing if it's new and no scopes
>         if (scopeNames.isEmpty() && permission.getId() == null) {
>             return;
>         }
>         // remove if it exists and has no scopes
>         if (scopeNames.isEmpty() && permission.getId() != null) {
>             authorizationResource().policies().policy(permission.
> getId()).remove();
>             return;
>         }
>
>         // update scopes if it exists
>         if (!scopeNames.isEmpty() && permission.getId() != null) {
>             permission.setConfig(buildPermissionConfig(resource,
> findOrCreateUserPolicy(user), scopeNames));
>             authorizationResource().policies().policy(permission.
> getId()).update(permission);
>             return;
>         }
>
>     }
>
>     /**
>      * @param user       the user
>      * @param resource   the resource
>      * @param scopeNames the scope names
>      * @return a policy representation if it exists, or it will create a
> new one that is not in the IAM yet
>      */
>     public PolicyRepresentation findOrCreateUserPermission(UserRepresentation
> user, ResourceRepresentation resource, List<String> scopeNames) {
>         PolicyRepresentation permission = findScopePermission(user,
> resource);
>
>         if (permission == null) {
>             PolicyRepresentation policy = findOrCreateUserPolicy(user);
>
>             permission = new PolicyRepresentation();
>             permission.setType("scope");
>             permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
>             permission.setLogic(Logic.POSITIVE);
>             permission.setName(scopedPermissionMapper.scopePermissionName(user,
> resource));
>             permission.setDescription(String.format("User(%s) permission
> for resource(%s)", user.getId(), resource.getId()));
>             permission.setConfig(buildPermissionConfig(resource, policy,
> scopeNames));
>         }
>         return permission;
>     }
>
>     private Map<String, String> buildPermissionConfig(ResourceRepresentation
> resource, PolicyRepresentation userPolicy, List<String> scopeNames) {
>         Map<String, String> config = new HashMap<>();
>         config.put("applyPolicies", String.format("[\"%s\"]",
> userPolicy.getId()));
>         config.put("resources", String.format("[\"%s\"]",
> resource.getId()));
>         List<String> scopeIds = scopeNames.stream().map(s ->
> String.format("\"%s\"", scopesMap().get(s).getId())).
> collect(Collectors.toList());
>         config.put("scopes", scopeIds.toString());
>         return config;
>     }
>
>     public PolicyRepresentation findOrCreateUserPolicy(UserRepresentation
> user) {
>         PolicyRepresentation policy = findUserPolicy(user.getId());
>         if (policy == null) {
>             policy = new PolicyRepresentation();
>             policy.setName(user.getId());
>             policy.setDescription(String.format("User policy for
> userId=%s", user.getId()));
>             policy.setType("user");
>             policy.setLogic(Logic.POSITIVE);
>             Map<String, String> config = new HashMap<>();
>             config.put("users", String.format("[%s]", user.getId()));
>             policy.setConfig(config);
>             Response response = authorizationResource().
> policies().create(policy);
>             policy = response.readEntity(PolicyRepresentation.class);
>             response.close();
>         }
>         return policy;
>     }
>
>     /**
>      * @param name the name used in the search(the user id is used here)
>      * @return a "user policy" that includes in the name the id of the
> user, or null otherwise
>      */
>     public PolicyRepresentation findUserPolicy(String name) {
>         RestTemplate template = new RestTemplate();
>         HttpHeaders headers = new HttpHeaders();
>         headers.add("Content-Type", "application/json");
>         headers.add("Authorization", String.format("Bearer %s",
> keycloak().tokenManager().getAccessTokenString()));
>
>         final HttpEntity<PolicyRepresentation> entity = new
> HttpEntity<>(headers);
>         String urlBase = getDeployment().getAuthServerBaseUrl() +
> "/admin/realms/" + getDeployment().getRealm() +
>                 "/clients/" + getClientId() +
>                 "/authz/resource-server/policy";
>
>         String url = UriComponentsBuilder.fromUriString(urlBase)
>                 .queryParam("first", 0)
>                 .queryParam("max", 20)
>                 .queryParam("permission", "false")
>                 .queryParam("type", "user")
>                 .queryParam("name", name)
> //                .queryParam("name", "default")
> //                .queryParam("resource", "")
>                 .build().toUri().toString();
>
>         ResponseEntity<PolicyRepresentation[]> response =
> template.exchange(url, HttpMethod.GET, entity,
> PolicyRepresentation[].class);
>         PolicyRepresentation[] body = response.getBody();
>         List<PolicyRepresentation> policies = Arrays.asList(body);
>         Preconditions.checkState(policies.size() < 2, String.format("User
> %s has more than 1 user policies", name));
>         return policies.size() == 0 ? null : policies.get(0);
>     }
>
>     /**
>      * @param user     IAM user
>      * @param resource IAM resource
>      * @return a scope permission that has the name in the format of
> "userId-resourceId-scoped"(max 1), or null if none found
>      */
>     public PolicyRepresentation findScopePermission(UserRepresentation
> user, ResourceRepresentation resource) {
>         RestTemplate template = new RestTemplate();
>         HttpHeaders headers = new HttpHeaders();
>         headers.add("Content-Type", "application/json");
>         headers.add("Authorization", String.format("Bearer %s",
> keycloak().tokenManager().getAccessTokenString()));
>
>         final HttpEntity<PolicyRepresentation> entity = new
> HttpEntity<>(headers);
>         //I believed this URL changed in Keycloak 3
>         String urlBase = getDeployment().getAuthServerBaseUrl() +
> "/admin/realms/" + getDeployment().getRealm() +
>                 "/clients/" + getClientId() +
>                 "/authz/resource-server/policy";
>
>         String url = UriComponentsBuilder.fromUriString(urlBase)
>                 .queryParam("first", 0)
>                 .queryParam("max", 20)
>                 .queryParam("permission", "true")
>                 .queryParam("type", "scope")
>                 .queryParam("name", scopedPermissionMapper.scopePermissionName(user,
> resource))
>                 .build().toUri().toString();
>
>         ResponseEntity<PolicyRepresentation[]> response =
> template.exchange(url, HttpMethod.GET, entity,
> PolicyRepresentation[].class);
>         PolicyRepresentation[] body = response.getBody();
>         List<PolicyRepresentation> policies = Arrays.asList(body);
>         Preconditions.checkState(policies.size() < 2, String.format("User
> %s has more than 1 resource permissions", user.getId()));
>         return policies.size() == 0 ? null : policies.get(0);
>     }
>
>
>     /**
>      * @param userId IAM user
>      * @return all scope permission that has the name in the format of
> "userId-resourceId-scoped"
>      */
>     public List<PolicyRepresentation> findScopePermissions(String userId) {
>         RestTemplate template = new RestTemplate();
>         HttpHeaders headers = new HttpHeaders();
>         headers.add("Content-Type", "application/json");
>         headers.add("Authorization", String.format("Bearer %s",
> keycloak().tokenManager().getAccessTokenString()));
>
>         final HttpEntity<PolicyRepresentation> entity = new
> HttpEntity<>(headers);
>         //I believed this URL changed in Keycloak 3
>         String urlBase = getDeployment().getAuthServerBaseUrl() +
> "/admin/realms/" + getDeployment().getRealm() +
>                 "/clients/" + getClientId() +
>                 "/authz/resource-server/policy";
>
>         String url = UriComponentsBuilder.fromUriString(urlBase)
>                 .queryParam("first", 0)
>                 .queryParam("max", 1001)
>                 .queryParam("permission", "true")
>                 .queryParam("type", "scope")
>                 .queryParam("name", userId)
>                 .build().toUri().toString();
>
>         ResponseEntity<PolicyRepresentation[]> response =
> template.exchange(url, HttpMethod.GET, entity,
> PolicyRepresentation[].class);
>         PolicyRepresentation[] body = response.getBody();
>         //noinspection UnnecessaryLocalVariable
>         List<PolicyRepresentation> policies = Arrays.asList(body);
>         Preconditions.checkState(policies.size() <= 1000, "Too many
> scoped permissions for user:" + userId);
>         return policies;
>     }
>
>
>     public void loadScopes() {
>         ClientResource clientResource = ApiUtil.findClientByClientId(realm(),
> deployment.getResourceName());
>         //noinspection ConstantConditions
>         List<ScopeRepresentation> scopes = clientResource.authorization()
> .scopes().scopes();
>         Map<String, ScopeRepresentation> scopesAsMap =
> scopes.stream().collect(Collectors.toMap(ScopeRepresentation::getName, s
> -> s));
>         clientScopes.clear();
>         clientScopes.putAll(scopesAsMap);
>     }
>
>     /**
>      * @return all the user's realm roles using the service account.
>      */
>     @Retryable(value = RuntimeException.class, backoff = @Backoff(delay =
> 1000, multiplier = 2))
>     public List<RoleRepresentation> getUserRealmRoles(String userId) {
>         List<RoleRepresentation> userAppRoles;
>         userAppRoles = realm().users().get(userId).
> roles().realmLevel().listAll();
>         return userAppRoles;
>     }
> }
>
> On Monday, June 12, 2017, 10:16:13 AM CDT, matteo restelli <
> teoreste at gmail.com> wrote:
>
> Hi guys,
> how can I add permissions programmatically for a specific resource?
>
> Thank you in advance,
> Matteo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From okianl at yahoo.com  Mon Jun 12 13:53:25 2017
From: okianl at yahoo.com (Lucian Ochian)
Date: Mon, 12 Jun 2017 17:53:25 +0000 (UTC)
Subject: [keycloak-user] Adding permissions programmatically
In-Reply-To: <CAJrcDBesxcC-t78F2oM+t2-=ss7c3jzKngTzq4Gn5KcScv5YoQ@mail.gmail.com>
References: <CABZhS3wg7wp5KhGQuGJFbp3nPztCtnM3bB-DGUtQuvE+m40cPQ@mail.gmail.com>
	<1817037026.8013615.1497282523033@mail.yahoo.com>
	<CAJrcDBesxcC-t78F2oM+t2-=ss7c3jzKngTzq4Gn5KcScv5YoQ@mail.gmail.com>
Message-ID: <1578159044.8098363.1497290005098@mail.yahoo.com>

Matteo,
This is the method where you can start to navigate some of this code:

public void setPermission(String userId, String resourceId, List<String> scopeNames)


On Monday, June 12, 2017, 12:47:01 PM CDT, Pedro Igor Silva <psilva at redhat.com> wrote:

In the next release, we should get a better REST API for this. We have added specific types for each permission/policy type and also updated the Keycloak Java Admin Client.?
On Mon, Jun 12, 2017 at 12:48 PM, Lucian Ochian <okianl at yahoo.com> wrote:

You can use the REST Admin API or if you use Java, you can use the Admin Client library.You have to decide how you want to assign the permissions.
In my case, I decided to have for each resource scopes and when I want to assign a user to a resource with a given scope, I check if the user has a user policy, if not create one and then create a scope permission for each user policy/resource combination where the scopes are set.
I have some code in here just to give you an idea... This is for keycloak 2.5.x
You can get to the permissions API by using the ClientResource....


public class KeycloakGateway {

? ? @Autowired
? ? private KeycloakIdentityUtils identityUtils;

? ? @Autowired
? ? private ScopedPermissionMapper scopedPermissionMapper;

? ? private KeycloakDeployment deployment;



? ? /**
? ? ?* the client scopes; the key is the scope name, the value is the representation
? ? ?*/
? ? private Map<String, ScopeRepresentation> clientScopes = Collections.synchronizedMap( new HashMap<>());

? ? /**
? ? ?* this field needs to be lazy loaded so that we can do testing when the realm is added after the framework starts
? ? ?*/
? ? private Keycloak _keycloak;



? ? /**
? ? ?* lazy loads the keycloak; double check idiom
? ? ?* http://www.javaworld.com/ article/2077568/learn-java/ java-tip-67--lazy- instantiation.html
? ? ?*
? ? ?* @return
? ? ?*/
? ? private Keycloak keycloak() {
? ? ? ? if (this._keycloak == null) {
? ? ? ? ? ? synchronized (KeycloakGatewayImpl.class) {
? ? ? ? ? ? ? ? if (this._keycloak == null) {
? ? ? ? ? ? ? ? ? ? this._keycloak = KeycloakBuilder.builder()
? ? ? ? ? ? ? ? ? ? ? ? ? ? .serverUrl(getDeployment(). getAuthServerBaseUrl())
? ? ? ? ? ? ? ? ? ? ? ? ? ? .realm(getDeployment(). getRealm())
? ? ? ? ? ? ? ? ? ? ? ? ? ? .grantType(OAuth2Constants. CLIENT_CREDENTIALS)
? ? ? ? ? ? ? ? ? ? ? ? ? ? .clientId(getDeployment(). getResourceName())
? ? ? ? ? ? ? ? ? ? ? ? ? ? .clientSecret((String) deployment. getResourceCredentials().get(" secret"))
? ? ? ? ? ? ? ? ? ? ? ? ? ? .resteasyClient(new ResteasyClientBuilder(). connectionPoolSize(20).build() )
? ? ? ? ? ? ? ? ? ? ? ? ? ? .build();
? ? ? ? ? ? ? ? }
? ? ? ? ? ? }
? ? ? ? }
? ? ? ? return _keycloak;
? ? }

? ? public void removeKeycloakForServiceAccoun t() {
? ? ? ? this._keycloak = null;
? ? }

? ? @Override
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public CreateUserResult createUser(String username, String firstName, String lastName, String email, boolean enabled) {

? ? ? ? Response response;
? ? ? ? Response.StatusType statusInfo;
? ? ? ? ErrorRepresentation message;
? ? ? ? UserRepresentation representation = new UserRepresentation();
? ? ? ? representation.setUsername( username);
? ? ? ? representation.setFirstName( firstName);
? ? ? ? representation.setLastName( lastName);
? ? ? ? representation.setEmail(email) ;
? ? ? ? representation.setEnabled( enabled);

? ? ? ? response = realm(getUserToken()).users(). create(representation);
? ? ? ? statusInfo = response.getStatusInfo();

? ? ? ? message = null;
? ? ? ? if (statusInfo.getStatusCode() != Response.Status.CREATED. getStatusCode()) {
? ? ? ? ? ? message = response.readEntity( ErrorRepresentation.class);
? ? ? ? }
? ? ? ? response.close();

? ? ? ? if (statusInfo.getStatusCode() == Response.Status.CREATED. getStatusCode()) {
? ? ? ? ? ? String userUuid = ApiUtil.getCreatedId(response) ;


? ? ? ? ? ? return CreateUserResult.success( userUuid);
? ? ? ? }

? ? ? ? //noinspection ConstantConditions
? ? ? ? return CreateUserResult.failure( message.getErrorMessage());

? ? }

? ? private RealmResource realm() {
? ? ? ? return keycloak().realm( getDeployment().getRealm());
? ? }

? ? private RealmResource realm(String token) {
? ? ? ? KeycloakDeployment deployment = getDeployment();
? ? ? ? return Keycloak.getInstance( deployment. getAuthServerBaseUrl(), deployment.getRealm(), deployment.getResourceName(), token).realm(deployment. getRealm());
? ? }

? ? @Override
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public UpdateUserResult updateUser(String idmId, String username, String firstName, String lastName, String email, boolean enabled, Set<String> roles) {

? ? ? ? UserRepresentation representation = new UserRepresentation();
? ? ? ? representation.setUsername( username);
? ? ? ? representation.setFirstName( firstName);
? ? ? ? representation.setLastName( lastName);
? ? ? ? representation.setEmail(email) ;
? ? ? ? representation.setEnabled( enabled);

? ? ? ? try {
? ? ? ? ? ? realm(getUserToken()).users(). get(idmId).update( representation);
? ? ? ? } catch (ClientErrorException e) {
//? ? ? ? ? ? ? ? String s = e.getResponse().readEntity( String.class);
//? ? ? ? ? ? ? ? return UpdateUserResult.failure( idmId, s);
? ? ? ? ? ? ErrorRepresentation error = e.getResponse().readEntity( ErrorRepresentation.class);
? ? ? ? ? ? return UpdateUserResult.failure( idmId, error.getErrorMessage());
? ? ? ? }

? ? ? ? updateRoles(idmId, roles, realm());
? ? ? ? return UpdateUserResult.success( idmId);
? ? }

? ? @Override
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public UpdateUserResult enable(String idmId, boolean enabled) {
? ? ? ? try {
? ? ? ? ? ? UserResource userResource = realm(getUserToken()).users(). get(idmId);
? ? ? ? ? ? UserRepresentation userRepresentation = userResource.toRepresentation( );
? ? ? ? ? ? userRepresentation.setEnabled( enabled);
? ? ? ? ? ? userResource.update( userRepresentation);
? ? ? ? } catch (ClientErrorException e) {
? ? ? ? ? ? ErrorRepresentation error = e.getResponse().readEntity( ErrorRepresentation.class);
? ? ? ? ? ? return UpdateUserResult.failure( idmId, error.getErrorMessage());
? ? ? ? }
? ? ? ? return UpdateUserResult.success( idmId);
? ? }

? ? @Override
? ? public void updateRoles(String idmId, Set<String> roles) {
? ? ? ? updateRoles(idmId, roles, getUserToken());
? ? }

? ? @Override
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public void updateScopePermission( ScopePermission permission) {
? ? ? ? ResourceRepresentation resource = findResource(permission. getResourceUri(), permission.getResourceType());
? ? ? ? setPermission(permission. getUserId(), resource.getId(), permission.getScopeNames());
? ? }

? ? @Override
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public void updatePermissions(List< ScopePermission> permissions) {
? ? ? ? permissions.forEach(this:: updateScopePermission);
? ? }

? ? @Override
? ? public List<ScopePermission> userScopePermissions(String userId) {
? ? ? ? List<PolicyRepresentation> scopePermissions = findScopePermissions(userId);
? ? ? ? List<ScopePermission> result = scopePermissions.stream().map( policy -> {
? ? ? ? ? ? ScopePermission permission2 = new ScopePermission();
? ? ? ? ? ? permission2.setUserId( scopedPermissionMapper.userId( policy.getName()));
? ? ? ? ? ? String resourceId = scopedPermissionMapper. resourceId(policy.getName());
? ? ? ? ? ? ResourceRepresentation resource = findResource(resourceId);
? ? ? ? ? ? permission2.setResourceUri( resource.getUri());
? ? ? ? ? ? permission2.setResourceType( resource.getType());

? ? ? ? ? ? List<String> scopeNames = authorizationResource(). policies().policy(policy. getId()).scopes()
? ? ? ? ? ? ? ? ? ? .stream().map( ScopeRepresentation::getName). collect(Collectors.toList());

? ? ? ? ? ? permission2.setScopeNames( scopeNames);
? ? ? ? ? ? return permission2;
? ? ? ? }).collect(Collectors.toList() );
? ? ? ? return result;
? ? }

? ? private String getUserToken() {
? ? ? ? RefreshableKeycloakSecurityCon text context = identityUtils. getRefreshableKeycloakSecurity Context();
? ? ? ? return context.getTokenString();
? ? }


? ? private synchronized void setDeployment( KeycloakDeployment deployment) {
? ? ? ? this.deployment = deployment;
? ? }


? ? public KeycloakDeployment getDeployment() {
? ? ? ? //http://www.javaworld.com/ article/2077568/learn-java/ java-tip-67--lazy- instantiation.html
? ? ? ? if (deployment == null) {
? ? ? ? ? ? synchronized (KeycloakGatewayImpl.class) {
? ? ? ? ? ? ? ? if (deployment == null) {
? ? ? ? ? ? ? ? ? ? setDeployment(identityUtils. getDeployment());
? ? ? ? ? ? ? ? }
? ? ? ? ? ? }
? ? ? ? }
? ? ? ? return deployment;
? ? }

? ? private String getRealmName() {
? ? ? ? return getDeployment().getRealm();
? ? }



? ? private List<ScopeRepresentation> getScopeRepresentations(List< String> scopeNames) {
? ? ? ? return scopeNames.stream()
? ? ? ? ? ? ? ? .map(scopeId -> scopesMap().get(scopeId)). collect(Collectors.toList());
? ? }

? ? @Override
? ? public ResourceRepresentation findResource(String id) {
? ? ? ? //noinspection UnnecessaryLocalVariable
? ? ? ? ResourceRepresentation representation = getClientResources().resource( id).toRepresentation();
? ? ? ? return representation;
? ? }

? ? @Override
? ? public ResourceRepresentation findResource(String uri, String type) {
? ? ? ? List<ResourceRepresentation> representations = getClientResources().find( null, uri, null, type, null, 0, 10);
? ? ? ? Preconditions.checkState( representations.size() < 2, String.format("More than 1 resource was found with type:%s and uri:%s ", type, uri));
? ? ? ? return representations.isEmpty() ? null : representations.get(0);
? ? }

? ? @Override
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public String createOrUpdateResource( CreateUpdateResourceRequest request) {
? ? ? ? ResourceRepresentation existing = findResource(request.getUri(), request.getType());
? ? ? ? Set<ScopeRepresentation> scopeRepresentations = new HashSet<>( getScopeRepresentations( request.getScopeNames()));

? ? ? ? ResourceRepresentation representation = new ResourceRepresentation( request.getName(), scopeRepresentations, request.getUri(), request.getType());
? ? ? ? if (existing == null) {
? ? ? ? ? ? Response response = getClientResources().create( representation);
? ? ? ? ? ? representation = response.readEntity( ResourceRepresentation.class);
? ? ? ? ? ? response.close();
? ? ? ? } else {
? ? ? ? ? ? representation.setId(existing. getId());
? ? ? ? ? ? getClientResources().resource( representation.getId()). update(representation);
? ? ? ? }
? ? ? ? return representation.getId();
? ? }

? ? private String getClientId() {
? ? ? ? //noinspection ConstantConditions
? ? ? ? return ApiUtil.findClientByClientId( realm(), getDeployment(). getResourceName()). toRepresentation().getId();
? ? }

? ? private ResourcesResource getClientResources() {
? ? ? ? //noinspection ConstantConditions
? ? ? ? return ApiUtil.findClientByClientId( realm(), getDeployment(). getResourceName())
? ? ? ? ? ? ? ? .authorization().resources();
? ? }

? ? private AuthorizationResource getClientResources(String clientName) {
? ? ? ? //noinspection ConstantConditions
? ? ? ? return ApiUtil.findClientByClientId( realm(), clientName)
? ? ? ? ? ? ? ? .authorization();
? ? }

? ? public AuthorizationResource authorizationResource() {
? ? ? ? //noinspection ConstantConditions
? ? ? ? return getClientResources( getDeployment(). getResourceName());
? ? }

? ? public Map<String, ScopeRepresentation> scopesMap() {
? ? ? ? if (clientScopes.isEmpty()) {
? ? ? ? ? ? loadScopes();
? ? ? ? }
? ? ? ? return Collections.unmodifiableMap( clientScopes);
? ? }

? ? @Override
? ? public List<ScopeRepresentation> clientScopes() {
? ? ? ? if (clientScopes.isEmpty()) {
? ? ? ? ? ? loadScopes();
? ? ? ? }
? ? ? ? return new ArrayList<>(clientScopes. values());
? ? }

? ? @Override
? ? public void setPermission(String userId, String resourceId, List<String> scopeNames) {
? ? ? ? UserRepresentation user = findApplicationUser(userId);
? ? ? ? ResourceRepresentation resource = findResource(resourceId);

? ? ? ? PolicyRepresentation permission = findOrCreateUserPermission( user, resource, scopeNames);
? ? ? ? //create if new and it has scopes
? ? ? ? if (permission.getId() == null && !scopeNames.isEmpty()) {
? ? ? ? ? ? Response response = authorizationResource(). policies().create(permission);
? ? ? ? ? ? permission = response.readEntity( PolicyRepresentation.class);
? ? ? ? ? ? response.close();
? ? ? ? ? ? return;
? ? ? ? }

? ? ? ? //do nothing if it's new and no scopes
? ? ? ? if (scopeNames.isEmpty() && permission.getId() == null) {
? ? ? ? ? ? return;
? ? ? ? }
? ? ? ? // remove if it exists and has no scopes
? ? ? ? if (scopeNames.isEmpty() && permission.getId() != null) {
? ? ? ? ? ? authorizationResource(). policies().policy(permission. getId()).remove();
? ? ? ? ? ? return;
? ? ? ? }

? ? ? ? // update scopes if it exists
? ? ? ? if (!scopeNames.isEmpty() && permission.getId() != null) {
? ? ? ? ? ? permission.setConfig( buildPermissionConfig( resource, findOrCreateUserPolicy(user), scopeNames));
? ? ? ? ? ? authorizationResource(). policies().policy(permission. getId()).update(permission);
? ? ? ? ? ? return;
? ? ? ? }

? ? }

? ? /**
? ? ?* @param user? ? ? ?the user
? ? ?* @param resource? ?the resource
? ? ?* @param scopeNames the scope names
? ? ?* @return a policy representation if it exists, or it will create a new one that is not in the IAM yet
? ? ?*/
? ? public PolicyRepresentation findOrCreateUserPermission( UserRepresentation user, ResourceRepresentation resource, List<String> scopeNames) {
? ? ? ? PolicyRepresentation permission = findScopePermission(user, resource);

? ? ? ? if (permission == null) {
? ? ? ? ? ? PolicyRepresentation policy = findOrCreateUserPolicy(user);

? ? ? ? ? ? permission = new PolicyRepresentation();
? ? ? ? ? ? permission.setType("scope");
? ? ? ? ? ? permission. setDecisionStrategy( DecisionStrategy.UNANIMOUS);
? ? ? ? ? ? permission.setLogic(Logic. POSITIVE);
? ? ? ? ? ? permission.setName( scopedPermissionMapper. scopePermissionName(user, resource));
? ? ? ? ? ? permission.setDescription( String.format("User(%s) permission for resource(%s)", user.getId(), resource.getId()));
? ? ? ? ? ? permission.setConfig( buildPermissionConfig( resource, policy, scopeNames));
? ? ? ? }
? ? ? ? return permission;
? ? }

? ? private Map<String, String> buildPermissionConfig( ResourceRepresentation resource, PolicyRepresentation userPolicy, List<String> scopeNames) {
? ? ? ? Map<String, String> config = new HashMap<>();
? ? ? ? config.put("applyPolicies", String.format("[\"%s\"]", userPolicy.getId()));
? ? ? ? config.put("resources", String.format("[\"%s\"]", resource.getId()));
? ? ? ? List<String> scopeIds = scopeNames.stream().map(s -> String.format("\"%s\"", scopesMap().get(s).getId())). collect(Collectors.toList());
? ? ? ? config.put("scopes", scopeIds.toString());
? ? ? ? return config;
? ? }

? ? public PolicyRepresentation findOrCreateUserPolicy( UserRepresentation user) {
? ? ? ? PolicyRepresentation policy = findUserPolicy(user.getId());
? ? ? ? if (policy == null) {
? ? ? ? ? ? policy = new PolicyRepresentation();
? ? ? ? ? ? policy.setName(user.getId());
? ? ? ? ? ? policy.setDescription(String. format("User policy for userId=%s", user.getId()));
? ? ? ? ? ? policy.setType("user");
? ? ? ? ? ? policy.setLogic(Logic. POSITIVE);
? ? ? ? ? ? Map<String, String> config = new HashMap<>();
? ? ? ? ? ? config.put("users", String.format("[%s]", user.getId()));
? ? ? ? ? ? policy.setConfig(config);
? ? ? ? ? ? Response response = authorizationResource(). policies().create(policy);
? ? ? ? ? ? policy = response.readEntity( PolicyRepresentation.class);
? ? ? ? ? ? response.close();
? ? ? ? }
? ? ? ? return policy;
? ? }

? ? /**
? ? ?* @param name the name used in the search(the user id is used here)
? ? ?* @return a "user policy" that includes in the name the id of the user, or null otherwise
? ? ?*/
? ? public PolicyRepresentation findUserPolicy(String name) {
? ? ? ? RestTemplate template = new RestTemplate();
? ? ? ? HttpHeaders headers = new HttpHeaders();
? ? ? ? headers.add("Content-Type", "application/json");
? ? ? ? headers.add("Authorization", String.format("Bearer %s", keycloak().tokenManager(). getAccessTokenString()));

? ? ? ? final HttpEntity< PolicyRepresentation> entity = new HttpEntity<>(headers);
? ? ? ? String urlBase = getDeployment(). getAuthServerBaseUrl() + "/admin/realms/" + getDeployment().getRealm() +
? ? ? ? ? ? ? ? "/clients/" + getClientId() +
? ? ? ? ? ? ? ? "/authz/resource-server/ policy";

? ? ? ? String url = UriComponentsBuilder. fromUriString(urlBase)
? ? ? ? ? ? ? ? .queryParam("first", 0)
? ? ? ? ? ? ? ? .queryParam("max", 20)
? ? ? ? ? ? ? ? .queryParam("permission", "false")
? ? ? ? ? ? ? ? .queryParam("type", "user")
? ? ? ? ? ? ? ? .queryParam("name", name)
//? ? ? ? ? ? ? ? .queryParam("name", "default")
//? ? ? ? ? ? ? ? .queryParam("resource", "")
? ? ? ? ? ? ? ? .build().toUri().toString();

? ? ? ? ResponseEntity< PolicyRepresentation[]> response = template.exchange(url, HttpMethod.GET, entity, PolicyRepresentation[].class);
? ? ? ? PolicyRepresentation[] body = response.getBody();
? ? ? ? List<PolicyRepresentation> policies = Arrays.asList(body);
? ? ? ? Preconditions.checkState( policies.size() < 2, String.format("User %s has more than 1 user policies", name));
? ? ? ? return policies.size() == 0 ? null : policies.get(0);
? ? }

? ? /**
? ? ?* @param user? ? ?IAM user
? ? ?* @param resource IAM resource
? ? ?* @return a scope permission that has the name in the format of "userId-resourceId-scoped"(max 1), or null if none found
? ? ?*/
? ? public PolicyRepresentation findScopePermission( UserRepresentation user, ResourceRepresentation resource) {
? ? ? ? RestTemplate template = new RestTemplate();
? ? ? ? HttpHeaders headers = new HttpHeaders();
? ? ? ? headers.add("Content-Type", "application/json");
? ? ? ? headers.add("Authorization", String.format("Bearer %s", keycloak().tokenManager(). getAccessTokenString()));

? ? ? ? final HttpEntity< PolicyRepresentation> entity = new HttpEntity<>(headers);
? ? ? ? //I believed this URL changed in Keycloak 3
? ? ? ? String urlBase = getDeployment(). getAuthServerBaseUrl() + "/admin/realms/" + getDeployment().getRealm() +
? ? ? ? ? ? ? ? "/clients/" + getClientId() +
? ? ? ? ? ? ? ? "/authz/resource-server/ policy";

? ? ? ? String url = UriComponentsBuilder. fromUriString(urlBase)
? ? ? ? ? ? ? ? .queryParam("first", 0)
? ? ? ? ? ? ? ? .queryParam("max", 20)
? ? ? ? ? ? ? ? .queryParam("permission", "true")
? ? ? ? ? ? ? ? .queryParam("type", "scope")
? ? ? ? ? ? ? ? .queryParam("name", scopedPermissionMapper. scopePermissionName(user, resource))
? ? ? ? ? ? ? ? .build().toUri().toString();

? ? ? ? ResponseEntity< PolicyRepresentation[]> response = template.exchange(url, HttpMethod.GET, entity, PolicyRepresentation[].class);
? ? ? ? PolicyRepresentation[] body = response.getBody();
? ? ? ? List<PolicyRepresentation> policies = Arrays.asList(body);
? ? ? ? Preconditions.checkState( policies.size() < 2, String.format("User %s has more than 1 resource permissions", user.getId()));
? ? ? ? return policies.size() == 0 ? null : policies.get(0);
? ? }


? ? /**
? ? ?* @param userId IAM user
? ? ?* @return all scope permission that has the name in the format of "userId-resourceId-scoped"
? ? ?*/
? ? public List<PolicyRepresentation> findScopePermissions(String userId) {
? ? ? ? RestTemplate template = new RestTemplate();
? ? ? ? HttpHeaders headers = new HttpHeaders();
? ? ? ? headers.add("Content-Type", "application/json");
? ? ? ? headers.add("Authorization", String.format("Bearer %s", keycloak().tokenManager(). getAccessTokenString()));

? ? ? ? final HttpEntity< PolicyRepresentation> entity = new HttpEntity<>(headers);
? ? ? ? //I believed this URL changed in Keycloak 3
? ? ? ? String urlBase = getDeployment(). getAuthServerBaseUrl() + "/admin/realms/" + getDeployment().getRealm() +
? ? ? ? ? ? ? ? "/clients/" + getClientId() +
? ? ? ? ? ? ? ? "/authz/resource-server/ policy";

? ? ? ? String url = UriComponentsBuilder. fromUriString(urlBase)
? ? ? ? ? ? ? ? .queryParam("first", 0)
? ? ? ? ? ? ? ? .queryParam("max", 1001)
? ? ? ? ? ? ? ? .queryParam("permission", "true")
? ? ? ? ? ? ? ? .queryParam("type", "scope")
? ? ? ? ? ? ? ? .queryParam("name", userId)
? ? ? ? ? ? ? ? .build().toUri().toString();

? ? ? ? ResponseEntity< PolicyRepresentation[]> response = template.exchange(url, HttpMethod.GET, entity, PolicyRepresentation[].class);
? ? ? ? PolicyRepresentation[] body = response.getBody();
? ? ? ? //noinspection UnnecessaryLocalVariable
? ? ? ? List<PolicyRepresentation> policies = Arrays.asList(body);
? ? ? ? Preconditions.checkState( policies.size() <= 1000, "Too many scoped permissions for user:" + userId);
? ? ? ? return policies;
? ? }


? ? public void loadScopes() {
? ? ? ? ClientResource clientResource = ApiUtil.findClientByClientId( realm(), deployment.getResourceName());
? ? ? ? //noinspection ConstantConditions
? ? ? ? List<ScopeRepresentation> scopes = clientResource.authorization() .scopes().scopes();
? ? ? ? Map<String, ScopeRepresentation> scopesAsMap = scopes.stream().collect( Collectors.toMap( ScopeRepresentation::getName, s -> s));
? ? ? ? clientScopes.clear();
? ? ? ? clientScopes.putAll( scopesAsMap);
? ? }

? ? /**
? ? ?* @return all the user's realm roles using the service account.
? ? ?*/
? ? @Retryable(value = RuntimeException.class, backoff = @Backoff(delay = 1000, multiplier = 2))
? ? public List<RoleRepresentation> getUserRealmRoles(String userId) {
? ? ? ? List<RoleRepresentation> userAppRoles;
? ? ? ? userAppRoles = realm().users().get(userId). roles().realmLevel().listAll() ;
? ? ? ? return userAppRoles;
? ? }
}

On Monday, June 12, 2017, 10:16:13 AM CDT, matteo restelli <teoreste at gmail.com> wrote:

Hi guys,
how can I add permissions programmatically for a specific resource?

Thank you in advance,
Matteo
______________________________ _________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/ mailman/listinfo/keycloak-user
______________________________ _________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/ mailman/listinfo/keycloak-user



From kedward777 at gmail.com  Mon Jun 12 15:46:46 2017
From: kedward777 at gmail.com (ken edward)
Date: Mon, 12 Jun 2017 15:46:46 -0400
Subject: [keycloak-user] Does keycloak tomcat adapter require IDP
	metadata.xml ??
Message-ID: <CAAqgmoPvmYoTXRGFEcWKEjzxO=m39Uie86WQQV13HZG8XP_txQ@mail.gmail.com>

Hello,

I have installed the keycloak tomcat adapter in my tomcat 8 instance.
I want to use ADFS as my IDP (no keycloak server)

QUESTION:
1.) I configured the keycloak-saml.xml to point to the ADFS IDP. But I
am surprised that there is no reference to the IDP metadata.xml file
that I received from my ADFS admin? Is it used at all? How?

Ken

From kedward777 at gmail.com  Mon Jun 12 15:52:49 2017
From: kedward777 at gmail.com (ken edward)
Date: Mon, 12 Jun 2017 15:52:49 -0400
Subject: [keycloak-user] For tomcat SAML adapter, is /saml required in URL?
Message-ID: <CAAqgmoPCpASpJ27473Z=u1rcTKdxYhB2hH=PP-gOmabBCHsFTQ@mail.gmail.com>

Hello,

I am implementing the tomcat SAML adapter with the IdP being ADFS.

QUESTION:
1.) I see the below reference in the doc that seems to say the /saml
needs to the appended to the URL of the SP? or is this only for
servlet adapter and NOT tomcat adapter that my have servlets?

"For each servlet-based adapter, the endpoint you register for the
assert consumer service URL and and single logout service must be the
base URL of your servlet application with /saml appended to it, that
is, https://example.com/contextPath/saml."

as in the below ???


    <SP entityID="http://localhost:8081/sales-post-sig/saml"
        sslPolicy="EXTERNAL"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        logoutPage="/saml/logout.jsp"
        forceAuthentication="false"
        isPassive="false"
        turnOffChangeSessionIdOnLogin="false">
        <Keys>
            <Key signing="true" >
                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
                    <PrivateKey
alias="http://localhost:8080/sales-post-sig/" password="test123"/>
                    <Certificate alias="http://localhost:8080/sales-post-sig/"/>
                </KeyStore>
            </Key>
        </Keys>

Ken

From rationull at gmail.com  Mon Jun 12 17:56:10 2017
From: rationull at gmail.com (Jonathan Little)
Date: Mon, 12 Jun 2017 14:56:10 -0700
Subject: [keycloak-user] Invalid token issuer when running as docker
	service
In-Reply-To: <49468ea5-122a-5720-af07-db88a63556d9@web.de>
References: <49468ea5-122a-5720-af07-db88a63556d9@web.de>
Message-ID: <CALLLnfX08xH5DzbJO_um5YeO3sMEuAARUrQnpzZtW+XyWoGyog@mail.gmail.com>

I filed https://issues.jboss.org/browse/KEYCLOAK-5014 last week after
asking a related question on the mailing list -- sounds like there's not a
good way to handle this at this point. I've settled on adding "myhost"
(from your example) to the hosts file on dev computer that need to run our
Docker setup. This is OK in my case because that only affects a few dev
computers.

I would like there to be a way to have the Keycloak middleware allow
multiple issuers based on configuration rather than just requiring a match
to the realm URL.

On Sat, Jun 10, 2017 at 6:30 AM, Tom Braun <braun.tom at web.de> wrote:

> Hello,
>
> got the follwing setup:
> - frontend (oauth, angular2)
> - rest-backend (bearerOnly, spring-boot with spring-security)
> - keycloak (standalone)
>
> If I run the three as "ordinary" processes, everything works fine.
> However, if I try to run them as services within a docker (swarm mode)
> the rest-backend keeps complaining about:
>
> org.keycloak.common.VerificationException: Invalid token issuer.
> Expected 'http://myhost:8180/auth/realms/myrealm', but was
> 'http://localhost:8180/auth/realms/myrealm'
>
>
> I inserted myhost into my /etc/hosts to point to the IP of docker0. So
> far it works, I can access the frontend on port 80 and keycloak on port
> 8180.
>
> Is there a way to make keycloak report as myhost in the issuer token and
> not as localhost?
>
> Tried running keycloak behind a reverse-proxy - no change.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bburke at redhat.com  Mon Jun 12 18:47:16 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 12 Jun 2017 18:47:16 -0400
Subject: [keycloak-user] For tomcat SAML adapter,
 is /saml required in URL?
In-Reply-To: <CAAqgmoPCpASpJ27473Z=u1rcTKdxYhB2hH=PP-gOmabBCHsFTQ@mail.gmail.com>
References: <CAAqgmoPCpASpJ27473Z=u1rcTKdxYhB2hH=PP-gOmabBCHsFTQ@mail.gmail.com>
Message-ID: <565ea10c-4111-ab27-edb5-f642ce0075d2@redhat.com>

I'm pretty sure every adapter requires this.  This is because of the 
SAML POST binding.  Adapter has to eat the input stream of the request 
just to determine if it is a SAML request.  There's no nice way of 
putting that data back so that an application can consume it instead.


On 6/12/17 3:52 PM, ken edward wrote:
> Hello,
>
> I am implementing the tomcat SAML adapter with the IdP being ADFS.
>
> QUESTION:
> 1.) I see the below reference in the doc that seems to say the /saml
> needs to the appended to the URL of the SP? or is this only for
> servlet adapter and NOT tomcat adapter that my have servlets?
>
> "For each servlet-based adapter, the endpoint you register for the
> assert consumer service URL and and single logout service must be the
> base URL of your servlet application with /saml appended to it, that
> is, https://example.com/contextPath/saml."
>
> as in the below ???
>
>
>      <SP entityID="http://localhost:8081/sales-post-sig/saml"
>          sslPolicy="EXTERNAL"
>          nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>          logoutPage="/saml/logout.jsp"
>          forceAuthentication="false"
>          isPassive="false"
>          turnOffChangeSessionIdOnLogin="false">
>          <Keys>
>              <Key signing="true" >
>                  <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
>                      <PrivateKey
> alias="http://localhost:8080/sales-post-sig/" password="test123"/>
>                      <Certificate alias="http://localhost:8080/sales-post-sig/"/>
>                  </KeyStore>
>              </Key>
>          </Keys>
>
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From john.d.ament at gmail.com  Mon Jun 12 18:50:59 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 12 Jun 2017 22:50:59 +0000
Subject: [keycloak-user] IDToken vs AccessToken
Message-ID: <CAOqetn9-155rYr690Dc1q==QCbNQOBqf8zGe6MUO0yivmc12pQ@mail.gmail.com>

Hi

I noticed that when using Bearer, an AccessToken gets set in the
KeycloakPrincipal's SecurityContext.  However, when I do an SP initiated
login the IDToken gets set.  I was wondering if these two could be
consistent, or if the inconsistency were at least explainable?

I'm also wondering, will the presence of a bearer header cause the keycloak
adapter cookie to get set?

John

From mposolda at redhat.com  Tue Jun 13 02:22:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Jun 2017 08:22:56 +0200
Subject: [keycloak-user] IDToken vs AccessToken
In-Reply-To: <CAOqetn9-155rYr690Dc1q==QCbNQOBqf8zGe6MUO0yivmc12pQ@mail.gmail.com>
References: <CAOqetn9-155rYr690Dc1q==QCbNQOBqf8zGe6MUO0yivmc12pQ@mail.gmail.com>
Message-ID: <25d59618-670a-b383-ef82-dbe039cefc39@redhat.com>

The secured applications can be divided into 2 main groups:
- Frontend applications: Those are servlet or javascript UI 
applications, which want to authenticate against Keycloak and they use 
full browser based OIDC flow for it. Once OIDC flow is finished, 
application will receive all 3 tokens:  access token, idToken and 
refresh token.
- Bearer-only (usually REST based) applications: Those are secured by 
the bearer token (access token) sent to them in the "Authorization: 
Bearer" header. Usually some frontend application authenticated 
previously with Keycloak send the access token to the REST based 
application to authenticate particular REST request. Note that bearer 
applications don't set any cookie, they don't have any session, they 
don't redirect to OIDC and they don't use any other tokens beside the 
access token sent to them in the header.

See our docs and demo example for more details. The applications like 
"customer-portal" and "product-portal" are frontend applications when 
the "database-service" is the REST based application.

Marek


On 13/06/17 00:50, John D. Ament wrote:
> Hi
>
> I noticed that when using Bearer, an AccessToken gets set in the
> KeycloakPrincipal's SecurityContext.  However, when I do an SP initiated
> login the IDToken gets set.  I was wondering if these two could be
> consistent, or if the inconsistency were at least explainable?
>
> I'm also wondering, will the presence of a bearer header cause the keycloak
> adapter cookie to get set?
>
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From hmlnarik at redhat.com  Tue Jun 13 04:08:00 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 13 Jun 2017 10:08:00 +0200
Subject: [keycloak-user] Does keycloak tomcat adapter require IDP
 metadata.xml ??
In-Reply-To: <CAAqgmoPvmYoTXRGFEcWKEjzxO=m39Uie86WQQV13HZG8XP_txQ@mail.gmail.com>
References: <CAAqgmoPvmYoTXRGFEcWKEjzxO=m39Uie86WQQV13HZG8XP_txQ@mail.gmail.com>
Message-ID: <CAMvXD=E_txsgZYc4tQDCabeKgaGbAmTkg1hsdL0ukzR=0UY-Ww@mail.gmail.com>

No, the keycloak adapters are not configured from SAML metadata but
from keycloak-saml.xml file. You will need to set it up according to
the metadata. If this functionality is important to you, please file
an Improvement in JIRA.

On Mon, Jun 12, 2017 at 9:46 PM, ken edward <kedward777 at gmail.com> wrote:
> Hello,
>
> I have installed the keycloak tomcat adapter in my tomcat 8 instance.
> I want to use ADFS as my IDP (no keycloak server)
>
> QUESTION:
> 1.) I configured the keycloak-saml.xml to point to the ADFS IDP. But I
> am surprised that there is no reference to the IDP metadata.xml file
> that I received from my ADFS admin? Is it used at all? How?
>
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek

From john.d.ament at gmail.com  Tue Jun 13 05:09:34 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Tue, 13 Jun 2017 09:09:34 +0000
Subject: [keycloak-user] IDToken vs AccessToken
In-Reply-To: <25d59618-670a-b383-ef82-dbe039cefc39@redhat.com>
References: <CAOqetn9-155rYr690Dc1q==QCbNQOBqf8zGe6MUO0yivmc12pQ@mail.gmail.com>
	<25d59618-670a-b383-ef82-dbe039cefc39@redhat.com>
Message-ID: <CAOqetn8FwCA_K2PDdbi1CqSTb9hdOKi2KTt-AuBpS7oubxgBEQ@mail.gmail.com>

Marek,

So If I had to digest what you're saying, it sounds like I want my backend
to rely on the AccessToken object more than the IDToken object.

Sound right?

John

On Tue, Jun 13, 2017 at 2:22 AM Marek Posolda <mposolda at redhat.com> wrote:

> The secured applications can be divided into 2 main groups:
> - Frontend applications: Those are servlet or javascript UI
> applications, which want to authenticate against Keycloak and they use
> full browser based OIDC flow for it. Once OIDC flow is finished,
> application will receive all 3 tokens:  access token, idToken and
> refresh token.
> - Bearer-only (usually REST based) applications: Those are secured by
> the bearer token (access token) sent to them in the "Authorization:
> Bearer" header. Usually some frontend application authenticated
> previously with Keycloak send the access token to the REST based
> application to authenticate particular REST request. Note that bearer
> applications don't set any cookie, they don't have any session, they
> don't redirect to OIDC and they don't use any other tokens beside the
> access token sent to them in the header.
>
> See our docs and demo example for more details. The applications like
> "customer-portal" and "product-portal" are frontend applications when
> the "database-service" is the REST based application.
>
> Marek
>
>
> On 13/06/17 00:50, John D. Ament wrote:
> > Hi
> >
> > I noticed that when using Bearer, an AccessToken gets set in the
> > KeycloakPrincipal's SecurityContext.  However, when I do an SP initiated
> > login the IDToken gets set.  I was wondering if these two could be
> > consistent, or if the inconsistency were at least explainable?
> >
> > I'm also wondering, will the presence of a bearer header cause the
> keycloak
> > adapter cookie to get set?
> >
> > John
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From psilva at redhat.com  Tue Jun 13 09:28:53 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 13 Jun 2017 10:28:53 -0300
Subject: [keycloak-user] IDToken vs AccessToken
In-Reply-To: <CAOqetn8FwCA_K2PDdbi1CqSTb9hdOKi2KTt-AuBpS7oubxgBEQ@mail.gmail.com>
References: <CAOqetn9-155rYr690Dc1q==QCbNQOBqf8zGe6MUO0yivmc12pQ@mail.gmail.com>
	<25d59618-670a-b383-ef82-dbe039cefc39@redhat.com>
	<CAOqetn8FwCA_K2PDdbi1CqSTb9hdOKi2KTt-AuBpS7oubxgBEQ@mail.gmail.com>
Message-ID: <CAJrcDBfyD1owpAfxS6AZyudCn1FdhJ1mz4rMzfoTfoXgs2LVZA@mail.gmail.com>

The ID Token is related with OpenID Connect. And this standard is basically
about enabling authentication on top of OAuth2. The ID Token represents an
identity and what parties need to know about it in order to establish a
security context. It tells you who you are but not what you can do.

In the other hand, ATs are more related with the permissions you were
granted in order to access resources protected by a resource server. Where
ATs are usually related with a client acting on behalf of an end user (or
resource owner). ATs hold the scopes granted by the server (usually as a
result of user consent) which can be used by resource servers to decide
whether or not a client is allowed to access some protected resource.

Like Marek said, ATs are the right choice for accessing resources in your
backend.

Regards.
Pedro Igor


On Tue, Jun 13, 2017 at 6:09 AM, John D. Ament <john.d.ament at gmail.com>
wrote:

> Marek,
>
> So If I had to digest what you're saying, it sounds like I want my backend
> to rely on the AccessToken object more than the IDToken object.
>
> Sound right?
>
> John
>
> On Tue, Jun 13, 2017 at 2:22 AM Marek Posolda <mposolda at redhat.com> wrote:
>
> > The secured applications can be divided into 2 main groups:
> > - Frontend applications: Those are servlet or javascript UI
> > applications, which want to authenticate against Keycloak and they use
> > full browser based OIDC flow for it. Once OIDC flow is finished,
> > application will receive all 3 tokens:  access token, idToken and
> > refresh token.
> > - Bearer-only (usually REST based) applications: Those are secured by
> > the bearer token (access token) sent to them in the "Authorization:
> > Bearer" header. Usually some frontend application authenticated
> > previously with Keycloak send the access token to the REST based
> > application to authenticate particular REST request. Note that bearer
> > applications don't set any cookie, they don't have any session, they
> > don't redirect to OIDC and they don't use any other tokens beside the
> > access token sent to them in the header.
> >
> > See our docs and demo example for more details. The applications like
> > "customer-portal" and "product-portal" are frontend applications when
> > the "database-service" is the REST based application.
> >
> > Marek
> >
> >
> > On 13/06/17 00:50, John D. Ament wrote:
> > > Hi
> > >
> > > I noticed that when using Bearer, an AccessToken gets set in the
> > > KeycloakPrincipal's SecurityContext.  However, when I do an SP
> initiated
> > > login the IDToken gets set.  I was wondering if these two could be
> > > consistent, or if the inconsistency were at least explainable?
> > >
> > > I'm also wondering, will the presence of a bearer header cause the
> > keycloak
> > > adapter cookie to get set?
> > >
> > > John
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kedward777 at gmail.com  Tue Jun 13 10:17:16 2017
From: kedward777 at gmail.com (ken edward)
Date: Tue, 13 Jun 2017 10:17:16 -0400
Subject: [keycloak-user] For tomcat SAML adapter,
	is /saml required in URL?
In-Reply-To: <565ea10c-4111-ab27-edb5-f642ce0075d2@redhat.com>
References: <CAAqgmoPCpASpJ27473Z=u1rcTKdxYhB2hH=PP-gOmabBCHsFTQ@mail.gmail.com>
	<565ea10c-4111-ab27-edb5-f642ce0075d2@redhat.com>
Message-ID: <CAAqgmoOtRdq8TB=nAqHEAhXeXhbU+R_Av--t3e=C6woRgRqKpQ@mail.gmail.com>

Thank you Bill,

Does the URL have end with /saml or just include "/saml within the URL
(https://example.com/myapp/saml/subdir or just /myapp/saml ??)

Ken

On Mon, Jun 12, 2017 at 6:47 PM, Bill Burke <bburke at redhat.com> wrote:
> I'm pretty sure every adapter requires this.  This is because of the
> SAML POST binding.  Adapter has to eat the input stream of the request
> just to determine if it is a SAML request.  There's no nice way of
> putting that data back so that an application can consume it instead.
>
>
> On 6/12/17 3:52 PM, ken edward wrote:
>> Hello,
>>
>> I am implementing the tomcat SAML adapter with the IdP being ADFS.
>>
>> QUESTION:
>> 1.) I see the below reference in the doc that seems to say the /saml
>> needs to the appended to the URL of the SP? or is this only for
>> servlet adapter and NOT tomcat adapter that my have servlets?
>>
>> "For each servlet-based adapter, the endpoint you register for the
>> assert consumer service URL and and single logout service must be the
>> base URL of your servlet application with /saml appended to it, that
>> is, https://example.com/contextPath/saml."
>>
>> as in the below ???
>>
>>
>>      <SP entityID="http://localhost:8081/sales-post-sig/saml"
>>          sslPolicy="EXTERNAL"
>>          nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>>          logoutPage="/saml/logout.jsp"
>>          forceAuthentication="false"
>>          isPassive="false"
>>          turnOffChangeSessionIdOnLogin="false">
>>          <Keys>
>>              <Key signing="true" >
>>                  <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
>>                      <PrivateKey
>> alias="http://localhost:8080/sales-post-sig/" password="test123"/>
>>                      <Certificate alias="http://localhost:8080/sales-post-sig/"/>
>>                  </KeyStore>
>>              </Key>
>>          </Keys>
>>
>> Ken
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From shimin_q at yahoo.com  Tue Jun 13 10:38:25 2017
From: shimin_q at yahoo.com (shimin q)
Date: Tue, 13 Jun 2017 14:38:25 +0000 (UTC)
Subject: [keycloak-user] Keycloak client adaptor - Java 8 requirement
In-Reply-To: <665622394.7365199.1497276429078@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
	<552966330.515120.1495814645292@mail.yahoo.com>
	<665622394.7365199.1497276429078@mail.yahoo.com>
Message-ID: <589278003.8455132.1497364705835@mail.yahoo.com>


Hi,
I am trying to use keycloak to secure six web apps deployed in Tomcat 7. ?Is there a Java version?requirement for the keycloak client adaptor? ?We are running Tomcat 7 with Java 7. ?The keycloak?version is 2.1.0. ?The strange thing is that not every web app under the tomcat 7 has this error?("org/keycloak/authorization/client/Configuration : Unsupported major.minor version 52.0"). ?They are all compiled similarly and running in the same Tomcat with JRE 7. ??Any ideas?

Jun 08, 2017 1:03:17 AM org.apache.catalina.startup.HostConfig deployDirectory?560 SEVERE: Error deploying web application directory /var/lib/tomcat/webapps/nara?561 java.lang.UnsupportedClassVersionError: org/keycloak/authorization/client/Configuration : Unsupported major.minor version 52.0?562 ? ? at java.lang.ClassLoader.defineClass1(Native Method)?563 ? ? at java.lang.ClassLoader.defineClass(Unknown Source)?564 ? ? at java.security.SecureClassLoader.defineClass(Unknown Source)?565 ? ? at java.net.URLClassLoader.defineClass(Unknown Source)?566 ? ? at java.net.URLClassLoader.access$100(Unknown Source)?567 ? ? at java.net.URLClassLoader$1.run(Unknown Source)?568 ? ? at java.net.URLClassLoader$1.run(Unknown Source)?569 ? ? at java.security.AccessController.doPrivileged(Native Method)?570 ? ? at java.net.URLClassLoader.findClass(Unknown Source)?571 ? ? at java.lang.ClassLoader.loadClass(Unknown Source)?572 ? ? at java.lang.ClassLoader.loadClass(Unknown Source)?573 ? ? at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:55)?574 ? ? at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java ? ? :118)?575 ? ? at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)?576 ? ? at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloa ? ? kAuthenticatorValve.java:133)?577 ? ? at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycl ? ? oakAuthenticatorValve.java:75)?578 ? ? at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)?579 ? ? at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)?580 ? ? at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394)?581 ? ? at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:165)?582 ? ? at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)?583 ? ? at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)?584 ? ? at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)?585 ? ? at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1260)?586 ? ? at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:2002)?587 ? ? at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)?588 ? ? at java.util.concurrent.FutureTask.run(Unknown Source)?589 ? ? at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)?590 ? ? at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)?591 ? ? at java.lang.Thread.run(Unknown Source)


   

From rafterjiang at hotmail.com  Tue Jun 13 13:41:35 2017
From: rafterjiang at hotmail.com (rafterjiang)
Date: Tue, 13 Jun 2017 10:41:35 -0700 (MST)
Subject: [keycloak-user] Group policy for authorization.
Message-ID: <1497375695457-3940.post@n6.nabble.com>

Hello,

Is there a *group policy *that we can use for authorization? This way we can
simply add new user to the group that we have created and the user can
automatically gain access to the resource. 

Right now we have to create policy for every single new user and assign to
the resource.

Thanks,
R



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Group-policy-for-authorization-tp3940.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From thiago.addevico at gmail.com  Tue Jun 13 17:47:26 2017
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Tue, 13 Jun 2017 18:47:26 -0300
Subject: [keycloak-user] X509 Identity Brokering
Message-ID: <CAHDpToWYGmhVBHkuBv+4uftVAtpzqqLmm553Gdrrzcqp-NOzGQ@mail.gmail.com>

Hi,

Does Keycloak support some sort of Identity Brokering through X509? I
managed to configure the X509 Client Certificate, but it only replaces the
password, and requires the user to be already registered. What I would like
to achieve is to automatically register the users who present a valid X509
Certificate. Is that possible?

Best regards,
Thiago Presa

From pnalyvayko at agi.com  Tue Jun 13 18:35:22 2017
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Tue, 13 Jun 2017 22:35:22 +0000
Subject: [keycloak-user] X509 Identity Brokering
In-Reply-To: <CAHDpToWYGmhVBHkuBv+4uftVAtpzqqLmm553Gdrrzcqp-NOzGQ@mail.gmail.com>
References: <CAHDpToWYGmhVBHkuBv+4uftVAtpzqqLmm553Gdrrzcqp-NOzGQ@mail.gmail.com>
Message-ID: <CY4PR07MB2936146967B5568F08E312CEDAC20@CY4PR07MB2936.namprd07.prod.outlook.com>

Hi Thiago,

AFAIK x509 user authentication requires an existing user. Can you go into specifics what your use case is? 
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Thiago Presa [thiago.addevico at gmail.com]
Sent: Tuesday, June 13, 2017 5:47 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] X509 Identity Brokering

Hi,

Does Keycloak support some sort of Identity Brokering through X509? I
managed to configure the X509 Client Certificate, but it only replaces the
password, and requires the user to be already registered. What I would like
to achieve is to automatically register the users who present a valid X509
Certificate. Is that possible?

Best regards,
Thiago Presa
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From kyle.swensson at tasktop.com  Tue Jun 13 19:56:30 2017
From: kyle.swensson at tasktop.com (Kyle Swensson)
Date: Tue, 13 Jun 2017 16:56:30 -0700
Subject: [keycloak-user] Conflicting logins with admin console
Message-ID: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>

Hello,


(I have asked this question before to no avail, but the wording was poor so
I want to rephrase it in hopes of getting more help)

I am having an issue with conflicting logins from a user application and
the keycloak admin console

The issue arises when I authenticate on my user application as a basic
user, using Tomcat. Then, I navigate to the Keycloak Admin Console login
page on a different window. Despite being logged in as a basic user on my
user application, I am still shown the empty login page for the keycloak
admin console. After navigating to the Keycloak admin console login page,
my session on my user application becomes broken, and I'm not sure why. At
this point if I refresh the page containing my application I will find a
403 error in my console, however I can still access everything in my user
application normally. Additionally, for some reason I can no longer log out
from my session like i normally would (by hitting the authorization
endpoint), when I try to log out nothing happens. The only way that I can
get it out of this permanently logged in state is by going to "account" and
manually ending all of the sessions for my user. It may be worth noting
that I can also still log in to the admin console with a different user,
and use the admin console as normal while this is happening. If I log onto
the admin console while this is happening and look at all of the active
sessions, I can see that there is indeed still an active session for the
basic user using the user application. I assume that is the root of the
problem, but I'm not sure what's causing this to happen.

Setting the "Revoke Refresh Token" option in the keycloak admin console to
ON does prevent this from happening, however it also makes the rest of my
application become very buggy and slow so leaving that on isn't really a
viable option.

I'm wondering if this might be an actual bug with Keycloak, or if this is
just being caused by some configuration error on my side. I am currently
using Keycloak 2.3 for my application, but I have tried temporarily
upgrading to Keycloak 3.1 and that didn't help the issue.

From Dana.Danet at Evisions.com  Tue Jun 13 20:19:41 2017
From: Dana.Danet at Evisions.com (Dana Danet)
Date: Wed, 14 Jun 2017 00:19:41 +0000
Subject: [keycloak-user] Cache-Control set to private
Message-ID: <4CCE6C26-045D-41AF-AB0A-7FE4F4D5645E@evisions.com>

Using a vanilla Spring Boot / Keycloak implementation.

springBootVersion = '1.5.2.RELEASE?

keycloakAdminClient         : "org.keycloak:keycloak-admin-client:3.0.0.Final?,

keycloakSpringBootAdapter   : "org.keycloak:keycloak-spring-boot-adapter:3.0.0.Final?,

keycloakTomcatAdapter       : "org.keycloak:keycloak-tomcat8-adapter:3.0.0.Final",

I?m having difficulty updating the Cache-Control from private to anything else.  It appears that this is a Tomcat setting that usually is set via Spring Security.  Unfortunately I cannot find anyway to affect this value unless I listen for the lifecycle event and then configure the KeycloakAuthenticatorValve.

What am I doing wrong here?




@Configuration
public class KeycloakAuthenticatorValveCustomizerConfig implements EmbeddedServletContainerCustomizer, LifecycleListener
{
    private TomcatEmbeddedServletContainerFactory container;

    @Override
    public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer)
    {
        container = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
        container.addContextLifecycleListeners(this);
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event)
    {
        if (event.getLifecycle().getState() == INITIALIZED) {
            configureKeycloakValve();
        }
    }

    private void configureKeycloakValve() {
        for (Valve valve : container.getContextValves()) {
            if (valve instanceof KeycloakAuthenticatorValve) {
                KeycloakAuthenticatorValve keycloakAuthenticatorValve = (KeycloakAuthenticatorValve) valve;
                keycloakAuthenticatorValve.setSecurePagesWithPragma(true);
            }
        }
    }
}

Within org.apache.catalina.authenticator.AuthenticatorBase securePagesWithPragma is now set to true.

if (constraints != null && disableProxyCaching &&
        !"POST".equalsIgnoreCase(request.getMethod())) {
    if (securePagesWithPragma) {
        // Note: These can cause problems with downloading files with IE
        response.setHeader("Pragma", "No-cache");
        response.setHeader("Cache-Control", "no-cache");
    } else {
        response.setHeader("Cache-Control", "private");
    }
    response.setHeader("Expires", DATE_ONE);
}

-dana





From celso.agra at gmail.com  Wed Jun 14 00:24:48 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 14 Jun 2017 01:24:48 -0300
Subject: [keycloak-user] How to create a Camel Route with Keycloak Admin
	Client in JBoss Fuse 6.3.0?
Message-ID: <CAOFYJDuBrCka0HQb6Pb144A-eV6jNP-=nt9nAE9eM2DXUjrLtA@mail.gmail.com>

Hi all,

I'm trying to use the keycloak admin client in JBoss Fuse 6.3.0. Everything
works fine when I run the java main class, but when I put this in the JBoss
Fuse (with Karaf) I got an error, because the keycloak are using the
resteasy, and the OSGI is totally different. So, does anyone knows how to
do the same keycloak admin client configuration using this environment?

Here is my log:

javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request

    at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:289)

    at
> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:454)

    at
> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)

    at
> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)

    at com.sun.proxy.$Proxy85.grantToken(Unknown Source)

    at
> org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)

    at
> org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)

    at
> org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)

    at
> org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)

    at
> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)

    at
> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)

    at
> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)

    at com.sun.proxy.$Proxy88.create(Unknown Source)

    at
> pe.gov.br.ati.service.KeycloakAdminManager.createUserKeycloak(KeycloakAdminManager.java:64)

    at
> pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:20)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at
> org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)

    at
> org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)

    at
> org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)

    at
> org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)

    at
> org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)

    at
> org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163)

    at
> org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)

    at
> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)

    at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)

    at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)

    at
> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)

    at
> org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)

    at
> org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)

    at
> org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)

    at
> org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163)

    at
> org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)

    at
> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)

    at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)

    at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)

    at
> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)

    at
> org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)

    at
> org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:91)

    at
> org.apache.camel.component.restlet.RestletConsumer$1.handle(RestletConsumer.java:68)

    at
> org.apache.camel.component.restlet.MethodBasedRouter.handle(MethodBasedRouter.java:54)

    at org.restlet.routing.Filter.doHandle(Filter.java:150)

    at org.restlet.routing.Filter.handle(Filter.java:197)

    at org.restlet.routing.Router.doHandle(Router.java:422)

    at org.restlet.routing.Router.handle(Router.java:639)

    at org.restlet.routing.Filter.doHandle(Filter.java:150)

    at org.restlet.routing.Filter.handle(Filter.java:197)

    at org.restlet.routing.Router.doHandle(Router.java:422)

    at org.restlet.routing.Router.handle(Router.java:639)

    at org.restlet.routing.Filter.doHandle(Filter.java:150)

    at
> org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)

    at org.restlet.routing.Filter.handle(Filter.java:197)

    at org.restlet.routing.Filter.doHandle(Filter.java:150)

    at org.restlet.routing.Filter.handle(Filter.java:197)

    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)

    at org.restlet.Component.handle(Component.java:408)

    at org.restlet.Server.handle(Server.java:507)

    at
> org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)

    at
> org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)

    at
> org.restlet.engine.connector.HttpServerHelper$1.handle(HttpServerHelper.java:64)

    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)

    at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)

    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)

    at
> sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)

    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)

    at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)

    at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

    at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

    at java.lang.Thread.run(Thread.java:748)

Caused by: javax.ws.rs.ProcessingException: RESTEASY003215: could not find
> writer for content-type application/x-www-form-urlencoded type:
> javax.ws.rs.core.Form$1

    at
> org.jboss.resteasy.core.interception.jaxrs.ClientWriterInterceptorContext.throwWriterNotFoundException(ClientWriterInterceptorContext.java:40)

    at
> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.getWriter(AbstractWriterInterceptorContext.java:146)

    at
> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:121)

    at
> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.writeRequestBody(ClientInvocation.java:388)

    at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:589)

    at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.buildEntity(ApacheHttpClient4Engine.java:557)

    at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.loadHttpMethod(ApacheHttpClient4Engine.java:456)

    at
> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)

    ... 70 more


Thanks for the attention.

-- 
---
*Celso Agra*

From jyoti.tech90 at gmail.com  Wed Jun 14 00:49:45 2017
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Wed, 14 Jun 2017 10:19:45 +0530
Subject: [keycloak-user] Not able to setup Keycloak to fully replicate
 user sessions in cluster
In-Reply-To: <CA+37Sd519s3hw8_DXYn_EODvRScY9-DErThcjUV1pFBZyT1AZQ@mail.gmail.com>
References: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>
	<CAJgngAdi5OwVVLiE5ATF9uLsacY1hscSK6LknLgRXjDtZTJ=7g@mail.gmail.com>
	<CA+37Sd519s3hw8_DXYn_EODvRScY9-DErThcjUV1pFBZyT1AZQ@mail.gmail.com>
Message-ID: <CA+37Sd4=1UmghPnP4BMTuQ4Cf=TauUaFMa2VaXGUuCNa=Ugocw@mail.gmail.com>

Hi Team,

Is there any recommendation for me to look upon?

On Jun 10, 2017 10:47 AM, "Jyoti Kumar Singh" <jyoti.tech90 at gmail.com>
wrote:

> Hi Stian,
>
> Thanks for the reply. I am using below configuration of the
> standalone-ha.xml from 3.1.0 version. I just added owners="2" in
> "infinispan/Keycloak" for cluster-wide replicas for each cache entry.
>
> #standalone-ha.xml:- attached
>
> Also I am using DC/OS as a container platform, which includes Marathon as
> a load balancer (LB) and two container runtimes (Docker and Mesos) for the
> deployment on cloud.
>
> I could see below logs are rolling in Node#2(nodeagent16) once
> Node#1(nodeagent15) goes down. But when I am bringing Node#1 again, request
> is being transferred from LB to Node#1 again and I am not seeing any logs
> related to Cache session are rolling in Node#1, hence user's session is not
> recognized by Node#1 and he is asked to login again.
>
> Currently I am not very sure whether multicasting is not working or
> discovery protocol is having some issue. Your inputs will help me to
> understand the issue in a better way.
>
> #Logs:-
>
> 2017-06-10 04:41:56,330 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
> Cache authorization lost at least half of the stable members, possible
> split brain causing data inconsistency. Current members are [nodeagent16],
> lost members are [nodeagent15], stable members are [nodeagent15,
> nodeagent16]
> 2017-06-10 04:41:56,332 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
> Cache sessions lost at least half of the stable members, possible split
> brain causing data inconsistency. Current members are [nodeagent16], lost
> members are [nodeagent15], stable members are [nodeagent15, nodeagent16]
> 2017-06-10 04:41:56,333 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
> Cache work lost at least half of the stable members, possible split brain
> causing data inconsistency. Current members are [nodeagent16], lost members
> are [nodeagent15], stable members are [nodeagent16, nodeagent15]
> 2017-06-10 04:41:56,334 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
> Cache offlineSessions lost at least half of the stable members, possible
> split brain causing data inconsistency. Current members are [nodeagent16],
> lost members are [nodeagent15], stable members are [nodeagent15,
> nodeagent16]
> 2017-06-10 04:41:56,336 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
> Cache loginFailures lost at least half of the stable members, possible
> split brain causing data inconsistency. Current members are [nodeagent16],
> lost members are [nodeagent15], stable members are [nodeagent15,
> nodeagent16]
> 2017-06-10 04:41:56,509 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
> Received new cluster view for channel web: [nodeagent16|10] (1)
> [nodeagent16]
> 2017-06-10 04:41:56,512 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
> Received new cluster view for channel ejb: [nodeagent16|10] (1)
> [nodeagent16]
> 2017-06-10 04:41:56,513 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
> Received new cluster view for channel hibernate: [nodeagent16|10] (1)
> [nodeagent16]
>
>
>
> On Fri, Jun 9, 2017 at 10:28 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Your configuration is not correct and seems to be from an older version
>> of Keycloak. Please take a look at default standalone-ha.xml from 3.1 for
>> the correct cache configs.
>>
>> You also need to get cluster communication working properly. Make sure
>> the nodes see each other. When you start new nodes something should happen
>> in the log in other nodes. In a cloud environment this can be tricky (you
>> haven't said which one) as multicasting usually doesn't work and you need
>> to use a different discovery protocol.
>>
>> On 7 June 2017 at 16:17, Jyoti Kumar Singh <jyoti.tech90 at gmail.com>
>> wrote:
>>
>>> Hi Team,
>>>
>>> We are setting up keycloak:3.1.0.Final in a cluster mode for HA with full
>>> user sessions replication in a cloud system, i.e. when one node goes down
>>> then user will keep logged in on other node.
>>>
>>> I have setup cluster by using standalone-ha.xml and having infinispan
>>> cache
>>> as mentioned below:-
>>>
>>> <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
>>>                 <transport lock-timeout="60000"/>
>>>                 <invalidation-cache name="realms" mode="SYNC"/>
>>>                 <invalidation-cache name="users" mode="SYNC"/>
>>>                 <distributed-cache name="sessions" mode="SYNC"
>>> owners="2"/>
>>>                 <distributed-cache name="loginFailures" mode="SYNC"
>>> owners="2"/>
>>> </cache-container>
>>>
>>> Every thing works fine except below use case:-
>>>
>>> 1. Node 1 and Node 2 both are up and user logged in - User session is
>>> getting generated by Node 1
>>> 2. Node 1 is now stopped and user session is getting replicated in Node
>>> 2 -
>>> User is still able to use the Keycloak console
>>> 3. Node 1 is up again and request is being transferred from LB to Node 1
>>> -
>>> User is asked to log in again because session cache is not replicated to
>>>     Node 1 immediately once it is up
>>>
>>> I saw one option to add *start="EAGER" *in cache-container to fix this
>>> but
>>> looks like with latest version of WildFly it is no longer supported. Do
>>> we
>>> have any other way to fix this issue ?
>>>
>>>
>>> --
>>>
>>> *With Regards, Jyoti Kumar Singh*
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>
> --
>
> *With Regards, Jyoti Kumar Singh*
>

From marc.tempelmeier at flane.de  Wed Jun 14 03:07:04 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 14 Jun 2017 07:07:04 +0000
Subject: [keycloak-user] Third slave disconnects random slave
Message-ID: <81645885055f4b1387ede68624a4d3d2@dehamex2013.europe.flane.local>

Hi,

I want to connect 3 slaves in Domain Mode, everything works fine for 2 slaves, but if I connect a third one random of the former two get disconnected after a cluster-wide rebalance:

slave1_1          | [Server:slave1]
slave3_1          | [Server:slave3] 06:58:42,688 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 54) HV000001: Hibernate Validator 5.2.3.Final
slave1_1          | 06:58:42,675 INFO  [org.jboss.as.process.Server:slave1.status] (reaper for Server:slave1) WFLYPC0011: Process 'Server:slave1' finished with an exit status of 137
slave1_1          | [Host Controller] 06:58:42,877 INFO  [org.jboss.as.host.controller] (ProcessControllerConnection-thread - 2) WFLYHC0027: Unregistering server slave1

I think there is some setting I missed?

Best regards and thanks

Marc

From Bettina.Huebner at kvbawue.de  Wed Jun 14 03:16:28 2017
From: Bettina.Huebner at kvbawue.de (=?Windows-1252?Q?H=FCbner=2C_Bettina?=)
Date: Wed, 14 Jun 2017 07:16:28 +0000
Subject: [keycloak-user] Group policy for authorization.
In-Reply-To: <1497375695457-3940.post@n6.nabble.com>
References: <1497375695457-3940.post@n6.nabble.com>
Message-ID: <CFD7003E67B95745B1B4349E3E6309802C27DE41@VMSST107.kvbw.local>

Hi R,

you can use a Group Mapper to add the group to the access token and then create a JavaScript Policy that checks the group membership.

E.g. when using 'group' as 'Token Claim Name' property of the group mapper

var identity = $evaluation.getContext().getIdentity();
var attributes = identity.getAttributes();
var n = attributes.getValue('group').size();
 
for (i = 0; i < n; i++) {
  var group = attributes.getValue('group').asString(i);
  if (group == "name of group needed to acces the resource") {
    $evaluation.grant();
  }
}


Regards
Bettina




-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von rafterjiang
Gesendet: Dienstag, 13. Juni 2017 19:42
An: keycloak-user at lists.jboss.org
Betreff: [keycloak-user] Group policy for authorization.

Hello,

Is there a *group policy *that we can use for authorization? This way we can
simply add new user to the group that we have created and the user can
automatically gain access to the resource. 

Right now we have to create policy for every single new user and assign to
the resource.

Thanks,
R



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Group-policy-for-authorization-tp3940.html
Sent from the keycloak-user mailing list archive at Nabble.com.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From marc.tempelmeier at flane.de  Wed Jun 14 04:47:59 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 14 Jun 2017 08:47:59 +0000
Subject: [keycloak-user] Can we forbib mail change?
Message-ID: <a836a77cbeb44e02a42d3101fd50fd60@dehamex2013.europe.flane.local>

Hi,

Subject says it all, but can we forbid that a user can change it?s mail?

Best regards

Marc

From Bettina.Huebner at kvbawue.de  Wed Jun 14 06:57:14 2017
From: Bettina.Huebner at kvbawue.de (=?Windows-1252?Q?H=FCbner=2C_Bettina?=)
Date: Wed, 14 Jun 2017 10:57:14 +0000
Subject: [keycloak-user] Group policy for authorization.
In-Reply-To: <CFD7003E67B95745B1B4349E3E6309802C27DE41@VMSST107.kvbw.local>
References: <1497375695457-3940.post@n6.nabble.com>
	<CFD7003E67B95745B1B4349E3E6309802C27DE41@VMSST107.kvbw.local>
Message-ID: <CFD7003E67B95745B1B4349E3E6309802C27DEEF@VMSST107.kvbw.local>

Addition:
A group policy will be added to keycloak: https://issues.jboss.org/browse/KEYCLOAK-3168




-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von H?bner, Bettina
Gesendet: Mittwoch, 14. Juni 2017 09:16
An: 'rafterjiang'
Cc: 'keycloak-user at lists.jboss.org'
Betreff: Re: [keycloak-user] Group policy for authorization.

Hi R,

you can use a Group Mapper to add the group to the access token and then create a JavaScript Policy that checks the group membership.

E.g. when using 'group' as 'Token Claim Name' property of the group mapper

var identity = $evaluation.getContext().getIdentity();
var attributes = identity.getAttributes();
var n = attributes.getValue('group').size();
 
for (i = 0; i < n; i++) {
  var group = attributes.getValue('group').asString(i);
  if (group == "name of group needed to acces the resource") {
    $evaluation.grant();
  }
}


Regards
Bettina




-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von rafterjiang
Gesendet: Dienstag, 13. Juni 2017 19:42
An: keycloak-user at lists.jboss.org
Betreff: [keycloak-user] Group policy for authorization.

Hello,

Is there a *group policy *that we can use for authorization? This way we can
simply add new user to the group that we have created and the user can
automatically gain access to the resource. 

Right now we have to create policy for every single new user and assign to
the resource.

Thanks,
R



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Group-policy-for-authorization-tp3940.html
Sent from the keycloak-user mailing list archive at Nabble.com.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From psilva at redhat.com  Wed Jun 14 06:58:50 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Jun 2017 07:58:50 -0300
Subject: [keycloak-user] Group policy for authorization.
In-Reply-To: <CFD7003E67B95745B1B4349E3E6309802C27DE41@VMSST107.kvbw.local>
References: <1497375695457-3940.post@n6.nabble.com>
	<CFD7003E67B95745B1B4349E3E6309802C27DE41@VMSST107.kvbw.local>
Message-ID: <CAJrcDBcX=ZSN=iqF1SLzUzgF++2aF8DCocziyCx_JeSXUofSsQ@mail.gmail.com>

Should be available soon https://github.com/keycloak/keycloak/pull/4224.

On Wed, Jun 14, 2017 at 4:16 AM, H?bner, Bettina <Bettina.Huebner at kvbawue.de
> wrote:

> Hi R,
>
> you can use a Group Mapper to add the group to the access token and then
> create a JavaScript Policy that checks the group membership.
>
> E.g. when using 'group' as 'Token Claim Name' property of the group mapper
>
> var identity = $evaluation.getContext().getIdentity();
> var attributes = identity.getAttributes();
> var n = attributes.getValue('group').size();
>
> for (i = 0; i < n; i++) {
>   var group = attributes.getValue('group').asString(i);
>   if (group == "name of group needed to acces the resource") {
>     $evaluation.grant();
>   }
> }
>
>
> Regards
> Bettina
>
>
>
>
> -----Urspr?ngliche Nachricht-----
> Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
> lists.jboss.org] Im Auftrag von rafterjiang
> Gesendet: Dienstag, 13. Juni 2017 19:42
> An: keycloak-user at lists.jboss.org
> Betreff: [keycloak-user] Group policy for authorization.
>
> Hello,
>
> Is there a *group policy *that we can use for authorization? This way we
> can
> simply add new user to the group that we have created and the user can
> automatically gain access to the resource.
>
> Right now we have to create policy for every single new user and assign to
> the resource.
>
> Thanks,
> R
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.
> nabble.com/Group-policy-for-authorization-tp3940.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com  Wed Jun 14 07:00:43 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Jun 2017 08:00:43 -0300
Subject: [keycloak-user] Group policy for authorization.
In-Reply-To: <CAJrcDBcX=ZSN=iqF1SLzUzgF++2aF8DCocziyCx_JeSXUofSsQ@mail.gmail.com>
References: <1497375695457-3940.post@n6.nabble.com>
	<CFD7003E67B95745B1B4349E3E6309802C27DE41@VMSST107.kvbw.local>
	<CAJrcDBcX=ZSN=iqF1SLzUzgF++2aF8DCocziyCx_JeSXUofSsQ@mail.gmail.com>
Message-ID: <CAJrcDBf9=kVQCB-0U2wg7dVOa=Swq9qu=6S-5V3KoVEg=t60Xg@mail.gmail.com>

Btw, could you guys give more info on how you are using groups to authorize
access to resources/scopes ?

The PR I previously supports:

* Defining a claim from where groups are obtained. We do support hierarchy
checks but the claim must hold the paths and not only their name. In case
the claim only maps to group names, we do an exact match
* Select a group using the group tree as it stands today in the group list
page
* Define if access to a selected/allowed group also extends to children

On Wed, Jun 14, 2017 at 7:58 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Should be available soon https://github.com/keycloak/keycloak/pull/4224.
>
> On Wed, Jun 14, 2017 at 4:16 AM, H?bner, Bettina <
> Bettina.Huebner at kvbawue.de> wrote:
>
>> Hi R,
>>
>> you can use a Group Mapper to add the group to the access token and then
>> create a JavaScript Policy that checks the group membership.
>>
>> E.g. when using 'group' as 'Token Claim Name' property of the group mapper
>>
>> var identity = $evaluation.getContext().getIdentity();
>> var attributes = identity.getAttributes();
>> var n = attributes.getValue('group').size();
>>
>> for (i = 0; i < n; i++) {
>>   var group = attributes.getValue('group').asString(i);
>>   if (group == "name of group needed to acces the resource") {
>>     $evaluation.grant();
>>   }
>> }
>>
>>
>> Regards
>> Bettina
>>
>>
>>
>>
>> -----Urspr?ngliche Nachricht-----
>> Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
>> lists.jboss.org] Im Auftrag von rafterjiang
>> Gesendet: Dienstag, 13. Juni 2017 19:42
>> An: keycloak-user at lists.jboss.org
>> Betreff: [keycloak-user] Group policy for authorization.
>>
>> Hello,
>>
>> Is there a *group policy *that we can use for authorization? This way we
>> can
>> simply add new user to the group that we have created and the user can
>> automatically gain access to the resource.
>>
>> Right now we have to create policy for every single new user and assign to
>> the resource.
>>
>> Thanks,
>> R
>>
>>
>>
>> --
>> View this message in context: http://keycloak-user.88327.x6.
>> nabble.com/Group-policy-for-authorization-tp3940.html
>> Sent from the keycloak-user mailing list archive at Nabble.com.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From vikrant02.work at gmail.com  Wed Jun 14 07:03:37 2017
From: vikrant02.work at gmail.com (Vikrant Singh)
Date: Wed, 14 Jun 2017 16:33:37 +0530
Subject: [keycloak-user] Keycloak support for Infinispan 9.x
Message-ID: <CACackcu_nNvM63LKSWXXrQ8pqDCucjEamwDKUWSgjsv6OD5eGw@mail.gmail.com>

Hi,

Is there any plan to upgrade keycloak's Infinispan to latest 9.x version,
if yes what is the timeline we are looking at? Current keycloak still uses
old 8.1.x version of Infinispan.

There are few new features of Infinispan which I would like to use, Is
there any risk if I change Infinispan version in current Keycloak to 9.x?

Thanks,
Vikrant

From bruno at abstractj.org  Wed Jun 14 08:13:50 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 14 Jun 2017 12:13:50 +0000
Subject: [keycloak-user] Keycloak support for Infinispan 9.x
In-Reply-To: <CACackcu_nNvM63LKSWXXrQ8pqDCucjEamwDKUWSgjsv6OD5eGw@mail.gmail.com>
References: <CACackcu_nNvM63LKSWXXrQ8pqDCucjEamwDKUWSgjsv6OD5eGw@mail.gmail.com>
Message-ID: <CAM5SUC6Z3O=u5Qvash0mFMKZJZ22Cvc3Oz391sqDtDzgQhW4VQ@mail.gmail.com>

I don't know about the risk of using new versions of Infinispan. But
Keycloak server uses the same version (
https://github.com/keycloak/keycloak/blob/master/pom.xml) present on
WildFly (https://github.com/wildfly/wildfly/blob/master/pom.xml#L152). I
can be wrong, but we just inherited from the underlying WildFly.

>From what I checked, we don't have a jira for this. So you can file a
feature request or a task, to upgrade.




On Wed, Jun 14, 2017 at 8:32 AM Vikrant Singh <vikrant02.work at gmail.com>
wrote:

> Hi,
>
> Is there any plan to upgrade keycloak's Infinispan to latest 9.x version,
> if yes what is the timeline we are looking at? Current keycloak still uses
> old 8.1.x version of Infinispan.
>
> There are few new features of Infinispan which I would like to use, Is
> there any risk if I change Infinispan version in current Keycloak to 9.x?
>
> Thanks,
> Vikrant
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From thiago.addevico at gmail.com  Wed Jun 14 13:23:56 2017
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Wed, 14 Jun 2017 14:23:56 -0300
Subject: [keycloak-user] X509 Identity Brokering
In-Reply-To: <CY4PR07MB2936146967B5568F08E312CEDAC20@CY4PR07MB2936.namprd07.prod.outlook.com>
References: <CAHDpToWYGmhVBHkuBv+4uftVAtpzqqLmm553Gdrrzcqp-NOzGQ@mail.gmail.com>
	<CY4PR07MB2936146967B5568F08E312CEDAC20@CY4PR07MB2936.namprd07.prod.outlook.com>
Message-ID: <CAHDpToWY1aBhAY8VMCwmVY9XA4QvjKJFMSHmQWUuQS9e_CvSng@mail.gmail.com>

Hi Peter,

As I could grasp, currently the user would have to manually register
himself into the realm, providing a password for the access. After that, he
or she can use the certificate instead of the password to log into the
realm.
However, we would like users to log in only through valid X509
certificates. It seems a bit artificial to ask for a password that
ultimately won't be used. Can we avoid asking the password somehow?

Best regards,
Thiago Presa

On Tue, Jun 13, 2017 at 7:35 PM, Nalyvayko, Peter <pnalyvayko at agi.com>
wrote:

> Hi Thiago,
>
> AFAIK x509 user authentication requires an existing user. Can you go into
> specifics what your use case is?
> --Peter
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.
> jboss.org] on behalf of Thiago Presa [thiago.addevico at gmail.com]
> Sent: Tuesday, June 13, 2017 5:47 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] X509 Identity Brokering
>
> Hi,
>
> Does Keycloak support some sort of Identity Brokering through X509? I
> managed to configure the X509 Client Certificate, but it only replaces the
> password, and requires the user to be already registered. What I would like
> to achieve is to automatically register the users who present a valid X509
> Certificate. Is that possible?
>
> Best regards,
> Thiago Presa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From pnalyvayko at agi.com  Wed Jun 14 21:02:41 2017
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 15 Jun 2017 01:02:41 +0000
Subject: [keycloak-user] X509 Identity Brokering
In-Reply-To: <CAHDpToWY1aBhAY8VMCwmVY9XA4QvjKJFMSHmQWUuQS9e_CvSng@mail.gmail.com>
References: <CAHDpToWYGmhVBHkuBv+4uftVAtpzqqLmm553Gdrrzcqp-NOzGQ@mail.gmail.com>
	<CY4PR07MB2936146967B5568F08E312CEDAC20@CY4PR07MB2936.namprd07.prod.outlook.com>,
	<CAHDpToWY1aBhAY8VMCwmVY9XA4QvjKJFMSHmQWUuQS9e_CvSng@mail.gmail.com>
Message-ID: <DM5PR07MB2937615C485A7B9458F2D01EDAC00@DM5PR07MB2937.namprd07.prod.outlook.com>

Hi Thiago,

Have you considered using the LDAP identity provider in conjunction with X509 user authentication? X509 contains an existing identity of a user so whoever's responsible for issuing the certificate can pre-register the user by creating an LDAP record prior to issuing the X509 cert to the user. 
My $0.02
Regards,
Peter

________________________________________
From: Thiago Presa [thiago.addevico at gmail.com]
Sent: Wednesday, June 14, 2017 1:23 PM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] X509 Identity Brokering

Hi Peter,

As I could grasp, currently the user would have to manually register himself into the realm, providing a password for the access. After that, he or she can use the certificate instead of the password to log into the realm.
However, we would like users to log in only through valid X509 certificates. It seems a bit artificial to ask for a password that ultimately won't be used. Can we avoid asking the password somehow?

Best regards,
Thiago Presa

On Tue, Jun 13, 2017 at 7:35 PM, Nalyvayko, Peter <pnalyvayko at agi.com<mailto:pnalyvayko at agi.com>> wrote:
Hi Thiago,

AFAIK x509 user authentication requires an existing user. Can you go into specifics what your use case is?
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>] on behalf of Thiago Presa [thiago.addevico at gmail.com<mailto:thiago.addevico at gmail.com>]
Sent: Tuesday, June 13, 2017 5:47 PM
To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: [keycloak-user] X509 Identity Brokering

Hi,

Does Keycloak support some sort of Identity Brokering through X509? I
managed to configure the X509 Client Certificate, but it only replaces the
password, and requires the user to be already registered. What I would like
to achieve is to automatically register the users who present a valid X509
Certificate. Is that possible?

Best regards,
Thiago Presa
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user



From marc.tempelmeier at flane.de  Thu Jun 15 02:56:59 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Thu, 15 Jun 2017 06:56:59 +0000
Subject: [keycloak-user] liquibase.exception.DatabaseException
Message-ID: <77bbd4acb1c3448fb0a8f8184d65331e@dehamex2013.europe.flane.local>

Hi,

Is this a bug?

[Server:slave1] 14:12:02,873 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
[Server:slave1]     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
[Server:slave1]     Caused by: liquibase.exception.UnexpectedLiquibaseException: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist
[Server:slave1]   Position: 22
[Server:slave1]     Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist
[Server:slave1]   Position: 22
[Server:slave1]     Caused by: org.postgresql.util.PSQLException: ERROR: relation \"public.databasechangeloglock\" does not exist
[Server:slave1]   Position: 22"}}

Database looks good though, after the error the slave crashed and unregistered.

BR

Marc

From mposolda at redhat.com  Thu Jun 15 03:10:43 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Jun 2017 09:10:43 +0200
Subject: [keycloak-user] Conflicting logins with admin console
In-Reply-To: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
References: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
Message-ID: <aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>

Hi,

I guess you're using same realm 'master' for both your application and 
admin console. Can you try to use different realm for your application 
and see if it helps? Also can you try to upgrade to latest Keycloak 
master and see if it helps?

Marek

On 14/06/17 01:56, Kyle Swensson wrote:
> Hello,
>
>
> (I have asked this question before to no avail, but the wording was poor so
> I want to rephrase it in hopes of getting more help)
>
> I am having an issue with conflicting logins from a user application and
> the keycloak admin console
>
> The issue arises when I authenticate on my user application as a basic
> user, using Tomcat. Then, I navigate to the Keycloak Admin Console login
> page on a different window. Despite being logged in as a basic user on my
> user application, I am still shown the empty login page for the keycloak
> admin console. After navigating to the Keycloak admin console login page,
> my session on my user application becomes broken, and I'm not sure why. At
> this point if I refresh the page containing my application I will find a
> 403 error in my console, however I can still access everything in my user
> application normally. Additionally, for some reason I can no longer log out
> from my session like i normally would (by hitting the authorization
> endpoint), when I try to log out nothing happens. The only way that I can
> get it out of this permanently logged in state is by going to "account" and
> manually ending all of the sessions for my user. It may be worth noting
> that I can also still log in to the admin console with a different user,
> and use the admin console as normal while this is happening. If I log onto
> the admin console while this is happening and look at all of the active
> sessions, I can see that there is indeed still an active session for the
> basic user using the user application. I assume that is the root of the
> problem, but I'm not sure what's causing this to happen.
>
> Setting the "Revoke Refresh Token" option in the keycloak admin console to
> ON does prevent this from happening, however it also makes the rest of my
> application become very buggy and slow so leaving that on isn't really a
> viable option.
>
> I'm wondering if this might be an actual bug with Keycloak, or if this is
> just being caused by some configuration error on my side. I am currently
> using Keycloak 2.3 for my application, but I have tried temporarily
> upgrading to Keycloak 3.1 and that didn't help the issue.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Thu Jun 15 03:15:12 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Jun 2017 09:15:12 +0200
Subject: [keycloak-user] Not able to setup Keycloak to fully replicate
 user sessions in cluster
In-Reply-To: <CA+37Sd4=1UmghPnP4BMTuQ4Cf=TauUaFMa2VaXGUuCNa=Ugocw@mail.gmail.com>
References: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>
	<CAJgngAdi5OwVVLiE5ATF9uLsacY1hscSK6LknLgRXjDtZTJ=7g@mail.gmail.com>
	<CA+37Sd519s3hw8_DXYn_EODvRScY9-DErThcjUV1pFBZyT1AZQ@mail.gmail.com>
	<CA+37Sd4=1UmghPnP4BMTuQ4Cf=TauUaFMa2VaXGUuCNa=Ugocw@mail.gmail.com>
Message-ID: <56bf6640-cae6-8648-eb0d-a848fa594ed9@redhat.com>

Yes, it looks like the issue in clustered communication in your 
environment. See infinispan/jgroups docs and google for "split brain" 
error message below you have. I guess it may help to reconfigure your 
cluster to use TCP based jgroups channel instead of multicast. But not 
sure at 100%...

Marek


On 14/06/17 06:49, Jyoti Kumar Singh wrote:
> Hi Team,
>
> Is there any recommendation for me to look upon?
>
> On Jun 10, 2017 10:47 AM, "Jyoti Kumar Singh" <jyoti.tech90 at gmail.com>
> wrote:
>
>> Hi Stian,
>>
>> Thanks for the reply. I am using below configuration of the
>> standalone-ha.xml from 3.1.0 version. I just added owners="2" in
>> "infinispan/Keycloak" for cluster-wide replicas for each cache entry.
>>
>> #standalone-ha.xml:- attached
>>
>> Also I am using DC/OS as a container platform, which includes Marathon as
>> a load balancer (LB) and two container runtimes (Docker and Mesos) for the
>> deployment on cloud.
>>
>> I could see below logs are rolling in Node#2(nodeagent16) once
>> Node#1(nodeagent15) goes down. But when I am bringing Node#1 again, request
>> is being transferred from LB to Node#1 again and I am not seeing any logs
>> related to Cache session are rolling in Node#1, hence user's session is not
>> recognized by Node#1 and he is asked to login again.
>>
>> Currently I am not very sure whether multicasting is not working or
>> discovery protocol is having some issue. Your inputs will help me to
>> understand the issue in a better way.
>>
>> #Logs:-
>>
>> 2017-06-10 04:41:56,330 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>> Cache authorization lost at least half of the stable members, possible
>> split brain causing data inconsistency. Current members are [nodeagent16],
>> lost members are [nodeagent15], stable members are [nodeagent15,
>> nodeagent16]
>> 2017-06-10 04:41:56,332 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>> Cache sessions lost at least half of the stable members, possible split
>> brain causing data inconsistency. Current members are [nodeagent16], lost
>> members are [nodeagent15], stable members are [nodeagent15, nodeagent16]
>> 2017-06-10 04:41:56,333 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>> Cache work lost at least half of the stable members, possible split brain
>> causing data inconsistency. Current members are [nodeagent16], lost members
>> are [nodeagent15], stable members are [nodeagent16, nodeagent15]
>> 2017-06-10 04:41:56,334 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>> Cache offlineSessions lost at least half of the stable members, possible
>> split brain causing data inconsistency. Current members are [nodeagent16],
>> lost members are [nodeagent15], stable members are [nodeagent15,
>> nodeagent16]
>> 2017-06-10 04:41:56,336 WARN  [org.infinispan.partitionhandling.impl.PreferAvailabilityStrategy]
>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>> Cache loginFailures lost at least half of the stable members, possible
>> split brain causing data inconsistency. Current members are [nodeagent16],
>> lost members are [nodeagent15], stable members are [nodeagent15,
>> nodeagent16]
>> 2017-06-10 04:41:56,509 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
>> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
>> Received new cluster view for channel web: [nodeagent16|10] (1)
>> [nodeagent16]
>> 2017-06-10 04:41:56,512 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
>> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
>> Received new cluster view for channel ejb: [nodeagent16|10] (1)
>> [nodeagent16]
>> 2017-06-10 04:41:56,513 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
>> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
>> Received new cluster view for channel hibernate: [nodeagent16|10] (1)
>> [nodeagent16]
>>
>>
>>
>> On Fri, Jun 9, 2017 at 10:28 AM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> Your configuration is not correct and seems to be from an older version
>>> of Keycloak. Please take a look at default standalone-ha.xml from 3.1 for
>>> the correct cache configs.
>>>
>>> You also need to get cluster communication working properly. Make sure
>>> the nodes see each other. When you start new nodes something should happen
>>> in the log in other nodes. In a cloud environment this can be tricky (you
>>> haven't said which one) as multicasting usually doesn't work and you need
>>> to use a different discovery protocol.
>>>
>>> On 7 June 2017 at 16:17, Jyoti Kumar Singh <jyoti.tech90 at gmail.com>
>>> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> We are setting up keycloak:3.1.0.Final in a cluster mode for HA with full
>>>> user sessions replication in a cloud system, i.e. when one node goes down
>>>> then user will keep logged in on other node.
>>>>
>>>> I have setup cluster by using standalone-ha.xml and having infinispan
>>>> cache
>>>> as mentioned below:-
>>>>
>>>> <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
>>>>                  <transport lock-timeout="60000"/>
>>>>                  <invalidation-cache name="realms" mode="SYNC"/>
>>>>                  <invalidation-cache name="users" mode="SYNC"/>
>>>>                  <distributed-cache name="sessions" mode="SYNC"
>>>> owners="2"/>
>>>>                  <distributed-cache name="loginFailures" mode="SYNC"
>>>> owners="2"/>
>>>> </cache-container>
>>>>
>>>> Every thing works fine except below use case:-
>>>>
>>>> 1. Node 1 and Node 2 both are up and user logged in - User session is
>>>> getting generated by Node 1
>>>> 2. Node 1 is now stopped and user session is getting replicated in Node
>>>> 2 -
>>>> User is still able to use the Keycloak console
>>>> 3. Node 1 is up again and request is being transferred from LB to Node 1
>>>> -
>>>> User is asked to log in again because session cache is not replicated to
>>>>      Node 1 immediately once it is up
>>>>
>>>> I saw one option to add *start="EAGER" *in cache-container to fix this
>>>> but
>>>> looks like with latest version of WildFly it is no longer supported. Do
>>>> we
>>>> have any other way to fix this issue ?
>>>>
>>>>
>>>> --
>>>>
>>>> *With Regards, Jyoti Kumar Singh*
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>> --
>>
>> *With Regards, Jyoti Kumar Singh*
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Thu Jun 15 03:27:40 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Jun 2017 09:27:40 +0200
Subject: [keycloak-user] X509 Identity Brokering
In-Reply-To: <DM5PR07MB2937615C485A7B9458F2D01EDAC00@DM5PR07MB2937.namprd07.prod.outlook.com>
References: <CAHDpToWYGmhVBHkuBv+4uftVAtpzqqLmm553Gdrrzcqp-NOzGQ@mail.gmail.com>
	<CY4PR07MB2936146967B5568F08E312CEDAC20@CY4PR07MB2936.namprd07.prod.outlook.com>
	<CAHDpToWY1aBhAY8VMCwmVY9XA4QvjKJFMSHmQWUuQS9e_CvSng@mail.gmail.com>
	<DM5PR07MB2937615C485A7B9458F2D01EDAC00@DM5PR07MB2937.namprd07.prod.outlook.com>
Message-ID: <e367f7b4-2e07-e0e8-bd54-4af0f2281832@redhat.com>

I think the use-case of auto-registration makes sense and it will be 
nice to add it as an optional feature to current X509 support. Could you 
please create JIRA for it if it doesn't yet exists?

The bit similar usecase is Kerberos/SPNEGO authentication. That one has 
support for auto-registration as it uses user storage provider 
(typically LDAP, but standalone Kerberos is also supported), which has 
support for auto-registration as long as registration is allowed for 
LDAP storage provider.

Marek


On 15/06/17 03:02, Nalyvayko, Peter wrote:
> Hi Thiago,
>
> Have you considered using the LDAP identity provider in conjunction with X509 user authentication? X509 contains an existing identity of a user so whoever's responsible for issuing the certificate can pre-register the user by creating an LDAP record prior to issuing the X509 cert to the user.
> My $0.02
> Regards,
> Peter
>
> ________________________________________
> From: Thiago Presa [thiago.addevico at gmail.com]
> Sent: Wednesday, June 14, 2017 1:23 PM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] X509 Identity Brokering
>
> Hi Peter,
>
> As I could grasp, currently the user would have to manually register himself into the realm, providing a password for the access. After that, he or she can use the certificate instead of the password to log into the realm.
> However, we would like users to log in only through valid X509 certificates. It seems a bit artificial to ask for a password that ultimately won't be used. Can we avoid asking the password somehow?
>
> Best regards,
> Thiago Presa
>
> On Tue, Jun 13, 2017 at 7:35 PM, Nalyvayko, Peter <pnalyvayko at agi.com<mailto:pnalyvayko at agi.com>> wrote:
> Hi Thiago,
>
> AFAIK x509 user authentication requires an existing user. Can you go into specifics what your use case is?
> --Peter
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>] on behalf of Thiago Presa [thiago.addevico at gmail.com<mailto:thiago.addevico at gmail.com>]
> Sent: Tuesday, June 13, 2017 5:47 PM
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] X509 Identity Brokering
>
> Hi,
>
> Does Keycloak support some sort of Identity Brokering through X509? I
> managed to configure the X509 Client Certificate, but it only replaces the
> password, and requires the user to be already registered. What I would like
> to achieve is to automatically register the users who present a valid X509
> Certificate. Is that possible?
>
> Best regards,
> Thiago Presa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From jyoti.tech90 at gmail.com  Thu Jun 15 03:44:57 2017
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Thu, 15 Jun 2017 13:14:57 +0530
Subject: [keycloak-user] Not able to setup Keycloak to fully replicate
 user sessions in cluster
In-Reply-To: <56bf6640-cae6-8648-eb0d-a848fa594ed9@redhat.com>
References: <CA+37Sd6VS8jQS1NrLBk=hmRePjrjVnKag94-7Brr1-JRvF6qpQ@mail.gmail.com>
	<CAJgngAdi5OwVVLiE5ATF9uLsacY1hscSK6LknLgRXjDtZTJ=7g@mail.gmail.com>
	<CA+37Sd519s3hw8_DXYn_EODvRScY9-DErThcjUV1pFBZyT1AZQ@mail.gmail.com>
	<CA+37Sd4=1UmghPnP4BMTuQ4Cf=TauUaFMa2VaXGUuCNa=Ugocw@mail.gmail.com>
	<56bf6640-cae6-8648-eb0d-a848fa594ed9@redhat.com>
Message-ID: <CA+37Sd7jtP5Hmg3QuvQOHoC=LjHdP_OyS4JhMN5w=MEqx8H50w@mail.gmail.com>

Hi Marek,

Thanks for the reply. I will try the options suggested by you and will
revert back in case of any doubts.


On Thu, Jun 15, 2017 at 12:45 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Yes, it looks like the issue in clustered communication in your
> environment. See infinispan/jgroups docs and google for "split brain" error
> message below you have. I guess it may help to reconfigure your cluster to
> use TCP based jgroups channel instead of multicast. But not sure at 100%...
>
> Marek
>
>
>
> On 14/06/17 06:49, Jyoti Kumar Singh wrote:
>
>> Hi Team,
>>
>> Is there any recommendation for me to look upon?
>>
>> On Jun 10, 2017 10:47 AM, "Jyoti Kumar Singh" <jyoti.tech90 at gmail.com>
>> wrote:
>>
>> Hi Stian,
>>>
>>> Thanks for the reply. I am using below configuration of the
>>> standalone-ha.xml from 3.1.0 version. I just added owners="2" in
>>> "infinispan/Keycloak" for cluster-wide replicas for each cache entry.
>>>
>>> #standalone-ha.xml:- attached
>>>
>>> Also I am using DC/OS as a container platform, which includes Marathon as
>>> a load balancer (LB) and two container runtimes (Docker and Mesos) for
>>> the
>>> deployment on cloud.
>>>
>>> I could see below logs are rolling in Node#2(nodeagent16) once
>>> Node#1(nodeagent15) goes down. But when I am bringing Node#1 again,
>>> request
>>> is being transferred from LB to Node#1 again and I am not seeing any logs
>>> related to Cache session are rolling in Node#1, hence user's session is
>>> not
>>> recognized by Node#1 and he is asked to login again.
>>>
>>> Currently I am not very sure whether multicasting is not working or
>>> discovery protocol is having some issue. Your inputs will help me to
>>> understand the issue in a better way.
>>>
>>> #Logs:-
>>>
>>> 2017-06-10 04:41:56,330 WARN  [org.infinispan.partitionhandl
>>> ing.impl.PreferAvailabilityStrategy]
>>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>>> Cache authorization lost at least half of the stable members, possible
>>> split brain causing data inconsistency. Current members are
>>> [nodeagent16],
>>> lost members are [nodeagent15], stable members are [nodeagent15,
>>> nodeagent16]
>>> 2017-06-10 04:41:56,332 WARN  [org.infinispan.partitionhandl
>>> ing.impl.PreferAvailabilityStrategy]
>>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>>> Cache sessions lost at least half of the stable members, possible split
>>> brain causing data inconsistency. Current members are [nodeagent16], lost
>>> members are [nodeagent15], stable members are [nodeagent15, nodeagent16]
>>> 2017-06-10 04:41:56,333 WARN  [org.infinispan.partitionhandl
>>> ing.impl.PreferAvailabilityStrategy]
>>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>>> Cache work lost at least half of the stable members, possible split brain
>>> causing data inconsistency. Current members are [nodeagent16], lost
>>> members
>>> are [nodeagent15], stable members are [nodeagent16, nodeagent15]
>>> 2017-06-10 04:41:56,334 WARN  [org.infinispan.partitionhandl
>>> ing.impl.PreferAvailabilityStrategy]
>>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>>> Cache offlineSessions lost at least half of the stable members, possible
>>> split brain causing data inconsistency. Current members are
>>> [nodeagent16],
>>> lost members are [nodeagent15], stable members are [nodeagent15,
>>> nodeagent16]
>>> 2017-06-10 04:41:56,336 WARN  [org.infinispan.partitionhandl
>>> ing.impl.PreferAvailabilityStrategy]
>>> (transport-thread--p16-t3) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000314:
>>> Cache loginFailures lost at least half of the stable members, possible
>>> split brain causing data inconsistency. Current members are
>>> [nodeagent16],
>>> lost members are [nodeagent15], stable members are [nodeagent15,
>>> nodeagent16]
>>> 2017-06-10 04:41:56,509 INFO  [org.infinispan.remoting.trans
>>> port.jgroups.JGroupsTransport]
>>> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
>>> Received new cluster view for channel web: [nodeagent16|10] (1)
>>> [nodeagent16]
>>> 2017-06-10 04:41:56,512 INFO  [org.infinispan.remoting.trans
>>> port.jgroups.JGroupsTransport]
>>> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
>>> Received new cluster view for channel ejb: [nodeagent16|10] (1)
>>> [nodeagent16]
>>> 2017-06-10 04:41:56,513 INFO  [org.infinispan.remoting.trans
>>> port.jgroups.JGroupsTransport]
>>> (Incoming-2,ee,nodeagent16) [nodeagent16] KEYCLOAK 3.1.0-0.1 ISPN000094:
>>> Received new cluster view for channel hibernate: [nodeagent16|10] (1)
>>> [nodeagent16]
>>>
>>>
>>>
>>> On Fri, Jun 9, 2017 at 10:28 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>> Your configuration is not correct and seems to be from an older version
>>>> of Keycloak. Please take a look at default standalone-ha.xml from 3.1
>>>> for
>>>> the correct cache configs.
>>>>
>>>> You also need to get cluster communication working properly. Make sure
>>>> the nodes see each other. When you start new nodes something should
>>>> happen
>>>> in the log in other nodes. In a cloud environment this can be tricky
>>>> (you
>>>> haven't said which one) as multicasting usually doesn't work and you
>>>> need
>>>> to use a different discovery protocol.
>>>>
>>>> On 7 June 2017 at 16:17, Jyoti Kumar Singh <jyoti.tech90 at gmail.com>
>>>> wrote:
>>>>
>>>> Hi Team,
>>>>>
>>>>> We are setting up keycloak:3.1.0.Final in a cluster mode for HA with
>>>>> full
>>>>> user sessions replication in a cloud system, i.e. when one node goes
>>>>> down
>>>>> then user will keep logged in on other node.
>>>>>
>>>>> I have setup cluster by using standalone-ha.xml and having infinispan
>>>>> cache
>>>>> as mentioned below:-
>>>>>
>>>>> <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
>>>>>                  <transport lock-timeout="60000"/>
>>>>>                  <invalidation-cache name="realms" mode="SYNC"/>
>>>>>                  <invalidation-cache name="users" mode="SYNC"/>
>>>>>                  <distributed-cache name="sessions" mode="SYNC"
>>>>> owners="2"/>
>>>>>                  <distributed-cache name="loginFailures" mode="SYNC"
>>>>> owners="2"/>
>>>>> </cache-container>
>>>>>
>>>>> Every thing works fine except below use case:-
>>>>>
>>>>> 1. Node 1 and Node 2 both are up and user logged in - User session is
>>>>> getting generated by Node 1
>>>>> 2. Node 1 is now stopped and user session is getting replicated in Node
>>>>> 2 -
>>>>> User is still able to use the Keycloak console
>>>>> 3. Node 1 is up again and request is being transferred from LB to Node
>>>>> 1
>>>>> -
>>>>> User is asked to log in again because session cache is not replicated
>>>>> to
>>>>>      Node 1 immediately once it is up
>>>>>
>>>>> I saw one option to add *start="EAGER" *in cache-container to fix this
>>>>> but
>>>>> looks like with latest version of WildFly it is no longer supported. Do
>>>>> we
>>>>> have any other way to fix this issue ?
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *With Regards, Jyoti Kumar Singh*
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>> --
>>>
>>> *With Regards, Jyoti Kumar Singh*
>>>
>>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>


-- 

*With Regards, Jyoti Kumar Singh*

From mposolda at redhat.com  Thu Jun 15 04:15:48 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Jun 2017 10:15:48 +0200
Subject: [keycloak-user] How to create a Camel Route with Keycloak Admin
 Client in JBoss Fuse 6.3.0?
In-Reply-To: <CAOFYJDuBrCka0HQb6Pb144A-eV6jNP-=nt9nAE9eM2DXUjrLtA@mail.gmail.com>
References: <CAOFYJDuBrCka0HQb6Pb144A-eV6jNP-=nt9nAE9eM2DXUjrLtA@mail.gmail.com>
Message-ID: <35907b43-bc75-6690-40ec-c1a3cfe62ffb@redhat.com>

Hi,

I think that you're right. ATM our adminClient likely won't work inside 
JBoss Fuse as adminClient is a bit tightly coupled to resteasy JAXRS 
implementation and JBoss Fuse uses Apache CXF.

At some point we had the PR and discussion for Apache CXF support of our 
admin client, but in the end, it wasn't done. Feel free to create JIRA 
for adminClient support in Fuse environment if it doesn't yet exists.

The easiest workaround for you might be to call the REST endpoint 
manually (either with CXF or with Apache HTTP Client) and not use 
Keycloak builtin adminClient.

Marek

On 14/06/17 06:24, Celso Agra wrote:
> Hi all,
>
> I'm trying to use the keycloak admin client in JBoss Fuse 6.3.0. Everything
> works fine when I run the java main class, but when I put this in the JBoss
> Fuse (with Karaf) I got an error, because the keycloak are using the
> resteasy, and the OSGI is totally different. So, does anyone knows how to
> do the same keycloak admin client configuration using this environment?
>
> Here is my log:
>
> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>
>      at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:289)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:454)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>      at com.sun.proxy.$Proxy85.grantToken(Unknown Source)
>
>      at
>> org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>      at
>> org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>      at
>> org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>      at
>> org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>      at com.sun.proxy.$Proxy88.create(Unknown Source)
>
>      at
>> pe.gov.br.ati.service.KeycloakAdminManager.createUserKeycloak(KeycloakAdminManager.java:64)
>      at
>> pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:20)
>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>      at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>      at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>      at java.lang.reflect.Method.invoke(Method.java:498)
>
>      at
>> org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
>      at
>> org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)
>      at
>> org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)
>      at
>> org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)
>      at
>> org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
>      at
>> org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163)
>      at
>> org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
>      at
>> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>
>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>
>      at
>> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>      at
>> org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
>      at
>> org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
>      at
>> org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
>      at
>> org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163)
>      at
>> org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
>      at
>> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>
>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>
>      at
>> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>      at
>> org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)
>      at
>> org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:91)
>      at
>> org.apache.camel.component.restlet.RestletConsumer$1.handle(RestletConsumer.java:68)
>      at
>> org.apache.camel.component.restlet.MethodBasedRouter.handle(MethodBasedRouter.java:54)
>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>
>      at org.restlet.routing.Filter.handle(Filter.java:197)
>
>      at org.restlet.routing.Router.doHandle(Router.java:422)
>
>      at org.restlet.routing.Router.handle(Router.java:639)
>
>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>
>      at org.restlet.routing.Filter.handle(Filter.java:197)
>
>      at org.restlet.routing.Router.doHandle(Router.java:422)
>
>      at org.restlet.routing.Router.handle(Router.java:639)
>
>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>
>      at
>> org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
>      at org.restlet.routing.Filter.handle(Filter.java:197)
>
>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>
>      at org.restlet.routing.Filter.handle(Filter.java:197)
>
>      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
>
>      at org.restlet.Component.handle(Component.java:408)
>
>      at org.restlet.Server.handle(Server.java:507)
>
>      at
>> org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
>      at
>> org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
>      at
>> org.restlet.engine.connector.HttpServerHelper$1.handle(HttpServerHelper.java:64)
>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
>
>      at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
>
>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
>
>      at
>> sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)
>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
>
>      at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
>
>      at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>      at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>      at java.lang.Thread.run(Thread.java:748)
>
> Caused by: javax.ws.rs.ProcessingException: RESTEASY003215: could not find
>> writer for content-type application/x-www-form-urlencoded type:
>> javax.ws.rs.core.Form$1
>      at
>> org.jboss.resteasy.core.interception.jaxrs.ClientWriterInterceptorContext.throwWriterNotFoundException(ClientWriterInterceptorContext.java:40)
>      at
>> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.getWriter(AbstractWriterInterceptorContext.java:146)
>      at
>> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:121)
>      at
>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.writeRequestBody(ClientInvocation.java:388)
>      at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:589)
>      at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.buildEntity(ApacheHttpClient4Engine.java:557)
>      at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.loadHttpMethod(ApacheHttpClient4Engine.java:456)
>      at
>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
>      ... 70 more
>
>
> Thanks for the attention.
>


From jim-keycloak at spudsoft.co.uk  Thu Jun 15 05:47:14 2017
From: jim-keycloak at spudsoft.co.uk (jim-keycloak at spudsoft.co.uk)
Date: Thu, 15 Jun 2017 10:47:14 +0100
Subject: [keycloak-user] KeyCloak behind reverse proxy - hostname incorrect
Message-ID: <a5202d49-1e88-aa4b-2a81-ecea5f7b93cd@spudsoft.co.uk>

Hi,

We are trying to use KeyCloak behind a reverse proxy.

There are lots of discussions about doing this online, but they are all 
concerned about getting the protocol correct - which we are not having a 
problem with.

Our problem is that the reverse proxy has a completely different name 
from the KeyCloak host and this seems to be confusing KeyCloak.

Our reverse proxy ("external") is on https and our KeyCloak server 
("internal") is on http.

There are two examples that we have seen of this:

1. In the UI templates the url.loginAction variable is https://internal

2. In JWTs generated by KeyCloak the iss is https://internal
     This seems to be resulting in all tokens being refused by 
introspection.

Our reverse proxy is adding both X-Forwarded-Proto and 
X-Forwarded-Server headers (we can change these easily).

It would be acceptable for us if KeyCloak were only accessible via the 
reverse proxy.

We are using KeyCloak 3.0.0.FINAL.

How can we get this working?

Thanks

Jim


From bruno at abstractj.org  Thu Jun 15 07:20:48 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 15 Jun 2017 11:20:48 +0000
Subject: [keycloak-user] liquibase.exception.DatabaseException
In-Reply-To: <77bbd4acb1c3448fb0a8f8184d65331e@dehamex2013.europe.flane.local>
References: <77bbd4acb1c3448fb0a8f8184d65331e@dehamex2013.europe.flane.local>
Message-ID: <CAM5SUC7-RTqeGv0Xo8b_BMkMGm8gGv-O-SJ=DpEi3YJXxqnYAQ@mail.gmail.com>

What would be the steps to reproduce and version of the KC server?

On Thu, Jun 15, 2017, 4:09 AM Marc Tempelmeier <marc.tempelmeier at flane.de>
wrote:

> Hi,
>
> Is this a bug?
>
> [Server:slave1] 14:12:02,873 ERROR
> [org.jboss.as.controller.management-operation] (Controller Boot Thread)
> WFLYCTL0013: Operation ("add") failed - address: ([("deployment" =>
> "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed
> services" => {"jboss.undertow.deployment.default-server.default-host./auth"
> => "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./auth:
> java.lang.RuntimeException: RESTEASY003325: Failed to construct public
> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> [Server:slave1]     Caused by: java.lang.RuntimeException: RESTEASY003325:
> Failed to construct public
> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> [Server:slave1]     Caused by:
> liquibase.exception.UnexpectedLiquibaseException:
> liquibase.exception.DatabaseException: Error executing SQL select count(*)
> from public.databasechangeloglock: ERROR: relation
> \"public.databasechangeloglock\" does not exist
> [Server:slave1]   Position: 22
> [Server:slave1]     Caused by: liquibase.exception.DatabaseException:
> Error executing SQL select count(*) from public.databasechangeloglock:
> ERROR: relation \"public.databasechangeloglock\" does not exist
> [Server:slave1]   Position: 22
> [Server:slave1]     Caused by: org.postgresql.util.PSQLException: ERROR:
> relation \"public.databasechangeloglock\" does not exist
> [Server:slave1]   Position: 22"}}
>
> Database looks good though, after the error the slave crashed and
> unregistered.
>
> BR
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From tomas at intrahouse.com  Thu Jun 15 08:17:27 2017
From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=)
Date: Thu, 15 Jun 2017 12:17:27 +0000
Subject: [keycloak-user] Development help
In-Reply-To: <CALgk1PLZbDvC+do6CQK2dpnBTpxFR-NbOcmrQk7Hb0Z6Ug74pg@mail.gmail.com>
References: <CALgk1PLZbDvC+do6CQK2dpnBTpxFR-NbOcmrQk7Hb0Z6Ug74pg@mail.gmail.com>
Message-ID: <CALgk1PJYd5UTeL9BPfG0hEp7QK6oHn0eiYPXKPx6fYBnGjkn7A@mail.gmail.com>

I've found a way to fix my problem... I just create a new session and start
a transaction for every API request to that endpoint:

this.session = KeycloakApplication.createSessionFactory().create();
this.session.getTransactionManager().begin();

At the end of the endpoint I commit and close this generated session.

 This looks so wrong... now the endpoint is way slower and the log is full
of those warning due to using internal SPIs. Any clue about a better
alternative or how to fix my original problem? If this things happen when
programming SPIs and developers don't have a guideline about how to use
Keycloak's transaction model, it will make developers life harder.

Thanks.

On Fri, Jun 9, 2017 at 10:25 AM Tom?s Garc?a <tomas at intrahouse.com> wrote:

> Hi,
>
> I've developed an API service for Keycloak. It's a bit complex algorithm
> where the clientSession needs to be recovered later if something happens,
> so I put a note in the style of HMAC + Session ID as Keycloak does in other
> places and then next, when the algorithm needs to continue in the following
> request to the same endpoint, I recover the session. Inside the API
> service, I'm adding users so I have to commit the transaction just in case
> a ModelDuplicateException happens, as I've seen in other places of
> Keycloak's code.
>
> So I'm receiving this exception when I recover the client session from the
> note (note: a user was added and committed previously). I've tried to start
> a new transaction after committing, but yet I still get the same exception.
>
> Any help or ideas will be welcome. Thanks.
>
> 09:06:48,748 ERROR [io.undertow.request] (default task-5) UT005023:
> Exception handling request to /auth/realms/test/testApi/speciallogin
> : org.jboss.resteasy.spi.UnhandledException:
> java.lang.IllegalStateException: Cannot access delegate without a
> transaction
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>         at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.ja
> va:64)
>         at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:4
> 3)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>         at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>         at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalStateException: Cannot access delegate without
> a transaction
>         at
> org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:97)
>         at
> org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:182)
>         at
> org.keycloak.models.sessions.infinispan.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:282)
>         at
> org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:794)
>         at
> com.test.keycloak.api.services.specialLogin(TestAPIService.java:157)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>         ... 37 more
>
>

From bburke at redhat.com  Thu Jun 15 08:28:33 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 15 Jun 2017 08:28:33 -0400
Subject: [keycloak-user] Keycloak support for Infinispan 9.x
In-Reply-To: <CACackcu_nNvM63LKSWXXrQ8pqDCucjEamwDKUWSgjsv6OD5eGw@mail.gmail.com>
References: <CACackcu_nNvM63LKSWXXrQ8pqDCucjEamwDKUWSgjsv6OD5eGw@mail.gmail.com>
Message-ID: <de98aa64-fa99-bcba-2333-07e95b985a7f@redhat.com>

we use whatever is in the Wildfly distribution we build upon.


On 6/14/17 7:03 AM, Vikrant Singh wrote:
> Hi,
>
> Is there any plan to upgrade keycloak's Infinispan to latest 9.x version,
> if yes what is the timeline we are looking at? Current keycloak still uses
> old 8.1.x version of Infinispan.
>
> There are few new features of Infinispan which I would like to use, Is
> there any risk if I change Infinispan version in current Keycloak to 9.x?
>
> Thanks,
> Vikrant
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From john.d.ament at gmail.com  Thu Jun 15 09:01:25 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 15 Jun 2017 13:01:25 +0000
Subject: [keycloak-user] KeyCloak behind reverse proxy - hostname
	incorrect
In-Reply-To: <a5202d49-1e88-aa4b-2a81-ecea5f7b93cd@spudsoft.co.uk>
References: <a5202d49-1e88-aa4b-2a81-ecea5f7b93cd@spudsoft.co.uk>
Message-ID: <CAOqetn8NBGA+VN5i_gWPqMMJaSQgi8RpdCcY0QpR_PWmWp1kEQ@mail.gmail.com>

Hi,

I'm using nginx as a reverse proxy and got things working.  We had to make
sure the following was being set on the proxy:

            proxy_pass << your url >>;
            proxy_set_header  Host              "$host:$app_port";
            proxy_set_header  X-Forwarded-For   $host;
            proxy_set_header  X-Forwarded-Port  $app_port;

In the http-listener on the keycloak server, make sure
that proxy-address-forwarding="true" was set.

John

On Thu, Jun 15, 2017 at 5:49 AM <jim-keycloak at spudsoft.co.uk> wrote:

> Hi,
>
> We are trying to use KeyCloak behind a reverse proxy.
>
> There are lots of discussions about doing this online, but they are all
> concerned about getting the protocol correct - which we are not having a
> problem with.
>
> Our problem is that the reverse proxy has a completely different name
> from the KeyCloak host and this seems to be confusing KeyCloak.
>
> Our reverse proxy ("external") is on https and our KeyCloak server
> ("internal") is on http.
>
> There are two examples that we have seen of this:
>
> 1. In the UI templates the url.loginAction variable is https://internal
>
> 2. In JWTs generated by KeyCloak the iss is https://internal
>      This seems to be resulting in all tokens being refused by
> introspection.
>
> Our reverse proxy is adding both X-Forwarded-Proto and
> X-Forwarded-Server headers (we can change these easily).
>
> It would be acceptable for us if KeyCloak were only accessible via the
> reverse proxy.
>
> We are using KeyCloak 3.0.0.FINAL.
>
> How can we get this working?
>
> Thanks
>
> Jim
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From denny.israel at googlemail.com  Thu Jun 15 10:21:24 2017
From: denny.israel at googlemail.com (Denny Israel)
Date: Thu, 15 Jun 2017 16:21:24 +0200
Subject: [keycloak-user] Client Mapper mutiple value
Message-ID: <CAF7cocGv=HH7Yyag_R+tTxrwEy42Qhp=AjhrsO3meYNVNRUBiw@mail.gmail.com>

Hi,

i specified a user attribute mapper for a client and set Multivalued to
true. The values i want to map are attributes specified in groups. The idea
is to collect the attributes with the same name in all groups and make them
available as list in the tokens.

When i use the mapper i can see a value of one group but not the values of
other groups. When the mapper does not collect the attributes from all
groups what is the purpose of the multivalued flag? I cannot specify more
than one attribute with the same name in the user or in one group so i
never see mutiple values.

Thanks
Best regards
Denny

From kedward777 at gmail.com  Thu Jun 15 10:36:15 2017
From: kedward777 at gmail.com (ken edward)
Date: Thu, 15 Jun 2017 10:36:15 -0400
Subject: [keycloak-user] How to display user information from keycloak SAML
	adapter assertions/session?
Message-ID: <CAAqgmoO6jzwTrqaLKrbDKFRQ44L92eNLZztd2xZ+eVR1mc91Kg@mail.gmail.com>

Hello,

I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
I created a simple web app with a protected /saml directory. It seems
to work. BUT how can I display the logged in user information after
the user is authenticated?

org.keycloak.adapters.saml.SamlSession :
org.keycloak.adapters.saml.SamlSession at 13a50bc9

Ken

From juan.cortes at oxnard.org  Thu Jun 15 11:02:32 2017
From: juan.cortes at oxnard.org (Cortes, Juan)
Date: Thu, 15 Jun 2017 08:02:32 -0700
Subject: [keycloak-user] PHP library
Message-ID: <CAM9ED6u1MJn5g-jhpxWiDkLH0SX3LAwzt=hQcgfWyzS3OWHCWQ@mail.gmail.com>

Hello all,

Does anybody know of a php library that will work with keycloak's openId
connect?

Am currently trying OpenIDConnectClient.php and I keep on getting a "Code
not valid" exception.

Thank you

From kedward777 at gmail.com  Thu Jun 15 12:35:35 2017
From: kedward777 at gmail.com (ken edward)
Date: Thu, 15 Jun 2017 12:35:35 -0400
Subject: [keycloak-user] How to implement fallback form auth with keycloak
	SAML adapter tomcat??
Message-ID: <CAAqgmoOjxug9xa4tbqi=nvBc8Y-GxYy36pNVw7W1Ek-82TSsvw@mail.gmail.com>

Hello,

I have implemented the keycloak tomcat adapter with ADFS as the IDP.
All works fine, but should the user not authenticate via SAML, how can
I implement a fall back to a form based authentication?

Ken

From kyle.swensson at tasktop.com  Thu Jun 15 13:29:00 2017
From: kyle.swensson at tasktop.com (Kyle Swensson)
Date: Thu, 15 Jun 2017 10:29:00 -0700
Subject: [keycloak-user] Conflicting logins with admin console
In-Reply-To: <aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>
References: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
	<aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>
Message-ID: <CAP0XCm5P9iVtMGCD3X=5XXHSxYHYssrexTr5=zuUhNr1tqcqbw@mail.gmail.com>

Hi,

We have set up a user client on a seperate realm that is not master that
all users for that realm can access, which is where we have our user
application and we have also set up an additional client for a user
administration console on that (non-master) realm. However, the problem
occurs when we log into the user client on the non-master realm at the same
time as we log into the default admin console on the master realm, so our
problem involes 2 seperate realms.

The latest Keycloak master is Keycloak 3.10.Final right? I have tried
upgrading to that, and the issue was still occurring.

Thanks,
Kyle

On Thu, Jun 15, 2017 at 12:10 AM, Marek Posolda <mposolda at redhat.com> wrote:

> Hi,
>
> I guess you're using same realm 'master' for both your application and
> admin console. Can you try to use different realm for your application and
> see if it helps? Also can you try to upgrade to latest Keycloak master and
> see if it helps?
>
> Marek
>
>
> On 14/06/17 01:56, Kyle Swensson wrote:
>
>> Hello,
>>
>>
>> (I have asked this question before to no avail, but the wording was poor
>> so
>> I want to rephrase it in hopes of getting more help)
>>
>> I am having an issue with conflicting logins from a user application and
>> the keycloak admin console
>>
>> The issue arises when I authenticate on my user application as a basic
>> user, using Tomcat. Then, I navigate to the Keycloak Admin Console login
>> page on a different window. Despite being logged in as a basic user on my
>> user application, I am still shown the empty login page for the keycloak
>> admin console. After navigating to the Keycloak admin console login page,
>> my session on my user application becomes broken, and I'm not sure why. At
>> this point if I refresh the page containing my application I will find a
>> 403 error in my console, however I can still access everything in my user
>> application normally. Additionally, for some reason I can no longer log
>> out
>> from my session like i normally would (by hitting the authorization
>> endpoint), when I try to log out nothing happens. The only way that I can
>> get it out of this permanently logged in state is by going to "account"
>> and
>> manually ending all of the sessions for my user. It may be worth noting
>> that I can also still log in to the admin console with a different user,
>> and use the admin console as normal while this is happening. If I log onto
>> the admin console while this is happening and look at all of the active
>> sessions, I can see that there is indeed still an active session for the
>> basic user using the user application. I assume that is the root of the
>> problem, but I'm not sure what's causing this to happen.
>>
>> Setting the "Revoke Refresh Token" option in the keycloak admin console to
>> ON does prevent this from happening, however it also makes the rest of my
>> application become very buggy and slow so leaving that on isn't really a
>> viable option.
>>
>> I'm wondering if this might be an actual bug with Keycloak, or if this is
>> just being caused by some configuration error on my side. I am currently
>> using Keycloak 2.3 for my application, but I have tried temporarily
>> upgrading to Keycloak 3.1 and that didn't help the issue.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>


--

From mittal.prapti06 at gmail.com  Thu Jun 15 14:12:39 2017
From: mittal.prapti06 at gmail.com (Prapti Mittal)
Date: Thu, 15 Jun 2017 23:42:39 +0530
Subject: [keycloak-user] Custom logout using Java servlet adaptor
In-Reply-To: <CADeao7ixhg4Swk4FZ5rznFQ60DyDSM90eEh6DcXM+78nViFmUA@mail.gmail.com>
References: <CADeao7g1EsXeA4=n9zN_6auaZW5XErO0qSKWe07ZvZfDpt90Zg@mail.gmail.com>
	<CADeao7hO6sBQgBY5SzPOZS4OEdqpkcepbOkrkDtOS97fk3cWzQ@mail.gmail.com>
	<CADeao7ibznsME4SqnRye82jZMVp3nUJ1wXhFgmkY=1YDcbJ7yA@mail.gmail.com>
	<CADeao7i+uiv9s1U+BSi5bETO4igaQwGcPoi4FYG_dUhOnEFzRw@mail.gmail.com>
	<CADeao7gs-fWo8W5EU5TPdoMuF75yqWstWWxM+Km+ObzjghAbGQ@mail.gmail.com>
	<CADeao7j8HYca3kGXuF2f0kUWiv6HyV5KoPH0LvR4sJsSK9+zKQ@mail.gmail.com>
	<CADeao7iCgkAan_kk6PyjGBxfrHhLJuW4AF8Qb0bdTnYhbcgQbQ@mail.gmail.com>
	<CADeao7gG2aBqxfYaVZH_42A5kk9VuwHX+MHKeyQ_K7CbyRr6ng@mail.gmail.com>
	<CADeao7iTS2rfOD_nKGmYHCSu=z66fg9XzvfajrqFKTJRthRcDA@mail.gmail.com>
	<CADeao7ij6XnurfLBUrGP50vx3m-2V-xye-pC17p2QdXsvYD=ng@mail.gmail.com>
	<CADeao7gC6bLAjfS7jUvX=qb5n10TJVo9GOgdp1QucjTkvVs3VQ@mail.gmail.com>
	<CADeao7hZzamA05t35F_RzqOzDVW_B7bS4UShCdYXwM6QtXT6=w@mail.gmail.com>
	<CADeao7jF8ckK+ZzpmxDBAoP3QQiAFBWeMyQiuEAokk-u5tA_iQ@mail.gmail.com>
	<CADeao7iAxnSF0R2hBhYQrnGH3gmyRQgPL7VRPxwgSS9qCAROhA@mail.gmail.com>
	<CADeao7gqE5PfCotMJ0sLfFiHcLvuqvsYjg_ahna+-ke+8e6YKg@mail.gmail.com>
	<CADeao7gLpEq08K6hxyQW=gGVp0SXeWTYaL41n4C9pgqoq3ORbQ@mail.gmail.com>
	<CADeao7jXTO7CumWg2GKemm2o69iVDMZBp4mZFtXJbfgAb6q5xA@mail.gmail.com>
	<CADeao7jTOOXKi6d6efejtQ+TZkR2pik3hpts+SmRWDmXCMh+Mw@mail.gmail.com>
	<CADeao7jeVUk9NR4epYO1fm5Y1NFL0ZutEYZjsrVsjTwwng=bjQ@mail.gmail.com>
	<CADeao7hKdHZn=nmJOZV1spC1y_6brVaPFnTTOm60dB+uOFs94w@mail.gmail.com>
	<CADeao7ixhg4Swk4FZ5rznFQ60DyDSM90eEh6DcXM+78nViFmUA@mail.gmail.com>
Message-ID: <CADeao7hn5mdfMUjQO+Mt2-hiqeuzEEptFZZiEWa+NzRtCCNHLg@mail.gmail.com>

Dear Keycloak Community,

Do we have any mechanism for post logout activity on Client application
using java servlet adaptor of Keycloak IDP?

https://stackoverflow.com/q/44407928/2604398

Two possible solutions that I can think of are below, but neither is very
maintainable.
1. We can modify the servlet filter to notify the logout event to the event
listeners and then add the event listeners for the custom code.
2. Define another custom filter for the logout callback path and then use
filter chain to call the Keycloak java servlet filter.

Please suggest the right way to go about.

Regards,
Prapti Mittal

From yevgeni at kovelman.net  Thu Jun 15 14:27:07 2017
From: yevgeni at kovelman.net (Yevgeni Kovelman)
Date: Thu, 15 Jun 2017 11:27:07 -0700
Subject: [keycloak-user] Tomcat fails to start if client in keycloak
	configured as bearer only
Message-ID: <80D2512D-9ABF-4A80-B936-B4828DF7DDCF@kovelman.net>

Tomcat 7.0.77
Keycloak libs in the lib folder

I have a client configured as
Opened-connect
Confidential

All good, as soon as I switch to Bearer only, restart Tomcat

There is a failure
Httpresponseexception: unexpected response from server 400/bad request.

Any ideas?
Thanks

Sent from my iPhone

From celso.agra at gmail.com  Thu Jun 15 23:44:42 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Fri, 16 Jun 2017 00:44:42 -0300
Subject: [keycloak-user] How to create a Camel Route with Keycloak Admin
 Client in JBoss Fuse 6.3.0?
In-Reply-To: <35907b43-bc75-6690-40ec-c1a3cfe62ffb@redhat.com>
References: <CAOFYJDuBrCka0HQb6Pb144A-eV6jNP-=nt9nAE9eM2DXUjrLtA@mail.gmail.com>
	<35907b43-bc75-6690-40ec-c1a3cfe62ffb@redhat.com>
Message-ID: <CAOFYJDuEWc0S0zDAknzY98yrNj=s=do7-GLPd0zRbyBSzPABeQ@mail.gmail.com>

I'm considering to use another kind of osgi implementation, such as Apache
Karaf, eclipse virgo, etc... maybe some of these implementations are not
using CXF (I hope so!)
Also, I'll take a look in the effort to implement and call the Keycloak
REST endpoint with Apache CXF.

I'll create JIRA for this!

Thanks for your answer, Marek!

2017-06-15 5:15 GMT-03:00 Marek Posolda <mposolda at redhat.com>:

> Hi,
>
> I think that you're right. ATM our adminClient likely won't work inside
> JBoss Fuse as adminClient is a bit tightly coupled to resteasy JAXRS
> implementation and JBoss Fuse uses Apache CXF.
>
> At some point we had the PR and discussion for Apache CXF support of our
> admin client, but in the end, it wasn't done. Feel free to create JIRA for
> adminClient support in Fuse environment if it doesn't yet exists.
>
> The easiest workaround for you might be to call the REST endpoint manually
> (either with CXF or with Apache HTTP Client) and not use Keycloak builtin
> adminClient.
>
> Marek
>
>
> On 14/06/17 06:24, Celso Agra wrote:
>
>> Hi all,
>>
>> I'm trying to use the keycloak admin client in JBoss Fuse 6.3.0.
>> Everything
>> works fine when I run the java main class, but when I put this in the
>> JBoss
>> Fuse (with Karaf) I got an error, because the keycloak are using the
>> resteasy, and the OSGI is totally different. So, does anyone knows how to
>> do the same keycloak admin client configuration using this environment?
>>
>> Here is my log:
>>
>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>> ine.invoke(ApacheHttpClient4Engine.java:289)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.
>>> invoke(ClientInvocation.java:454)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker
>>> .invoke(ClientInvoker.java:105)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.
>>> invoke(ClientProxy.java:76)
>>>
>>      at com.sun.proxy.$Proxy85.grantToken(Unknown Source)
>>
>>      at
>>
>>> org.keycloak.admin.client.token.TokenManager.grantToken(Toke
>>> nManager.java:89)
>>>
>>      at
>>
>>> org.keycloak.admin.client.token.TokenManager.getAccessToken(
>>> TokenManager.java:69)
>>>
>>      at
>>
>>> org.keycloak.admin.client.token.TokenManager.getAccessTokenS
>>> tring(TokenManager.java:64)
>>>
>>      at
>>
>>> org.keycloak.admin.client.resource.BearerAuthFilter.filter(
>>> BearerAuthFilter.java:52)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.
>>> invoke(ClientInvocation.java:431)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker
>>> .invoke(ClientInvoker.java:105)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.
>>> invoke(ClientProxy.java:76)
>>>
>>      at com.sun.proxy.$Proxy88.create(Unknown Source)
>>
>>      at
>>
>>> pe.gov.br.ati.service.KeycloakAdminManager.createUserKeycloa
>>> k(KeycloakAdminManager.java:64)
>>>
>>      at
>>
>>> pe.gov.br.ati.service.KeycloakClientService.validateAndInser
>>> tUser(KeycloakClientService.java:20)
>>>
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>
>>      at
>>
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:62)
>>>
>>      at
>>
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>>
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>
>>      at
>>
>>> org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
>>>
>>      at
>>
>>> org.apache.camel.component.bean.MethodInfo$1.doProceed(Metho
>>> dInfo.java:279)
>>>
>>      at
>>
>>> org.apache.camel.component.bean.MethodInfo$1.proceed(MethodI
>>> nfo.java:252)
>>>
>>      at
>>
>>> org.apache.camel.component.bean.BeanProcessor.process(BeanPr
>>> ocessor.java:177)
>>>
>>      at
>>
>>> org.apache.camel.management.InstrumentationProcessor.process
>>> (InstrumentationProcessor.java:77)
>>>
>>      at
>>
>>> org.apache.camel.processor.interceptor.TraceInterceptor.proc
>>> ess(TraceInterceptor.java:163)
>>>
>>      at
>>
>>> org.apache.camel.processor.RedeliveryErrorHandler.process(Re
>>> deliveryErrorHandler.java:468)
>>>
>>      at
>>
>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>> melInternalProcessor.java:196)
>>>
>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>>
>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>>
>>      at
>>
>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>> melInternalProcessor.java:196)
>>>
>>      at
>>
>>> org.apache.camel.component.direct.DirectProducer.process(Dir
>>> ectProducer.java:62)
>>>
>>      at
>>
>>> org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
>>>
>>      at
>>
>>> org.apache.camel.management.InstrumentationProcessor.process
>>> (InstrumentationProcessor.java:77)
>>>
>>      at
>>
>>> org.apache.camel.processor.interceptor.TraceInterceptor.proc
>>> ess(TraceInterceptor.java:163)
>>>
>>      at
>>
>>> org.apache.camel.processor.RedeliveryErrorHandler.process(Re
>>> deliveryErrorHandler.java:468)
>>>
>>      at
>>
>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>> melInternalProcessor.java:196)
>>>
>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>>
>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>>
>>      at
>>
>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>> melInternalProcessor.java:196)
>>>
>>      at
>>
>>> org.apache.camel.util.AsyncProcessorHelper.process(AsyncProc
>>> essorHelper.java:109)
>>>
>>      at
>>
>>> org.apache.camel.processor.DelegateAsyncProcessor.process(De
>>> legateAsyncProcessor.java:91)
>>>
>>      at
>>
>>> org.apache.camel.component.restlet.RestletConsumer$1.handle(
>>> RestletConsumer.java:68)
>>>
>>      at
>>
>>> org.apache.camel.component.restlet.MethodBasedRouter.handle(
>>> MethodBasedRouter.java:54)
>>>
>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>
>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>
>>      at org.restlet.routing.Router.doHandle(Router.java:422)
>>
>>      at org.restlet.routing.Router.handle(Router.java:639)
>>
>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>
>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>
>>      at org.restlet.routing.Router.doHandle(Router.java:422)
>>
>>      at org.restlet.routing.Router.handle(Router.java:639)
>>
>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>
>>      at
>>
>>> org.restlet.engine.application.StatusFilter.doHandle(
>>> StatusFilter.java:140)
>>>
>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>
>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>
>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>
>>      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.
>> java:202)
>>
>>      at org.restlet.Component.handle(Component.java:408)
>>
>>      at org.restlet.Server.handle(Server.java:507)
>>
>>      at
>>
>>> org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
>>>
>>      at
>>
>>> org.restlet.engine.adapter.HttpServerHelper.handle(HttpServe
>>> rHelper.java:143)
>>>
>>      at
>>
>>> org.restlet.engine.connector.HttpServerHelper$1.handle(HttpS
>>> erverHelper.java:64)
>>>
>>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
>>
>>      at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
>>
>>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
>>
>>      at
>>
>>> sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(Se
>>> rverImpl.java:675)
>>>
>>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
>>
>>      at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
>>
>>      at
>>
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>>
>>      at
>>
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>>
>>      at java.lang.Thread.run(Thread.java:748)
>>
>> Caused by: javax.ws.rs.ProcessingException: RESTEASY003215: could not
>> find
>>
>>> writer for content-type application/x-www-form-urlencoded type:
>>> javax.ws.rs.core.Form$1
>>>
>>      at
>>
>>> org.jboss.resteasy.core.interception.jaxrs.ClientWriterInter
>>> ceptorContext.throwWriterNotFoundException(C
>>> lientWriterInterceptorContext.java:40)
>>>
>>      at
>>
>>> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInt
>>> erceptorContext.getWriter(AbstractWriterInterceptorContext.java:146)
>>>
>>      at
>>
>>> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInt
>>> erceptorContext.proceed(AbstractWriterInterceptorContext.java:121)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.wr
>>> iteRequestBody(ClientInvocation.java:388)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>> ine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:589)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>> ine.buildEntity(ApacheHttpClient4Engine.java:557)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>> ine.loadHttpMethod(ApacheHttpClient4Engine.java:456)
>>>
>>      at
>>
>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>> ine.invoke(ApacheHttpClient4Engine.java:283)
>>>
>>      ... 70 more
>>
>>
>> Thanks for the attention.
>>
>>
>


-- 
---
*Celso Agra*

From hmlnarik at redhat.com  Fri Jun 16 03:07:21 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 16 Jun 2017 09:07:21 +0200
Subject: [keycloak-user] How to display user information from keycloak
 SAML adapter assertions/session?
In-Reply-To: <CAAqgmoO6jzwTrqaLKrbDKFRQ44L92eNLZztd2xZ+eVR1mc91Kg@mail.gmail.com>
References: <CAAqgmoO6jzwTrqaLKrbDKFRQ44L92eNLZztd2xZ+eVR1mc91Kg@mail.gmail.com>
Message-ID: <CAMvXD=G4SBvyOeS2q9kBqrfF3ZRFYV4UfwW7zrFWFGJS7sGtvg@mail.gmail.com>

What kind of information? Wont e.g.
request.getUserPrincipal().getName() and role-related methods on
HttpServletRequest do the job? [1]

--Hynek

[1] https://github.com/keycloak/keycloak/blob/master/examples/saml/post-with-encryption/src/main/webapp/index.jsp#L4

On Thu, Jun 15, 2017 at 4:36 PM, ken edward <kedward777 at gmail.com> wrote:
> Hello,
>
> I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
> I created a simple web app with a protected /saml directory. It seems
> to work. BUT how can I display the logged in user information after
> the user is authenticated?
>
> org.keycloak.adapters.saml.SamlSession :
> org.keycloak.adapters.saml.SamlSession at 13a50bc9
>
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek

From adrianmatei at gmail.com  Fri Jun 16 03:14:50 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Fri, 16 Jun 2017 09:14:50 +0200
Subject: [keycloak-user] decouple Keycloak from Active Directory
Message-ID: <CAG=THF1BAP7pBuN69o+q0nXBNMH=TJQxWSrZvQ+p2rmS6BLncA@mail.gmail.com>

Hi guys,

We've made the initial mistake to store our users in Active Directory.
After the number of Keycloak-AD issues increased significantly, we are
considering using just Keycloak DB to store the users.

Is there a way to migrate the users from AD to Keycloak, without forcing
them to update their passwords? If I remove the User-Federation AD Provider
all users are gone...

Thanks,
Adrian

From mposolda at redhat.com  Fri Jun 16 04:58:34 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Jun 2017 10:58:34 +0200
Subject: [keycloak-user] Conflicting logins with admin console
In-Reply-To: <CAP0XCm5P9iVtMGCD3X=5XXHSxYHYssrexTr5=zuUhNr1tqcqbw@mail.gmail.com>
References: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
	<aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>
	<CAP0XCm5P9iVtMGCD3X=5XXHSxYHYssrexTr5=zuUhNr1tqcqbw@mail.gmail.com>
Message-ID: <1dd29e7d-88f8-bd1d-dec2-0b65282c98d0@redhat.com>

On 15/06/17 19:29, Kyle Swensson wrote:
> Hi,
>
> We have set up a user client on a seperate realm that is not master 
> that all users for that realm can access, which is where we have our 
> user application and we have also set up an additional client for a 
> user administration console on that (non-master) realm. However, the 
> problem occurs when we log into the user client on the non-master 
> realm at the same time as we log into the default admin console on the 
> master realm, so our problem involes 2 seperate realms.
>
> The latest Keycloak master is Keycloak 3.10.Final right? I have tried 
> upgrading to that, and the issue was still occurring.
Latest Keycloak master is here: https://github.com/keycloak/keycloak

You would need to checkout it, build manually SNAPSHOT and then test. 
Some notes are here: 
https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md

There are some changes in latest master, which might be related, but TBH 
I didn't ever see the behaviour you described, so hard to predict if it 
helps or not.

Marek
>
> Thanks,
> Kyle
>
> On Thu, Jun 15, 2017 at 12:10 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Hi,
>
>     I guess you're using same realm 'master' for both your application
>     and admin console. Can you try to use different realm for your
>     application and see if it helps? Also can you try to upgrade to
>     latest Keycloak master and see if it helps?
>
>     Marek
>
>
>     On 14/06/17 01:56, Kyle Swensson wrote:
>
>         Hello,
>
>
>         (I have asked this question before to no avail, but the
>         wording was poor so
>         I want to rephrase it in hopes of getting more help)
>
>         I am having an issue with conflicting logins from a user
>         application and
>         the keycloak admin console
>
>         The issue arises when I authenticate on my user application as
>         a basic
>         user, using Tomcat. Then, I navigate to the Keycloak Admin
>         Console login
>         page on a different window. Despite being logged in as a basic
>         user on my
>         user application, I am still shown the empty login page for
>         the keycloak
>         admin console. After navigating to the Keycloak admin console
>         login page,
>         my session on my user application becomes broken, and I'm not
>         sure why. At
>         this point if I refresh the page containing my application I
>         will find a
>         403 error in my console, however I can still access everything
>         in my user
>         application normally. Additionally, for some reason I can no
>         longer log out
>         from my session like i normally would (by hitting the
>         authorization
>         endpoint), when I try to log out nothing happens. The only way
>         that I can
>         get it out of this permanently logged in state is by going to
>         "account" and
>         manually ending all of the sessions for my user. It may be
>         worth noting
>         that I can also still log in to the admin console with a
>         different user,
>         and use the admin console as normal while this is happening.
>         If I log onto
>         the admin console while this is happening and look at all of
>         the active
>         sessions, I can see that there is indeed still an active
>         session for the
>         basic user using the user application. I assume that is the
>         root of the
>         problem, but I'm not sure what's causing this to happen.
>
>         Setting the "Revoke Refresh Token" option in the keycloak
>         admin console to
>         ON does prevent this from happening, however it also makes the
>         rest of my
>         application become very buggy and slow so leaving that on
>         isn't really a
>         viable option.
>
>         I'm wondering if this might be an actual bug with Keycloak, or
>         if this is
>         just being caused by some configuration error on my side. I am
>         currently
>         using Keycloak 2.3 for my application, but I have tried
>         temporarily
>         upgrading to Keycloak 3.1 and that didn't help the issue.
>         _______________________________________________
>         keycloak-user mailing list
>         keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>         <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>
>
>
> -- 
>
>


From thomas.darimont at googlemail.com  Fri Jun 16 06:27:39 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 16 Jun 2017 12:27:39 +0200
Subject: [keycloak-user] decouple Keycloak from Active Directory
In-Reply-To: <CAG=THF1BAP7pBuN69o+q0nXBNMH=TJQxWSrZvQ+p2rmS6BLncA@mail.gmail.com>
References: <CAG=THF1BAP7pBuN69o+q0nXBNMH=TJQxWSrZvQ+p2rmS6BLncA@mail.gmail.com>
Message-ID: <CAK-7U1gxZ3afZ-iDEfXwwhLqiYmd_ZSJ1ontEN5beg86YGZPMw@mail.gmail.com>

Hi Adrian,

would you mind to share the AD problems you are facing? We currently store
users in PostgreSQL without any problems but some folks are considering
moving the users to AD.

Cheers,
Thomas

Am 16.06.2017 9:22 vorm. schrieb "Adrian Matei" <adrianmatei at gmail.com>:

> Hi guys,
>
> We've made the initial mistake to store our users in Active Directory.
> After the number of Keycloak-AD issues increased significantly, we are
> considering using just Keycloak DB to store the users.
>
> Is there a way to migrate the users from AD to Keycloak, without forcing
> them to update their passwords? If I remove the User-Federation AD Provider
> all users are gone...
>
> Thanks,
> Adrian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kedward777 at gmail.com  Fri Jun 16 10:01:07 2017
From: kedward777 at gmail.com (ken edward)
Date: Fri, 16 Jun 2017 10:01:07 -0400
Subject: [keycloak-user] How to display user information from keycloak
 SAML adapter assertions/session?
In-Reply-To: <CAMvXD=G4SBvyOeS2q9kBqrfF3ZRFYV4UfwW7zrFWFGJS7sGtvg@mail.gmail.com>
References: <CAAqgmoO6jzwTrqaLKrbDKFRQ44L92eNLZztd2xZ+eVR1mc91Kg@mail.gmail.com>
	<CAMvXD=G4SBvyOeS2q9kBqrfF3ZRFYV4UfwW7zrFWFGJS7sGtvg@mail.gmail.com>
Message-ID: <CAAqgmoPSPAwhqaeYnMAyAUTd27DzmTXgUaMtuJYOFX1+Lmb+zw@mail.gmail.com>

Thanks Hynek,

I was just wanting to see what kind of information is available via
the org.keycloak.adapters.saml.SamlSession  that would not be in the
request.... How would I interrogate the saml session information?

Ken

On Fri, Jun 16, 2017 at 3:07 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
> What kind of information? Wont e.g.
> request.getUserPrincipal().getName() and role-related methods on
> HttpServletRequest do the job? [1]
>
> --Hynek
>
> [1] https://github.com/keycloak/keycloak/blob/master/examples/saml/post-with-encryption/src/main/webapp/index.jsp#L4
>
> On Thu, Jun 15, 2017 at 4:36 PM, ken edward <kedward777 at gmail.com> wrote:
>> Hello,
>>
>> I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
>> I created a simple web app with a protected /saml directory. It seems
>> to work. BUT how can I display the logged in user information after
>> the user is authenticated?
>>
>> org.keycloak.adapters.saml.SamlSession :
>> org.keycloak.adapters.saml.SamlSession at 13a50bc9
>>
>> Ken
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek

From ssilvert at redhat.com  Fri Jun 16 14:39:26 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 16 Jun 2017 14:39:26 -0400
Subject: [keycloak-user] Can we forbib mail change?
In-Reply-To: <a836a77cbeb44e02a42d3101fd50fd60@dehamex2013.europe.flane.local>
References: <a836a77cbeb44e02a42d3101fd50fd60@dehamex2013.europe.flane.local>
Message-ID: <8bb1b638-7b4b-ee60-3380-a983b88eaaf2@redhat.com>

You can easily change the template for account management to make email 
read-only or hidden/removed.  See the documentation on themes for how to 
do that.

Of course, that just modifies the UI and a user could still send a post 
request to change it if he wanted to do some easy hacking. To really 
lock down email changes takes a bit more work but I'm sure it can be done.

Stan

On 6/14/2017 4:47 AM, Marc Tempelmeier wrote:
> Hi,
>
> Subject says it all, but can we forbid that a user can change it?s mail?
>
> Best regards
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From dirk.franssen at gmail.com  Sun Jun 18 07:02:32 2017
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Sun, 18 Jun 2017 13:02:32 +0200
Subject: [keycloak-user] Rest api - missing group info and non-individual
	attributes in the response
Message-ID: <CALT3Sxjp5Rv4sQR2F7yqU7m5quSdFkJmaMe0ZskYCFOu66iC1g@mail.gmail.com>

Hi all,

I have defined several groups in Keycloak 3.0.0.Final with some users and
via the java library I make rest calls to retrieve the list of users via
realmResource.users().search(), but the response does not contain the
groups info (UserRepresentation.getGroups() is null)?

So I added a client mapper of type Group Membership with claim name
myGroups (add to ID token, access token and userinfo). After a login into
the application I do have an otherClaims of myGroups with the groupnames
the user belongs to. But the rest call response does not contain the info (
UserRepresentation.getAttributes() is null)

Also the group attributes (with a new mapper) do not appear in the response
of the rest call. It seems that only individual user attributes are
returned in the rest call response? Is this by design?

I know there is the possibility to extend the rest api via a custom
provider, but this seem cumbersome to just know to which group the user
belongs to...

Currently I query for each group the members separately via
realmResource.groups().group(groupid).members(). This is kind of ok as
there are currently only 4 groups.

Kind regards,
Dirk Franssen

From mposolda at redhat.com  Mon Jun 19 02:57:47 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 19 Jun 2017 08:57:47 +0200
Subject: [keycloak-user] Rest api - missing group info and
 non-individual attributes in the response
In-Reply-To: <CALT3Sxjp5Rv4sQR2F7yqU7m5quSdFkJmaMe0ZskYCFOu66iC1g@mail.gmail.com>
References: <CALT3Sxjp5Rv4sQR2F7yqU7m5quSdFkJmaMe0ZskYCFOu66iC1g@mail.gmail.com>
Message-ID: <d8e3521e-6009-552c-6cb1-1f41e7974c2c@redhat.com>

On 18/06/17 13:02, Dirk Franssen wrote:
> Hi all,
>
> I have defined several groups in Keycloak 3.0.0.Final with some users and
> via the java library I make rest calls to retrieve the list of users via
> realmResource.users().search(), but the response does not contain the
> groups info (UserRepresentation.getGroups() is null)?
There is separate REST endpoint for it. You can try to explore our admin 
console and see what HTTP requests it is sending when you display group 
memberships of user (admin console is just angular application backed by 
admin REST API).
>
> So I added a client mapper of type Group Membership with claim name
> myGroups (add to ID token, access token and userinfo). After a login into
> the application I do have an otherClaims of myGroups with the groupnames
> the user belongs to. But the rest call response does not contain the info (
> UserRepresentation.getAttributes() is null)
>
> Also the group attributes (with a new mapper) do not appear in the response
> of the rest call. It seems that only individual user attributes are
> returned in the rest call response? Is this by design?
Yes. However once user authenticate, you will see all his attributes in 
the token as expected, including the attributes inherited through group 
mapping.

Maybe our admin console and admin REST API could be a bit clever and 
optionally display also attributes inherited through groups. Feel free 
to create JIRA. However not sure about priority of this...

Marek
>
> I know there is the possibility to extend the rest api via a custom
> provider, but this seem cumbersome to just know to which group the user
> belongs to...
>
> Currently I query for each group the members separately via
> realmResource.groups().group(groupid).members(). This is kind of ok as
> there are currently only 4 groups.
>
> Kind regards,
> Dirk Franssen
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From federico at info.nl  Mon Jun 19 05:44:25 2017
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Mon, 19 Jun 2017 09:44:25 +0000
Subject: [keycloak-user] How to handle multivalued custom attributes in
	account client?
Message-ID: <FE406DFE-7478-4398-B366-03B39990EC47@info.nl>

Hello,

I?m facing a scenario where I have defined a custom attribute as multivalued. It works all fine using the REST admin API, and while in the Keycloak admin console is displayed as a ?##? separated string, it?s also functional in terms of displaying/editing the values.

However, when it comes to adding the attribute to the account client, it apparently only shows the first element of the attribute, and I get the following log trace:

>>> [org.keycloak.forms.account.freemarker.model.AccountBean] (default task-41) There are more values for attribute 'additionalProductIds' of user 'somebody at somewhere.com' . Will display just first value

Am I overlooking some configuration to enable the handling of multivalued custom attributes?




Met vriendelijke groet,

Federico Navarro

backend developer

federico at info.nl<mailto:federico at info.nl>  |  LinkedIn<http://www.linkedin.com/in/jasperleferink>  |  +31 (0)2 05 30 91 61<tel:+31205309161>

info.nl<http://www.info.nl/>

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100<tel:+31205309100>



From Sven.Vogel at kupper-computer.com  Mon Jun 19 06:14:01 2017
From: Sven.Vogel at kupper-computer.com (Vogel, Sven)
Date: Mon, 19 Jun 2017 10:14:01 +0000
Subject: [keycloak-user] SAML Client Error Code 431
Message-ID: <78F94182E464C4468479C87CC275FAB1017F36F776@KMail1.kupper-computer.local>

Hi Anybody,

we have a problem to get saml to work with cloudstack.

Maybe anybody can help.


1.       We created a saml client.

2.       We filled all information in cloudstack

a.       saml2.default.idpid -->http://192.168.85.40:8080/auth/realms/example.cloud/protocol/saml

b.       saml2.idp.metadata.url --> http://192.168.85.36/metadata.xml (we used the SAML Metadata IDPSSODescriptor)

3.     When we use login on the saml provider from cloudstack we get the following error

a.     {

loginresponse: {

uuidList: [ ],

errorcode: 431,

errortext: "IdP ID (http://192.168.85.40:8080/auth/realms/example.cloud) has no Single Sign On URL defined please contact null <null>, cannot proceed."

}

}

Is there anybody who can help? Maybe it's a problem that we forgott something. Before we used ipsilon and the things work. Maybe we have not enough knowledge.

Thanks

Sven



From michel.laporte at essencedigital.com  Mon Jun 19 06:22:17 2017
From: michel.laporte at essencedigital.com (Michel Laporte)
Date: Mon, 19 Jun 2017 11:22:17 +0100
Subject: [keycloak-user] Social Logins - Allow only specific Domains to
	authenticate
Message-ID: <CALAiTM1hh4+g9MDrtnQfZQy9y=6xcY1AhUbUOdEjP-cdu7rWCg@mail.gmail.com>

Hi there,
Is there any way of configuring social clients to whitelist domains?
At the moment, we are looking to externalise a service and any Google
account can authenticate with Google on the service, we want to limit it to
only the allowed domains specific or specify accounts to log in.
Is this do-able?

Another thread stated authentication flows is do-able but he link
explaining how was dead as it went to Githubs Keycloak page which is now
non existent and the Authentication Flows documentation is not too clear.

Thanks

-- 

*Michel Laporte*
DevOps Engineer

T: +44 20 7758 7162
UK House ? 180 Oxford Street ? London ? W1D 1NN

-- 
-------------------------------------
essencedigital.com <http://www.essencedigital.com/>
Google+ <https://plus.google.com/102138558390623994587/about> ? Facebook 
<http://www.facebook.com/essencedigital> ? Twitter 
<https://twitter.com/essencedigital> ? YouTube 
<http://www.youtube.com/essencedigitalvideos>

From bburke at redhat.com  Mon Jun 19 11:21:29 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 19 Jun 2017 11:21:29 -0400
Subject: [keycloak-user] Social Logins - Allow only specific Domains to
 authenticate
In-Reply-To: <CALAiTM1hh4+g9MDrtnQfZQy9y=6xcY1AhUbUOdEjP-cdu7rWCg@mail.gmail.com>
References: <CALAiTM1hh4+g9MDrtnQfZQy9y=6xcY1AhUbUOdEjP-cdu7rWCg@mail.gmail.com>
Message-ID: <9cde7e34-d5a6-8bf3-9cfa-5982469b2667@redhat.com>



On 6/19/17 6:22 AM, Michel Laporte wrote:
> Hi there,
> Is there any way of configuring social clients to whitelist domains?
> At the moment, we are looking to externalise a service and any Google
> account can authenticate with Google on the service, we want to limit it to
> only the allowed domains specific or specify accounts to log in.
> Is this do-able?
I'm not sure this is possible.  An Auth flow might be able to disallow a 
social login, not sure.

> Another thread stated authentication flows is do-able but he link
> explaining how was dead as it went to Githubs Keycloak page which is now
> non existent and the Authentication Flows documentation is not too clear.
??? Not sure what you mean here by "Githubs Keycloak page which is now 
non existent".


From marcelo.nardelli at gmail.com  Mon Jun 19 13:53:45 2017
From: marcelo.nardelli at gmail.com (Marcelo Nardelli)
Date: Mon, 19 Jun 2017 14:53:45 -0300
Subject: [keycloak-user] Upgrading from Red Hat SSO 7.0 to Keycloak 3.1
Message-ID: <CACrx09aBrU7zNs_JJi6Js6Q0Gz-jG9CmOn-Ef-hDZ2OYmz7C0A@mail.gmail.com>

Hi,

At work, we have an installation of Red Hat SSO 7.0 and we were going to
upgrade it to version 7.1. However, I was told that the our Red Hat
subscription won't be renewed, so now we want to upgrade to the last
Keycloak version. Is this (upgrade from SSO 7.0 to Keycloak 3.1) supported?
I've been trying to follow the instructions on the documentation (
https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html),
but it's not working. Specifically, when I try to run the migration script
(after copying the old standalone.xml and the keycloak-server.json file)

    jboss-cli.sh --file=migrate-standalone.cli

I get this error:

    Cannot start embedded server: WFLYEMB0021: Cannot start embedded
process: Operation failed: WFLYSRV0056: Server boot has failed in an
unrecoverable manner; exiting. See previous messages for details.


I suppose the Keycloak version used in SSO 7.0 is too old and I will have
to do some manual work here, but I wanted to know if there is some specific
advice for this case...

Thanks,

Marcelo Nardelli

From rafterjiang at hotmail.com  Mon Jun 19 15:59:37 2017
From: rafterjiang at hotmail.com (rafterjiang)
Date: Mon, 19 Jun 2017 12:59:37 -0700 (MST)
Subject: [keycloak-user] Is there a way to return a customized error message
 from servlet interception of keycloak.
Message-ID: <1497902377869-3941.post@n6.nabble.com>

We are using spring boot to do the web api/url authentication. We have set up
the auth roles and patterns in application.properties. Everything works
fine. Only problem is, when web API auth fails,keycloak returns a either 401
or 403 to client. For example:
{
    "status": "401",
    "errorCode": "SERVER_ERROR",
    "message": "internal server error"
}

or 

{
    "status": "403",
    "errorCode": "SERVER_ERROR",
    "message": "internal server error"
}

The error message is too vague, is it possible to customize the error
message so client knows clearly what goes wrong?



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Is-there-a-way-to-return-a-customized-error-message-from-servlet-interception-of-keycloak-tp3941.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From kyle.swensson at tasktop.com  Mon Jun 19 16:25:12 2017
From: kyle.swensson at tasktop.com (Kyle Swensson)
Date: Mon, 19 Jun 2017 13:25:12 -0700
Subject: [keycloak-user] Conflicting logins with admin console
In-Reply-To: <1dd29e7d-88f8-bd1d-dec2-0b65282c98d0@redhat.com>
References: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
	<aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>
	<CAP0XCm5P9iVtMGCD3X=5XXHSxYHYssrexTr5=zuUhNr1tqcqbw@mail.gmail.com>
	<1dd29e7d-88f8-bd1d-dec2-0b65282c98d0@redhat.com>
Message-ID: <CAP0XCm7afaP89OLxbNrjczme+VPVRAXg9KPjOYVX+nGzzi22gA@mail.gmail.com>

Hi Marek,

Fortunately, installing the master keycloak build did actually solve the
problem, so thank you for that suggestion! When we log into the master
realm admin console while logged into the user application, and then
refresh the page on the user application, we get a page saying "Unexpected
error when handling authentication request to identity provider", which is
what we want to happen. Unfortunately, there is now a new problem, because
once we get to this error page we continue to get this error page no matter
what when attempting to access the user application until we delete all of
our cookies, even closing the browser window doesn't help. When this
happens it will also sometimes attempt to kick us out of the keycloak
master realm admin console, but it doesn't do it consistently. I have
attached a picture of the error page I am seeing. Do you know if there is
any way that we could make this error page stop showing up once the user
who logged into the keycloak master realm admin console logs out?

Thanks,
Kyle

On Fri, Jun 16, 2017 at 1:58 AM, Marek Posolda <mposolda at redhat.com> wrote:

> On 15/06/17 19:29, Kyle Swensson wrote:
>
> Hi,
>
> We have set up a user client on a seperate realm that is not master that
> all users for that realm can access, which is where we have our user
> application and we have also set up an additional client for a user
> administration console on that (non-master) realm. However, the problem
> occurs when we log into the user client on the non-master realm at the same
> time as we log into the default admin console on the master realm, so our
> problem involes 2 seperate realms.
>
> The latest Keycloak master is Keycloak 3.10.Final right? I have tried
> upgrading to that, and the issue was still occurring.
>
> Latest Keycloak master is here: https://github.com/keycloak/keycloak
>
> You would need to checkout it, build manually SNAPSHOT and then test. Some
> notes are here: https://github.com/keycloak/ke
> ycloak/blob/master/misc/HackingOnKeycloak.md
>
> There are some changes in latest master, which might be related, but TBH I
> didn't ever see the behaviour you described, so hard to predict if it helps
> or not.
>
> Marek
>
>
> Thanks,
> Kyle
>
> On Thu, Jun 15, 2017 at 12:10 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> Hi,
>>
>> I guess you're using same realm 'master' for both your application and
>> admin console. Can you try to use different realm for your application and
>> see if it helps? Also can you try to upgrade to latest Keycloak master and
>> see if it helps?
>>
>> Marek
>>
>>
>> On 14/06/17 01:56, Kyle Swensson wrote:
>>
>>> Hello,
>>>
>>>
>>> (I have asked this question before to no avail, but the wording was poor
>>> so
>>> I want to rephrase it in hopes of getting more help)
>>>
>>> I am having an issue with conflicting logins from a user application and
>>> the keycloak admin console
>>>
>>> The issue arises when I authenticate on my user application as a basic
>>> user, using Tomcat. Then, I navigate to the Keycloak Admin Console login
>>> page on a different window. Despite being logged in as a basic user on my
>>> user application, I am still shown the empty login page for the keycloak
>>> admin console. After navigating to the Keycloak admin console login page,
>>> my session on my user application becomes broken, and I'm not sure why.
>>> At
>>> this point if I refresh the page containing my application I will find a
>>> 403 error in my console, however I can still access everything in my user
>>> application normally. Additionally, for some reason I can no longer log
>>> out
>>> from my session like i normally would (by hitting the authorization
>>> endpoint), when I try to log out nothing happens. The only way that I can
>>> get it out of this permanently logged in state is by going to "account"
>>> and
>>> manually ending all of the sessions for my user. It may be worth noting
>>> that I can also still log in to the admin console with a different user,
>>> and use the admin console as normal while this is happening. If I log
>>> onto
>>> the admin console while this is happening and look at all of the active
>>> sessions, I can see that there is indeed still an active session for the
>>> basic user using the user application. I assume that is the root of the
>>> problem, but I'm not sure what's causing this to happen.
>>>
>>> Setting the "Revoke Refresh Token" option in the keycloak admin console
>>> to
>>> ON does prevent this from happening, however it also makes the rest of my
>>> application become very buggy and slow so leaving that on isn't really a
>>> viable option.
>>>
>>> I'm wondering if this might be an actual bug with Keycloak, or if this is
>>> just being caused by some configuration error on my side. I am currently
>>> using Keycloak 2.3 for my application, but I have tried temporarily
>>> upgrading to Keycloak 3.1 and that didn't help the issue.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
> --
>
>
>
>


--

From kyle.swensson at tasktop.com  Mon Jun 19 18:06:19 2017
From: kyle.swensson at tasktop.com (Kyle Swensson)
Date: Mon, 19 Jun 2017 15:06:19 -0700
Subject: [keycloak-user] Conflicting logins with admin console
In-Reply-To: <CAP0XCm7afaP89OLxbNrjczme+VPVRAXg9KPjOYVX+nGzzi22gA@mail.gmail.com>
References: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
	<aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>
	<CAP0XCm5P9iVtMGCD3X=5XXHSxYHYssrexTr5=zuUhNr1tqcqbw@mail.gmail.com>
	<1dd29e7d-88f8-bd1d-dec2-0b65282c98d0@redhat.com>
	<CAP0XCm7afaP89OLxbNrjczme+VPVRAXg9KPjOYVX+nGzzi22gA@mail.gmail.com>
Message-ID: <CAP0XCm5+hiN70NFmFa+Mayh3WWB4K=yjjyFArWz0psyJtEHBkw@mail.gmail.com>

Hello again,

We realized that we had installed Keycloak 3.1 incorrectly when we were
trying it out before, so we re-installed keycloak 3.1.0 and actually found
that it fixed our issue as well, in fact it works substantially better than
the master build and has totally different behavior. in 3.1.0, If we login
to the Keycloak admin console while logged into a user application, then
refresh the user application we are just logged out of the user
application, and nothing else happens, which is exactly what we were
looking for, so that's great! We did run into a bit of a weird
inconsistency on the 3.1.0 build though. We found that even though logging
into the master realm admin console logs someone using the user application
out, the user can log back into the user application while the admin
console is still in use, and nothing happens, and users can use both the
master realm keycloak admin console and the user application simultaneously
on the same browser while logged into different users. This isn't really a
big problem, but we were just curious if this is expected behavior, or if
there may be some easy way to make the behavior more consistent.

Thanks,
Kyle

On Mon, Jun 19, 2017 at 1:25 PM, Kyle Swensson <kyle.swensson at tasktop.com>
wrote:

> Hi Marek,
>
> Fortunately, installing the master keycloak build did actually solve the
> problem, so thank you for that suggestion! When we log into the master
> realm admin console while logged into the user application, and then
> refresh the page on the user application, we get a page saying "Unexpected
> error when handling authentication request to identity provider", which is
> what we want to happen. Unfortunately, there is now a new problem, because
> once we get to this error page we continue to get this error page no matter
> what when attempting to access the user application until we delete all of
> our cookies, even closing the browser window doesn't help. When this
> happens it will also sometimes attempt to kick us out of the keycloak
> master realm admin console, but it doesn't do it consistently. I have
> attached a picture of the error page I am seeing. Do you know if there is
> any way that we could make this error page stop showing up once the user
> who logged into the keycloak master realm admin console logs out?
>
> Thanks,
> Kyle
>
> On Fri, Jun 16, 2017 at 1:58 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> On 15/06/17 19:29, Kyle Swensson wrote:
>>
>> Hi,
>>
>> We have set up a user client on a seperate realm that is not master that
>> all users for that realm can access, which is where we have our user
>> application and we have also set up an additional client for a user
>> administration console on that (non-master) realm. However, the problem
>> occurs when we log into the user client on the non-master realm at the same
>> time as we log into the default admin console on the master realm, so our
>> problem involes 2 seperate realms.
>>
>> The latest Keycloak master is Keycloak 3.10.Final right? I have tried
>> upgrading to that, and the issue was still occurring.
>>
>> Latest Keycloak master is here: https://github.com/keycloak/keycloak
>>
>> You would need to checkout it, build manually SNAPSHOT and then test.
>> Some notes are here: https://github.com/keycloak/ke
>> ycloak/blob/master/misc/HackingOnKeycloak.md
>>
>> There are some changes in latest master, which might be related, but TBH
>> I didn't ever see the behaviour you described, so hard to predict if it
>> helps or not.
>>
>> Marek
>>
>>
>> Thanks,
>> Kyle
>>
>> On Thu, Jun 15, 2017 at 12:10 AM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I guess you're using same realm 'master' for both your application and
>>> admin console. Can you try to use different realm for your application and
>>> see if it helps? Also can you try to upgrade to latest Keycloak master and
>>> see if it helps?
>>>
>>> Marek
>>>
>>>
>>> On 14/06/17 01:56, Kyle Swensson wrote:
>>>
>>>> Hello,
>>>>
>>>>
>>>> (I have asked this question before to no avail, but the wording was
>>>> poor so
>>>> I want to rephrase it in hopes of getting more help)
>>>>
>>>> I am having an issue with conflicting logins from a user application and
>>>> the keycloak admin console
>>>>
>>>> The issue arises when I authenticate on my user application as a basic
>>>> user, using Tomcat. Then, I navigate to the Keycloak Admin Console login
>>>> page on a different window. Despite being logged in as a basic user on
>>>> my
>>>> user application, I am still shown the empty login page for the keycloak
>>>> admin console. After navigating to the Keycloak admin console login
>>>> page,
>>>> my session on my user application becomes broken, and I'm not sure why.
>>>> At
>>>> this point if I refresh the page containing my application I will find a
>>>> 403 error in my console, however I can still access everything in my
>>>> user
>>>> application normally. Additionally, for some reason I can no longer log
>>>> out
>>>> from my session like i normally would (by hitting the authorization
>>>> endpoint), when I try to log out nothing happens. The only way that I
>>>> can
>>>> get it out of this permanently logged in state is by going to "account"
>>>> and
>>>> manually ending all of the sessions for my user. It may be worth noting
>>>> that I can also still log in to the admin console with a different user,
>>>> and use the admin console as normal while this is happening. If I log
>>>> onto
>>>> the admin console while this is happening and look at all of the active
>>>> sessions, I can see that there is indeed still an active session for the
>>>> basic user using the user application. I assume that is the root of the
>>>> problem, but I'm not sure what's causing this to happen.
>>>>
>>>> Setting the "Revoke Refresh Token" option in the keycloak admin console
>>>> to
>>>> ON does prevent this from happening, however it also makes the rest of
>>>> my
>>>> application become very buggy and slow so leaving that on isn't really a
>>>> viable option.
>>>>
>>>> I'm wondering if this might be an actual bug with Keycloak, or if this
>>>> is
>>>> just being caused by some configuration error on my side. I am currently
>>>> using Keycloak 2.3 for my application, but I have tried temporarily
>>>> upgrading to Keycloak 3.1 and that didn't help the issue.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>>
>>
>>
>
>
> --
>

From michel.laporte at essencedigital.com  Tue Jun 20 04:35:18 2017
From: michel.laporte at essencedigital.com (Michel Laporte)
Date: Tue, 20 Jun 2017 09:35:18 +0100
Subject: [keycloak-user] Social Logins - Allow only specific Domains to
	authenticate
In-Reply-To: <9cde7e34-d5a6-8bf3-9cfa-5982469b2667@redhat.com>
References: <CALAiTM1hh4+g9MDrtnQfZQy9y=6xcY1AhUbUOdEjP-cdu7rWCg@mail.gmail.com>
	<9cde7e34-d5a6-8bf3-9cfa-5982469b2667@redhat.com>
Message-ID: <CALAiTM3X1OJp_9tqWXCXvUC16nM_Ox=HtoLeSBGDO-TQA0LSZg@mail.gmail.com>

Hi,
http://lists.jboss.org/pipermail/keycloak-user/2016-February/004788.html
This link links you to a Github page which doesn't exist.

How do you use auth flows? There's not much in terms of information online
about it

On 19 June 2017 at 16:21, Bill Burke <bburke at redhat.com> wrote:

>
>
> On 6/19/17 6:22 AM, Michel Laporte wrote:
> > Hi there,
> > Is there any way of configuring social clients to whitelist domains?
> > At the moment, we are looking to externalise a service and any Google
> > account can authenticate with Google on the service, we want to limit it
> to
> > only the allowed domains specific or specify accounts to log in.
> > Is this do-able?
> I'm not sure this is possible.  An Auth flow might be able to disallow a
> social login, not sure.
>
> > Another thread stated authentication flows is do-able but he link
> > explaining how was dead as it went to Githubs Keycloak page which is now
> > non existent and the Authentication Flows documentation is not too clear.
> ??? Not sure what you mean here by "Githubs Keycloak page which is now
> non existent".
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 

*Michel Laporte*
DevOps Engineer

T: +44 20 7758 7162
UK House ? 180 Oxford Street ? London ? W1D 1NN

-- 
-------------------------------------
essencedigital.com <http://www.essencedigital.com/>
Google+ <https://plus.google.com/102138558390623994587/about> ? Facebook 
<http://www.facebook.com/essencedigital> ? Twitter 
<https://twitter.com/essencedigital> ? YouTube 
<http://www.youtube.com/essencedigitalvideos>

From sblanc at redhat.com  Tue Jun 20 05:00:49 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 20 Jun 2017 11:00:49 +0200
Subject: [keycloak-user] Social Logins - Allow only specific Domains to
	authenticate
In-Reply-To: <CALAiTM3X1OJp_9tqWXCXvUC16nM_Ox=HtoLeSBGDO-TQA0LSZg@mail.gmail.com>
References: <CALAiTM1hh4+g9MDrtnQfZQy9y=6xcY1AhUbUOdEjP-cdu7rWCg@mail.gmail.com>
	<9cde7e34-d5a6-8bf3-9cfa-5982469b2667@redhat.com>
	<CALAiTM3X1OJp_9tqWXCXvUC16nM_Ox=HtoLeSBGDO-TQA0LSZg@mail.gmail.com>
Message-ID: <CAMZCGg8_5N0=o5vkArUBf_gTv1We4cYD1hoUmiH-SRC7wV5WhQ@mail.gmail.com>

On Tue, Jun 20, 2017 at 10:35 AM, Michel Laporte <
michel.laporte at essencedigital.com> wrote:

> Hi,
> http://lists.jboss.org/pipermail/keycloak-user/2016-February/004788.html
> This link links you to a Github page which doesn't exist.
>
https://keycloak.gitbooks.io/documentation/content/server_development/topics/auth-spi.html

>
> How do you use auth flows? There's not much in terms of information online
> about it
>
> On 19 June 2017 at 16:21, Bill Burke <bburke at redhat.com> wrote:
>
> >
> >
> > On 6/19/17 6:22 AM, Michel Laporte wrote:
> > > Hi there,
> > > Is there any way of configuring social clients to whitelist domains?
> > > At the moment, we are looking to externalise a service and any Google
> > > account can authenticate with Google on the service, we want to limit
> it
> > to
> > > only the allowed domains specific or specify accounts to log in.
> > > Is this do-able?
> > I'm not sure this is possible.  An Auth flow might be able to disallow a
> > social login, not sure.
> >
> > > Another thread stated authentication flows is do-able but he link
> > > explaining how was dead as it went to Githubs Keycloak page which is
> now
> > > non existent and the Authentication Flows documentation is not too
> clear.
> > ??? Not sure what you mean here by "Githubs Keycloak page which is now
> > non existent".
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
>
> --
>
> *Michel Laporte*
> DevOps Engineer
>
> T: +44 20 7758 7162
> UK House ? 180 Oxford Street ? London ? W1D 1NN
>
> --
> -------------------------------------
> essencedigital.com <http://www.essencedigital.com/>
> Google+ <https://plus.google.com/102138558390623994587/about> ? Facebook
> <http://www.facebook.com/essencedigital> ? Twitter
> <https://twitter.com/essencedigital> ? YouTube
> <http://www.youtube.com/essencedigitalvideos>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com  Tue Jun 20 05:29:50 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Jun 2017 11:29:50 +0200
Subject: [keycloak-user] Conflicting logins with admin console
In-Reply-To: <CAP0XCm5+hiN70NFmFa+Mayh3WWB4K=yjjyFArWz0psyJtEHBkw@mail.gmail.com>
References: <CAP0XCm6Lb=0ZFO=f17kPYnrjH-3oVmznoWg91FfknV0oG7s2ng@mail.gmail.com>
	<aa3f4742-e5fa-be87-9672-05395f561e51@redhat.com>
	<CAP0XCm5P9iVtMGCD3X=5XXHSxYHYssrexTr5=zuUhNr1tqcqbw@mail.gmail.com>
	<1dd29e7d-88f8-bd1d-dec2-0b65282c98d0@redhat.com>
	<CAP0XCm7afaP89OLxbNrjczme+VPVRAXg9KPjOYVX+nGzzi22gA@mail.gmail.com>
	<CAP0XCm5+hiN70NFmFa+Mayh3WWB4K=yjjyFArWz0psyJtEHBkw@mail.gmail.com>
Message-ID: <37400559-6de0-0f73-3e37-b8690470fc73@redhat.com>

I am seeing in your screenshot that you're using custom theme. Does it 
happen when you change the theme to the default 'Keycloak' theme?

Marek

On 20/06/17 00:06, Kyle Swensson wrote:
> Hello again,
>
> We realized that we had installed Keycloak 3.1 incorrectly when we 
> were trying it out before, so we re-installed keycloak 3.1.0 and 
> actually found that it fixed our issue as well, in fact it works 
> substantially better than the master build and has totally different 
> behavior. in 3.1.0, If we login to the Keycloak admin console while 
> logged into a user application, then refresh the user application we 
> are just logged out of the user application, and nothing else happens, 
> which is exactly what we were looking for, so that's great! We did run 
> into a bit of a weird inconsistency on the 3.1.0 build though. We 
> found that even though logging into the master realm admin console 
> logs someone using the user application out, the user can log back 
> into the user application while the admin console is still in use, and 
> nothing happens, and users can use both the master realm keycloak 
> admin console and the user application simultaneously on the same 
> browser while logged into different users. This isn't really a big 
> problem, but we were just curious if this is expected behavior, or if 
> there may be some easy way to make the behavior more consistent.
>
> Thanks,
> Kyle
>
> On Mon, Jun 19, 2017 at 1:25 PM, Kyle Swensson 
> <kyle.swensson at tasktop.com <mailto:kyle.swensson at tasktop.com>> wrote:
>
>     Hi Marek,
>
>     Fortunately, installing the master keycloak build did actually
>     solve the problem, so thank you for that suggestion! When we log
>     into the master realm admin console while logged into the user
>     application, and then refresh the page on the user application, we
>     get a page saying "Unexpected error when handling authentication
>     request to identity provider", which is what we want to happen.
>     Unfortunately, there is now a new problem, because once we get to
>     this error page we continue to get this error page no matter what
>     when attempting to access the user application until we delete all
>     of our cookies, even closing the browser window doesn't help. When
>     this happens it will also sometimes attempt to kick us out of the
>     keycloak master realm admin console, but it doesn't do it
>     consistently. I have attached a picture of the error page I am
>     seeing. Do you know if there is any way that we could make this
>     error page stop showing up once the user who logged into the
>     keycloak master realm admin console logs out?
>
>     Thanks,
>     Kyle
>
>     On Fri, Jun 16, 2017 at 1:58 AM, Marek Posolda
>     <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>
>         On 15/06/17 19:29, Kyle Swensson wrote:
>>         Hi,
>>
>>         We have set up a user client on a seperate realm that is not
>>         master that all users for that realm can access, which is
>>         where we have our user application and we have also set up an
>>         additional client for a user administration console on that
>>         (non-master) realm. However, the problem occurs when we log
>>         into the user client on the non-master realm at the same time
>>         as we log into the default admin console on the master realm,
>>         so our problem involes 2 seperate realms.
>>
>>         The latest Keycloak master is Keycloak 3.10.Final right? I
>>         have tried upgrading to that, and the issue was still occurring.
>         Latest Keycloak master is here:
>         https://github.com/keycloak/keycloak
>         <https://github.com/keycloak/keycloak>
>
>         You would need to checkout it, build manually SNAPSHOT and
>         then test. Some notes are here:
>         https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md
>         <https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md>
>
>         There are some changes in latest master, which might be
>         related, but TBH I didn't ever see the behaviour you
>         described, so hard to predict if it helps or not.
>
>         Marek
>
>>
>>         Thanks,
>>         Kyle
>>
>>         On Thu, Jun 15, 2017 at 12:10 AM, Marek Posolda
>>         <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>>             Hi,
>>
>>             I guess you're using same realm 'master' for both your
>>             application and admin console. Can you try to use
>>             different realm for your application and see if it helps?
>>             Also can you try to upgrade to latest Keycloak master and
>>             see if it helps?
>>
>>             Marek
>>
>>
>>             On 14/06/17 01:56, Kyle Swensson wrote:
>>
>>                 Hello,
>>
>>
>>                 (I have asked this question before to no avail, but
>>                 the wording was poor so
>>                 I want to rephrase it in hopes of getting more help)
>>
>>                 I am having an issue with conflicting logins from a
>>                 user application and
>>                 the keycloak admin console
>>
>>                 The issue arises when I authenticate on my user
>>                 application as a basic
>>                 user, using Tomcat. Then, I navigate to the Keycloak
>>                 Admin Console login
>>                 page on a different window. Despite being logged in
>>                 as a basic user on my
>>                 user application, I am still shown the empty login
>>                 page for the keycloak
>>                 admin console. After navigating to the Keycloak admin
>>                 console login page,
>>                 my session on my user application becomes broken, and
>>                 I'm not sure why. At
>>                 this point if I refresh the page containing my
>>                 application I will find a
>>                 403 error in my console, however I can still access
>>                 everything in my user
>>                 application normally. Additionally, for some reason I
>>                 can no longer log out
>>                 from my session like i normally would (by hitting the
>>                 authorization
>>                 endpoint), when I try to log out nothing happens. The
>>                 only way that I can
>>                 get it out of this permanently logged in state is by
>>                 going to "account" and
>>                 manually ending all of the sessions for my user. It
>>                 may be worth noting
>>                 that I can also still log in to the admin console
>>                 with a different user,
>>                 and use the admin console as normal while this is
>>                 happening. If I log onto
>>                 the admin console while this is happening and look at
>>                 all of the active
>>                 sessions, I can see that there is indeed still an
>>                 active session for the
>>                 basic user using the user application. I assume that
>>                 is the root of the
>>                 problem, but I'm not sure what's causing this to happen.
>>
>>                 Setting the "Revoke Refresh Token" option in the
>>                 keycloak admin console to
>>                 ON does prevent this from happening, however it also
>>                 makes the rest of my
>>                 application become very buggy and slow so leaving
>>                 that on isn't really a
>>                 viable option.
>>
>>                 I'm wondering if this might be an actual bug with
>>                 Keycloak, or if this is
>>                 just being caused by some configuration error on my
>>                 side. I am currently
>>                 using Keycloak 2.3 for my application, but I have
>>                 tried temporarily
>>                 upgrading to Keycloak 3.1 and that didn't help the issue.
>>                 _______________________________________________
>>                 keycloak-user mailing list
>>                 keycloak-user at lists.jboss.org
>>                 <mailto:keycloak-user at lists.jboss.org>
>>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
>>                 <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
>>
>>
>>
>>
>>
>>         -- 
>>
>>
>
>
>
>
>     -- 
>
>
>
>


From mposolda at redhat.com  Tue Jun 20 05:55:38 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Jun 2017 11:55:38 +0200
Subject: [keycloak-user] How to handle multivalued custom attributes in
 account client?
In-Reply-To: <FE406DFE-7478-4398-B366-03B39990EC47@info.nl>
References: <FE406DFE-7478-4398-B366-03B39990EC47@info.nl>
Message-ID: <48d6088d-0f19-7fcd-c661-f3e37425886f@redhat.com>

We have JIRA open for Profile SPI, which among other things, will 
hopefully provide support for proper handling of multivalued attributes. 
There is a plan to add it in Keycloak 3.X.

Marek

On 19/06/17 11:44, Federico Navarro Polo - Info.nl wrote:
> Hello,
>
> I?m facing a scenario where I have defined a custom attribute as multivalued. It works all fine using the REST admin API, and while in the Keycloak admin console is displayed as a ?##? separated string, it?s also functional in terms of displaying/editing the values.
>
> However, when it comes to adding the attribute to the account client, it apparently only shows the first element of the attribute, and I get the following log trace:
>
>>>> [org.keycloak.forms.account.freemarker.model.AccountBean] (default task-41) There are more values for attribute 'additionalProductIds' of user 'somebody at somewhere.com' . Will display just first value
> Am I overlooking some configuration to enable the handling of multivalued custom attributes?
>
>
>
>
> Met vriendelijke groet,
>
> Federico Navarro
>
> backend developer
>
> federico at info.nl<mailto:federico at info.nl>  |  LinkedIn<http://www.linkedin.com/in/jasperleferink>  |  +31 (0)2 05 30 91 61<tel:+31205309161>
>
> info.nl<http://www.info.nl/>
>
> Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100<tel:+31205309100>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From moon3854 at yandex.ru  Tue Jun 20 08:18:36 2017
From: moon3854 at yandex.ru (=?utf-8?B?0JrQvtGA0YfQtdC80LrQuNC9INCU0LzQuNGC0YDQuNC5?=)
Date: Tue, 20 Jun 2017 15:18:36 +0300
Subject: [keycloak-user] How to disable user roles updates with subsequent
	idp logins?
Message-ID: <53821497961116@web15m.yandex.ru>

Hello,

I have a following scenario: user logs in for the first time from AD FS. There is a mapper in place that assigns him a role. He is then assigned some more roles manually. When he logs in second time, all the roles added by hand are being removed.

I've tried looking for something to disable this on keycloak side, but i don't see anything relevant in documentation. Unfortunately, i don't have access to that particular AD FS. Is there a way to stop this overriding on Keycloak side, or is assigning all roles by mappers the only way?

Best regards,
Dmitry

From marc.jadoul at auth-o-matic.com  Tue Jun 20 08:13:45 2017
From: marc.jadoul at auth-o-matic.com (Marc Jadoul)
Date: Tue, 20 Jun 2017 14:13:45 +0200
Subject: [keycloak-user] IDP Broker (SAML) - add LDAP attributes from
	ReadOnly LDAP.
Message-ID: <CAM4OLyTszZAuWB3oNnq16h74DrNe=zqA4dHam8d9vHiTMz3qBw@mail.gmail.com>

Hello,

I am trying to configure RH SSO 7.0 (available as container in Openshift
V3.2), to obtain attributes and roles from a read-only LDAP.
User are authenticated using SAML, but applications do need additional
attributes.
The LDAP server has those attributes but do not provide user
authentication, which is provided by Kerberos or SAML.

Kerberos + LDAP is not really an option as it authenticate only a part of
the users of the organization while SAML + LDAP could works for all.

I found a couple of related issues:
https://issues.jboss.org/browse/KEYCLOAK-4171

But solutions proposed does not work for me.... May be because my LDAP does
not allows authentication?

I get this error:
09:13:07,510 WARN  [org.keycloak.events] (default task-320)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
http://testapp.example.corp/mellon/metadata, userId=null,
ipAddress=10.0.0.20, error=invalid_user_credentials,
identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
http://testapp.example.corp/mellon/postResponse,
identity_provider_identity=testuser,
code_id=...

Or this one (if in first login I allows user re-authentication) but then I
am prompted for a password which fail authenticating as the LDAP does not
know my password.
09:13:07,510 WARN  [org.keycloak.events] (default task-320)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
http://testapp.example.corp/mellon/metadata,
userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2,
ipAddress=10.0.0.20, error=invalid_user_credentials,
identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
http://testapp.example.corp/mellon/postResponse,
identity_provider_identity=testuser,
code_id=...

Is there a solution out of the box for my use case? Adding additional
information about users from an ldap connection, read-only and without
re-authentication?


Regards,

Marc

From adam.lis at gmail.com  Tue Jun 20 08:24:38 2017
From: adam.lis at gmail.com (Adam Lis)
Date: Tue, 20 Jun 2017 14:24:38 +0200
Subject: [keycloak-user] clientSecret passing upon Client creation
Message-ID: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>

Hi!

I've tried to search for this information in documentation, but not
succeeded.

Let's assume I'm using keycloak docker container.

Inside running instance I'm willing to add new Client like this:

/opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
FILE_CONTAINING_DEFINITION.json -i

So I'm getting actual contents of JSON file for example by exporting
existing Client (since I see no example in documentation as well)

But in the export software is not setting 'secret' value in case
'clientAuthenticatorType' is set to 'client-secret'.

I've anyway tried to add 'secret' field to JSON and it has been accepted by
Keycloak - so Keycloak has created Client with ClientSecret value passed by
JSON file in field named 'secret'.

My question and concern is: does this functionality (setting desired
ClientSecret on Client creation from JSON) work intended way? Can I base my
whole Realm/Client creation solution on that functionality?

A little background: I'm willing to run Keycloak deployment with docker
container as part of configuration management - so I'm storing Realm and
Client data in outside storage and I'm willing to pass these configuration
pieces into newly started Keycloak inside docker container.

Thanks;
AdamLis;

From bburke at redhat.com  Tue Jun 20 09:11:54 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 20 Jun 2017 09:11:54 -0400
Subject: [keycloak-user] How to disable user roles updates with
 subsequent idp logins?
In-Reply-To: <53821497961116@web15m.yandex.ru>
References: <53821497961116@web15m.yandex.ru>
Message-ID: <761c2691-39d3-da74-4da8-53c3ae47664f@redhat.com>

How are you using our ldap adapter?  is "Import Enabled" true or false?  
If it is false then Keycloak will not store role mappings if there are 
no ldap mapping for it.


On 6/20/17 8:18 AM, ????????? ??????? wrote:
> Hello,
>
> I have a following scenario: user logs in for the first time from AD FS. There is a mapper in place that assigns him a role. He is then assigned some more roles manually. When he logs in second time, all the roles added by hand are being removed.
>
> I've tried looking for something to disable this on keycloak side, but i don't see anything relevant in documentation. Unfortunately, i don't have access to that particular AD FS. Is there a way to stop this overriding on Keycloak side, or is assigning all roles by mappers the only way?
>
> Best regards,
> Dmitry
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From kedward777 at gmail.com  Tue Jun 20 09:29:58 2017
From: kedward777 at gmail.com (ken edward)
Date: Tue, 20 Jun 2017 09:29:58 -0400
Subject: [keycloak-user] Does keycloak tomcat valve need connectivity to IDP?
Message-ID: <CAAqgmoO8TAX9My3xOA4MEPxHrfDBaFnZ8qsO4h+r2A+ciH3x7g@mail.gmail.com>

Hello,

Does the keycloak tomcat saml valve need connectivity to the IDP (in
my case ADFS)? Or does is only the client browser connecting to the
IDP via redirects from the tomcat server?

Ken

From mstrukel at redhat.com  Tue Jun 20 10:17:14 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 20 Jun 2017 16:17:14 +0200
Subject: [keycloak-user] clientSecret passing upon Client creation
In-Reply-To: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>
References: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>
Message-ID: <CA+1OW+h9DpLGzc0mziPGT6bh49U2TWDsVOCz87hAt4mA34MrUA@mail.gmail.com>

You can find doumentation for kcadm.sh at:
https://keycloak.gitbooks.io/documentation/server_admin/topics/admin-cli.html

Maybe for your usecase you might also want to use kcreg.sh, documentation
for which you can find at:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/client-registration/client-registration-cli.html

kcreg.sh is meant for use by application developers to self-provision
clients in order to integrate their apps with a Keycloak Server.

There is also a boot time import functionality which you can use to import
the whole realm:
https://keycloak.gitbooks.io/documentation/server_admin/topics/export-import.html

As to your question whether you can base realm / client creation on
Keycloak's export / import functionality or CLI tools the answer is - yes,
that's the idea. If you can't achieve something basic and obvious then the
tools have to be improved.

If you can be more specific what you are trying to achieve and what exactly
you do, then I can give you more specific advice.

Also, if you can be more specific what you were not able to find in the
documentation, we can add it or make it easier to find.

On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis at gmail.com> wrote:

> Hi!
>
> I've tried to search for this information in documentation, but not
> succeeded.
>
> Let's assume I'm using keycloak docker container.
>
> Inside running instance I'm willing to add new Client like this:
>
> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
> FILE_CONTAINING_DEFINITION.json -i
>
> So I'm getting actual contents of JSON file for example by exporting
> existing Client (since I see no example in documentation as well)
>
> But in the export software is not setting 'secret' value in case
> 'clientAuthenticatorType' is set to 'client-secret'.
>
> I've anyway tried to add 'secret' field to JSON and it has been accepted by
> Keycloak - so Keycloak has created Client with ClientSecret value passed by
> JSON file in field named 'secret'.
>
> My question and concern is: does this functionality (setting desired
> ClientSecret on Client creation from JSON) work intended way? Can I base my
> whole Realm/Client creation solution on that functionality?
>
> A little background: I'm willing to run Keycloak deployment with docker
> container as part of configuration management - so I'm storing Realm and
> Client data in outside storage and I'm willing to pass these configuration
> pieces into newly started Keycloak inside docker container.
>
> Thanks;
> AdamLis;
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From adam.lis at gmail.com  Tue Jun 20 11:07:20 2017
From: adam.lis at gmail.com (Adam Lis)
Date: Tue, 20 Jun 2017 17:07:20 +0200
Subject: [keycloak-user] clientSecret passing upon Client creation
In-Reply-To: <CA+1OW+h9DpLGzc0mziPGT6bh49U2TWDsVOCz87hAt4mA34MrUA@mail.gmail.com>
References: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>
	<CA+1OW+h9DpLGzc0mziPGT6bh49U2TWDsVOCz87hAt4mA34MrUA@mail.gmail.com>
Message-ID: <CAGsjquzBiLPXTM7v=n5OZEHt6hchLiXvtqoZWXJ_+-yaB1Z8Kw@mail.gmail.com>

Hi!

Thanks for response.

Re what I'd like to achieve: I'd like to give some people pair
Client/ClientSecret so they could use my Keycloak instance. Since this
instance gets recreated using config management utility very often (e.g. 5
times a day), I need a functionality to be able to specify ClientSecret
when "provisioning" Keycloak instance.

So for my needs - export-import is not good solution - since my server is
started using standalone.sh script as PID=1 inside docker container. Also
it would be hard to execute Export in my case, since docker container
shutdown is also done by config management system - and I'd need to start
standalone.sh again with export set. BTW: when export/import is involved by
migration.action - it seems strange that main server thread is also
starting.

So I've read
https://keycloak.gitbooks.io/documentation/server_admin/topics/admin-cli.html
and
https://keycloak.gitbooks.io/documentation/securing_apps/topics/client-registration/client-registration-cli.html

In above documents there is describes process of e.g. defining new Clients.
But it does not answer my question at all.

So maybe once again my question: >>> Is specifying 'secret' parameter into
JSON creating new Client using e.g. "kcadm.sh create clients -r REALM_NAME
-f JSON_FILE.json -i" proper and supported way of passing ClientSecret
value to newly created Client? <<<

AdamLis;


2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:

> You can find doumentation for kcadm.sh at: https://keycloak.gitbooks.
> io/documentation/server_admin/topics/admin-cli.html
>
> Maybe for your usecase you might also want to use kcreg.sh, documentation
> for which you can find at: https://keycloak.gitbooks.
> io/documentation/securing_apps/topics/client-registration/client-
> registration-cli.html
>
> kcreg.sh is meant for use by application developers to self-provision
> clients in order to integrate their apps with a Keycloak Server.
>
> There is also a boot time import functionality which you can use to import
> the whole realm: https://keycloak.gitbooks.io/documentation/
> server_admin/topics/export-import.html
>
> As to your question whether you can base realm / client creation on
> Keycloak's export / import functionality or CLI tools the answer is - yes,
> that's the idea. If you can't achieve something basic and obvious then the
> tools have to be improved.
>
> If you can be more specific what you are trying to achieve and what
> exactly you do, then I can give you more specific advice.
>
> Also, if you can be more specific what you were not able to find in the
> documentation, we can add it or make it easier to find.
>
> On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis at gmail.com> wrote:
>
>> Hi!
>>
>> I've tried to search for this information in documentation, but not
>> succeeded.
>>
>> Let's assume I'm using keycloak docker container.
>>
>> Inside running instance I'm willing to add new Client like this:
>>
>> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
>> FILE_CONTAINING_DEFINITION.json -i
>>
>> So I'm getting actual contents of JSON file for example by exporting
>> existing Client (since I see no example in documentation as well)
>>
>> But in the export software is not setting 'secret' value in case
>> 'clientAuthenticatorType' is set to 'client-secret'.
>>
>> I've anyway tried to add 'secret' field to JSON and it has been accepted
>> by
>> Keycloak - so Keycloak has created Client with ClientSecret value passed
>> by
>> JSON file in field named 'secret'.
>>
>> My question and concern is: does this functionality (setting desired
>> ClientSecret on Client creation from JSON) work intended way? Can I base
>> my
>> whole Realm/Client creation solution on that functionality?
>>
>> A little background: I'm willing to run Keycloak deployment with docker
>> container as part of configuration management - so I'm storing Realm and
>> Client data in outside storage and I'm willing to pass these configuration
>> pieces into newly started Keycloak inside docker container.
>>
>> Thanks;
>> AdamLis;
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From moon3854 at yandex.ru  Tue Jun 20 12:48:54 2017
From: moon3854 at yandex.ru (=?utf-8?B?0JrQvtGA0YfQtdC80LrQuNC9INCU0LzQuNGC0YDQuNC5?=)
Date: Tue, 20 Jun 2017 19:48:54 +0300
Subject: [keycloak-user] How to disable user roles updates with
	subsequent idp logins?
In-Reply-To: <761c2691-39d3-da74-4da8-53c3ae47664f@redhat.com>
References: <53821497961116@web15m.yandex.ru>
	<761c2691-39d3-da74-4da8-53c3ae47664f@redhat.com>
Message-ID: <66121497977334@web23j.yandex.ru>

Ldap provider on User Federation tab is not being used at all. We do not propagate changes made to AD users on keycloak back to AD, they come from different domain and roles configured on keycloak do not even exist there.
>From you questions i assume that Keycloak does indeed re-write user data on each login through a broker?

20.06.2017, 16:31, "Bill Burke" <bburke at redhat.com>:
> How are you using our ldap adapter? is "Import Enabled" true or false?
> If it is false then Keycloak will not store role mappings if there are
> no ldap mapping for it.
>
> On 6/20/17 8:18 AM, ????????? ??????? wrote:
>> ?Hello,
>>
>> ?I have a following scenario: user logs in for the first time from AD FS. There is a mapper in place that assigns him a role. He is then assigned some more roles manually. When he logs in second time, all the roles added by hand are being removed.
>>
>> ?I've tried looking for something to disable this on keycloak side, but i don't see anything relevant in documentation. Unfortunately, i don't have access to that particular AD FS. Is there a way to stop this overriding on Keycloak side, or is assigning all roles by mappers the only way?
>>
>> ?Best regards,
>> ?Dmitry
>> ?_______________________________________________
>> ?keycloak-user mailing list
>> ?keycloak-user at lists.jboss.org
>> ?https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From carrbrpoa at gmail.com  Tue Jun 20 15:30:08 2017
From: carrbrpoa at gmail.com (=?UTF-8?Q?C=C3=A9sar_Augusto_Ribeiro?=)
Date: Tue, 20 Jun 2017 16:30:08 -0300
Subject: [keycloak-user] Keycloak use-case with Android and custom API
Message-ID: <CAJVncubAn=o7oVFtmN-g=DOEd8nq1_Db6fRwTO1i9c47Lp3MWg@mail.gmail.com>

Hello,

I have an APP (Android + NativeScript) and a custom NodeJS API that serves
it.My idea is to let my API handle any authentication/authorization stuff
through Keycloak - with keycloak-nodejs-connect.
So we could have the following flow:
- APP sends user and pass to this custom API;- API calls Keycloak to
authenticate the user with data provided (/token, scope='offline_access' -
to a public Keycloak client);- Keycloak returns a token to the API;- API
returns the access token to the app, which holds it to be used in
subsequent calls (Authorization Bearer ... header).
In my tests through HTTP clients, simulating the flow I would have in the
real case, I get HTTP Status 403 - Forbidden after token expiration.
I have the impression that the refreshing of the token should be
automatically done, but that doesn't seems to be happening.
Small pieces of code:


    app.use(session({        secret: '...',        resave: false,
saveUninitialized: true,        store: memoryStore,    }));
        var keycloak = new Keycloak({        store: memoryStore,
scope: 'offline_access'    }, 'keycloak.json');
app.use(keycloak.middleware());
        app.post('/login', function (req, res) {
keycloak.grantManager.obtainDirectly('USER', 'PASS').then(grant => {
     keycloak.storeGrant(grant, req, res);             ...         }, error
=> {             ...         });    });
        app.get('/someProtectedEndpoint', keycloak.protect(), function
(req, res, next) {    ...    });

Do you see anything wrong in this use-case? Maybe I also need to store the
refresh token in the client and use it to somehow force token refresh?
Maybe it's not a good auth flow at all?

For who wants some SO points: https://stackoverflow.com/q/44656168/643416

Thanks in advance!

From Marcin.Wieloch at sicpa.com  Wed Jun 21 02:22:35 2017
From: Marcin.Wieloch at sicpa.com (Wieloch, Marcin)
Date: Wed, 21 Jun 2017 06:22:35 +0000
Subject: [keycloak-user] A bug in the Brute Force Detection mechanism?
Message-ID: <D56FDD4B.93A9%marcin.wieloch@sicpa.com>

Hi,

One day I was looking for a workaround for a lacking feature (KEYCLOAK-4204),
and I have encountered a problem with Brute Force Detection mechanism.
For some specific settings (e.g., MaxLoginFailures = 3, WaitIncrement = 24855 days,
Max Wait = 24855 days, FailureResetTime = 24855 days) the mechanism does not work,
i.e., I am still able to login after 3 (or more) failed login attempts.

I think it is caused by integer overflows happening
in lines 121 and 133 of DefaultBruteForceProtector (v. 3.1.0.Final).

Could you please confirm this is a bug? I would then create an issue in your JIRA.

Best regards,
Marcin



The information in this email and any attachments is confidential and intended solely for the use of the individual(s) to whom it is addressed or otherwise directed.
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company.
Finally, the recipient should check this email and any attachments for the presence of viruses.
The Company accepts no liability for any damage caused by any virus transmitted by this email.


From tomas at intrahouse.com  Wed Jun 21 03:09:39 2017
From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=)
Date: Wed, 21 Jun 2017 07:09:39 +0000
Subject: [keycloak-user] Development help
In-Reply-To: <CALgk1PJYd5UTeL9BPfG0hEp7QK6oHn0eiYPXKPx6fYBnGjkn7A@mail.gmail.com>
References: <CALgk1PLZbDvC+do6CQK2dpnBTpxFR-NbOcmrQk7Hb0Z6Ug74pg@mail.gmail.com>
	<CALgk1PJYd5UTeL9BPfG0hEp7QK6oHn0eiYPXKPx6fYBnGjkn7A@mail.gmail.com>
Message-ID: <CALgk1PKwrfypDVqfkDw7ut6p65f_3rWOy29002+0N3_5ps6bQg@mail.gmail.com>

Well, I've found that even a user search requires an on-going
transaction... so committing the transaction must be the last thing you do
in a REST endpoint, or those read-only operations cannot be done. That
fixed my problem.

On Thu, Jun 15, 2017 at 1:17 PM Tom?s Garc?a <tomas at intrahouse.com> wrote:

> I've found a way to fix my problem... I just create a new session and
> start a transaction for every API request to that endpoint:
>
> this.session = KeycloakApplication.createSessionFactory().create();
> this.session.getTransactionManager().begin();
>
> At the end of the endpoint I commit and close this generated session.
>
>  This looks so wrong... now the endpoint is way slower and the log is full
> of those warning due to using internal SPIs. Any clue about a better
> alternative or how to fix my original problem? If this things happen when
> programming SPIs and developers don't have a guideline about how to use
> Keycloak's transaction model, it will make developers life harder.
>
> Thanks.
>
> On Fri, Jun 9, 2017 at 10:25 AM Tom?s Garc?a <tomas at intrahouse.com> wrote:
>
>> Hi,
>>
>> I've developed an API service for Keycloak. It's a bit complex algorithm
>> where the clientSession needs to be recovered later if something happens,
>> so I put a note in the style of HMAC + Session ID as Keycloak does in other
>> places and then next, when the algorithm needs to continue in the following
>> request to the same endpoint, I recover the session. Inside the API
>> service, I'm adding users so I have to commit the transaction just in case
>> a ModelDuplicateException happens, as I've seen in other places of
>> Keycloak's code.
>>
>> So I'm receiving this exception when I recover the client session from
>> the note (note: a user was added and committed previously). I've tried to
>> start a new transaction after committing, but yet I still get the same
>> exception.
>>
>> Any help or ideas will be welcome. Thanks.
>>
>> 09:06:48,748 ERROR [io.undertow.request] (default task-5) UT005023:
>> Exception handling request to /auth/realms/test/testApi/speciallogin
>> : org.jboss.resteasy.spi.UnhandledException:
>> java.lang.IllegalStateException: Cannot access delegate without a
>> transaction
>>         at
>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>         at
>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>         at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>         at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>         at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>         at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>         at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>         at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>         at
>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>         at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>         at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>         at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>         at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>         at
>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>         at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>         at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.ja
>> va:64)
>>         at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>         at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>         at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>         at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:4
>> 3)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>         at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>         at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>         at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.lang.IllegalStateException: Cannot access delegate
>> without a transaction
>>         at
>> org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:97)
>>         at
>> org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:182)
>>         at
>> org.keycloak.models.sessions.infinispan.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:282)
>>         at
>> org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:794)
>>         at
>> com.test.keycloak.api.services.specialLogin(TestAPIService.java:157)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>         at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>         at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>         ... 37 more
>>
>>

From hmlnarik at redhat.com  Wed Jun 21 03:29:45 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 21 Jun 2017 09:29:45 +0200
Subject: [keycloak-user] Does keycloak tomcat valve need connectivity to
 IDP?
In-Reply-To: <CAAqgmoO8TAX9My3xOA4MEPxHrfDBaFnZ8qsO4h+r2A+ciH3x7g@mail.gmail.com>
References: <CAAqgmoO8TAX9My3xOA4MEPxHrfDBaFnZ8qsO4h+r2A+ciH3x7g@mail.gmail.com>
Message-ID: <25656aba-dcd5-e0c6-6486-fbb9b244ee69@redhat.com>

Only the browser. However if you are going to issue backchannel requests from AD FS to tomcat, the two would have to have connectivity too.

--Hynek

On 06/20/2017 03:29 PM, ken edward wrote:
> Hello,
> 
> Does the keycloak tomcat saml valve need connectivity to the IDP (in
> my case ADFS)? Or does is only the client browser connecting to the
> IDP via redirects from the tomcat server?
> 
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 

From mposolda at redhat.com  Wed Jun 21 04:04:35 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 21 Jun 2017 10:04:35 +0200
Subject: [keycloak-user] IDP Broker (SAML) - add LDAP attributes from
 ReadOnly LDAP.
In-Reply-To: <CAM4OLyTszZAuWB3oNnq16h74DrNe=zqA4dHam8d9vHiTMz3qBw@mail.gmail.com>
References: <CAM4OLyTszZAuWB3oNnq16h74DrNe=zqA4dHam8d9vHiTMz3qBw@mail.gmail.com>
Message-ID: <96b12935-d4d0-814f-ff30-db50e03ea350@redhat.com>

We don't have OOTB support for this usecase. AFAIK JIRAs still exists to 
improve this.

You may need to create new Authenticator implementation and add it to 
first broker login flow, which will automatically ends with "success" in 
case that existing user is a user from your LDAP.

Marek

On 20/06/17 14:13, Marc Jadoul wrote:
> Hello,
>
> I am trying to configure RH SSO 7.0 (available as container in Openshift
> V3.2), to obtain attributes and roles from a read-only LDAP.
> User are authenticated using SAML, but applications do need additional
> attributes.
> The LDAP server has those attributes but do not provide user
> authentication, which is provided by Kerberos or SAML.
>
> Kerberos + LDAP is not really an option as it authenticate only a part of
> the users of the organization while SAML + LDAP could works for all.
>
> I found a couple of related issues:
> https://issues.jboss.org/browse/KEYCLOAK-4171
>
> But solutions proposed does not work for me.... May be because my LDAP does
> not allows authentication?
>
> I get this error:
> 09:13:07,510 WARN  [org.keycloak.events] (default task-320)
> type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
> http://testapp.example.corp/mellon/metadata, userId=null,
> ipAddress=10.0.0.20, error=invalid_user_credentials,
> identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
> http://testapp.example.corp/mellon/postResponse,
> identity_provider_identity=testuser,
> code_id=...
>
> Or this one (if in first login I allows user re-authentication) but then I
> am prompted for a password which fail authenticating as the LDAP does not
> know my password.
> 09:13:07,510 WARN  [org.keycloak.events] (default task-320)
> type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
> http://testapp.example.corp/mellon/metadata,
> userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2,
> ipAddress=10.0.0.20, error=invalid_user_credentials,
> identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
> http://testapp.example.corp/mellon/postResponse,
> identity_provider_identity=testuser,
> code_id=...
>
> Is there a solution out of the box for my use case? Adding additional
> information about users from an ldap connection, read-only and without
> re-authentication?
>
>
> Regards,
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From thomas.goettlich at it-informatik.de  Wed Jun 21 07:14:24 2017
From: thomas.goettlich at it-informatik.de (=?iso-8859-1?Q?G=F6ttlich=2C_Thomas?=)
Date: Wed, 21 Jun 2017 11:14:24 +0000
Subject: [keycloak-user] Refesh token error
Message-ID: <01245f2f17b04c18b31e4ee9f4542a12@SRV-ESX-MAIL2.itulm.lan>

Hi there,

we're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling.

It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error:


-          Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}

-          Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

So far I could verify that the refresh token is not null so it seems to either be invalid or the request is faulty.

For testing purposes we have set the following timeouts:


-          SSO session idle: 1 minute

-          SSO session max: 10 hours

-          Access token lifespan: 1 minute

-          Access token lifespan for implicit flow: 1 minute

The client has the following settings:


-          Only standard flow enabled

-          Access type: confidential

-          Client protocol: openid-connect

Any idea what could cause that error or where we should look at?

Thanks in advance,

Thomas

From thomas.goettlich at it-informatik.de  Wed Jun 21 08:28:31 2017
From: thomas.goettlich at it-informatik.de (=?iso-8859-1?Q?G=F6ttlich=2C_Thomas?=)
Date: Wed, 21 Jun 2017 12:28:31 +0000
Subject: [keycloak-user] Refesh token error
In-Reply-To: <01245f2f17b04c18b31e4ee9f4542a12@SRV-ESX-MAIL2.itulm.lan>
References: <01245f2f17b04c18b31e4ee9f4542a12@SRV-ESX-MAIL2.itulm.lan>
Message-ID: <13eeca59ad86429fa58f1c73d715c9a1@SRV-ESX-MAIL2.itulm.lan>

Never mind, I found the problem (at least I think I did):

-          SSO session idle: 1 minute
-          Access token lifespan: 1 minute

When the access token has timed out and the application needs to refresh it the sso session has also timed out already, hence the error.
Setting SSO session idle to 2 minutes or more fixes the issue.

Mit freundlichen Gr??en 

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH 
Magirus-Deutz-Stra?e 17, 89077 Ulm 
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de 
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662 
Sitz der Gesellschaft: Ulm 
USt-IdNr.: DE 145567338 
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele

-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von G?ttlich, Thomas
Gesendet: Mittwoch, 21. Juni 2017 13:14
An: keycloak-user at lists.jboss.org
Betreff: [keycloak-user] Refesh token error

Hi there,

we're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling.

It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error:


-          Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}

-          Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

So far I could verify that the refresh token is not null so it seems to either be invalid or the request is faulty.

For testing purposes we have set the following timeouts:


-          SSO session idle: 1 minute

-          SSO session max: 10 hours

-          Access token lifespan: 1 minute

-          Access token lifespan for implicit flow: 1 minute

The client has the following settings:


-          Only standard flow enabled

-          Access type: confidential

-          Client protocol: openid-connect

Any idea what could cause that error or where we should look at?

Thanks in advance,

Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From thomas.darimont at googlemail.com  Wed Jun 21 09:13:31 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 21 Jun 2017 15:13:31 +0200
Subject: [keycloak-user] Refesh token error
In-Reply-To: <CAK-7U1j3TLQVLUjsSKXz6AQq9WkFFVDFLvos1s-Mjw1_mMA+mw@mail.gmail.com>
References: <01245f2f17b04c18b31e4ee9f4542a12@SRV-ESX-MAIL2.itulm.lan>
	<13eeca59ad86429fa58f1c73d715c9a1@SRV-ESX-MAIL2.itulm.lan>
	<CAK-7U1ggWMmaYvMVa4e5WS09wZf_C1SQpyUth9OvAtPd-k4UZA@mail.gmail.com>
	<CAK-7U1j3TLQVLUjsSKXz6AQq9WkFFVDFLvos1s-Mjw1_mMA+mw@mail.gmail.com>
Message-ID: <CAK-7U1iTW5Qgm=KJDQemYfWaSY6uJBEFSmR=Ddxp_OHmG7hFmw@mail.gmail.com>

Hi Thomas,

Great you figured this out.

Would you mind elaborating a bit about  what you did with respect to
session fixation prevention?

Cheers,
Thomas


Am 21.06.2017 2:55 nachm. schrieb "G?ttlich, Thomas" <
thomas.goettlich at it-informatik.de>:

Never mind, I found the problem (at least I think I did):

-          SSO session idle: 1 minute
-          Access token lifespan: 1 minute

When the access token has timed out and the application needs to refresh it
the sso session has also timed out already, hence the error.
Setting SSO session idle to 2 minutes or more fixes the issue.

Mit freundlichen Gr??en

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Stra?e 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662
Sitz der Gesellschaft: Ulm
USt-IdNr.: DE 145567338
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele

-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
lists.jboss.org] Im Auftrag von G?ttlich, Thomas
Gesendet: Mittwoch, 21. Juni 2017 13:14
An: keycloak-user at lists.jboss.org
Betreff: [keycloak-user] Refesh token error

Hi there,

we're currently integrating two Java server applications via Keycloak and
use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded
from the database) as well as some adjustments on session fixation
prevention and login redirect handling.

It works well so far, with one exception: when the access token times out
and needs to be refreshed, we get the following error:


-          Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext]
Refresh token failure status: 400
{"error":"invalid_grant","error_description":"Refresh
token expired"}

-          Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR,
realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1,
error=invalid_token, grant_type=refresh_token, client_auth_method=client-
secret

So far I could verify that the refresh token is not null so it seems to
either be invalid or the request is faulty.

For testing purposes we have set the following timeouts:


-          SSO session idle: 1 minute

-          SSO session max: 10 hours

-          Access token lifespan: 1 minute

-          Access token lifespan for implicit flow: 1 minute

The client has the following settings:


-          Only standard flow enabled

-          Access type: confidential

-          Client protocol: openid-connect

Any idea what could cause that error or where we should look at?

Thanks in advance,

Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From marc.tempelmeier at flane.de  Wed Jun 21 09:35:56 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 21 Jun 2017 13:35:56 +0000
Subject: [keycloak-user] Unicast
Message-ID: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>

Hi,

does someone here use unicast instead of multicast to form a cluster?

If yes, I would be interested in the config :)

Best regards

Marc

From thomas.goettlich at it-informatik.de  Wed Jun 21 09:43:36 2017
From: thomas.goettlich at it-informatik.de (=?utf-8?B?R8O2dHRsaWNoLCBUaG9tYXM=?=)
Date: Wed, 21 Jun 2017 13:43:36 +0000
Subject: [keycloak-user] Refesh token error
In-Reply-To: <CAK-7U1iTW5Qgm=KJDQemYfWaSY6uJBEFSmR=Ddxp_OHmG7hFmw@mail.gmail.com>
References: <01245f2f17b04c18b31e4ee9f4542a12@SRV-ESX-MAIL2.itulm.lan>
	<13eeca59ad86429fa58f1c73d715c9a1@SRV-ESX-MAIL2.itulm.lan>
	<CAK-7U1ggWMmaYvMVa4e5WS09wZf_C1SQpyUth9OvAtPd-k4UZA@mail.gmail.com>
	<CAK-7U1j3TLQVLUjsSKXz6AQq9WkFFVDFLvos1s-Mjw1_mMA+mw@mail.gmail.com>
	<CAK-7U1iTW5Qgm=KJDQemYfWaSY6uJBEFSmR=Ddxp_OHmG7hFmw@mail.gmail.com>
Message-ID: <658af5af49354e65b9739be3974d9413@SRV-ESX-MAIL2.itulm.lan>

Hi,

I basically did what I described in this issue I posted: https://issues.jboss.org/browse/KEYCLOAK-4820
(I unfortunately didn?t have time to prepare the pull request as well as the test yet.)

The main part is extending FilterRequestAuthenticator and overwriting changeHttpSessionId() as follows:

protected String changeHttpSessionId( boolean pCreate )
  {
    HttpSession session = request.getSession( false );
    if( session != null )
    {
      session.invalidate();
    }

    return super.changeHttpSessionId( pCreate );
  }

To use the custom authenticator we then had to subclass KeycloakOIDCFilter and copy doFilter() along with a few other methods because the original doFilter() contains this line:

FilterRequestAuthenticator authenticator = new FilterRequestAuthenticator(deployment, tokenStore, facade, request, 8443);

In our copy of doFilter() we only changed that line to get an instance of our custom authenticator.


Mit freundlichen Gr??en

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de<mailto:thomas.goettlich at it-informatik.de>
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Stra?e 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de<http://www.it-informatik.de/>
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662
Sitz der Gesellschaft: Ulm
USt-IdNr.: DE 145567338
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele

Von: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
Gesendet: Mittwoch, 21. Juni 2017 15:14
An: G?ttlich, Thomas <thomas.goettlich at it-informatik.de>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Betreff: Re: [keycloak-user] Refesh token error

Hi Thomas,

Great you figured this out.

Would you mind elaborating a bit about  what you did with respect to session fixation prevention?

Cheers,
Thomas


Am 21.06.2017 2:55 nachm. schrieb "G?ttlich, Thomas" <thomas.goettlich at it-informatik.de<mailto:thomas.goettlich at it-informatik.de>>:
Never mind, I found the problem (at least I think I did):

-          SSO session idle: 1 minute
-          Access token lifespan: 1 minute
When the access token has timed out and the application needs to refresh it the sso session has also timed out already, hence the error.
Setting SSO session idle to 2 minutes or more fixes the issue.

Mit freundlichen Gr??en

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301<tel:%2B49%20%280%29731%20%2F%209%2035%2042%20-301>
thomas.goettlich at it-informatik.de<mailto:thomas.goettlich at it-informatik.de>
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Stra?e 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130<tel:%2B49%20%280%29731%20%2F%209%2035%2042%20-%20130>
www.it-informatik.de<http://www.it-informatik.de>
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662
Sitz der Gesellschaft: Ulm
USt-IdNr.: DE 145567338
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele

-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [mailto:keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>] Im Auftrag von G?ttlich, Thomas
Gesendet: Mittwoch, 21. Juni 2017 13:14
An: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Betreff: [keycloak-user] Refesh token error

Hi there,

we're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling.

It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error:


-          Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}

-          Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

So far I could verify that the refresh token is not null so it seems to either be invalid or the request is faulty.

For testing purposes we have set the following timeouts:


-          SSO session idle: 1 minute

-          SSO session max: 10 hours

-          Access token lifespan: 1 minute

-          Access token lifespan for implicit flow: 1 minute

The client has the following settings:


-          Only standard flow enabled

-          Access type: confidential

-          Client protocol: openid-connect

Any idea what could cause that error or where we should look at?

Thanks in advance,

Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user


From thomas.darimont at googlemail.com  Wed Jun 21 09:44:58 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 21 Jun 2017 13:44:58 +0000
Subject: [keycloak-user] Refesh token error
In-Reply-To: <658af5af49354e65b9739be3974d9413@SRV-ESX-MAIL2.itulm.lan>
References: <01245f2f17b04c18b31e4ee9f4542a12@SRV-ESX-MAIL2.itulm.lan>
	<13eeca59ad86429fa58f1c73d715c9a1@SRV-ESX-MAIL2.itulm.lan>
	<CAK-7U1ggWMmaYvMVa4e5WS09wZf_C1SQpyUth9OvAtPd-k4UZA@mail.gmail.com>
	<CAK-7U1j3TLQVLUjsSKXz6AQq9WkFFVDFLvos1s-Mjw1_mMA+mw@mail.gmail.com>
	<CAK-7U1iTW5Qgm=KJDQemYfWaSY6uJBEFSmR=Ddxp_OHmG7hFmw@mail.gmail.com>
	<658af5af49354e65b9739be3974d9413@SRV-ESX-MAIL2.itulm.lan>
Message-ID: <CAK-7U1i1k9v_XYehWgAoquJegBasZ=C+Ed2Mvm7Bm=1XcOwVsg@mail.gmail.com>

Great, thanks!

G?ttlich, Thomas <thomas.goettlich at it-informatik.de> schrieb am Mi., 21.
Juni 2017, 15:43:

> Hi,
>
>
>
> I basically did what I described in this issue I posted:
> https://issues.jboss.org/browse/KEYCLOAK-4820
>
> (I unfortunately didn?t have time to prepare the pull request as well as
> the test yet.)
>
>
>
> The main part is extending FilterRequestAuthenticator and overwriting
> changeHttpSessionId() as follows:
>
>
>
> *protected* String changeHttpSessionId( *boolean* pCreate )
>
>   {
>
>     HttpSession session = request.getSession( *false* );
>
>     *if*( session != *null* )
>
>     {
>
>       session.invalidate();
>
>     }
>
>
>
>     *return* *super*.changeHttpSessionId( pCreate );
>
>   }
>
>
>
> To use the custom authenticator we then had to subclass KeycloakOIDCFilter
> and copy doFilter() along with a few other methods because the original
> doFilter() contains this line:
>
>
>
> FilterRequestAuthenticator authenticator = new
> FilterRequestAuthenticator(deployment, tokenStore, facade, request, 8443);
>
>
>
> In our copy of doFilter() we only changed that line to get an instance of
> our custom authenticator.
>
>
>
>
>
> Mit freundlichen Gr??en
>
> i. A. Thomas G?ttlich
> -------------------------------------------------------------
> Entwicklung factor:plus
> +49 (0)731 / 9 35 42 -301
> thomas.goettlich at it-informatik.de
> -------------------------------------------------------------
> IT-Informatik GmbH
> Magirus-Deutz-Stra?e 17, 89077 Ulm
> Fax: +49 (0)731 / 9 35 42 - 130
> www.it-informatik.de
> -------------------------------------------------------------
> Amtsgericht Ulm: HRB 2662
> Sitz der Gesellschaft: Ulm
> USt-IdNr.: DE 145567338
> Gesch?ftsf?hrender Gesellschafter: G?nter N?gele
>
>
>
> *Von:* Thomas Darimont [mailto:thomas.darimont at googlemail.com]
> *Gesendet:* Mittwoch, 21. Juni 2017 15:14
> *An:* G?ttlich, Thomas <thomas.goettlich at it-informatik.de>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
> *Betreff:* Re: [keycloak-user] Refesh token error
>
>
>
> Hi Thomas,
>
>
>
> Great you figured this out.
>
>
>
> Would you mind elaborating a bit about  what you did with respect to
> session fixation prevention?
>
>
>
> Cheers,
>
> Thomas
>
>
>
>
>
> Am 21.06.2017 2:55 nachm. schrieb "G?ttlich, Thomas" <
> thomas.goettlich at it-informatik.de>:
>
> Never mind, I found the problem (at least I think I did):
>
>
> -          SSO session idle: 1 minute
>
> -          Access token lifespan: 1 minute
>
> When the access token has timed out and the application needs to refresh
> it the sso session has also timed out already, hence the error.
> Setting SSO session idle to 2 minutes or more fixes the issue.
>
> Mit freundlichen Gr??en
>
> i. A. Thomas G?ttlich
> -------------------------------------------------------------
> Entwicklung factor:plus
> +49 (0)731 / 9 35 42 -301
> thomas.goettlich at it-informatik.de
> -------------------------------------------------------------
> IT-Informatik GmbH
> Magirus-Deutz-Stra?e 17, 89077 Ulm
> Fax: +49 (0)731 / 9 35 42 - 130
> www.it-informatik.de
> -------------------------------------------------------------
> Amtsgericht Ulm: HRB 2662
> Sitz der Gesellschaft: Ulm
> USt-IdNr.: DE 145567338
> Gesch?ftsf?hrender Gesellschafter: G?nter N?gele
>
> -----Urspr?ngliche Nachricht-----
> Von: keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] Im Auftrag von G?ttlich, Thomas
> Gesendet: Mittwoch, 21. Juni 2017 13:14
> An: keycloak-user at lists.jboss.org
> Betreff: [keycloak-user] Refesh token error
>
>
> Hi there,
>
> we're currently integrating two Java server applications via Keycloak and
> use a subclass of KeycloakOIDCFilter on the client side.
> The subclassing is done mainly to facilitate configuration (which is
> loaded from the database) as well as some adjustments on session fixation
> prevention and login redirect handling.
>
> It works well so far, with one exception: when the access token times out
> and needs to be refreshed, we get the following error:
>
>
> -          Client:
> [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token
> failure status: 400 {"error":"invalid_grant","error_description":"Refresh
> token expired"}
>
> -          Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR,
> realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1,
> error=invalid_token, grant_type=refresh_token,
> client_auth_method=client-secret
>
> So far I could verify that the refresh token is not null so it seems to
> either be invalid or the request is faulty.
>
> For testing purposes we have set the following timeouts:
>
>
> -          SSO session idle: 1 minute
>
> -          SSO session max: 10 hours
>
> -          Access token lifespan: 1 minute
>
> -          Access token lifespan for implicit flow: 1 minute
>
> The client has the following settings:
>
>
> -          Only standard flow enabled
>
> -          Access type: confidential
>
> -          Client protocol: openid-connect
>
> Any idea what could cause that error or where we should look at?
>
> Thanks in advance,
>
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From mstrukel at redhat.com  Wed Jun 21 09:58:41 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 21 Jun 2017 15:58:41 +0200
Subject: [keycloak-user] clientSecret passing upon Client creation
In-Reply-To: <CAGsjquzBiLPXTM7v=n5OZEHt6hchLiXvtqoZWXJ_+-yaB1Z8Kw@mail.gmail.com>
References: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>
	<CA+1OW+h9DpLGzc0mziPGT6bh49U2TWDsVOCz87hAt4mA34MrUA@mail.gmail.com>
	<CAGsjquzBiLPXTM7v=n5OZEHt6hchLiXvtqoZWXJ_+-yaB1Z8Kw@mail.gmail.com>
Message-ID: <CA+1OW+i0C9h8dZ5EGOoRdei_XTcVwMrDHsbMh_p0tNkyVkPc=A@mail.gmail.com>

Your use case is indeed rather poorly documented, and requires some
exploration, especially when using kcadm.sh or Admin Client API you need to
also consult Admin REST API documentation (
http://www.keycloak.org/docs-api/3.1/rest-api/index.html#_clientrepresentation)
or directly explore the code for Admin REST endpoint (
https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java#L146
).

Here's how you can set the secret for the client:

$ cat > client.json << EOF
{
  "clientId" : "test-cli",
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "secret" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d000"
}

The key here are the properties "clientAuthenticatorType", and "secret".
You can safely get away by only setting "secret" since "client-secret' is
default for "clientAuthenticatorType".

$ kcadm.sh create clients -r REALM_NAME -f client.json -i

If you want to check the value of secret you need to perform another REST
call as it's not returned as part of client GET.

$ kcadm.sh get clients/$CID/client-secret

Which will return CredentialRepresentation (
http://www.keycloak.org/docs-api/3.1/rest-api/index.html#_getclientsecret):
{
  "type" : "secret",
  "value" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d737"
}

Hopefully that addresses your problem.


On Tue, Jun 20, 2017 at 5:07 PM, Adam Lis <adam.lis at gmail.com> wrote:

> Hi!
>
> Thanks for response.
>
> Re what I'd like to achieve: I'd like to give some people pair
> Client/ClientSecret so they could use my Keycloak instance. Since this
> instance gets recreated using config management utility very often (e.g. 5
> times a day), I need a functionality to be able to specify ClientSecret
> when "provisioning" Keycloak instance.
>
> So for my needs - export-import is not good solution - since my server is
> started using standalone.sh script as PID=1 inside docker container. Also
> it would be hard to execute Export in my case, since docker container
> shutdown is also done by config management system - and I'd need to start
> standalone.sh again with export set. BTW: when export/import is involved by
> migration.action - it seems strange that main server thread is also
> starting.
>
> So I've read
> https://keycloak.gitbooks.io/documentation/server_admin/
> topics/admin-cli.html
> and
> https://keycloak.gitbooks.io/documentation/securing_apps/
> topics/client-registration/client-registration-cli.html
>
> In above documents there is describes process of e.g. defining new Clients.
> But it does not answer my question at all.
>
> So maybe once again my question: >>> Is specifying 'secret' parameter into
> JSON creating new Client using e.g. "kcadm.sh create clients -r REALM_NAME
> -f JSON_FILE.json -i" proper and supported way of passing ClientSecret
> value to newly created Client? <<<
>
> AdamLis;
>
>
> 2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:
>
> > You can find doumentation for kcadm.sh at: https://keycloak.gitbooks.
> > io/documentation/server_admin/topics/admin-cli.html
> >
> > Maybe for your usecase you might also want to use kcreg.sh, documentation
> > for which you can find at: https://keycloak.gitbooks.
> > io/documentation/securing_apps/topics/client-registration/client-
> > registration-cli.html
> >
> > kcreg.sh is meant for use by application developers to self-provision
> > clients in order to integrate their apps with a Keycloak Server.
> >
> > There is also a boot time import functionality which you can use to
> import
> > the whole realm: https://keycloak.gitbooks.io/documentation/
> > server_admin/topics/export-import.html
> >
> > As to your question whether you can base realm / client creation on
> > Keycloak's export / import functionality or CLI tools the answer is -
> yes,
> > that's the idea. If you can't achieve something basic and obvious then
> the
> > tools have to be improved.
> >
> > If you can be more specific what you are trying to achieve and what
> > exactly you do, then I can give you more specific advice.
> >
> > Also, if you can be more specific what you were not able to find in the
> > documentation, we can add it or make it easier to find.
> >
> > On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis at gmail.com> wrote:
> >
> >> Hi!
> >>
> >> I've tried to search for this information in documentation, but not
> >> succeeded.
> >>
> >> Let's assume I'm using keycloak docker container.
> >>
> >> Inside running instance I'm willing to add new Client like this:
> >>
> >> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
> >> FILE_CONTAINING_DEFINITION.json -i
> >>
> >> So I'm getting actual contents of JSON file for example by exporting
> >> existing Client (since I see no example in documentation as well)
> >>
> >> But in the export software is not setting 'secret' value in case
> >> 'clientAuthenticatorType' is set to 'client-secret'.
> >>
> >> I've anyway tried to add 'secret' field to JSON and it has been accepted
> >> by
> >> Keycloak - so Keycloak has created Client with ClientSecret value passed
> >> by
> >> JSON file in field named 'secret'.
> >>
> >> My question and concern is: does this functionality (setting desired
> >> ClientSecret on Client creation from JSON) work intended way? Can I base
> >> my
> >> whole Realm/Client creation solution on that functionality?
> >>
> >> A little background: I'm willing to run Keycloak deployment with docker
> >> container as part of configuration management - so I'm storing Realm and
> >> Client data in outside storage and I'm willing to pass these
> configuration
> >> pieces into newly started Keycloak inside docker container.
> >>
> >> Thanks;
> >> AdamLis;
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ssilvert at redhat.com  Wed Jun 21 10:10:56 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 21 Jun 2017 10:10:56 -0400
Subject: [keycloak-user] Unicast
In-Reply-To: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
References: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
Message-ID: <d68f16be-8c11-9385-92b8-def52d81075d@redhat.com>

I suggest that you try the WildFly mailing list and documentation.

You may also need to learn a bit about jgroups.

On 6/21/2017 9:35 AM, Marc Tempelmeier wrote:
> Hi,
>
> does someone here use unicast instead of multicast to form a cluster?
>
> If yes, I would be interested in the config :)
>
> Best regards
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From adam.lis at gmail.com  Wed Jun 21 10:27:12 2017
From: adam.lis at gmail.com (Adam Lis)
Date: Wed, 21 Jun 2017 16:27:12 +0200
Subject: [keycloak-user] clientSecret passing upon Client creation
In-Reply-To: <CA+1OW+i0C9h8dZ5EGOoRdei_XTcVwMrDHsbMh_p0tNkyVkPc=A@mail.gmail.com>
References: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>
	<CA+1OW+h9DpLGzc0mziPGT6bh49U2TWDsVOCz87hAt4mA34MrUA@mail.gmail.com>
	<CAGsjquzBiLPXTM7v=n5OZEHt6hchLiXvtqoZWXJ_+-yaB1Z8Kw@mail.gmail.com>
	<CA+1OW+i0C9h8dZ5EGOoRdei_XTcVwMrDHsbMh_p0tNkyVkPc=A@mail.gmail.com>
Message-ID: <CAGsjquynNJWBQOhVgzUFS2ji5XS+JERxWWy+MUZQq7UFj1RcOw@mail.gmail.com>

Hi!

Thanks for your response.

This is indeed what I needed.

As far as I understand, since 'secret' field name is present in
ClientRepresentation in http://www.keycloak.org/docs-api/3.1/rest-api/index.
html#_clientrepresentation - I can be sure that support of that field
remain in e.g. next versions of KeyCloak?

PS: Sorry Marko, I've posted a private message to you earlier.

AdamLis;

2017-06-21 15:58 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:

> Your use case is indeed rather poorly documented, and requires some
> exploration, especially when using kcadm.sh or Admin Client API you need to
> also consult Admin REST API documentation (http://www.keycloak.org/docs-
> api/3.1/rest-api/index.html#_clientrepresentation) or directly explore
> the code for Admin REST endpoint (https://github.com/keycloak/
> keycloak/blob/3.1.0.Final/services/src/main/java/org/
> keycloak/services/resources/admin/ClientsResource.java#L146).
>
> Here's how you can set the secret for the client:
>
> $ cat > client.json << EOF
> {
>   "clientId" : "test-cli",
>   "enabled" : true,
>   "clientAuthenticatorType" : "client-secret",
>   "secret" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d000"
> }
>
> The key here are the properties "clientAuthenticatorType", and "secret".
> You can safely get away by only setting "secret" since "client-secret' is
> default for "clientAuthenticatorType".
>
> $ kcadm.sh create clients -r REALM_NAME -f client.json -i
>
> If you want to check the value of secret you need to perform another REST
> call as it's not returned as part of client GET.
>
> $ kcadm.sh get clients/$CID/client-secret
>
> Which will return CredentialRepresentation (http://www.keycloak.org/docs-
> api/3.1/rest-api/index.html#_getclientsecret):
> {
>   "type" : "secret",
>   "value" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d737"
> }
>
> Hopefully that addresses your problem.
>
>
> On Tue, Jun 20, 2017 at 5:07 PM, Adam Lis <adam.lis at gmail.com> wrote:
>
>> Hi!
>>
>> Thanks for response.
>>
>> Re what I'd like to achieve: I'd like to give some people pair
>> Client/ClientSecret so they could use my Keycloak instance. Since this
>> instance gets recreated using config management utility very often (e.g. 5
>> times a day), I need a functionality to be able to specify ClientSecret
>> when "provisioning" Keycloak instance.
>>
>> So for my needs - export-import is not good solution - since my server is
>> started using standalone.sh script as PID=1 inside docker container. Also
>> it would be hard to execute Export in my case, since docker container
>> shutdown is also done by config management system - and I'd need to start
>> standalone.sh again with export set. BTW: when export/import is involved
>> by
>> migration.action - it seems strange that main server thread is also
>> starting.
>>
>> So I've read
>> https://keycloak.gitbooks.io/documentation/server_admin/topi
>> cs/admin-cli.html
>> and
>> https://keycloak.gitbooks.io/documentation/securing_apps/top
>> ics/client-registration/client-registration-cli.html
>>
>> In above documents there is describes process of e.g. defining new
>> Clients.
>> But it does not answer my question at all.
>>
>> So maybe once again my question: >>> Is specifying 'secret' parameter into
>> JSON creating new Client using e.g. "kcadm.sh create clients -r REALM_NAME
>> -f JSON_FILE.json -i" proper and supported way of passing ClientSecret
>> value to newly created Client? <<<
>>
>> AdamLis;
>>
>>
>> 2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:
>>
>> > You can find doumentation for kcadm.sh at: https://keycloak.gitbooks.
>> > io/documentation/server_admin/topics/admin-cli.html
>> >
>> > Maybe for your usecase you might also want to use kcreg.sh,
>> documentation
>> > for which you can find at: https://keycloak.gitbooks.
>> > io/documentation/securing_apps/topics/client-registration/client-
>> > registration-cli.html
>> >
>> > kcreg.sh is meant for use by application developers to self-provision
>> > clients in order to integrate their apps with a Keycloak Server.
>> >
>> > There is also a boot time import functionality which you can use to
>> import
>> > the whole realm: https://keycloak.gitbooks.io/documentation/
>> > server_admin/topics/export-import.html
>> >
>> > As to your question whether you can base realm / client creation on
>> > Keycloak's export / import functionality or CLI tools the answer is -
>> yes,
>> > that's the idea. If you can't achieve something basic and obvious then
>> the
>> > tools have to be improved.
>> >
>> > If you can be more specific what you are trying to achieve and what
>> > exactly you do, then I can give you more specific advice.
>> >
>> > Also, if you can be more specific what you were not able to find in the
>> > documentation, we can add it or make it easier to find.
>> >
>> > On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis at gmail.com> wrote:
>> >
>> >> Hi!
>> >>
>> >> I've tried to search for this information in documentation, but not
>> >> succeeded.
>> >>
>> >> Let's assume I'm using keycloak docker container.
>> >>
>> >> Inside running instance I'm willing to add new Client like this:
>> >>
>> >> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
>> >> FILE_CONTAINING_DEFINITION.json -i
>> >>
>> >> So I'm getting actual contents of JSON file for example by exporting
>> >> existing Client (since I see no example in documentation as well)
>> >>
>> >> But in the export software is not setting 'secret' value in case
>> >> 'clientAuthenticatorType' is set to 'client-secret'.
>> >>
>> >> I've anyway tried to add 'secret' field to JSON and it has been
>> accepted
>> >> by
>> >> Keycloak - so Keycloak has created Client with ClientSecret value
>> passed
>> >> by
>> >> JSON file in field named 'secret'.
>> >>
>> >> My question and concern is: does this functionality (setting desired
>> >> ClientSecret on Client creation from JSON) work intended way? Can I
>> base
>> >> my
>> >> whole Realm/Client creation solution on that functionality?
>> >>
>> >> A little background: I'm willing to run Keycloak deployment with docker
>> >> container as part of configuration management - so I'm storing Realm
>> and
>> >> Client data in outside storage and I'm willing to pass these
>> configuration
>> >> pieces into newly started Keycloak inside docker container.
>> >>
>> >> Thanks;
>> >> AdamLis;
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From Sebastian.Schuster at bosch-si.com  Wed Jun 21 10:31:19 2017
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1))
Date: Wed, 21 Jun 2017 14:31:19 +0000
Subject: [keycloak-user] Unicast
In-Reply-To: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
References: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
Message-ID: <cc1fccbf023940aaa617211db45d1a6a@FE-MBX1028.de.bosch.com>

Hi Marc,

I don't have production experience with it yet, but you can setup JGroups discovery to use the DB (JDBC_PING) instead of multicast.
You can see how this works on Kubernetes and MySQL for example at https://github.com/Reposoft/keycloak-ha-kubernetes/tree/keycloak3-ha-mysql/server-ha-mysql. Using Minikube (https://github.com/kubernetes/minikube) you will have a Keycloak cluster running in no time (if you don?t try to mount persistent volumes for the DB from the host as I did :)

Best regards,
Sebastian

Mit freundlichen Gr??en / Best regards

 Sebastian Schuster

Engineering and Support (INST/ESY1) 
Bosch?Software Innovations?GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B 
Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn 



> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> bounces at lists.jboss.org] On Behalf Of Marc Tempelmeier
> Sent: Mittwoch, 21. Juni 2017 15:36
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Unicast
> 
> Hi,
> 
> does someone here use unicast instead of multicast to form a cluster?
> 
> If yes, I would be interested in the config :)
> 
> Best regards
> 
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From mstrukel at redhat.com  Wed Jun 21 10:50:51 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 21 Jun 2017 16:50:51 +0200
Subject: [keycloak-user] clientSecret passing upon Client creation
In-Reply-To: <CAGsjquy8_21rpTVEraoCXzF4HPnb2dL4X_4ZdfxAD9wrg4B2iw@mail.gmail.com>
References: <CAGsjquz3ER=YuDUO7y6nRKjEyNvQC6CEiKpgAV_DN4oN=n4EfQ@mail.gmail.com>
	<CA+1OW+h9DpLGzc0mziPGT6bh49U2TWDsVOCz87hAt4mA34MrUA@mail.gmail.com>
	<CAGsjquzBiLPXTM7v=n5OZEHt6hchLiXvtqoZWXJ_+-yaB1Z8Kw@mail.gmail.com>
	<CA+1OW+i0C9h8dZ5EGOoRdei_XTcVwMrDHsbMh_p0tNkyVkPc=A@mail.gmail.com>
	<CAGsjquy8_21rpTVEraoCXzF4HPnb2dL4X_4ZdfxAD9wrg4B2iw@mail.gmail.com>
Message-ID: <CA+1OW+gujJ-zQ=p3owz_1tsVDbqQSw-o9j4+P1c-vrWQ_R9JNw@mail.gmail.com>

While nobody can give any guarantees about the future of a community
project (as opposed to a commercial product like RH-SSO), it is reasonable
to expect that "secret" field will remain for as long as there is Admin
REST API.

There will most likely be another version of Admin REST API in the future,
but that would almost certainly be parallel to the current one.


On Wed, Jun 21, 2017 at 4:26 PM, Adam Lis <adam.lis at gmail.com> wrote:

> Hi!
>
> Thanks for your response.
>
> This is indeed what I needed.
>
> As far as I understand, since 'secret' field name is present in
> ClientRepresentation in http://www.keycloak.org/
> docs-api/3.1/rest-api/index.html#_clientrepresentation - I can be sure
> that support of that field remain in e.g. next versions of KeyCloak?
>
> AdamLis;
>
>
>
> 2017-06-21 15:58 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:
>
>> Your use case is indeed rather poorly documented, and requires some
>> exploration, especially when using kcadm.sh or Admin Client API you need to
>> also consult Admin REST API documentation (http://www.keycloak.org/docs-
>> api/3.1/rest-api/index.html#_clientrepresentation) or directly explore
>> the code for Admin REST endpoint (https://github.com/keycloak/k
>> eycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak
>> /services/resources/admin/ClientsResource.java#L146).
>>
>> Here's how you can set the secret for the client:
>>
>> $ cat > client.json << EOF
>> {
>>   "clientId" : "test-cli",
>>   "enabled" : true,
>>   "clientAuthenticatorType" : "client-secret",
>>   "secret" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d000"
>> }
>>
>> The key here are the properties "clientAuthenticatorType", and "secret".
>> You can safely get away by only setting "secret" since "client-secret' is
>> default for "clientAuthenticatorType".
>>
>> $ kcadm.sh create clients -r REALM_NAME -f client.json -i
>>
>> If you want to check the value of secret you need to perform another REST
>> call as it's not returned as part of client GET.
>>
>> $ kcadm.sh get clients/$CID/client-secret
>>
>> Which will return CredentialRepresentation (http://www.keycloak.org/docs-
>> api/3.1/rest-api/index.html#_getclientsecret):
>> {
>>   "type" : "secret",
>>   "value" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d737"
>> }
>>
>> Hopefully that addresses your problem.
>>
>>
>> On Tue, Jun 20, 2017 at 5:07 PM, Adam Lis <adam.lis at gmail.com> wrote:
>>
>>> Hi!
>>>
>>> Thanks for response.
>>>
>>> Re what I'd like to achieve: I'd like to give some people pair
>>> Client/ClientSecret so they could use my Keycloak instance. Since this
>>> instance gets recreated using config management utility very often (e.g.
>>> 5
>>> times a day), I need a functionality to be able to specify ClientSecret
>>> when "provisioning" Keycloak instance.
>>>
>>> So for my needs - export-import is not good solution - since my server is
>>> started using standalone.sh script as PID=1 inside docker container. Also
>>> it would be hard to execute Export in my case, since docker container
>>> shutdown is also done by config management system - and I'd need to start
>>> standalone.sh again with export set. BTW: when export/import is involved
>>> by
>>> migration.action - it seems strange that main server thread is also
>>> starting.
>>>
>>> So I've read
>>> https://keycloak.gitbooks.io/documentation/server_admin/topi
>>> cs/admin-cli.html
>>> and
>>> https://keycloak.gitbooks.io/documentation/securing_apps/top
>>> ics/client-registration/client-registration-cli.html
>>>
>>> In above documents there is describes process of e.g. defining new
>>> Clients.
>>> But it does not answer my question at all.
>>>
>>> So maybe once again my question: >>> Is specifying 'secret' parameter
>>> into
>>> JSON creating new Client using e.g. "kcadm.sh create clients -r
>>> REALM_NAME
>>> -f JSON_FILE.json -i" proper and supported way of passing ClientSecret
>>> value to newly created Client? <<<
>>>
>>> AdamLis;
>>>
>>>
>>> 2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:
>>>
>>> > You can find doumentation for kcadm.sh at: https://keycloak.gitbooks.
>>> > io/documentation/server_admin/topics/admin-cli.html
>>> >
>>> > Maybe for your usecase you might also want to use kcreg.sh,
>>> documentation
>>> > for which you can find at: https://keycloak.gitbooks.
>>> > io/documentation/securing_apps/topics/client-registration/client-
>>> > registration-cli.html
>>> >
>>> > kcreg.sh is meant for use by application developers to self-provision
>>> > clients in order to integrate their apps with a Keycloak Server.
>>> >
>>> > There is also a boot time import functionality which you can use to
>>> import
>>> > the whole realm: https://keycloak.gitbooks.io/documentation/
>>> > server_admin/topics/export-import.html
>>> >
>>> > As to your question whether you can base realm / client creation on
>>> > Keycloak's export / import functionality or CLI tools the answer is -
>>> yes,
>>> > that's the idea. If you can't achieve something basic and obvious then
>>> the
>>> > tools have to be improved.
>>> >
>>> > If you can be more specific what you are trying to achieve and what
>>> > exactly you do, then I can give you more specific advice.
>>> >
>>> > Also, if you can be more specific what you were not able to find in the
>>> > documentation, we can add it or make it easier to find.
>>> >
>>> > On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis at gmail.com> wrote:
>>> >
>>> >> Hi!
>>> >>
>>> >> I've tried to search for this information in documentation, but not
>>> >> succeeded.
>>> >>
>>> >> Let's assume I'm using keycloak docker container.
>>> >>
>>> >> Inside running instance I'm willing to add new Client like this:
>>> >>
>>> >> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
>>> >> FILE_CONTAINING_DEFINITION.json -i
>>> >>
>>> >> So I'm getting actual contents of JSON file for example by exporting
>>> >> existing Client (since I see no example in documentation as well)
>>> >>
>>> >> But in the export software is not setting 'secret' value in case
>>> >> 'clientAuthenticatorType' is set to 'client-secret'.
>>> >>
>>> >> I've anyway tried to add 'secret' field to JSON and it has been
>>> accepted
>>> >> by
>>> >> Keycloak - so Keycloak has created Client with ClientSecret value
>>> passed
>>> >> by
>>> >> JSON file in field named 'secret'.
>>> >>
>>> >> My question and concern is: does this functionality (setting desired
>>> >> ClientSecret on Client creation from JSON) work intended way? Can I
>>> base
>>> >> my
>>> >> whole Realm/Client creation solution on that functionality?
>>> >>
>>> >> A little background: I'm willing to run Keycloak deployment with
>>> docker
>>> >> container as part of configuration management - so I'm storing Realm
>>> and
>>> >> Client data in outside storage and I'm willing to pass these
>>> configuration
>>> >> pieces into newly started Keycloak inside docker container.
>>> >>
>>> >> Thanks;
>>> >> AdamLis;
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>
>>> >
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From marc.tempelmeier at flane.de  Wed Jun 21 11:28:11 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 21 Jun 2017 15:28:11 +0000
Subject: [keycloak-user] Unicast
In-Reply-To: <cc1fccbf023940aaa617211db45d1a6a@FE-MBX1028.de.bosch.com>
References: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
	<cc1fccbf023940aaa617211db45d1a6a@FE-MBX1028.de.bosch.com>
Message-ID: <cc838022124a4618820f9743fce8268c@dehamex2013.europe.flane.local>

Hi,

thanks, we went with docker swarm, where we have other services already. So I want to try to get the unicast working.
I?ll take a look at JDBC_PING though.



-----Urspr?ngliche Nachricht-----
Von: Schuster Sebastian (INST/ESY1) [mailto:Sebastian.Schuster at bosch-si.com] 
Gesendet: Wednesday, June 21, 2017 4:31 PM
An: Marc Tempelmeier <marc.tempelmeier at flane.de>; keycloak-user at lists.jboss.org
Betreff: RE: Unicast

Hi Marc,

I don't have production experience with it yet, but you can setup JGroups discovery to use the DB (JDBC_PING) instead of multicast.
You can see how this works on Kubernetes and MySQL for example at https://github.com/Reposoft/keycloak-ha-kubernetes/tree/keycloak3-ha-mysql/server-ha-mysql. Using Minikube (https://github.com/kubernetes/minikube) you will have a Keycloak cluster running in no time (if you don?t try to mount persistent volumes for the DB from the host as I did :)

Best regards,
Sebastian

Mit freundlichen Gr??en / Best regards

 Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch?Software Innovations?GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn 



> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> bounces at lists.jboss.org] On Behalf Of Marc Tempelmeier
> Sent: Mittwoch, 21. Juni 2017 15:36
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Unicast
> 
> Hi,
> 
> does someone here use unicast instead of multicast to form a cluster?
> 
> If yes, I would be interested in the config :)
> 
> Best regards
> 
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From thomas.darimont at googlemail.com  Wed Jun 21 12:28:42 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 21 Jun 2017 18:28:42 +0200
Subject: [keycloak-user] Unicast
In-Reply-To: <cc838022124a4618820f9743fce8268c@dehamex2013.europe.flane.local>
References: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
	<cc1fccbf023940aaa617211db45d1a6a@FE-MBX1028.de.bosch.com>
	<cc838022124a4618820f9743fce8268c@dehamex2013.europe.flane.local>
Message-ID: <CAK-7U1iGBmve=CHrZqU4z9jeBwT9eDFCVvmtx+9tu85NerW0kA@mail.gmail.com>

Hello Marc,

the following infinispan unicast configuration is working well for us at
the moment with Keycloak 2.5.5.Final in Docker:

echo SETUP: Configure JGroups clustering with TCP-Unicast
# Add the participating host entries for initial discovery in the form
"host[port]" - quotes are required, e.g. "host1[7800],host2[4711]". Default
port is 7800.

echo SETUP: Configure JGroups and Infinispan to use TCP-Unicast instead of
UDP-Multicast
/subsystem=jgroups/stack=unicast-tcp:add(transport={type=>TCP,socket-binding=>jgroups-tcp},
protocols=[])
/subsystem=jgroups/stack=unicast-tcp/transport=TCP/property=bind_port/:add(value=${env.JGROUPS_PORT:7800})
/subsystem=jgroups/stack=unicast-tcp/transport=TCP/property=external_addr/:add(value=${env.JGROUPS_EXTERNAL_IP:127.0.0.1})
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=TCPPING)
/subsystem=jgroups/stack=unicast-tcp/protocol=TCPPING/property=initial_hosts/:add(value="${env.JGROUPS_REMOTE_HOSTS:localhost[7800]}")
/subsystem=jgroups/stack=unicast-tcp/protocol=TCPPING/property=port_range/:add(value=0)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=MERGE3)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=FD_SOCK)
/subsystem=jgroups/stack=unicast-tcp/protocol=FD_SOCK:write-attribute(name=socket-binding,value=jgroups-tcp-fd)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=FD_ALL)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=VERIFY_SUSPECT)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=pbcast.NAKACK2)
/subsystem=jgroups/stack=unicast-tcp/protocol=pbcast.NAKACK2/property=use_mcast_xmit/:add(value=false)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=UNICAST3)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=pbcast.STABLE)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=pbcast.GMS)
/subsystem=jgroups/stack=unicast-tcp/protocol=pbcast.GMS/property=print_physical_addrs/:add(value=true)
/subsystem=jgroups/stack=unicast-tcp/protocol=pbcast.GMS/property=print_local_addr/:add(value=true)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=UFC)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=MFC)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=FRAG2)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=RSVP)

echo SETUP: Activate JGroups stack unicast-tcp
/subsystem=jgroups/:write-attribute(name=default-stack,value=unicast-tcp)
/subsystem=jgroups/channel=ee/:write-attribute(name=stack,value=unicast-tcp)

echo SETUP: Configure jgroups-tcp socket binding to use public interface
/socket-binding-group=standard-sockets/socket-binding=jgroups-tcp/:write-attribute(name=interface,value=public)

echo SETUP: Configure replication for Keycloak caches
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners,
value=2)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners,
value=2)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners,
value=2)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization:write-attribute(name=owners,
value=2)


Cheers,
Thomas

2017-06-21 17:28 GMT+02:00 Marc Tempelmeier <marc.tempelmeier at flane.de>:

> Hi,
>
> thanks, we went with docker swarm, where we have other services already.
> So I want to try to get the unicast working.
> I?ll take a look at JDBC_PING though.
>
>
>
> -----Urspr?ngliche Nachricht-----
> Von: Schuster Sebastian (INST/ESY1) [mailto:Sebastian.Schuster@
> bosch-si.com]
> Gesendet: Wednesday, June 21, 2017 4:31 PM
> An: Marc Tempelmeier <marc.tempelmeier at flane.de>;
> keycloak-user at lists.jboss.org
> Betreff: RE: Unicast
>
> Hi Marc,
>
> I don't have production experience with it yet, but you can setup JGroups
> discovery to use the DB (JDBC_PING) instead of multicast.
> You can see how this works on Kubernetes and MySQL for example at
> https://github.com/Reposoft/keycloak-ha-kubernetes/tree/
> keycloak3-ha-mysql/server-ha-mysql. Using Minikube (https://github.com/
> kubernetes/minikube) you will have a Keycloak cluster running in no time
> (if you don?t try to mount persistent volumes for the DB from the host as I
> did :)
>
> Best regards,
> Sebastian
>
> Mit freundlichen Gr??en / Best regards
>
>  Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin |
> GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100
> | Sebastian.Schuster at bosch-si.com
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
>
>
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> > bounces at lists.jboss.org] On Behalf Of Marc Tempelmeier
> > Sent: Mittwoch, 21. Juni 2017 15:36
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] Unicast
> >
> > Hi,
> >
> > does someone here use unicast instead of multicast to form a cluster?
> >
> > If yes, I would be interested in the config :)
> >
> > Best regards
> >
> > Marc
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From marc.tempelmeier at flane.de  Wed Jun 21 12:34:40 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Wed, 21 Jun 2017 16:34:40 +0000
Subject: [keycloak-user] Unicast
In-Reply-To: <CAK-7U1iGBmve=CHrZqU4z9jeBwT9eDFCVvmtx+9tu85NerW0kA@mail.gmail.com>
References: <1a82458c560a4d8ca814e7d03aee1e91@dehamex2013.europe.flane.local>
	<cc1fccbf023940aaa617211db45d1a6a@FE-MBX1028.de.bosch.com>
	<cc838022124a4618820f9743fce8268c@dehamex2013.europe.flane.local>
	<CAK-7U1iGBmve=CHrZqU4z9jeBwT9eDFCVvmtx+9tu85NerW0kA@mail.gmail.com>
Message-ID: <ef356c9275c04978b6b128b1c863bbd4@dehamex2013.europe.flane.local>

Thanks!

I got it working 15 mins ago actually:

<subsystem xmlns="urn:jboss:domain:jgroups:4.0">
    <channels default="ee">
        <channel name="ee" stack="tcp"/>
    </channels>
    <stacks>
        <stack name="udp">
            <transport type="UDP" socket-binding="jgroups-udp"/>
            <protocol type="PING"/>
            <protocol type="MERGE3"/>
            <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
            <protocol type="FD_ALL"/>
            <protocol type="VERIFY_SUSPECT"/>
            <protocol type="pbcast.NAKACK2"/>
            <protocol type="UNICAST3"/>
            <protocol type="pbcast.STABLE"/>
            <protocol type="pbcast.GMS"/>
            <protocol type="UFC"/>
            <protocol type="MFC"/>
            <protocol type="FRAG2"/>
        </stack>
        <stack name="tcp">
            <transport type="TCP" socket-binding="jgroups-tcp"/>
            <protocol type="TCPPING">
                <property name="initial_hosts">slave1[7600],slave2[7600],slave37600]</property>
                <property name="port_range">10</property>
                <property name="join_timeout">3000</property>
            </protocol>
            <protocol type="MERGE3"/>
            <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
            <protocol type="FD"/>
            <protocol type="VERIFY_SUSPECT"/>
            <protocol type="pbcast.NAKACK2"/>
            <protocol type="UNICAST3"/>
            <protocol type="pbcast.STABLE"/>
            <protocol type="pbcast.GMS"/>
            <protocol type="MFC"/>
            <protocol type="FRAG2"/>
        </stack>
    </stacks>
</subsystem>

I hope it will last the night though ?

Von: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
Gesendet: Wednesday, June 21, 2017 6:29 PM
An: Marc Tempelmeier <marc.tempelmeier at flane.de>
Cc: Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com>; keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] Unicast

Hello Marc,

the following infinispan unicast configuration is working well for us at the moment with Keycloak 2.5.5.Final in Docker:

echo SETUP: Configure JGroups clustering with TCP-Unicast
# Add the participating host entries for initial discovery in the form "host[port]" - quotes are required, e.g. "host1[7800],host2[4711]". Default port is 7800.

echo SETUP: Configure JGroups and Infinispan to use TCP-Unicast instead of UDP-Multicast
/subsystem=jgroups/stack=unicast-tcp:add(transport={type=>TCP,socket-binding=>jgroups-tcp}, protocols=[])
/subsystem=jgroups/stack=unicast-tcp/transport=TCP/property=bind_port/:add(value=${env.JGROUPS_PORT:7800})
/subsystem=jgroups/stack=unicast-tcp/transport=TCP/property=external_addr/:add(value=${env.JGROUPS_EXTERNAL_IP:127.0.0.1})
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=TCPPING)
/subsystem=jgroups/stack=unicast-tcp/protocol=TCPPING/property=initial_hosts/:add(value="${env.JGROUPS_REMOTE_HOSTS:localhost[7800]}")
/subsystem=jgroups/stack=unicast-tcp/protocol=TCPPING/property=port_range/:add(value=0)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=MERGE3)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=FD_SOCK)
/subsystem=jgroups/stack=unicast-tcp/protocol=FD_SOCK:write-attribute(name=socket-binding,value=jgroups-tcp-fd)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=FD_ALL)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=VERIFY_SUSPECT)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=pbcast.NAKACK2)
/subsystem=jgroups/stack=unicast-tcp/protocol=pbcast.NAKACK2/property=use_mcast_xmit/:add(value=false)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=UNICAST3)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=pbcast.STABLE)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=pbcast.GMS)
/subsystem=jgroups/stack=unicast-tcp/protocol=pbcast.GMS/property=print_physical_addrs/:add(value=true)
/subsystem=jgroups/stack=unicast-tcp/protocol=pbcast.GMS/property=print_local_addr/:add(value=true)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=UFC)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=MFC)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=FRAG2)
/subsystem=jgroups/stack=unicast-tcp/:add-protocol(type=RSVP)

echo SETUP: Activate JGroups stack unicast-tcp
/subsystem=jgroups/:write-attribute(name=default-stack,value=unicast-tcp)
/subsystem=jgroups/channel=ee/:write-attribute(name=stack,value=unicast-tcp)

echo SETUP: Configure jgroups-tcp socket binding to use public interface
/socket-binding-group=standard-sockets/socket-binding=jgroups-tcp/:write-attribute(name=interface,value=public)

echo SETUP: Configure replication for Keycloak caches
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=2)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=2)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization:write-attribute(name=owners, value=2)


Cheers,
Thomas

2017-06-21 17:28 GMT+02:00 Marc Tempelmeier <marc.tempelmeier at flane.de<mailto:marc.tempelmeier at flane.de>>:
Hi,

thanks, we went with docker swarm, where we have other services already. So I want to try to get the unicast working.
I?ll take a look at JDBC_PING though.



-----Urspr?ngliche Nachricht-----
Von: Schuster Sebastian (INST/ESY1) [mailto:Sebastian.Schuster at bosch-si.com<mailto:Sebastian.Schuster at bosch-si.com>]
Gesendet: Wednesday, June 21, 2017 4:31 PM
An: Marc Tempelmeier <marc.tempelmeier at flane.de<mailto:marc.tempelmeier at flane.de>>; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Betreff: RE: Unicast

Hi Marc,

I don't have production experience with it yet, but you can setup JGroups discovery to use the DB (JDBC_PING) instead of multicast.
You can see how this works on Kubernetes and MySQL for example at https://github.com/Reposoft/keycloak-ha-kubernetes/tree/keycloak3-ha-mysql/server-ha-mysql. Using Minikube (https://github.com/kubernetes/minikube) you will have a Keycloak cluster running in no time (if you don?t try to mount persistent volumes for the DB from the host as I did :)

Best regards,
Sebastian

Mit freundlichen Gr??en / Best regards

 Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 30 726112-485<tel:%2B49%2030%20726112-485> | Fax +49 30 726112-100<tel:%2B49%2030%20726112-100> | Sebastian.Schuster at bosch-si.com<mailto:Sebastian.Schuster at bosch-si.com>

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn



> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [mailto:keycloak-user-<mailto:keycloak-user->
> bounces at lists.jboss.org<mailto:bounces at lists.jboss.org>] On Behalf Of Marc Tempelmeier
> Sent: Mittwoch, 21. Juni 2017 15:36
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] Unicast
>
> Hi,
>
> does someone here use unicast instead of multicast to form a cluster?
>
> If yes, I would be interested in the config :)
>
> Best regards
>
> Marc
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user


From shimin_q at yahoo.com  Wed Jun 21 14:26:00 2017
From: shimin_q at yahoo.com (shimin q)
Date: Wed, 21 Jun 2017 18:26:00 +0000 (UTC)
Subject: [keycloak-user] Keycloak and kong
In-Reply-To: <589278003.8455132.1497364705835@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
	<552966330.515120.1495814645292@mail.yahoo.com>
	<665622394.7365199.1497276429078@mail.yahoo.com>
	<589278003.8455132.1497364705835@mail.yahoo.com>
Message-ID: <363727655.653573.1498069560731@mail.yahoo.com>

Hi,
We have multiplecontainers each of which contain web servers with multiple web apps deployed but we go through a front endproxy like kong cluster. ? We are looking to integrate Keycloak as the sso solution in this architecture. ? Does Keycloak support this setup? ?And if so, how would it work and will we have SSO across multiple back end webservers??

Thanks!!

From celso.agra at gmail.com  Wed Jun 21 16:04:47 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 21 Jun 2017 17:04:47 -0300
Subject: [keycloak-user] How to create a Camel Route with Keycloak Admin
 Client in JBoss Fuse 6.3.0?
In-Reply-To: <CAOFYJDuEWc0S0zDAknzY98yrNj=s=do7-GLPd0zRbyBSzPABeQ@mail.gmail.com>
References: <CAOFYJDuBrCka0HQb6Pb144A-eV6jNP-=nt9nAE9eM2DXUjrLtA@mail.gmail.com>
	<35907b43-bc75-6690-40ec-c1a3cfe62ffb@redhat.com>
	<CAOFYJDuEWc0S0zDAknzY98yrNj=s=do7-GLPd0zRbyBSzPABeQ@mail.gmail.com>
Message-ID: <CAOFYJDvwu=1yMaW3b-WM+ZyqvRTSHeNDSt=6BhhsZmnNY10n_w@mail.gmail.com>

@Marek,

I created a JIRA to discuss this possibility -->
https://issues.jboss.org/browse/KEYCLOAK-5080
So, I'll talk to Fuse support to help us

Thanks!

2017-06-16 0:44 GMT-03:00 Celso Agra <celso.agra at gmail.com>:

> I'm considering to use another kind of osgi implementation, such as Apache
> Karaf, eclipse virgo, etc... maybe some of these implementations are not
> using CXF (I hope so!)
> Also, I'll take a look in the effort to implement and call the Keycloak
> REST endpoint with Apache CXF.
>
> I'll create JIRA for this!
>
> Thanks for your answer, Marek!
>
> 2017-06-15 5:15 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>
>> Hi,
>>
>> I think that you're right. ATM our adminClient likely won't work inside
>> JBoss Fuse as adminClient is a bit tightly coupled to resteasy JAXRS
>> implementation and JBoss Fuse uses Apache CXF.
>>
>> At some point we had the PR and discussion for Apache CXF support of our
>> admin client, but in the end, it wasn't done. Feel free to create JIRA for
>> adminClient support in Fuse environment if it doesn't yet exists.
>>
>> The easiest workaround for you might be to call the REST endpoint
>> manually (either with CXF or with Apache HTTP Client) and not use Keycloak
>> builtin adminClient.
>>
>> Marek
>>
>>
>> On 14/06/17 06:24, Celso Agra wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to use the keycloak admin client in JBoss Fuse 6.3.0.
>>> Everything
>>> works fine when I run the java main class, but when I put this in the
>>> JBoss
>>> Fuse (with Karaf) I got an error, because the keycloak are using the
>>> resteasy, and the OSGI is totally different. So, does anyone knows how to
>>> do the same keycloak admin client configuration using this environment?
>>>
>>> Here is my log:
>>>
>>> javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke
>>> request
>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>>> ine.invoke(ApacheHttpClient4Engine.java:289)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.in
>>>> voke(ClientInvocation.java:454)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker
>>>> .invoke(ClientInvoker.java:105)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.i
>>>> nvoke(ClientProxy.java:76)
>>>>
>>>      at com.sun.proxy.$Proxy85.grantToken(Unknown Source)
>>>
>>>      at
>>>
>>>> org.keycloak.admin.client.token.TokenManager.grantToken(Toke
>>>> nManager.java:89)
>>>>
>>>      at
>>>
>>>> org.keycloak.admin.client.token.TokenManager.getAccessToken(
>>>> TokenManager.java:69)
>>>>
>>>      at
>>>
>>>> org.keycloak.admin.client.token.TokenManager.getAccessTokenS
>>>> tring(TokenManager.java:64)
>>>>
>>>      at
>>>
>>>> org.keycloak.admin.client.resource.BearerAuthFilter.filter(B
>>>> earerAuthFilter.java:52)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.in
>>>> voke(ClientInvocation.java:431)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker
>>>> .invoke(ClientInvoker.java:105)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.i
>>>> nvoke(ClientProxy.java:76)
>>>>
>>>      at com.sun.proxy.$Proxy88.create(Unknown Source)
>>>
>>>      at
>>>
>>>> pe.gov.br.ati.service.KeycloakAdminManager.createUserKeycloa
>>>> k(KeycloakAdminManager.java:64)
>>>>
>>>      at
>>>
>>>> pe.gov.br.ati.service.KeycloakClientService.validateAndInser
>>>> tUser(KeycloakClientService.java:20)
>>>>
>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>
>>>      at
>>>
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>>> ssorImpl.java:62)
>>>>
>>>      at
>>>
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>>> thodAccessorImpl.java:43)
>>>>
>>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>>
>>>      at
>>>
>>>> org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
>>>>
>>>      at
>>>
>>>> org.apache.camel.component.bean.MethodInfo$1.doProceed(Metho
>>>> dInfo.java:279)
>>>>
>>>      at
>>>
>>>> org.apache.camel.component.bean.MethodInfo$1.proceed(MethodI
>>>> nfo.java:252)
>>>>
>>>      at
>>>
>>>> org.apache.camel.component.bean.BeanProcessor.process(BeanPr
>>>> ocessor.java:177)
>>>>
>>>      at
>>>
>>>> org.apache.camel.management.InstrumentationProcessor.process
>>>> (InstrumentationProcessor.java:77)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.interceptor.TraceInterceptor.proc
>>>> ess(TraceInterceptor.java:163)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.RedeliveryErrorHandler.process(Re
>>>> deliveryErrorHandler.java:468)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>>> melInternalProcessor.java:196)
>>>>
>>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>>>
>>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>>>
>>>      at
>>>
>>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>>> melInternalProcessor.java:196)
>>>>
>>>      at
>>>
>>>> org.apache.camel.component.direct.DirectProducer.process(Dir
>>>> ectProducer.java:62)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.SendProcessor.process(SendProcess
>>>> or.java:145)
>>>>
>>>      at
>>>
>>>> org.apache.camel.management.InstrumentationProcessor.process
>>>> (InstrumentationProcessor.java:77)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.interceptor.TraceInterceptor.proc
>>>> ess(TraceInterceptor.java:163)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.RedeliveryErrorHandler.process(Re
>>>> deliveryErrorHandler.java:468)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>>> melInternalProcessor.java:196)
>>>>
>>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>>>
>>>      at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>>>
>>>      at
>>>
>>>> org.apache.camel.processor.CamelInternalProcessor.process(Ca
>>>> melInternalProcessor.java:196)
>>>>
>>>      at
>>>
>>>> org.apache.camel.util.AsyncProcessorHelper.process(AsyncProc
>>>> essorHelper.java:109)
>>>>
>>>      at
>>>
>>>> org.apache.camel.processor.DelegateAsyncProcessor.process(De
>>>> legateAsyncProcessor.java:91)
>>>>
>>>      at
>>>
>>>> org.apache.camel.component.restlet.RestletConsumer$1.handle(
>>>> RestletConsumer.java:68)
>>>>
>>>      at
>>>
>>>> org.apache.camel.component.restlet.MethodBasedRouter.handle(
>>>> MethodBasedRouter.java:54)
>>>>
>>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>>
>>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>>
>>>      at org.restlet.routing.Router.doHandle(Router.java:422)
>>>
>>>      at org.restlet.routing.Router.handle(Router.java:639)
>>>
>>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>>
>>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>>
>>>      at org.restlet.routing.Router.doHandle(Router.java:422)
>>>
>>>      at org.restlet.routing.Router.handle(Router.java:639)
>>>
>>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>>
>>>      at
>>>
>>>> org.restlet.engine.application.StatusFilter.doHandle(StatusF
>>>> ilter.java:140)
>>>>
>>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>>
>>>      at org.restlet.routing.Filter.doHandle(Filter.java:150)
>>>
>>>      at org.restlet.routing.Filter.handle(Filter.java:197)
>>>
>>>      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.ja
>>> va:202)
>>>
>>>      at org.restlet.Component.handle(Component.java:408)
>>>
>>>      at org.restlet.Server.handle(Server.java:507)
>>>
>>>      at
>>>
>>>> org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
>>>>
>>>      at
>>>
>>>> org.restlet.engine.adapter.HttpServerHelper.handle(HttpServe
>>>> rHelper.java:143)
>>>>
>>>      at
>>>
>>>> org.restlet.engine.connector.HttpServerHelper$1.handle(HttpS
>>>> erverHelper.java:64)
>>>>
>>>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
>>>
>>>      at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
>>>
>>>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
>>>
>>>      at
>>>
>>>> sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(Se
>>>> rverImpl.java:675)
>>>>
>>>      at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
>>>
>>>      at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
>>>
>>>      at
>>>
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>> Executor.java:1142)
>>>>
>>>      at
>>>
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>> lExecutor.java:617)
>>>>
>>>      at java.lang.Thread.run(Thread.java:748)
>>>
>>> Caused by: javax.ws.rs.ProcessingException: RESTEASY003215: could not
>>> find
>>>
>>>> writer for content-type application/x-www-form-urlencoded type:
>>>> javax.ws.rs.core.Form$1
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.core.interception.jaxrs.ClientWriterInter
>>>> ceptorContext.throwWriterNotFoundException(ClientWriterInter
>>>> ceptorContext.java:40)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInt
>>>> erceptorContext.getWriter(AbstractWriterInterceptorContext.java:146)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInt
>>>> erceptorContext.proceed(AbstractWriterInterceptorContext.java:121)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.wr
>>>> iteRequestBody(ClientInvocation.java:388)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>>> ine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:589)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>>> ine.buildEntity(ApacheHttpClient4Engine.java:557)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>>> ine.loadHttpMethod(ApacheHttpClient4Engine.java:456)
>>>>
>>>      at
>>>
>>>> org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Eng
>>>> ine.invoke(ApacheHttpClient4Engine.java:283)
>>>>
>>>      ... 70 more
>>>
>>>
>>> Thanks for the attention.
>>>
>>>
>>
>
>
> --
> ---
> *Celso Agra*
>



-- 
---
*Celso Agra*

From daduev.ad at gmail.com  Thu Jun 22 02:04:19 2017
From: daduev.ad at gmail.com (Adam Daduev)
Date: Thu, 22 Jun 2017 06:04:19 +0000
Subject: [keycloak-user] Fwd: Error when session expired and ajax
 request execute in Keycloak?
In-Reply-To: <CACKoP8E1ML=3KLP913dOYG_mtzBNiwq9SL4Zd8VB9yEnYuSkhQ@mail.gmail.com>
References: <CACKoP8G2P4H6DbZYRqHxwkjrOdAq2fZRBV=NMH_1rZiaHS4uSg@mail.gmail.com>
	<CAJgngAcisHp070x=AwM760RduUKrpF1JiEGydtW0CVQeQLk_pQ@mail.gmail.com>
	<CACKoP8FbAW84DM6okG5nxS8Ezo8UsW4BvssZ_KoD-ZE6fdE0PA@mail.gmail.com>
	<CAJgngAdAWMeBzG94V_8dV8Ctc-c2Xy68f1TFaH469-AQY9agaQ@mail.gmail.com>
	<C1600CB0-94FF-42A5-9D7D-C993574F1382@gmail.com>
	<CAJgngAd4=f=TzxmCByGTXOOt9zU21Qk7+vg3RRGuoR8Z4j7_iQ@mail.gmail.com>
	<EDA7044E-3E25-428D-877A-536FB5565F99@gmail.com>
	<CACKoP8HHXYcHA2-HuMrJxncZOS0ne7hPkuk+_gB3JhLDKnrMNg@mail.gmail.com>
	<CACKoP8F+W+=x6gCCcQN3nnnggrErsm6Er0S3NUx=yY15Tkn+hQ@mail.gmail.com>
	<CACKoP8HvXJzXkbp2_u6fJGddHox6vEWzz5nxMWeKcOfwhnWF2w@mail.gmail.com>
	<CAJgngAevhgT4_ZLS6BDgENiF8yTgGPVVHKqzc=eHNjCPOtOb6w@mail.gmail.com>
	<CACKoP8HE4nqNCC=PvVqX0C87WDE8iwv9BrrODeG9iQmAHmnb7w@mail.gmail.com>
	<CAMZCGg_knVB95V4ENU15_Gmy9XxFryomUWUWJai8ndgkeTRkJQ@mail.gmail.com>
	<CACKoP8E1ML=3KLP913dOYG_mtzBNiwq9SL4Zd8VB9yEnYuSkhQ@mail.gmail.com>
Message-ID: <CACKoP8F_pDVu5LNcTg3qdfxOXb+9r_XvfkuMNe2iQpoCqHejMw@mail.gmail.com>

Hi Seb,
Is there progress in this issue, in which release will be fixed this bug?
Thanks.

??, 13 ???. 2017 ?. ? 19:43, Adam Daduev <daduev.ad at gmail.com>:

> Hi Seb,
>
> For all i do not say, but i would wanted. About specs, i do not know. I
> use Keycloak in my application, and i can not to report user when session
> is expired. I do not know whether i said, but when occur redirect request,
> not ajax request, i catched error with jsf exception handler (there is in
> my example CommonExceptionHandler), and to report users, i want that same
> occurred with my ajax request. It is occur not only in Richfaces, but in
> Primefaces, i think it it happens with all jsf ajax request.
> And one more, i observed that keycloak session expire early than i setup
> in the keycloak admin console, and in keycloak log i have warning, error
> refresh token. Maybe these problems are bind, i do not know.
> I have one little question, can i disable refresh token, use Implicit
> Flow, when i disabled Authorization Code Flow, nothing works?
>
> Thank you.
>
> ??, 12 ???. 2017 ?. ? 15:47, Sebastien Blanc <sblanc at redhat.com>:
>
>> Hi Adam,
>>
>> I started today to look at your ticket. First of all, thank you for the
>> provided example, it makes it really easier to reproduce.
>>
>> So Stian is right, it's expecting a token which isn't present and
>> therefore returning a 401.
>> Stian suggested that we should maybe support ajax request secured with
>> the session (to support Richfaces ajax requests).
>>
>> I would like to have the opinion of everyone here, is that something we
>> want ? Doesn't we break any specs here (I have no idea just asking) ?
>>
>> Anyway I will start looking how this change could be implemented.
>>
>> Seb
>>
>>
>> On Fri, Jan 13, 2017 at 9:53 AM, Adam Daduev <daduev.ad at gmail.com> wrote:
>>
>>> I created JIRA bug, and add simple example.
>>> https://issues.jboss.org/browse/KEYCLOAK-4214
>>>
>>>
>>> ??, 13 ???. 2017 ?. ? 9:34, Stian Thorgersen <sthorger at redhat.com>:
>>>
>>> > Might be that it's expecting a token in the ajax request rather than
>>> > checking for a session, not 100% sure though. RichFaces won't work
>>> unless
>>> > we can support securing the requests from the session.
>>> >
>>> > Can you create a JIRA bug for this please? If you can attach a simple
>>> > example we can build and deploy to reproduce the issue that would be
>>> > extremely helpful and we would be able to look at it sooner.
>>> >
>>> > On 12 January 2017 at 07:16, Adam Daduev <daduev.ad at gmail.com> wrote:
>>> >
>>> > After login, i get in my app, and for all my ajax request from page to
>>> > backing bean, i receive response 401 even if the session is still
>>> alive.
>>> > If removed autodetect-bearer-only option, all work fine, but going
>>> back to
>>> > the old error.
>>> >
>>> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
>>> > realms/azovstal/protocol/openid-connect/auth??ml&state=
>>> > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
>>> > 'Access-Control-Allow-Origin' header is present on the requested
>>> resource.
>>> > Origin 'http://localhost:8080' is therefore not allowed access.
>>> >
>>> > ---------- Forwarded message ---------
>>> > From: Adam Daduev <daduev.ad at gmail.com>
>>> > Date: ??, 10 ???. 2017 ?. ? 14:08
>>> > Subject: Re: [keycloak-user] Error when session expired and ajax
>>> request
>>> > execute in Keycloak?
>>> > To: <stian at redhat.com>
>>> >
>>> >
>>> > I tried, but does not work.
>>> > Firstly, i add autodetect-bearer-only option via adapter subsystem,
>>> wildfly
>>> > not started, he not know autodetect-bearer-only option, then, i added
>>> via
>>> > json, wildfly started and app was deployed.
>>> > Secondly, on my ajax request to backing bean, i receive response 401
>>> and
>>> > does not happend.
>>> > This is my keycloak.json
>>> > {
>>> > "realm": "azovstal",
>>> > "auth-server-url": "http://dc09-apps-06:8090/auth",
>>> > "ssl-required": "none",
>>> > "resource": "web-test",
>>> > "public-client": true,
>>> > "use-resource-role-mappings": true,
>>> > "autodetect-bearer-only": true
>>> > }
>>> >
>>> > ??, 10 ???. 2017 ?. ? 10:19, <daduev.ad at gmail.com>:
>>> >
>>> > Ok, I try, thanks.
>>> >
>>> > 10 ???. 2017 ?., ? 07:07, Stian Thorgersen <sthorger at redhat.com>
>>> > ???????(?):
>>> >
>>> > In that case take a look at the new autodetect-bearer-only option.
>>> You'll
>>> > need 2.5.0.Final for that.
>>> >
>>> > On 9 January 2017 at 19:18, <daduev.ad at gmail.com> wrote:
>>> >
>>> > No, I have jsf 2 app with richfaces framework, which deploy on wildfly
>>> > 10.1.
>>> >
>>> > 9 ???. 2017 ?., ? 14:51, Stian Thorgersen <sthorger at redhat.com>
>>> > ???????(?):
>>> >
>>> > [Adding list back]
>>> >
>>> > A web app redirects the user to a login page if not authenticated,
>>> while a
>>> > service should return a 401.
>>> >
>>> > It sounds like what you have is a JS application with a service
>>> backend. In
>>> > Keycloak you should have two separate types of clients for that. The JS
>>> > application should be a public client, while the services a bearer-only
>>> > client.
>>> >
>>> > On 9 January 2017 at 13:39, Adam Daduev <daduev.ad at gmail.com> wrote:
>>> >
>>> > Thanks for the answer.
>>> > Yes i have confidential client, i have web application, that asks
>>> > Keycloak server
>>> > to authenticate a user for them. As I understand, bearer-only is for
>>> web
>>> > services clients.
>>> > I probably something do not understand?
>>> >
>>> > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>>> >
>>> > Looks like your services are configured as confidential clients rather
>>> than
>>> > bearer-only and hence is sending a login request back rather than a
>>> 401.
>>> > You should either swap your service war to be a bearer-only client or
>>> use
>>> > the new autodetect-bearer-only option in adapters if you have both web
>>> > pages and services in the same war.
>>> >
>>> > On 8 January 2017 at 23:29, Adam Daduev <daduev.ad at gmail.com> wrote:
>>> >
>>> > Hi, can you help me!
>>> > When session expired and ajax request execute in Keycloak, i have
>>> error in
>>> > browser console:
>>> >
>>> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
>>> > realms/azovstal/protocol/openid-connect/auth??ml&state=
>>> > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
>>> > 'Access-Control-Allow-Origin' header is present on the requested
>>> resource.
>>> > Origin 'http://localhost:8080' is therefore not allowed access.
>>> >
>>> > I add in Keycloak admin console, in the client setting, Web Origins=
>>> > http://localhost:8080 (or *), and enabled cors in app, but still has
>>> error
>>> > in console. I used Keycloak 2.5.0
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> >
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>

From mevans at aconex.com  Thu Jun 22 02:04:30 2017
From: mevans at aconex.com (Matt Evans)
Date: Thu, 22 Jun 2017 06:04:30 +0000
Subject: [keycloak-user] User Attributes value length
Message-ID: <ME1PR01MB0769A80D043CFAB9A8539207A9DB0@ME1PR01MB0769.ausprd01.prod.outlook.com>

Hi

We're using keycloak with postgresql and we've just hit a problem where one of our user attribute values is long, and it's longer than the max of the fed_user_attribute.value column, which is varchar(2024).

Was there a reason it's set to 2024? Is there a reason for me not to alter the column to a text type (or unbound varchar)?

Thanks

Matt

From jose.damaso at linkconsulting.com  Thu Jun 22 04:11:15 2017
From: jose.damaso at linkconsulting.com (=?utf-8?B?Sm9zw6kgRWR1YXJkbyBQYWl2YSBEw6JtYXNv?=)
Date: Thu, 22 Jun 2017 08:11:15 +0000
Subject: [keycloak-user] Behavior of back-channel logout for starter
	application
In-Reply-To: <VI1PR04MB29916E9E56A6799F79DF5A9581DA0@VI1PR04MB2991.eurprd04.prod.outlook.com>
Message-ID: <ccc8c478-53b5-4073-a681-55b872b78a4e@aitec.pt>

Hello,

We are observing an issue with the back-channel logout functionality on our clustered application.

The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:


?         The user logs in to the application and starts an HTTP session on node 2

?         The user logs out (HttpServletRequest.logout)

?         Keycloak starts the single-log-out process and sends a ?k_logout? POST to our cluster

?         The ?k_logout? POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it?s owned by node 2)

?         The ?k_logout? request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:

o   19:11:08,118 WARN  [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed

My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?

Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.

Thanks,
Jos? D?maso


From jose.damaso at linkconsulting.com  Thu Jun 22 04:17:23 2017
From: jose.damaso at linkconsulting.com (=?Windows-1252?Q?Jos=E9_Eduardo_Paiva_D=E2maso?=)
Date: Thu, 22 Jun 2017 08:17:23 +0000
Subject: [keycloak-user] Behavior of back-channel logout for
	starter	application
In-Reply-To: <ccc8c478-53b5-4073-a681-55b872b78a4e@aitec.pt>
References: <VI1PR04MB29916E9E56A6799F79DF5A9581DA0@VI1PR04MB2991.eurprd04.prod.outlook.com>,
	<ccc8c478-53b5-4073-a681-55b872b78a4e@aitec.pt>
Message-ID: <cc1c023c-e59d-4e34-9ec3-cdb062aa4100@aitec.pt>

Correction: I meant logout process (not login) on my first question.
________________________________
From: Jos? Eduardo Paiva D?maso <jose.damaso at linkconsulting.com>
Sent: Jun 22, 2017 09:12
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Behavior of back-channel logout for starter application

Hello,

We are observing an issue with the back-channel logout functionality on our clustered application.

The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:


?         The user logs in to the application and starts an HTTP session on node 2

?         The user logs out (HttpServletRequest.logout)

?         Keycloak starts the single-log-out process and sends a ?k_logout? POST to our cluster

?         The ?k_logout? POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it?s owned by node 2)

?         The ?k_logout? request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:

o   19:11:08,118 WARN  [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed

My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?

Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.

Thanks,
Jos? D?maso

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.goettlich at it-informatik.de  Thu Jun 22 07:12:12 2017
From: thomas.goettlich at it-informatik.de (=?iso-8859-1?Q?G=F6ttlich=2C_Thomas?=)
Date: Thu, 22 Jun 2017 11:12:12 +0000
Subject: [keycloak-user] Behavior of back-channel logout
	for	starter	application
In-Reply-To: <cc1c023c-e59d-4e34-9ec3-cdb062aa4100@aitec.pt>
References: <VI1PR04MB29916E9E56A6799F79DF5A9581DA0@VI1PR04MB2991.eurprd04.prod.outlook.com>,
	<ccc8c478-53b5-4073-a681-55b872b78a4e@aitec.pt>
	<cc1c023c-e59d-4e34-9ec3-cdb062aa4100@aitec.pt>
Message-ID: <8ae7c3b442884cf2a384b55d9048c727@SRV-ESX-MAIL2.itulm.lan>

Hi,

I'm not sure I correctly understand your problem but as far as I know this is correct behavior.
The back-channel logout (k_logout) is meant to notify all clients (even those the user did not access) that this user has logged out, thus allowing them to do cleanup work, e.g. deleting any client-side http sessions, access tokens etc.

Mit freundlichen Gr??en 

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH 
Magirus-Deutz-Stra?e 17, 89077 Ulm 
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de 
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662 
Sitz der Gesellschaft: Ulm 
USt-IdNr.: DE 145567338 
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele


-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Jos? Eduardo Paiva D?maso
Gesendet: Donnerstag, 22. Juni 2017 10:17
An: keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] Behavior of back-channel logout for starter application

Correction: I meant logout process (not login) on my first question.
________________________________
From: Jos? Eduardo Paiva D?maso <jose.damaso at linkconsulting.com>
Sent: Jun 22, 2017 09:12
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Behavior of back-channel logout for starter application

Hello,

We are observing an issue with the back-channel logout functionality on our clustered application.

The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:


?         The user logs in to the application and starts an HTTP session on node 2

?         The user logs out (HttpServletRequest.logout)

?         Keycloak starts the single-log-out process and sends a 'k_logout' POST to our cluster

?         The 'k_logout' POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it's owned by node 2)

?         The 'k_logout' request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:

o   19:11:08,118 WARN  [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed

My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?

Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.

Thanks,
Jos? D?maso

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From federico at info.nl  Thu Jun 22 09:20:53 2017
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Thu, 22 Jun 2017 13:20:53 +0000
Subject: [keycloak-user] Recommended way to import user accounts with
 external identity provider information?
Message-ID: <72DC34C5-A442-441F-9BCC-57A9405A70C5@info.nl>

Hello,

I?m facing currently a migration scenario where I have a group of users which need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users which authenticate via external identity providers (eg: facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all).

From the source system, I have access to the facebook user id and email address, so first I tried to include that as federated identity in the users import:

{
    "realm": "test",
    "users": [
        {
            "createdTimestamp" : 1476191007295,
            "username" : "somebody at somewhere.com",
            "enabled" : true,
            "totp" : false,
            "emailVerified" : true,
            "firstName" : "Test",
            "lastName" : "Test",
            "email" : "somebody at somewhere.com",
            "credentials" : [ ],
            "disableableCredentialTypes" : [ ],
            "requiredActions" : [ ],
            "federatedIdentities" : [ {
              "identityProvider" : "facebook",
              "userId" : "0123456789",
              "userName" : "somebody at somewhere.com",
            } ],
            "realmRoles" : [ "offline_access", "uma_authorization" ],
            "clientRoles" : {
              "account" : [ "manage-account", "view-profile" ]
            }
          }
      ]
}

, which imports fine, and I can see the link in the admin console, but when attempting to login using Facebook, Keycloak ignores that data and redirects to the ?Account linking? screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to login with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration.

I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but can?t figure out what is it. Is there any possible way to avoid the account linking step?

Met vriendelijke groet,

Federico Navarro

backend developer

federico at info.nl<mailto:federico at info.nl>  |  LinkedIn<https://www.linkedin.com/company/info-nl>  |  +31 (0)2 05 30 91 61<tel:+31205309161>

info.nl<http://www.info.nl/>

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100<tel:+31205309100>



From jose.damaso at linkconsulting.com  Thu Jun 22 09:49:15 2017
From: jose.damaso at linkconsulting.com (=?iso-8859-1?Q?Jos=E9_Eduardo_Paiva_D=E2maso?=)
Date: Thu, 22 Jun 2017 13:49:15 +0000
Subject: [keycloak-user] Behavior of back-channel logout
	for	starter	application
In-Reply-To: <8ae7c3b442884cf2a384b55d9048c727@SRV-ESX-MAIL2.itulm.lan>
References: <VI1PR04MB29916E9E56A6799F79DF5A9581DA0@VI1PR04MB2991.eurprd04.prod.outlook.com>,
	<ccc8c478-53b5-4073-a681-55b872b78a4e@aitec.pt>
	<cc1c023c-e59d-4e34-9ec3-cdb062aa4100@aitec.pt>
	<8ae7c3b442884cf2a384b55d9048c727@SRV-ESX-MAIL2.itulm.lan>
Message-ID: <AM5PR04MB29807F00C6B4768CB8BBDCCB81DB0@AM5PR04MB2980.eurprd04.prod.outlook.com>

Hi,

Thanks for the response.

I understand the point of the back-channel logout process to notify other clients.
My question is why does Keycloak notify the same client that is requesting the logout? It should be assumed that the client that requested the logout will do its own cleanup, no?

In our case, this causes a deadlock because our app waits for Keycloak to finish the logout but Keycloak is waiting for that same app to process a back-channel logout that itself has requested.

Best regards,
Jos? D?maso

-----Original Message-----
From: G?ttlich, Thomas [mailto:thomas.goettlich at it-informatik.de] 
Sent: 22 de junho de 2017 12:12
To: Jos? Eduardo Paiva D?maso <jose.damaso at linkconsulting.com>; keycloak-user at lists.jboss.org
Subject: AW: [keycloak-user] Behavior of back-channel logout for starter application

Hi,

I'm not sure I correctly understand your problem but as far as I know this is correct behavior.
The back-channel logout (k_logout) is meant to notify all clients (even those the user did not access) that this user has logged out, thus allowing them to do cleanup work, e.g. deleting any client-side http sessions, access tokens etc.

Mit freundlichen Gr??en 

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH 
Magirus-Deutz-Stra?e 17, 89077 Ulm 
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de 
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662 
Sitz der Gesellschaft: Ulm 
USt-IdNr.: DE 145567338 
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele


-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Jos? Eduardo Paiva D?maso
Gesendet: Donnerstag, 22. Juni 2017 10:17
An: keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] Behavior of back-channel logout for starter application

Correction: I meant logout process (not login) on my first question.
________________________________
From: Jos? Eduardo Paiva D?maso <jose.damaso at linkconsulting.com>
Sent: Jun 22, 2017 09:12
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Behavior of back-channel logout for starter application

Hello,

We are observing an issue with the back-channel logout functionality on our clustered application.

The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:


?         The user logs in to the application and starts an HTTP session on node 2

?         The user logs out (HttpServletRequest.logout)

?         Keycloak starts the single-log-out process and sends a 'k_logout' POST to our cluster

?         The 'k_logout' POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it's owned by node 2)

?         The 'k_logout' request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:

o   19:11:08,118 WARN  [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed

My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?

Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.

Thanks,
Jos? D?maso

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From shimin_q at yahoo.com  Thu Jun 22 10:23:09 2017
From: shimin_q at yahoo.com (shimin q)
Date: Thu, 22 Jun 2017 14:23:09 +0000 (UTC)
Subject: [keycloak-user] keycloak with embedded servlet containers
In-Reply-To: <363727655.653573.1498069560731@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
	<552966330.515120.1495814645292@mail.yahoo.com>
	<665622394.7365199.1497276429078@mail.yahoo.com>
	<589278003.8455132.1497364705835@mail.yahoo.com>
	<363727655.653573.1498069560731@mail.yahoo.com>
Message-ID: <963152054.4226083.1498141389085@mail.yahoo.com>

Are all the keycloak client adaptors meant to be deployed/installed in external servlet containers (not the embedded containers)? ?We have some web apps that use embedded jetty. ?The Jetty client adaptors that Keycloak supports are for external jetty containers, correct? ?If we were to integrate keycloak with embedded jetty, how do we go about it?
Please advise. ?Thank you!

From mposolda at redhat.com  Fri Jun 23 02:08:53 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 23 Jun 2017 08:08:53 +0200
Subject: [keycloak-user] keycloak with embedded servlet containers
In-Reply-To: <963152054.4226083.1498141389085@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
	<552966330.515120.1495814645292@mail.yahoo.com>
	<665622394.7365199.1497276429078@mail.yahoo.com>
	<589278003.8455132.1497364705835@mail.yahoo.com>
	<363727655.653573.1498069560731@mail.yahoo.com>
	<963152054.4226083.1498141389085@mail.yahoo.com>
Message-ID: <10c71415-9b02-804d-325c-c7922c6bc74e@redhat.com>

It's not officially supported, but I think it should work. You somehow 
need to programatically inject the securityHandler with the 
KeycloakJettyAuthenticator to Jetty handler chain for your webapps. 
We're doing something similar in our Fuse adapters btv.

Marek

On 22/06/17 16:23, shimin q wrote:
> Are all the keycloak client adaptors meant to be deployed/installed in 
> external servlet containers (not the embedded containers)?  We have 
> some web apps that use embedded jetty.  The Jetty client adaptors that 
> Keycloak supports are for external jetty containers, correct?  If we 
> were to integrate keycloak with embedded jetty, how do we go about it?
>
> Please advise.  Thank you!



From mposolda at redhat.com  Fri Jun 23 02:15:45 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 23 Jun 2017 08:15:45 +0200
Subject: [keycloak-user] Recommended way to import user accounts with
 external identity provider information?
In-Reply-To: <72DC34C5-A442-441F-9BCC-57A9405A70C5@info.nl>
References: <72DC34C5-A442-441F-9BCC-57A9405A70C5@info.nl>
Message-ID: <e870c980-1513-2009-6f1d-8509890042e6@redhat.com>

I think it should work - unless we have a bug :) The question is if 
"userId" and "userName" are really filled correctly in your JSON?

I suggest that you try to setup some Keycloak environment from scratch 
and do facebook login there. Then you can doublecheck the content from 
DB and how the federated link in Keycloak DB looks like. You can also 
export Keycloak DB and re-import to clean DB and then doublecheck if 
Facebook login still works after export/import.

If this works, you can compare the exported JSON with your own JSON file 
and doublecheck if "userId" and "userName" matches.

Marek

On 22/06/17 15:20, Federico Navarro Polo - Info.nl wrote:
> Hello,
>
> I?m facing currently a migration scenario where I have a group of users which need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users which authenticate via external identity providers (eg: facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all).
>
>  From the source system, I have access to the facebook user id and email address, so first I tried to include that as federated identity in the users import:
>
> {
>      "realm": "test",
>      "users": [
>          {
>              "createdTimestamp" : 1476191007295,
>              "username" : "somebody at somewhere.com",
>              "enabled" : true,
>              "totp" : false,
>              "emailVerified" : true,
>              "firstName" : "Test",
>              "lastName" : "Test",
>              "email" : "somebody at somewhere.com",
>              "credentials" : [ ],
>              "disableableCredentialTypes" : [ ],
>              "requiredActions" : [ ],
>              "federatedIdentities" : [ {
>                "identityProvider" : "facebook",
>                "userId" : "0123456789",
>                "userName" : "somebody at somewhere.com",
>              } ],
>              "realmRoles" : [ "offline_access", "uma_authorization" ],
>              "clientRoles" : {
>                "account" : [ "manage-account", "view-profile" ]
>              }
>            }
>        ]
> }
>
> , which imports fine, and I can see the link in the admin console, but when attempting to login using Facebook, Keycloak ignores that data and redirects to the ?Account linking? screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to login with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration.
>
> I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but can?t figure out what is it. Is there any possible way to avoid the account linking step?
>
> Met vriendelijke groet,
>
> Federico Navarro
>
> backend developer
>
> federico at info.nl<mailto:federico at info.nl>  |  LinkedIn<https://www.linkedin.com/company/info-nl>  |  +31 (0)2 05 30 91 61<tel:+31205309161>
>
> info.nl<http://www.info.nl/>
>
> Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100<tel:+31205309100>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From sblanc at redhat.com  Fri Jun 23 03:36:48 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 23 Jun 2017 09:36:48 +0200
Subject: [keycloak-user] keycloak with embedded servlet containers
In-Reply-To: <10c71415-9b02-804d-325c-c7922c6bc74e@redhat.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
	<552966330.515120.1495814645292@mail.yahoo.com>
	<665622394.7365199.1497276429078@mail.yahoo.com>
	<589278003.8455132.1497364705835@mail.yahoo.com>
	<363727655.653573.1498069560731@mail.yahoo.com>
	<963152054.4226083.1498141389085@mail.yahoo.com>
	<10c71415-9b02-804d-325c-c7922c6bc74e@redhat.com>
Message-ID: <CAMZCGg8RVo0dkMK=jtgK9ooCw0ZLw46LXSv5BbDi2iPo8cYOxQ@mail.gmail.com>

You can get some inspiration but looking at the Spring Boot Adapter that
leverage the embedded containers :
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-boot/src/main/java/org/keycloak/adapters/springboot/KeycloakAutoConfiguration.java

On Fri, Jun 23, 2017 at 8:08 AM, Marek Posolda <mposolda at redhat.com> wrote:

> It's not officially supported, but I think it should work. You somehow
> need to programatically inject the securityHandler with the
> KeycloakJettyAuthenticator to Jetty handler chain for your webapps. We're
> doing something similar in our Fuse adapters btv.
>
> Marek
>
> On 22/06/17 16:23, shimin q wrote:
>
> Are all the keycloak client adaptors meant to be deployed/installed in
> external servlet containers (not the embedded containers)?  We have some
> web apps that use embedded jetty.  The Jetty client adaptors that Keycloak
> supports are for external jetty containers, correct?  If we were to
> integrate keycloak with embedded jetty, how do we go about it?
>
> Please advise.  Thank you!
>
>
>

From kasugakyosuke at gmail.com  Fri Jun 23 13:05:51 2017
From: kasugakyosuke at gmail.com (Sherminator Kasuga)
Date: Fri, 23 Jun 2017 19:05:51 +0200
Subject: [keycloak-user] Keycloak offline token
Message-ID: <CAEC2WbwfSUN_vqPjJ7LtkiNnjr5VTT4h3AsZxDTAGyB3FESzsg@mail.gmail.com>

I have a web app (called A) that is using Keycloak to login in.
There is another external web app (called B) that uses an own system as
login.

Now I need to create a link between A to B that automatic logins into web
app B without keycloak login form (auto-login).

How can i reproduce this behavior?
I have user and a password for B , and i am thinking to use an offline
token could help me with this objective.

username=bburke&password=geheim&grant_type=password&scope=offline_access

Saving into the database of A the offline token at the first time that
i use the link and then using this offline token for the next.

could it be possible?


my idea is something like:

If database.offlinetoken = empty
    LINK_TO_GENERATE_OFFLINE_TOKEN  --- save this token into db after login in B

else

    LINK_USING_OFFLINETOKEN
endif


Do you have any example about how to build above links? Thanks in advance :)

From john.d.ament at gmail.com  Fri Jun 23 14:32:11 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 23 Jun 2017 18:32:11 +0000
Subject: [keycloak-user] Supporting forceAuthn on a per scenario basis
Message-ID: <CAOqetn_7_zqWgNT+E6O0ZhX631rejMsOp7dmicHCLtrKfTEW=Q@mail.gmail.com>

Hi,

I have a use case where I need to support the SAML forceAuthn on a per
scenario basis.  E.g. when a user does action 1, need to send the
forceAuthn flag, but when they do any other action don't send it.

When I look at the code in SAMLIdentityProvider, I see this being built:

SAML2AuthnRequestBuilder authnRequestBuilder = new
SAML2AuthnRequestBuilder()
                    .assertionConsumerUrl(assertionConsumerServiceUrl)
                    .destination(destinationUrl)
                    .issuer(issuerURL)
                    .forceAuthn(getConfig().isForceAuthn())
                    .protocolBinding(protocolBinding)

.nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));

so it always looks at the config.  If we wanted to support a forceAuthn
behavior based on other actions, how could that work?  I was thinking the
oidc prompt attribute could be used, but I don't seem to have the OIDC
request available in this class.

John

From pkboucher801 at gmail.com  Mon Jun 26 10:07:17 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Mon, 26 Jun 2017 10:07:17 -0400
Subject: [keycloak-user] Brokering tenant SSO (instead of social SSO)
Message-ID: <009501d2ee85$8561dcd0$90259670$@gmail.com>

We have an app that is multi-tenanted (the app is provisioned in a realm per
tenant, with some code that knows which keycloak.json to load for the
appropriate realm).

 

We want to support SSO from the tenants using SAML. Ideally, the tenant's
user would be logged into their own intranet, and from there, they would
click on a link and end up logged into our app without having to see any
login page or SSO provider selection page.

 

We were thinking that one way this could be done would be to shortcut steps
3 and 4 in the diagram at
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-brok
er/overview.html (maybe by writing javascript code in the in the page to
automatically select the tenant appropriate for the current realm and submit
it in order carry out the rest of the SSO without asking the user to click
on anything).

 

Is there a way to do this without kludging javascript into the SSO provider
selection page?

 

Thanks!

 

Regards,

Peter K. Boucher

 


From pkboucher801 at gmail.com  Mon Jun 26 10:14:31 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Mon, 26 Jun 2017 10:14:31 -0400
Subject: [keycloak-user] How to display user information from keycloak
	SAML	adapter assertions/session?
In-Reply-To: <CAAqgmoO6jzwTrqaLKrbDKFRQ44L92eNLZztd2xZ+eVR1mc91Kg@mail.gmail.com>
References: <CAAqgmoO6jzwTrqaLKrbDKFRQ44L92eNLZztd2xZ+eVR1mc91Kg@mail.gmail.com>
Message-ID: <009a01d2ee86$87e36220$97aa2660$@gmail.com>

Hi Ken,

Did you use Keycloak as an identity broker (as in
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-brok
er/overview.html), or did you configure ADFS as the IdP in some other way?

Thanks!

Regards,
Peter K. Boucher

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org
[mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of ken edward
Sent: Thursday, June 15, 2017 10:36 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How to display user information from keycloak SAML
adapter assertions/session?

Hello,

I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
I created a simple web app with a protected /saml directory. It seems
to work. BUT how can I display the logged in user information after
the user is authenticated?

org.keycloak.adapters.saml.SamlSession :
org.keycloak.adapters.saml.SamlSession at 13a50bc9

Ken
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From thomas.goettlich at it-informatik.de  Mon Jun 26 11:08:25 2017
From: thomas.goettlich at it-informatik.de (=?iso-8859-1?Q?G=F6ttlich=2C_Thomas?=)
Date: Mon, 26 Jun 2017 15:08:25 +0000
Subject: [keycloak-user] Behavior of back-channel logout
	for	starter	application
In-Reply-To: <AM5PR04MB29807F00C6B4768CB8BBDCCB81DB0@AM5PR04MB2980.eurprd04.prod.outlook.com>
References: <VI1PR04MB29916E9E56A6799F79DF5A9581DA0@VI1PR04MB2991.eurprd04.prod.outlook.com>,
	<ccc8c478-53b5-4073-a681-55b872b78a4e@aitec.pt>
	<cc1c023c-e59d-4e34-9ec3-cdb062aa4100@aitec.pt>
	<8ae7c3b442884cf2a384b55d9048c727@SRV-ESX-MAIL2.itulm.lan>
	<AM5PR04MB29807F00C6B4768CB8BBDCCB81DB0@AM5PR04MB2980.eurprd04.prod.outlook.com>
Message-ID: <ecedbd8858e24119b136aa077981f3b5@SRV-ESX-MAIL2.itulm.lan>

Hi,

as far as I know Keycloak doesn't care which client called the logout url, especially since in most cases it would be the user's browser that calls that url and which gets the redirect as a response.
Thus Keycloak probably assumes that none of the clients (especially the backend systems) don't know when the logout url is being called via their frontend and hence Keycloak informs all clients.

If I understand you correctly your client does the call on behalf of the user so you might try to do something like this:
- push some flag into the user's http session
- call the logout url
- do your required cleanup
- remove the flag from the http session

Then you'd probably need to modify the adapter so that upon k_logout being called it checks the current http session (it should know which that is anyways) and if the flag is present it would just ignore the call.

Mit freundlichen Gr??en 

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH 
Magirus-Deutz-Stra?e 17, 89077 Ulm 
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de 
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662 
Sitz der Gesellschaft: Ulm 
USt-IdNr.: DE 145567338 
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele


-----Urspr?ngliche Nachricht-----
Von: Jos? Eduardo Paiva D?maso [mailto:jose.damaso at linkconsulting.com] 
Gesendet: Donnerstag, 22. Juni 2017 15:49
An: G?ttlich, Thomas <thomas.goettlich at it-informatik.de>; keycloak-user at lists.jboss.org
Betreff: RE: [keycloak-user] Behavior of back-channel logout for starter application

Hi,

Thanks for the response.

I understand the point of the back-channel logout process to notify other clients.
My question is why does Keycloak notify the same client that is requesting the logout? It should be assumed that the client that requested the logout will do its own cleanup, no?

In our case, this causes a deadlock because our app waits for Keycloak to finish the logout but Keycloak is waiting for that same app to process a back-channel logout that itself has requested.

Best regards,
Jos? D?maso

-----Original Message-----
From: G?ttlich, Thomas [mailto:thomas.goettlich at it-informatik.de] 
Sent: 22 de junho de 2017 12:12
To: Jos? Eduardo Paiva D?maso <jose.damaso at linkconsulting.com>; keycloak-user at lists.jboss.org
Subject: AW: [keycloak-user] Behavior of back-channel logout for starter application

Hi,

I'm not sure I correctly understand your problem but as far as I know this is correct behavior.
The back-channel logout (k_logout) is meant to notify all clients (even those the user did not access) that this user has logged out, thus allowing them to do cleanup work, e.g. deleting any client-side http sessions, access tokens etc.

Mit freundlichen Gr??en 

i. A. Thomas G?ttlich
-------------------------------------------------------------
Entwicklung factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH 
Magirus-Deutz-Stra?e 17, 89077 Ulm 
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de 
-------------------------------------------------------------
Amtsgericht Ulm: HRB 2662 
Sitz der Gesellschaft: Ulm 
USt-IdNr.: DE 145567338 
Gesch?ftsf?hrender Gesellschafter: G?nter N?gele


-----Urspr?ngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Jos? Eduardo Paiva D?maso
Gesendet: Donnerstag, 22. Juni 2017 10:17
An: keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] Behavior of back-channel logout for starter application

Correction: I meant logout process (not login) on my first question.
________________________________
From: Jos? Eduardo Paiva D?maso <jose.damaso at linkconsulting.com>
Sent: Jun 22, 2017 09:12
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Behavior of back-channel logout for starter application

Hello,

We are observing an issue with the back-channel logout functionality on our clustered application.

The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:


?         The user logs in to the application and starts an HTTP session on node 2

?         The user logs out (HttpServletRequest.logout)

?         Keycloak starts the single-log-out process and sends a 'k_logout' POST to our cluster

?         The 'k_logout' POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it's owned by node 2)

?         The 'k_logout' request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:

o   19:11:08,118 WARN  [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed

My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?

Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.

Thanks,
Jos? D?maso

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From mytestemal at gmail.com  Mon Jun 26 11:31:03 2017
From: mytestemal at gmail.com (Julian Wermes)
Date: Mon, 26 Jun 2017 08:31:03 -0700 (MST)
Subject: [keycloak-user]  Authentication SPI and connection management
Message-ID: <1498491063657-3942.post@n6.nabble.com>

Hello,


I've followed the instructions from

https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html

But instead of changing the existing DS and provider, I added
another one, because I have to implement additional check and/or actions
against the data in the second database:

   <subsystem xmlns="urn:jboss:domain:datasources:4.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS"
pool-name="KeycloakDS" enabled="true" use-java-context="true">
           ...
        </datasource>
        <datasource jndi-name="java:jboss/datasources/myDbDS"
pool-name="mydb" enabled="true" use-java-context="true">
<connection-url>jdbc:postgresql://192.168.XX.XX/myproject</connection-url>
            <driver>postgresql</driver>
            <pool>
                <max-pool-size>20</max-pool-size>
            </pool>
            <security>
                <user-name>user</user-name>
                <password>password</password>
            </security>
        </datasource>
      </datasources>
   </subsystem>
   <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">

      <spi name="connectionsJpa">
         <provider name="default" enabled="true">
            ...
         </provider>
         <provider name="mydb" enabled="true">
             <properties>
                 <property name="dataSource"
value="java:jboss/datasources/myDbDS"/>
                 <property name="initializeEmpty" value="false"/>
                 <property name="migrationStrategy" value="validate"/>
             </properties>
         </provider>
      </spi>
      ...
   </subsystem>


Now I can't find this connection provider in the admin console. Only the
default is listed in Server Info > Providers. In the log file I've found
initialization of both datasources

 (MSC service thread 1-8) WFLYJCA0001: Bound data source
[java:jboss/datasources/KeycloakDS
 (MSC service thread 1-1) WFLYJCA0001: Bound data source
[java:jboss/datasources/myDbDS

but only one PersistenceUnit was processed:

HHH000204: Processing PersistenceUnitInfo [
	name: keycloak-default
	...]



As result the call 

context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class,
"default")

does return me an instance of JpaConnectionProvider Class, but the call

context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class,
"mydb")

returns null.

Would you suggest possible solution of the problem?

Server Version: 3.1.0.Final 

Thank a lot in advance.





--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Authentication-SPI-and-connection-management-tp3942.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From sthorger at redhat.com  Tue Jun 27 02:43:56 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jun 2017 08:43:56 +0200
Subject: [keycloak-user] Review Japanese PR
Message-ID: <CAJgngAcUGLbR-yA1GE_VfTYe87N_JzCqUrJY5QQT1ev0KpHYRg@mail.gmail.com>

There's a PR for fixes to the Japanese translations. Could someone review
it please?

https://github.com/keycloak/keycloak/pull/4245

From sthorger at redhat.com  Tue Jun 27 02:45:20 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jun 2017 08:45:20 +0200
Subject: [keycloak-user] Review German PR
Message-ID: <CAJgngAdwHZ-Cz4KMBoN6XbjnyvEkuMBybCN-r3u18K5+EDk9vQ@mail.gmail.com>

Can someone please review fixes to the German translations in PR
https://github.com/keycloak/keycloak/pull/4234?

From mytestemal at gmail.com  Tue Jun 27 03:50:59 2017
From: mytestemal at gmail.com (Max Musternam)
Date: Tue, 27 Jun 2017 09:50:59 +0200
Subject: [keycloak-user] Authentication SPI and connection management
Message-ID: <CAGVVpncM2cXH3tmJnjv2M-2F2F4H0V6RqP2SEgbXX0_uvZuHBw@mail.gmail.com>

Hello,


I've followed the instructions from

https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html

But instead of changing the existing DS and provider, I added
another one, because I have to implement additional check and/or actions
against the data in the second database:

   <subsystem xmlns="urn:jboss:domain:datasources:4.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS"
pool-name="KeycloakDS" enabled="true" use-java-context="true">
           ...
        </datasource>
        <datasource jndi-name="java:jboss/datasources/myDbDS"
pool-name="mydb" enabled="true" use-java-context="true">
<connection-url>jdbc:postgresql://192.168.XX.XX/myproject</connection-url>
            <driver>postgresql</driver>
            <pool>
                <max-pool-size>20</max-pool-size>
            </pool>
            <security>
                <user-name>user</user-name>
                <password>password</password>
            </security>
        </datasource>
      </datasources>
   </subsystem>
   <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">

      <spi name="connectionsJpa">
         <provider name="default" enabled="true">
            ...
         </provider>
         <provider name="mydb" enabled="true">
             <properties>
                 <property name="dataSource"
value="java:jboss/datasources/myDbDS"/>
                 <property name="initializeEmpty" value="false"/>
                 <property name="migrationStrategy" value="validate"/>
             </properties>
         </provider>
      </spi>
      ...
   </subsystem>


Now I can't find this connection provider in the admin console. Only the
default is listed in Server Info > Providers. In the log file I've found
initialization of both datasources

 (MSC service thread 1-8) WFLYJCA0001: Bound data source
[java:jboss/datasources/KeycloakDS
 (MSC service thread 1-1) WFLYJCA0001: Bound data source
[java:jboss/datasources/myDbDS

but only one PersistenceUnit was processed:

HHH000204: Processing PersistenceUnitInfo [
        name: keycloak-default
        ...]



As result the call

context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class,
"default")

does return me an instance of JpaConnectionProvider Class, but the call

context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class,
"mydb")

returns null.

Would you suggest possible solution of the problem?

Server Version: 3.1.0.Final

Thank a lot in advance.

From jonas.schoenenberger at gmail.com  Tue Jun 27 04:58:05 2017
From: jonas.schoenenberger at gmail.com (=?UTF-8?Q?Jonas_Sch=C3=B6nenberger?=)
Date: Tue, 27 Jun 2017 10:58:05 +0200
Subject: [keycloak-user] java.lang.ClassNotFoundException when running
 Keycloak with an spi that is using Akka
Message-ID: <CAP1gnsJKf51-vfDtyUBS4=zYyHFc5R-7Lqm52E0M8z4cSN1PfA@mail.gmail.com>

Hi everyone

I am writing an Keycloak SPI that will modify clients based on events.
Therefore I use the EventListenerProvider. In the SPI code, that is written
in Scala, I am using the Akka library for certain tasks. Unfortunately I
get an ClassNotFoundException for the class
akka.event.DefaultLoggingFilter when I run Keycloak with the spi. I've
built an spi before, that is not using Akka and it worked.
The class is available inside the spi .jar-file. I found a ticket on
Keycloak's Jira Board (https://issues.jboss.org/browse/KEYCLOAK-4738) and
updated to Keycloak version 3.1.0.Final, that contains the fix for this
ticket - didn't help.

Here is the full error message I get:

09:47:49,003 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> -- 52) MSC000001: Failed to start service
> jboss.undertow.deployment.default-server.default-host./auth:
> org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./auth:
> java.lang.RuntimeException: RESTEASY003325: Failed to construct public
> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct
> public
> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> at
> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
> at
> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
> at
> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
> at
> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at
> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at
> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> at
> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at
> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
> at
> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
> at
> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> ... 6 more
> Caused by: java.lang.ClassNotFoundException:
> akka.event.DefaultLoggingFilter from [Module
> "deployment.keycloak-server.war:main" from Service Module Loader]
> at
> org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
> at
> org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
> at
> org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
> at
> org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:348)
> at
> akka.actor.ReflectiveDynamicAccess.$anonfun$getClassFor$1(ReflectiveDynamicAccess.scala:21)
> at scala.util.Try$.apply(Try.scala:209)
> at
> akka.actor.ReflectiveDynamicAccess.getClassFor(ReflectiveDynamicAccess.scala:20)
> at
> akka.actor.ReflectiveDynamicAccess.createInstanceFor(ReflectiveDynamicAccess.scala:38)
> at akka.actor.ActorSystemImpl.<init>(ActorSystem.scala:758)
> at akka.actor.ActorSystem$.apply(ActorSystem.scala:245)
> at akka.actor.ActorSystem$.apply(ActorSystem.scala:288)
> at akka.actor.ActorSystem$.apply(ActorSystem.scala:263)
> at
> some.package.keycloak.keycloak.REST.KeycloakAdminClient.<init>(REST.scala:592)
> at
> some.package.keycloak.keycloak.KeycloakConfigurator.<init>(KeycloakConfigurator.scala:21)
> at
> some.package.keycloak.MyEventListenerProviderFactory.init(MyEventListenerProvider.scala:50)
> at
> org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:209)
> at
> org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:76)
> at
> org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:313)
> at
> org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:110)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at
> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> ... 19 more
> 09:47:49,010 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> ([("deployment" => "keycloak-server.war")]) - failure description:
> {"WFLYCTL0080: Failed services" =>
> {"jboss.undertow.deployment.default-server.default-host./auth" =>
> "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./auth:
> java.lang.RuntimeException: RESTEASY003325: Failed to construct public
> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to
> construct public
> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     Caused by: java.lang.ClassNotFoundException:
> akka.event.DefaultLoggingFilter from [Module
> \"deployment.keycloak-server.war:main\" from Service Module Loader]"}}


Do you guys have an idea what can cause this error and how to solve it?

Thank you for your help and Best Regards
Jonas

From sthorger at redhat.com  Tue Jun 27 07:27:24 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jun 2017 13:27:24 +0200
Subject: [keycloak-user] Review Japanese PR
In-Reply-To: <9f1782b6-1c64-edad-5f76-d65e646c0b0c@redhat.com>
References: <CAJgngAcUGLbR-yA1GE_VfTYe87N_JzCqUrJY5QQT1ev0KpHYRg@mail.gmail.com>
	<9f1782b6-1c64-edad-5f76-d65e646c0b0c@redhat.com>
Message-ID: <CAJgngAfFxJxuPFn+m66J64Qb1k=FbLwRnkqzX=v+XkSh5aJnmg@mail.gmail.com>

Thanks. Just add a comment to the PR if it's OK or not.

On 27 June 2017 at 10:53, Masanobu Hatanaka <mhatanak at redhat.com> wrote:

> I will check this request.
>
> Thanks,
> Masanobu Hatanaka
>
> On 2017?06?27? 15:43, Stian Thorgersen wrote:
> > There's a PR for fixes to the Japanese translations. Could someone review
> > it please?
> >
> > https://github.com/keycloak/keycloak/pull/4245
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>

From sthorger at redhat.com  Tue Jun 27 07:31:15 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jun 2017 13:31:15 +0200
Subject: [keycloak-user] java.lang.ClassNotFoundException when running
 Keycloak with an spi that is using Akka
In-Reply-To: <CAP1gnsJKf51-vfDtyUBS4=zYyHFc5R-7Lqm52E0M8z4cSN1PfA@mail.gmail.com>
References: <CAP1gnsJKf51-vfDtyUBS4=zYyHFc5R-7Lqm52E0M8z4cSN1PfA@mail.gmail.com>
Message-ID: <CAJgngAfEq+sk9YQyGbgfMPHgxdc_R2EMhMQwKuEkMJX7Zfb0iQ@mail.gmail.com>

You probably just need to make sure you are passing the correct classloader
to ReflectiveDynamicAccess.

On 27 June 2017 at 10:58, Jonas Sch?nenberger <
jonas.schoenenberger at gmail.com> wrote:

> Hi everyone
>
> I am writing an Keycloak SPI that will modify clients based on events.
> Therefore I use the EventListenerProvider. In the SPI code, that is written
> in Scala, I am using the Akka library for certain tasks. Unfortunately I
> get an ClassNotFoundException for the class
> akka.event.DefaultLoggingFilter when I run Keycloak with the spi. I've
> built an spi before, that is not using Akka and it worked.
> The class is available inside the spi .jar-file. I found a ticket on
> Keycloak's Jira Board (https://issues.jboss.org/browse/KEYCLOAK-4738) and
> updated to Keycloak version 3.1.0.Final, that contains the fix for this
> ticket - didn't help.
>
> Here is the full error message I get:
>
> 09:47:49,003 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> > -- 52) MSC000001: Failed to start service
> > jboss.undertow.deployment.default-server.default-host./auth:
> > org.jboss.msc.service.StartException in service
> > jboss.undertow.deployment.default-server.default-host./auth:
> > java.lang.RuntimeException: RESTEASY003325: Failed to construct public
> > org.keycloak.services.resources.KeycloakApplication(
> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > at
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.
> run(UndertowDeploymentService.java:85)
> > at java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511)
> > at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > at
> > java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> > at
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> > at java.lang.Thread.run(Thread.java:745)
> > at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to
> construct
> > public
> > org.keycloak.services.resources.KeycloakApplication(
> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > at
> > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(
> ConstructorInjectorImpl.java:162)
> > at
> > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(
> ResteasyProviderFactory.java:2209)
> > at
> > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(
> ResteasyDeployment.java:299)
> > at
> > org.jboss.resteasy.spi.ResteasyDeployment.start(
> ResteasyDeployment.java:240)
> > at
> > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
> init(ServletContainerDispatcher.java:113)
> > at
> > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(
> HttpServletDispatcher.java:36)
> > at
> > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(
> LifecyleInterceptorInvocation.java:117)
> > at
> > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(
> RunAsLifecycleInterceptor.java:78)
> > at
> > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(
> LifecyleInterceptorInvocation.java:103)
> > at
> > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(
> ManagedServlet.java:231)
> > at
> > io.undertow.servlet.core.ManagedServlet.createServlet(
> ManagedServlet.java:132)
> > at
> > io.undertow.servlet.core.DeploymentManagerImpl.start(
> DeploymentManagerImpl.java:526)
> > at
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.
> startContext(UndertowDeploymentService.java:101)
> > at
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.
> run(UndertowDeploymentService.java:82)
> > ... 6 more
> > Caused by: java.lang.ClassNotFoundException:
> > akka.event.DefaultLoggingFilter from [Module
> > "deployment.keycloak-server.war:main" from Service Module Loader]
> > at
> > org.jboss.modules.ModuleClassLoader.findClass(
> ModuleClassLoader.java:198)
> > at
> > org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(
> ConcurrentClassLoader.java:363)
> > at
> > org.jboss.modules.ConcurrentClassLoader.performLoadClass(
> ConcurrentClassLoader.java:351)
> > at
> > org.jboss.modules.ConcurrentClassLoader.loadClass(
> ConcurrentClassLoader.java:93)
> > at java.lang.Class.forName0(Native Method)
> > at java.lang.Class.forName(Class.java:348)
> > at
> > akka.actor.ReflectiveDynamicAccess.$anonfun$getClassFor$1(
> ReflectiveDynamicAccess.scala:21)
> > at scala.util.Try$.apply(Try.scala:209)
> > at
> > akka.actor.ReflectiveDynamicAccess.getClassFor(
> ReflectiveDynamicAccess.scala:20)
> > at
> > akka.actor.ReflectiveDynamicAccess.createInstanceFor(
> ReflectiveDynamicAccess.scala:38)
> > at akka.actor.ActorSystemImpl.<init>(ActorSystem.scala:758)
> > at akka.actor.ActorSystem$.apply(ActorSystem.scala:245)
> > at akka.actor.ActorSystem$.apply(ActorSystem.scala:288)
> > at akka.actor.ActorSystem$.apply(ActorSystem.scala:263)
> > at
> > some.package.keycloak.keycloak.REST.KeycloakAdminClient.<init>(
> REST.scala:592)
> > at
> > some.package.keycloak.keycloak.KeycloakConfigurator.
> <init>(KeycloakConfigurator.scala:21)
> > at
> > some.package.keycloak.MyEventListenerProviderFactory
> .init(MyEventListenerProvider.scala:50)
> > at
> > org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(
> DefaultKeycloakSessionFactory.java:209)
> > at
> > org.keycloak.services.DefaultKeycloakSessionFactory.init(
> DefaultKeycloakSessionFactory.java:76)
> > at
> > org.keycloak.services.resources.KeycloakApplication.
> createSessionFactory(KeycloakApplication.java:313)
> > at
> > org.keycloak.services.resources.KeycloakApplication.
> <init>(KeycloakApplication.java:110)
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > at
> > sun.reflect.NativeConstructorAccessorImpl.newInstance(
> NativeConstructorAccessorImpl.java:62)
> > at
> > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
> DelegatingConstructorAccessorImpl.java:45)
> > at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> > at
> > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(
> ConstructorInjectorImpl.java:150)
> > ... 19 more
> > 09:47:49,010 ERROR [org.jboss.as.controller.management-operation]
> > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> > ([("deployment" => "keycloak-server.war")]) - failure description:
> > {"WFLYCTL0080: Failed services" =>
> > {"jboss.undertow.deployment.default-server.default-host./auth" =>
> > "org.jboss.msc.service.StartException in service
> > jboss.undertow.deployment.default-server.default-host./auth:
> > java.lang.RuntimeException: RESTEASY003325: Failed to construct public
> > org.keycloak.services.resources.KeycloakApplication(
> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> >     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to
> > construct public
> > org.keycloak.services.resources.KeycloakApplication(
> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> >     Caused by: java.lang.ClassNotFoundException:
> > akka.event.DefaultLoggingFilter from [Module
> > \"deployment.keycloak-server.war:main\" from Service Module Loader]"}}
>
>
> Do you guys have an idea what can cause this error and how to solve it?
>
> Thank you for your help and Best Regards
> Jonas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Stepan.Vanecek at finnova.com  Tue Jun 27 08:07:24 2017
From: Stepan.Vanecek at finnova.com (Vanecek Stepan)
Date: Tue, 27 Jun 2017 12:07:24 +0000
Subject: [keycloak-user] Activating events-listener SPI on keycloak startup
Message-ID: <B4BD2202-7F38-4B78-A416-E8D225919DA8@finnova.com>

Hello,

I implemented my own events-listener SPI based on the documentation example (https://keycloak.gitbooks.io/documentation/server_development/topics/providers.html).

Now I want to activate the event listener. I can do so in the admin console (Events->Config) but I would like to activate it automatically on startup. I tried modifying the standalone.xml but it did not help, probably I am missing something.

Could you please help me on how to activate the event listener implemented in the SPI on startup of keycloak?

Regards,
Stepan Vanecek

From sthorger at redhat.com  Tue Jun 27 08:51:25 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jun 2017 14:51:25 +0200
Subject: [keycloak-user] Activating events-listener SPI on keycloak
	startup
In-Reply-To: <B4BD2202-7F38-4B78-A416-E8D225919DA8@finnova.com>
References: <B4BD2202-7F38-4B78-A416-E8D225919DA8@finnova.com>
Message-ID: <CAJgngAdT_foKnSAF4TC-HWigzrkrFiiM_qkSMxNEeqpU7FUoSw@mail.gmail.com>

It's a realm config thing and can't be activated at startup.

On 27 June 2017 at 14:07, Vanecek Stepan <Stepan.Vanecek at finnova.com> wrote:

> Hello,
>
> I implemented my own events-listener SPI based on the documentation
> example (https://keycloak.gitbooks.io/documentation/server_
> development/topics/providers.html).
>
> Now I want to activate the event listener. I can do so in the admin
> console (Events->Config) but I would like to activate it automatically on
> startup. I tried modifying the standalone.xml but it did not help, probably
> I am missing something.
>
> Could you please help me on how to activate the event listener implemented
> in the SPI on startup of keycloak?
>
> Regards,
> Stepan Vanecek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From shailesh.kochhar at gmail.com  Tue Jun 27 13:12:19 2017
From: shailesh.kochhar at gmail.com (Shailesh Kochhar)
Date: Tue, 27 Jun 2017 22:42:19 +0530
Subject: [keycloak-user] OAuth 2.0 JWT Bearer flow
In-Reply-To: <CALf0UKb26tQMUpdVYEHnHgHQQfhrY=okbvMOsoRLKqMyCTSO6A@mail.gmail.com>
References: <CALf0UKb26tQMUpdVYEHnHgHQQfhrY=okbvMOsoRLKqMyCTSO6A@mail.gmail.com>
Message-ID: <CALf0UKaDdQztwuG-aoaCMF=xdTfHkFx3CtFSDExj027SooJ+UA@mail.gmail.com>

Hello everyone,

I'm working on integrating Keycloak into a multi-party authentication
system where I need to use the OAuth 2.0 JWT bearer flow as described in
this document: https://help.salesforce.com/articleView?id=
remoteaccess_oauth_jwt_flow.htm&type=0. I wanted to know if Keycloak could
support this token bearer flow.

I was able to find some documentation about client authentication with a
signed JWT. Despite searching through the list archives and the server
admin docs, I cannot tell there is a similar flow which could be used to
authenticate the user as well.

Any pointers in figuring out if this is feasible would be really helpful.


Thanks a lot!
Shailesh

From dcorbett at expedia.com  Tue Jun 27 18:09:01 2017
From: dcorbett at expedia.com (Dan Corbett)
Date: Tue, 27 Jun 2017 22:09:01 +0000
Subject: [keycloak-user] Initial state transfer times out for cache
	loginFailures
In-Reply-To: <D5784001.4269B%dcorbett@expedia.com>
References: <D5784001.4269B%dcorbett@expedia.com>
Message-ID: <D579139B.42759%dcorbett@expedia.com>

We have a 3 node cluster of Keycloak 3.1.0.Final (WildFly Core 2.0.10.Final) running in Docker AWS ECS.
It all has been running smoothly for many months, through various versions, deployments and recycles.

Just recently, when one of the containers was terminated, the new container was run by ECS but could not start Keycloak and join the cluster.

Error is:  Failed to start service jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures, Initial state transfer timed out for cache loginFailures

We also see some of the following, which may be related?
2017-06-27 05:54:01,914 DEBUG [org.infinispan.remoting.inboundhandler.NonTotalOrderPerCacheInboundInvocationHandler] (remote-thread--p10-t3) ISPN000311: Received a command from an outdated topology, returning the exception to caller: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 1962, got 1963

We enabled various Debug log levels but haven?t yet found anything conclusive.
We tried clearing caches via Infinispan JMX tooling etc, but still could not start the new node.
The two remaining instances were still clustered OK.
We provisioned additional cluster and it's working as expected, so don?t believe at this stage it?s a network communication issue.

Found this report for Redhat SSO, seems similar? I can?t see solution. https://access.redhat.com/solutions/2841711

Any info on possible cause or how to debug/investigate further would be a great help.
Configs and logs below..

Thanks
Dan

Our cache config is:

<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
            <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
                <transport lock-timeout="60000"/>
                <local-cache name="realms">
                    <eviction max-entries="10000" strategy="LRU"/>
                </local-cache>
                <local-cache name="users">
                    <eviction max-entries="10000" strategy="LRU"/>
                </local-cache>
                <distributed-cache name="sessions" mode="SYNC" owners="5" />
                <distributed-cache name="offlineSessions" mode="SYNC" owners="1" />
                <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
                <distributed-cache name="authorization" mode="SYNC" owners="1"/>
                <replicated-cache name="work" mode="SYNC"/>
                <local-cache name="keys">
                    <eviction max-entries="1000" strategy="LRU"/>
                    <expiration max-idle="3600000"/>
                </local-cache>
            </cache-container>
            <cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
                <transport lock-timeout="60000"/>
                <replicated-cache name="default" mode="SYNC">
                    <transaction mode="BATCH"/>
                </replicated-cache>
            </cache-container>
            <cache-container name="web" default-cache="dist" module="org.wildfly.clustering.web.infinispan">
                <transport lock-timeout="60000"/>
                <distributed-cache name="dist" mode="ASYNC" l1-lifespan="0" owners="2">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store/>
                </distributed-cache>
            </cache-container>
            <cache-container name="ejb" aliases="sfsb" default-cache="dist" module="org.wildfly.clustering.ejb.infinispan">
                <transport lock-timeout="60000"/>
                <distributed-cache name="dist" mode="ASYNC" l1-lifespan="0" owners="2">
                    <locking isolation="REPEATABLE_READ"/>
                    <transaction mode="BATCH"/>
                    <file-store/>
                </distributed-cache>
            </cache-container>
            <cache-container name="hibernate" default-cache="local-query" module="org.hibernate.infinispan">
                <transport lock-timeout="60000"/>
                <local-cache name="local-query">
                    <eviction strategy="LRU" max-entries="10000"/>
                    <expiration max-idle="100000"/>
                </local-cache>
                <invalidation-cache name="entity" mode="SYNC">
                    <transaction mode="NON_XA"/>
                    <eviction strategy="LRU" max-entries="10000"/>
                    <expiration max-idle="100000"/>
                </invalidation-cache>
                <replicated-cache name="timestamps" mode="ASYNC"/>
            </cache-container>
        </subsystem>

Snip of error log below.

02:49:49,248 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started sessions cache from keycloak container
02:53:48,262 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 53) MSC000001: Failed to start service jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(AsynchronousServiceBuilder.java:107)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:172)
at org.infinispan.factories.AbstractComponentRegistry$PrioritizedMethod.invoke(AbstractComponentRegistry.java:870)
at org.infinispan.factories.AbstractComponentRegistry.invokeStartMethods(AbstractComponentRegistry.java:639)
at org.infinispan.factories.AbstractComponentRegistry.internalStart(AbstractComponentRegistry.java:628)
at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:531)
at org.infinispan.factories.ComponentRegistry.start(ComponentRegistry.java:222)
at org.infinispan.cache.impl.CacheImpl.start(CacheImpl.java:849)
at org.infinispan.manager.DefaultCacheManager.wireAndStartCache(DefaultCacheManager.java:621)
at org.infinispan.manager.DefaultCacheManager.createCache(DefaultCacheManager.java:572)
at org.infinispan.manager.DefaultCacheManager.getCache(DefaultCacheManager.java:440)
at org.jboss.as.clustering.infinispan.DefaultCacheContainer.lambda$getCache$6(DefaultCacheContainer.java:119)
at org.jboss.as.clustering.infinispan.DefaultCacheContainer.getCache(DefaultCacheContainer.java:120)
at org.jboss.as.clustering.infinispan.DefaultCacheContainer.getCache(DefaultCacheContainer.java:114)
at org.wildfly.clustering.infinispan.spi.service.CacheBuilder.start(CacheBuilder.java:80)
at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(AsynchronousServiceBuilder.java:102)
... 4 more
Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d
at org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:224)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:168)
... 18 more
02:53:48,275 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,276 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "backup-for")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,276 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "backups")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,277 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "eviction")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,277 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "expiration")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,277 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "locking")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,278 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "partition-handling")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,278 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "state-transfer")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,279 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("component" => "transaction")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,279 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "loginFailures"),
    ("store" => "none")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
02:53:48,350 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 51) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
02:53:48,369 INFO  [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
WFLYCTL0186:   Services which failed to start:      service jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl



From mitya at cargosoft.ru  Tue Jun 27 21:35:46 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Wed, 28 Jun 2017 04:35:46 +0300
Subject: [keycloak-user] ProviderFactory::postInit not called with hot
	deployment
Message-ID: <1498613746.13078.1.camel@cargosoft.ru>

Hi,

Seems like o.k.provider.ProviderFactory::postInit() is called only upon
server startup, no matter which way the provider has been deployed, as
a module or via the deployments dir. However, if the provider is hot
(re)deployed on the running server, the method is not called.
(ProviderFactory::init() is called always, but it's insufficient for
most init phase tasks since normally a KeycloakSessionFactory instance
is required.)

Indeed, o.k.services.DefaultKeycloakSessionFactory::deploy() doesn't
contain mentions of postInit, contrary to
DefaultKeycloakSessionFactory::init(). Seems like a bug to me, OK to
file JIRA issue and PR?

Regards,
Dmitry

From sthorger at redhat.com  Wed Jun 28 01:15:44 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Jun 2017 07:15:44 +0200
Subject: [keycloak-user] ProviderFactory::postInit not called with hot
	deployment
In-Reply-To: <1498613746.13078.1.camel@cargosoft.ru>
References: <1498613746.13078.1.camel@cargosoft.ru>
Message-ID: <CAJgngAeaFzSynDZHhZr_Z03eDK7zEgs4qPsBmX9TLb36XatVJw@mail.gmail.com>

Yep, seems like a bug

On 28 June 2017 at 03:35, Dmitry Telegin <mitya at cargosoft.ru> wrote:

> Hi,
>
> Seems like o.k.provider.ProviderFactory::postInit() is called only upon
> server startup, no matter which way the provider has been deployed, as
> a module or via the deployments dir. However, if the provider is hot
> (re)deployed on the running server, the method is not called.
> (ProviderFactory::init() is called always, but it's insufficient for
> most init phase tasks since normally a KeycloakSessionFactory instance
> is required.)
>
> Indeed, o.k.services.DefaultKeycloakSessionFactory::deploy() doesn't
> contain mentions of postInit, contrary to
> DefaultKeycloakSessionFactory::init(). Seems like a bug to me, OK to
> file JIRA issue and PR?
>
> Regards,
> Dmitry
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com  Wed Jun 28 01:36:31 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Jun 2017 07:36:31 +0200
Subject: [keycloak-user] Initial state transfer times out for cache
	loginFailures
In-Reply-To: <D579139B.42759%dcorbett@expedia.com>
References: <D5784001.4269B%dcorbett@expedia.com>
	<D579139B.42759%dcorbett@expedia.com>
Message-ID: <CAJgngAcQX-nYHKXcWYMBodty3YR1mf4xMg7ZG+4U3-3fDy70yw@mail.gmail.com>

Should be fixed with https://issues.jboss.org/browse/ISPN-6806, but that is
not included in Keycloak until we upgrade to WildFly 11. That'll be another
couple months probably. It's fixed in RH-SSO 7.1 as it's fixed in JBoss EAP.

There's a potential workaround:
As a workaround for RH SSO 7.0.0 users, disable L1 caching by setting
l1-lifespan="0" on the distributed-caches.

You could maybe also upgrade the Infinispan version yourself. Or get the
supported version of Keycloak (RH-SSO). Or wait....


On 28 June 2017 at 00:09, Dan Corbett <dcorbett at expedia.com> wrote:

> We have a 3 node cluster of Keycloak 3.1.0.Final (WildFly Core
> 2.0.10.Final) running in Docker AWS ECS.
> It all has been running smoothly for many months, through various
> versions, deployments and recycles.
>
> Just recently, when one of the containers was terminated, the new
> container was run by ECS but could not start Keycloak and join the cluster.
>
> Error is:  Failed to start service jboss.infinispan.keycloak.loginFailures:
> org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures,
> Initial state transfer timed out for cache loginFailures
>
> We also see some of the following, which may be related?
> 2017-06-27 05:54:01,914 DEBUG [org.infinispan.remoting.inboundhandler.
> NonTotalOrderPerCacheInboundInvocationHandler] (remote-thread--p10-t3)
> ISPN000311: Received a command from an outdated topology, returning the
> exception to caller: org.infinispan.statetransfer.OutdatedTopologyException:
> Cache topology changed while the command was executing: expected 1962, got
> 1963
>
> We enabled various Debug log levels but haven?t yet found anything
> conclusive.
> We tried clearing caches via Infinispan JMX tooling etc, but still could
> not start the new node.
> The two remaining instances were still clustered OK.
> We provisioned additional cluster and it's working as expected, so don?t
> believe at this stage it?s a network communication issue.
>
> Found this report for Redhat SSO, seems similar? I can?t see solution.
> https://access.redhat.com/solutions/2841711
>
> Any info on possible cause or how to debug/investigate further would be a
> great help.
> Configs and logs below..
>
> Thanks
> Dan
>
> Our cache config is:
>
> <subsystem xmlns="urn:jboss:domain:infinispan:4.0">
>             <cache-container name="keycloak" jndi-name="infinispan/
> Keycloak">
>                 <transport lock-timeout="60000"/>
>                 <local-cache name="realms">
>                     <eviction max-entries="10000" strategy="LRU"/>
>                 </local-cache>
>                 <local-cache name="users">
>                     <eviction max-entries="10000" strategy="LRU"/>
>                 </local-cache>
>                 <distributed-cache name="sessions" mode="SYNC" owners="5"
> />
>                 <distributed-cache name="offlineSessions" mode="SYNC"
> owners="1" />
>                 <distributed-cache name="loginFailures" mode="SYNC"
> owners="1"/>
>                 <distributed-cache name="authorization" mode="SYNC"
> owners="1"/>
>                 <replicated-cache name="work" mode="SYNC"/>
>                 <local-cache name="keys">
>                     <eviction max-entries="1000" strategy="LRU"/>
>                     <expiration max-idle="3600000"/>
>                 </local-cache>
>             </cache-container>
>             <cache-container name="server" aliases="singleton cluster"
> default-cache="default" module="org.wildfly.clustering.server">
>                 <transport lock-timeout="60000"/>
>                 <replicated-cache name="default" mode="SYNC">
>                     <transaction mode="BATCH"/>
>                 </replicated-cache>
>             </cache-container>
>             <cache-container name="web" default-cache="dist"
> module="org.wildfly.clustering.web.infinispan">
>                 <transport lock-timeout="60000"/>
>                 <distributed-cache name="dist" mode="ASYNC"
> l1-lifespan="0" owners="2">
>                     <locking isolation="REPEATABLE_READ"/>
>                     <transaction mode="BATCH"/>
>                     <file-store/>
>                 </distributed-cache>
>             </cache-container>
>             <cache-container name="ejb" aliases="sfsb"
> default-cache="dist" module="org.wildfly.clustering.ejb.infinispan">
>                 <transport lock-timeout="60000"/>
>                 <distributed-cache name="dist" mode="ASYNC"
> l1-lifespan="0" owners="2">
>                     <locking isolation="REPEATABLE_READ"/>
>                     <transaction mode="BATCH"/>
>                     <file-store/>
>                 </distributed-cache>
>             </cache-container>
>             <cache-container name="hibernate" default-cache="local-query"
> module="org.hibernate.infinispan">
>                 <transport lock-timeout="60000"/>
>                 <local-cache name="local-query">
>                     <eviction strategy="LRU" max-entries="10000"/>
>                     <expiration max-idle="100000"/>
>                 </local-cache>
>                 <invalidation-cache name="entity" mode="SYNC">
>                     <transaction mode="NON_XA"/>
>                     <eviction strategy="LRU" max-entries="10000"/>
>                     <expiration max-idle="100000"/>
>                 </invalidation-cache>
>                 <replicated-cache name="timestamps" mode="ASYNC"/>
>             </cache-container>
>         </subsystem>
>
> Snip of error log below.
>
> 02:49:49,248 INFO  [org.jboss.as.clustering.infinispan] (ServerService
> Thread Pool -- 60) WFLYCLINF0002: Started sessions cache from keycloak
> container
> 02:53:48,262 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> -- 53) MSC000001: Failed to start service jboss.infinispan.keycloak.loginFailures:
> org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
> at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(
> AsynchronousServiceBuilder.java:107)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: org.infinispan.commons.CacheException: Unable to invoke method
> public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
> at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(
> ReflectionUtil.java:172)
> at org.infinispan.factories.AbstractComponentRegistry$
> PrioritizedMethod.invoke(AbstractComponentRegistry.java:870)
> at org.infinispan.factories.AbstractComponentRegistry.invokeStartMethods(
> AbstractComponentRegistry.java:639)
> at org.infinispan.factories.AbstractComponentRegistry.internalStart(
> AbstractComponentRegistry.java:628)
> at org.infinispan.factories.AbstractComponentRegistry.start(
> AbstractComponentRegistry.java:531)
> at org.infinispan.factories.ComponentRegistry.start(
> ComponentRegistry.java:222)
> at org.infinispan.cache.impl.CacheImpl.start(CacheImpl.java:849)
> at org.infinispan.manager.DefaultCacheManager.wireAndStartCache(
> DefaultCacheManager.java:621)
> at org.infinispan.manager.DefaultCacheManager.createCache(
> DefaultCacheManager.java:572)
> at org.infinispan.manager.DefaultCacheManager.getCache(
> DefaultCacheManager.java:440)
> at org.jboss.as.clustering.infinispan.DefaultCacheContainer.lambda$
> getCache$6(DefaultCacheContainer.java:119)
> at org.jboss.as.clustering.infinispan.DefaultCacheContainer.getCache(
> DefaultCacheContainer.java:120)
> at org.jboss.as.clustering.infinispan.DefaultCacheContainer.getCache(
> DefaultCacheContainer.java:114)
> at org.wildfly.clustering.infinispan.spi.service.CacheBuilder.start(
> CacheBuilder.java:80)
> at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(
> AsynchronousServiceBuilder.java:102)
> ... 4 more
> Caused by: org.infinispan.commons.CacheException: Initial state transfer
> timed out for cache loginFailures on 9c8ea5960a4d
> at org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:224)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(
> ReflectionUtil.java:168)
> ... 18 more
> 02:53:48,275 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,276 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "backup-for")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,276 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "backups")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,277 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "eviction")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,277 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "expiration")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,277 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "locking")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,278 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "partition-handling")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,278 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "state-transfer")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,279 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("component" => "transaction")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,279 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("distributed-cache" => "loginFailures"),
>     ("store" => "none")
> ]) - failure description: {"WFLYCTL0080: Failed services" =>
> {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache loginFailures on 9c8ea5960a4d"}}
> 02:53:48,350 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 51)
> WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name :
> "keycloak-server.war")
> 02:53:48,369 INFO  [org.jboss.as.controller] (Controller Boot Thread)
> WFLYCTL0183: Service status report
> WFLYCTL0186:   Services which failed to start:      service
> jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException
> in service jboss.infinispan.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public
> void org.infinispan.statetransfer.StateTransferManagerImpl.
> waitForInitialStateTransferToComplete() throws java.lang.Exception on
> object of type StateTransferManagerImpl
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From shailesh.kochhar at gmail.com  Wed Jun 28 03:52:27 2017
From: shailesh.kochhar at gmail.com (Shailesh Kochhar)
Date: Wed, 28 Jun 2017 13:22:27 +0530
Subject: [keycloak-user] OAuth 2.0 JWT Bearer flow
In-Reply-To: <CALf0UKaDdQztwuG-aoaCMF=xdTfHkFx3CtFSDExj027SooJ+UA@mail.gmail.com>
References: <CALf0UKb26tQMUpdVYEHnHgHQQfhrY=okbvMOsoRLKqMyCTSO6A@mail.gmail.com>
	<CALf0UKaDdQztwuG-aoaCMF=xdTfHkFx3CtFSDExj027SooJ+UA@mail.gmail.com>
Message-ID: <CALf0UKbj4BfMrDvo+AWjXP-oL-ooirrPQx6RPyZj19vLYcbLfA@mail.gmail.com>

I noticed that the link was long and got mangled.
Here's an alternate short version http://sforce.co/2tj77ua and the
reference to the RFC https://tools.ietf.org/html/rfc7523

Thanks in advance for any guidance or docs which can help figure out how to
make this flow work.

Thanks!

On Tue, Jun 27, 2017 at 10:42 PM, Shailesh Kochhar <
shailesh.kochhar at gmail.com> wrote:

> Hello everyone,
>
> I'm working on integrating Keycloak into a multi-party authentication
> system where I need to use the OAuth 2.0 JWT bearer flow as described in
> this document: https://help.salesforce.com/articleView?id=remotea
> ccess_oauth_jwt_flow.htm&type=0. I wanted to know if Keycloak could
> support this token bearer flow.
>
> I was able to find some documentation about client authentication with a
> signed JWT. Despite searching through the list archives and the server
> admin docs, I cannot tell there is a similar flow which could be used to
> authenticate the user as well.
>
> Any pointers in figuring out if this is feasible would be really helpful.
>
>
> Thanks a lot!
> Shailesh
>
>

From kasugakyosuke at gmail.com  Wed Jun 28 08:20:40 2017
From: kasugakyosuke at gmail.com (Sherminator Kasuga)
Date: Wed, 28 Jun 2017 14:20:40 +0200
Subject: [keycloak-user] Keycloak offline token
Message-ID: <CAEC2WbzA014gzq8-Rmczg3DDJ6Cz-KxzDaK4FW0qGYmiRgtOEg@mail.gmail.com>

Any idea about how can i solve this issue please?
Thanks in advance

From nikolaj at majorov.biz  Wed Jun 28 08:49:15 2017
From: nikolaj at majorov.biz (Nikolaj Majorov)
Date: Wed, 28 Jun 2017 14:49:15 +0200
Subject: [keycloak-user] install quickstart into to the keycloak server
Message-ID: <CAHSaR+8rsh_Nt2JQjOmYy279pcJYFP5FDFbXNwm5VHHpeA88_g@mail.gmail.com>

HI all,
if I install quickstarts to keycloak server 3.1.0.Final
do I need to install wildfly adapter there ? ot it's already enabled ?

I register client  and deploy service-jee-jaxrs application,

but only get  Unknown authentication mechanism KEYCLOAK then I deploy
directly to the keycloak server 3.1.0




Regards,
Nikolaj

From K.Buler at adbglobal.com  Wed Jun 28 09:09:50 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Wed, 28 Jun 2017 15:09:50 +0200
Subject: [keycloak-user] CORS's problem with JavaScript's library
Message-ID: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>

Hi Everyone,

We have problem with CORS. We are using this lib: https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript application.

When we try to get AccessToken we are getting this message:

Fetch API cannot load http://<keycloak_address>/auth/realms/master/protocol/openid-connect/token. Request header field x-client is not allowed by Access-Control-Allow-Headers in preflight response.

We tried to modify CORS headers in standalone.xml file of Keycloak's server, but we found that CORS headers are hardcoded and added "in air".

Best regards,
Karol Buler

[https://www.adbglobal.com/wp-content/uploads/adb.png]
connecting lives
connecting worlds

From sblanc at redhat.com  Wed Jun 28 09:49:41 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 28 Jun 2017 15:49:41 +0200
Subject: [keycloak-user] install quickstart into to the keycloak server
In-Reply-To: <CAHSaR+8rsh_Nt2JQjOmYy279pcJYFP5FDFbXNwm5VHHpeA88_g@mail.gmail.com>
References: <CAHSaR+8rsh_Nt2JQjOmYy279pcJYFP5FDFbXNwm5VHHpeA88_g@mail.gmail.com>
Message-ID: <CAMZCGg87CENySL4KDfgXHyqEST66qCTcQW-cHspqa4OrFXg+-w@mail.gmail.com>

Hi,

You can't not deploy the quickstarts (or any application) on the Keycloak
Server (Unless you are using the server overlay distribution).

You must deploy the quickstarts on a separate application server and
install the adapter.

Seb



On Wed, Jun 28, 2017 at 2:49 PM, Nikolaj Majorov <nikolaj at majorov.biz>
wrote:

> HI all,
> if I install quickstarts to keycloak server 3.1.0.Final
> do I need to install wildfly adapter there ? ot it's already enabled ?
>
> I register client  and deploy service-jee-jaxrs application,
>
> but only get  Unknown authentication mechanism KEYCLOAK then I deploy
> directly to the keycloak server 3.1.0
>
>
>
>
> Regards,
> Nikolaj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bruno at abstractj.org  Wed Jun 28 10:00:39 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 28 Jun 2017 14:00:39 +0000
Subject: [keycloak-user] install quickstart into to the keycloak server
In-Reply-To: <CAHSaR+8rsh_Nt2JQjOmYy279pcJYFP5FDFbXNwm5VHHpeA88_g@mail.gmail.com>
References: <CAHSaR+8rsh_Nt2JQjOmYy279pcJYFP5FDFbXNwm5VHHpeA88_g@mail.gmail.com>
Message-ID: <CAM5SUC4EZJ4QEOHweNA-5NaLFa3Bv3SdVfn8wpSirA4XAjY05A@mail.gmail.com>

Yes. Or you can just download the demo distribution
https://downloads.jboss.org/keycloak/3.1.0.Final/keycloak-demo-3.1.0.Final.zip

On Wed, Jun 28, 2017 at 10:45 AM Nikolaj Majorov <nikolaj at majorov.biz>
wrote:

> HI all,
> if I install quickstarts to keycloak server 3.1.0.Final
> do I need to install wildfly adapter there ? ot it's already enabled ?
>
> I register client  and deploy service-jee-jaxrs application,
>
> but only get  Unknown authentication mechanism KEYCLOAK then I deploy
> directly to the keycloak server 3.1.0
>
>
>
>
> Regards,
> Nikolaj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sblanc at redhat.com  Wed Jun 28 10:47:36 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 28 Jun 2017 16:47:36 +0200
Subject: [keycloak-user] Fwd:  CORS's problem with JavaScript's library
In-Reply-To: <CAMZCGg87VSrkuTWM=CKgnzHFrp7oNU+h85KG9EcSDJ_SKgweDw@mail.gmail.com>
References: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>
	<CAMZCGg87VSrkuTWM=CKgnzHFrp7oNU+h85KG9EcSDJ_SKgweDw@mail.gmail.com>
Message-ID: <CAMZCGg_hS9YOMLr8-5mi6PWuEufxiW-xSsJeR48rBraFASdxsw@mail.gmail.com>

(forgot including user list)

Are you using keycloak-auth-utils on your frontend application ? Why not
the JavaScript library ?
Also have you configured the "Web Origins" field of your client in the
Keycloak Web Console ?

On Wed, Jun 28, 2017 at 3:09 PM, Karol Buler <K.Buler at adbglobal.com> wrote:

> Hi Everyone,
>
> We have problem with CORS. We are using this lib:
> https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript
> application.
>
> When we try to get AccessToken we are getting this message:
>
> Fetch API cannot load http://<keycloak_address>/auth
> /realms/master/protocol/openid-connect/token. Request header field
> x-client is not allowed by Access-Control-Allow-Headers in preflight
> response.
>
> We tried to modify CORS headers in standalone.xml file of Keycloak's
> server, but we found that CORS headers are hardcoded and added "in air".
>
> Best regards,
> Karol Buler
>
> [https://www.adbglobal.com/wp-content/uploads/adb.png]
> connecting lives
> connecting worlds
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mitya at cargosoft.ru  Wed Jun 28 14:18:24 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Wed, 28 Jun 2017 21:18:24 +0300
Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup
	failure
Message-ID: <1498673904.3162.1.camel@cargosoft.ru>

Hi,

(TL;DR) if a KeycloakTransaction is opened from
ProviderFactory::postInit, sometimes the transaction is already active
on the underlying
org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads
to errors.

(full version) I think it's essential for the providers to be able to
access realm data in postInit(). For that, a transaction is required;
using KeycloakModelUtils.runJobInTransaction() is a convenient method
to do that:

????@Override
????public void postInit(KeycloakSessionFactory factory) {
????????KeycloakModelUtils.runJobInTransaction(factory,
(KeycloakSession session) -> {
????????????List<RealmModel> realms = session.realms().getRealms();
            // do stuff
????????});
????}

When such a provider is deployed, in about half of cases Keycloak fails
to start due to the following exception:

java.sql.SQLException: IJ031017: You cannot set autocommit during a
managed transaction

(see full stacktrace here https://pastebin.com/ETtPqXQk)

I've managed to track it down to something that looks like transaction
clash over a single instance of
org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What happens
is that the two treads at the same time begin two KeycloakTransactions
which end up with the same instance of LocalManagedConnection. The
above exception results from the second begin() call.

There's a system property called "ironjacamar.jdbc.ignoreautocommit"
that allows to ignore the situation, but I think it's dangerous because
it doesn't eliminate the transaction clash, just suppresses the check.
If I'm not mistaken, this began to happen around Keycloak 2.2.x, which
coincides with the changes to Keycloak transaction management. That
said, do I need now some additional transaction coordination with the
rest of Keycloak, or is it a bug? If former, how do I do that? If
latter, how do we fix it?

I hope we'll sort it out, since the ability to access the data at every
phase of provider's lifecycle seems something fundamental to me.

Regards,
Dmitry

From marc.tempelmeier at flane.de  Thu Jun 29 04:01:01 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Thu, 29 Jun 2017 08:01:01 +0000
Subject: [keycloak-user] liquibase.exception.DatabaseException
In-Reply-To: <CAM5SUC7-RTqeGv0Xo8b_BMkMGm8gGv-O-SJ=DpEi3YJXxqnYAQ@mail.gmail.com>
References: <77bbd4acb1c3448fb0a8f8184d65331e@dehamex2013.europe.flane.local>
	<CAM5SUC7-RTqeGv0Xo8b_BMkMGm8gGv-O-SJ=DpEi3YJXxqnYAQ@mail.gmail.com>
Message-ID: <b47ea66b702b4c2d99889f13829caf19@dehamex2013.europe.flane.local>

Hi,

It?s difficult to provide a whole step guide, because it?s a domain controlled cluster with master and 3 slaves.
It happens 4 out of 5 starts and as I see it only on the first slave. I wait for every slave boots and then start the next.
The first slave produces the unregister message, but the master does not recognize this unregister in its logs.

I use Keycloak 3.1.0 with postgres cluster over pgpool.

Best regards

Marc

Von: Bruno Oliveira [mailto:bruno at abstractj.org]
Gesendet: Thursday, June 15, 2017 1:21 PM
An: Marc Tempelmeier <marc.tempelmeier at flane.de>; keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] liquibase.exception.DatabaseException


What would be the steps to reproduce and version of the KC server?

On Thu, Jun 15, 2017, 4:09 AM Marc Tempelmeier <marc.tempelmeier at flane.de<mailto:marc.tempelmeier at flane.de>> wrote:
Hi,

Is this a bug?

[Server:slave1] 14:12:02,873 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
[Server:slave1]     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
[Server:slave1]     Caused by: liquibase.exception.UnexpectedLiquibaseException: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist
[Server:slave1]   Position: 22
[Server:slave1]     Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist
[Server:slave1]   Position: 22
[Server:slave1]     Caused by: org.postgresql.util.PSQLException: ERROR: relation \"public.databasechangeloglock\" does not exist
[Server:slave1]   Position: 22"}}

Database looks good though, after the error the slave crashed and unregistered.

BR

Marc
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ravthiru at gmail.com  Thu Jun 29 04:02:17 2017
From: ravthiru at gmail.com (Ravinder Thirumala)
Date: Thu, 29 Jun 2017 18:02:17 +1000
Subject: [keycloak-user] service account with offline tokens
Message-ID: <CA+xxDHrZ1n1DatHRPfDaH-fTm6Ric34MgvpBoq83zbQ3H=njsg@mail.gmail.com>

Hi,

We have application which has frontend and backend(running on glassfish),
we have secured with keycloak for user authentication.

Now have got other application X which provides RESTful service, these
RESTful APIs are called as part of scheduled jobs from backend without user
login.

Can I use service account with offline tokens for calling RESTful API on
AppX. Do i need to have different keycloak.json for REST API communication
?


regards

Ravi

From K.Buler at adbglobal.com  Thu Jun 29 04:29:50 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Thu, 29 Jun 2017 10:29:50 +0200
Subject: [keycloak-user] Fwd: CORS's problem with JavaScript's library
In-Reply-To: <CAMZCGg_hS9YOMLr8-5mi6PWuEufxiW-xSsJeR48rBraFASdxsw@mail.gmail.com>
References: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>
	<CAMZCGg87VSrkuTWM=CKgnzHFrp7oNU+h85KG9EcSDJ_SKgweDw@mail.gmail.com>
	<CAMZCGg_hS9YOMLr8-5mi6PWuEufxiW-xSsJeR48rBraFASdxsw@mail.gmail.com>
Message-ID: <c65cd0e1-eda9-286e-7fff-65f65f69ec89@adbglobal.com>

We are using keycloak-auth-utils because our application isn't strict 
frontend. It is something like "middle-end" app. We can't use e.g. code 
flow authentication.

Secondly... yes, We applied "*" to "Web Origins".


On 28.06.2017 16:47, Sebastien Blanc wrote:
> (forgot including user list)
>
> Are you using keycloak-auth-utils on your frontend application ? Why not
> the JavaScript library ?
> Also have you configured the "Web Origins" field of your client in the
> Keycloak Web Console ?
>
> On Wed, Jun 28, 2017 at 3:09 PM, Karol Buler <K.Buler at adbglobal.com> wrote:
>
>> Hi Everyone,
>>
>> We have problem with CORS. We are using this lib:
>> https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript
>> application.
>>
>> When we try to get AccessToken we are getting this message:
>>
>> Fetch API cannot load http://<keycloak_address>/auth
>> /realms/master/protocol/openid-connect/token. Request header field
>> x-client is not allowed by Access-Control-Allow-Headers in preflight
>> response.
>>
>> We tried to modify CORS headers in standalone.xml file of Keycloak's
>> server, but we found that CORS headers are hardcoded and added "in air".
>>
>> Best regards,
>> Karol Buler
>>
>> [https://www.adbglobal.com/wp-content/uploads/adb.png]
>> connecting lives
>> connecting worlds
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From bruno at abstractj.org  Thu Jun 29 05:40:26 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 29 Jun 2017 06:40:26 -0300
Subject: [keycloak-user] CORS's problem with JavaScript's library
In-Reply-To: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>
References: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>
Message-ID: <20170629094026.GC23375@abstractj.org>

Hi Karol, could you write an integration test with the exact steps to
reproduce your issue?
See: https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/test/integration/grant-manager-spec.js

That would help us to investigate.

Out of curiosity, why don't you use keycloak-connect?

On 2017-06-28, Karol Buler wrote:
> Hi Everyone,
>
> We have problem with CORS. We are using this lib: https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript application.
>
> When we try to get AccessToken we are getting this message:
>
> Fetch API cannot load http://<keycloak_address>/auth/realms/master/protocol/openid-connect/token. Request header field x-client is not allowed by Access-Control-Allow-Headers in preflight response.
>
> We tried to modify CORS headers in standalone.xml file of Keycloak's server, but we found that CORS headers are hardcoded and added "in air".
>
> Best regards,
> Karol Buler
>
> [https://www.adbglobal.com/wp-content/uploads/adb.png]
> connecting lives
> connecting worlds
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From sthorger at redhat.com  Thu Jun 29 06:57:34 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Jun 2017 12:57:34 +0200
Subject: [keycloak-user] service account with offline tokens
In-Reply-To: <CA+xxDHrZ1n1DatHRPfDaH-fTm6Ric34MgvpBoq83zbQ3H=njsg@mail.gmail.com>
References: <CA+xxDHrZ1n1DatHRPfDaH-fTm6Ric34MgvpBoq83zbQ3H=njsg@mail.gmail.com>
Message-ID: <CAJgngAdsa1QQsOFMJ1Oz3MEtnGQzBD94XSwTGR8XdW0mCpYOog@mail.gmail.com>

Why would you need to use offline tokens with service accounts? They are by
design "offline" as there is no user.

On 29 June 2017 at 10:02, Ravinder Thirumala <ravthiru at gmail.com> wrote:

> Hi,
>
> We have application which has frontend and backend(running on glassfish),
> we have secured with keycloak for user authentication.
>
> Now have got other application X which provides RESTful service, these
> RESTful APIs are called as part of scheduled jobs from backend without user
> login.
>
> Can I use service account with offline tokens for calling RESTful API on
> AppX. Do i need to have different keycloak.json for REST API communication
> ?
>
>
> regards
>
> Ravi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kevin.berendsen at pharmapartners.nl  Thu Jun 29 07:24:20 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Thu, 29 Jun 2017 11:24:20 +0000
Subject: [keycloak-user] Fwd: CORS's problem with JavaScript's library
In-Reply-To: <c65cd0e1-eda9-286e-7fff-65f65f69ec89@adbglobal.com>
References: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>
	<CAMZCGg87VSrkuTWM=CKgnzHFrp7oNU+h85KG9EcSDJ_SKgweDw@mail.gmail.com>
	<CAMZCGg_hS9YOMLr8-5mi6PWuEufxiW-xSsJeR48rBraFASdxsw@mail.gmail.com>
	<c65cd0e1-eda9-286e-7fff-65f65f69ec89@adbglobal.com>
Message-ID: <ac529659f1b3485487a1e57322a6d34b@PHINEAS.ppg.lan>

Hi,

This is a perfect response from your browser. X-client is a custom header and not allowed out of the box.
I think either you should strip that header from your request to Keycloak or modify Keycloak to allow that header or some sort (not recommend).

You could also modify your standalone configuration to add a response header but that's not really recommended either.

> -----Oorspronkelijk bericht-----
> Van: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-
> bounces at lists.jboss.org] Namens Karol Buler
> Verzonden: donderdag 29 juni 2017 10:30
> Aan: keycloak-user at lists.jboss.org
> Onderwerp: Re: [keycloak-user] Fwd: CORS's problem with JavaScript's
> library
> 
> We are using keycloak-auth-utils because our application isn't strict frontend.
> It is something like "middle-end" app. We can't use e.g. code flow
> authentication.
> 
> Secondly... yes, We applied "*" to "Web Origins".
> 
> 
> On 28.06.2017 16:47, Sebastien Blanc wrote:
> > (forgot including user list)
> >
> > Are you using keycloak-auth-utils on your frontend application ? Why
> > not the JavaScript library ?
> > Also have you configured the "Web Origins" field of your client in the
> > Keycloak Web Console ?
> >
> > On Wed, Jun 28, 2017 at 3:09 PM, Karol Buler <K.Buler at adbglobal.com>
> wrote:
> >
> >> Hi Everyone,
> >>
> >> We have problem with CORS. We are using this lib:
> >> https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript
> >> application.
> >>
> >> When we try to get AccessToken we are getting this message:
> >>
> >> Fetch API cannot load http://<keycloak_address>/auth
> >> /realms/master/protocol/openid-connect/token. Request header field
> >> x-client is not allowed by Access-Control-Allow-Headers in preflight
> >> response.
> >>
> >> We tried to modify CORS headers in standalone.xml file of Keycloak's
> >> server, but we found that CORS headers are hardcoded and added "in
> air".
> >>
> >> Best regards,
> >> Karol Buler
> >>
> >> [https://www.adbglobal.com/wp-content/uploads/adb.png]
> >> connecting lives
> >> connecting worlds
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From K.Buler at adbglobal.com  Thu Jun 29 08:02:10 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Thu, 29 Jun 2017 14:02:10 +0200
Subject: [keycloak-user] CORS's problem with JavaScript's library
In-Reply-To: <20170629094026.GC23375@abstractj.org>
References: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>
	<20170629094026.GC23375@abstractj.org>
Message-ID: <830cf014-9725-0a8f-828d-3b41e115608f@adbglobal.com>

Honestly I can't because I am Java programmer. JavaScript application is 
from another team, but unfortunately only I have from them is that the 
problem is with x-client CORS header (it isn't added to "allowed 
headers" from Keycloak's server, but it is in request from 
keycloak-auth-utils). They use "obtainDirectly(username, password)" 
method. Also I have the curl request which is produced by 
keycloak-auth-utils, and here it is:

curl 
'http://<keycloak_host>/auth/realms/master/protocol/openid-connect/token' 
<http://keycloak.pz-test.graphyne2.adbglobal.com/auth/realms/ADB/protocol/openid-connect/token%27> 
-X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: 
POST' -H 'Origin: http://localhost:8082' -H 'Accept-Encoding: gzip, 
deflate, sdch' -H 'Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4' 
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' -H 'Accept: */*' 
-H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 
'Access-Control-Request-Headers: authorization,x-client' --compressed

If you call Keycloak with curl above you will see that there is no 
X-Client header in Access-Control-Allow-Headers, but (!!!) request must 
be from another host.

Why they don't use keycloak-connect? I have no idea ;/


On 29.06.2017 11:40, Bruno Oliveira wrote:
> Hi Karol, could you write an integration test with the exact steps to
> reproduce your issue?
> See: https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/test/integration/grant-manager-spec.js
>
> That would help us to investigate.
>
> Out of curiosity, why don't you use keycloak-connect?
>
> On 2017-06-28, Karol Buler wrote:
>> Hi Everyone,
>>
>> We have problem with CORS. We are using this lib: https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript application.
>>
>> When we try to get AccessToken we are getting this message:
>>
>> Fetch API cannot load http://<keycloak_address>/auth/realms/master/protocol/openid-connect/token. Request header field x-client is not allowed by Access-Control-Allow-Headers in preflight response.
>>
>> We tried to modify CORS headers in standalone.xml file of Keycloak's server, but we found that CORS headers are hardcoded and added "in air".
>>
>> Best regards,
>> Karol Buler
>>
>> [https://www.adbglobal.com/wp-content/uploads/adb.png]
>> connecting lives
>> connecting worlds
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
>
> abstractj


From cedric.couralet at insee.fr  Thu Jun 29 09:57:17 2017
From: cedric.couralet at insee.fr (=?iso-8859-1?Q?Couralet_C=E9dric?=)
Date: Thu, 29 Jun 2017 13:57:17 +0000
Subject: [keycloak-user] Cache renewal and invalidation for User provider
Message-ID: <991F3957FFD69B49B2F61FA7F87AB2BC0136673751@pdexchbalwst03.ad.insee.intra>

Hello,

With Keycloak 3.1.0 configured with a ldap as user storage provider, we had a problem where when an attribute is modified the ldap directly, it is not immediately picked up by keycloak (in account or administrative interface), even though the attribute in question is marked as "Always Read Value From LDAP" in the mapper.

We tried changing the cache policy on the user federation configuration, or even with "import" option off. But it seems the cache is global to keycloak (wildfly?).

There is 2 needs behind that question :
 1) we have an attribute in ldap which governs if the user must change password. Our idea was to check the attribute in a script based authenticator to add and user action if found. Except, in our situation the new value was never read from ldap, we finally had a solution by calling "user.getDelegateForUpdate();" before reading the attribute, but I don't think it is the best way to do that.

 2) We have some attribute changing independantly from keycloak, which could change some access authorization for an user. So we need thos attribute picked up immediatly. Clearing the realm cache seems to work, but it is far from a good solution.

Is there something we missed? What are the recommended ways to treat these cases?

Best regards,
C?dric Couralet


From nikolaj at majorov.biz  Thu Jun 29 11:33:27 2017
From: nikolaj at majorov.biz (Nikolaj Majorov)
Date: Thu, 29 Jun 2017 17:33:27 +0200
Subject: [keycloak-user] example for Resteasy and keycloak
Message-ID: <CAHSaR+_YN5dyH0dHN2hfPc_5BX=7Y8PxvcrOKA4_f5W7YMcG+A@mail.gmail.com>

Hi all,
there can I find example for resteasy and keycloak ?
can someone share ?

thanks !

Regards,
Nikolaj

From igneuslynx at gmail.com  Thu Jun 29 12:26:54 2017
From: igneuslynx at gmail.com (Kirill Liubun)
Date: Thu, 29 Jun 2017 19:26:54 +0300
Subject: [keycloak-user] Keycloak relations between resources in a system
Message-ID: <CA+nyPF55LFT-u-wA24a636Y4aJbM5VcFLxVh0DCdohmhPqRigw@mail.gmail.com>

      Hi there,


I am new to keycloak and try to use it as auth server in my solution.

I have next entity's model: the *devices* are owned by a particular
*company* to which belongs some *users*. A user with role *admin* can grant
permission for viewing some set of devices to a regular user but only those
devices that belong to admin's company. Thus all users except admins can
view the only subset of all devices in the company. Based on requirements I
decided to make a company as *group* and devices as keycloak's *resources*.
To evaluating permissions I chose *rule-based policy*. The problem is I ran
into next question about hot to implement other relations and business
rules:

   1.

   Can I set the group as an owner of the resource to check this relation
   in policy?
   2.

   Which mechanism better to use in my case to grant view permission on a
   particular device to a regular user?

If someone is more experienced in keycloak and knows how to better
represent such model, please help.

Thank you in advance.

*P.S.*

For the second question I have two solutions:

   - Create on each device new role which name consists of *device's name* +
   word *view* (This solution has big disadvantage because If user has over
   1000 devices the *Permission Ticket* will be very huge)
   - Represent mapping between user and device via scope -- when you admin
   set relation between particular device and user to the resource (device)
   added scope which name consists of *user id* plus word *view* (I know it
   is not good way to use scopes but I have no idea can better configure this
   relation in keycloak)

From jasonspittel at yahoo.com  Thu Jun 29 13:27:58 2017
From: jasonspittel at yahoo.com (Jason Spittel)
Date: Thu, 29 Jun 2017 17:27:58 +0000 (UTC)
Subject: [keycloak-user] Problems logging out using JEE to keycloak to SAML
	(ADFS)
References: <1600714554.1524021.1498757278012.ref@mail.yahoo.com>
Message-ID: <1600714554.1524021.1498757278012@mail.yahoo.com>

Hello,
I'm having difficulty completing a logout.?
SETUP: JEE webapp to keycloak to IdP (ADFS (SAML))
WORKFLOW: 1) On logout in the webapp externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true");
 2) User is sent to ADFS letting them know they have successfully logged out.
 3) However, there is still a keycloak user session alive (seen in the admin console)
 4) Hitting a protected resource in the webapp lets user in without having to log back in.
Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262
 String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER); if (brokerId != null) {  ? ?IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);  ? ?Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);  ? ?if (response != null) return response; } return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session. But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly?
Thanks,?
Jason

From sthorger at redhat.com  Thu Jun 29 14:01:59 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Jun 2017 20:01:59 +0200
Subject: [keycloak-user] Review Chinese translations
Message-ID: <CAJgngAds0SEx+x1BZAxbEK9UH5+8NrX7G1BeuMG4f6Nq9aeF_g@mail.gmail.com>

Can someone please review PR for Chinese translations:
https://github.com/keycloak/keycloak/pull/4251

From bburke at redhat.com  Thu Jun 29 14:42:41 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 29 Jun 2017 14:42:41 -0400
Subject: [keycloak-user] Cache renewal and invalidation for User provider
In-Reply-To: <991F3957FFD69B49B2F61FA7F87AB2BC0136673751@pdexchbalwst03.ad.insee.intra>
References: <991F3957FFD69B49B2F61FA7F87AB2BC0136673751@pdexchbalwst03.ad.insee.intra>
Message-ID: <560bc561-2a4a-3814-d1c6-d99ece8ef35f@redhat.com>

Cache is global.  No way around it except to invalidate the cache of the 
specific user or all users for that storage provider.  You can define a 
cache policy per user storage provider.  We've been meaning to add an 
cache option to either evict on login or evict on logout. Even an option 
to validate the cache.  Guess we need it for this case.


On 6/29/17 9:57 AM, Couralet C?dric wrote:
> Hello,
>
> With Keycloak 3.1.0 configured with a ldap as user storage provider, we had a problem where when an attribute is modified the ldap directly, it is not immediately picked up by keycloak (in account or administrative interface), even though the attribute in question is marked as "Always Read Value From LDAP" in the mapper.
>
> We tried changing the cache policy on the user federation configuration, or even with "import" option off. But it seems the cache is global to keycloak (wildfly?).
>
> There is 2 needs behind that question :
>   1) we have an attribute in ldap which governs if the user must change password. Our idea was to check the attribute in a script based authenticator to add and user action if found. Except, in our situation the new value was never read from ldap, we finally had a solution by calling "user.getDelegateForUpdate();" before reading the attribute, but I don't think it is the best way to do that.
>
>   2) We have some attribute changing independantly from keycloak, which could change some access authorization for an user. So we need thos attribute picked up immediatly. Clearing the realm cache seems to work, but it is far from a good solution.
>
> Is there something we missed? What are the recommended ways to treat these cases?
>
> Best regards,
> C?dric Couralet
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From teatimej at gmail.com  Thu Jun 29 19:56:10 2017
From: teatimej at gmail.com (Michael Mok)
Date: Fri, 30 Jun 2017 07:56:10 +0800
Subject: [keycloak-user] SAML2 exception - Undeclared namespace prefix "dsig"
Message-ID: <CAO=w+JMPbUFtnrNJ2oF7fy2_UjtuwLC0P2b3n7EXJbuQzT=QUw@mail.gmail.com>

Hi there

We are using Keycloak 3.1.0 and when it is processing a SAML response, we
encountered the following error.

08:24:46,541 ERROR [io.undertow.request] (default task-352) UT005023:
Exception handling request to
/auth/realms/dev/login-actions/first-broker-login:
org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException:
Undeclared namespace prefix "dsig"

 at [row,col {unknown-source}]: [1,338]

at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(
ExceptionHandler.java:76)

at org.jboss.resteasy.core.ExceptionHandler.handleException(
ExceptionHandler.java:212)


The "dsig" is declared in the header of the xml but Keycloak does not
appear to recognise it.


Here is the SAML response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

                *xmlns:dsig="http://www.w3.org/2000/09/xmldsig#
<http://www.w3.org/2000/09/xmldsig#>"*

                xmlns:enc="http://www.w3.org/2001/04/xmlenc#"

                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

                xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:
attribute:X500"

                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                Destination="https://www.bill.com/auth/realms/dev/broker/
saml/endpoint
<https://www.billview.com.au/auth/realms/billviewdev/broker/saml/endpoint>"

                ID="id--nk-7uGxvonvTG7h8NL09hLwcKIpGZC053Zj-3Cz"

                InResponseTo="ID_0c62fac6-d0d1-487d-91a6-44dd8c6cee16"

                IssueInstant="2017-06-29T00:24:46Z"

                Version="2.0"

                >

    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
http://iamdev.edu/oam/fed</saml:Issuer
<http://iamdev.ecu.edu.au/oam/fed%3c/saml:Issuer>>

    <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
/>

    </samlp:Status>

    <saml:Assertion ID="id-S80vqfesnCZBogvgpKyOKL2z1I8Y-mlMpAQwVk8q"

                    IssueInstant="2017-06-29T00:24:46Z"

                    Version="2.0"

                    >

        <saml:Issuer Format="urn:oasis:names:tc:
SAML:2.0:nameid-format:entity">http://iamdev.edu/oam/fed</saml:Issuer
<http://iamdev.ecu.edu.au/oam/fed%3c/saml:Issuer>>

        <dsig:Signature>

            <dsig:SignedInfo>

                <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/
2001/10/xml-exc-c14n#" />

                <dsig:SignatureMethod Algorithm="http://www.w3.org/
2000/09/xmldsig#rsa-sha1" />

                <dsig:Reference URI="#id-S80vqfesnCZBogvgpKyOKL2z1I8Y-
mlMpAQwVk8q">

                    <dsig:Transforms>

                        <dsig:Transform Algorithm="http://www.w3.org/
2000/09/xmldsig#enveloped-signature" />

                        <dsig:Transform Algorithm="http://www.w3.org/
2001/10/xml-exc-c14n#" />

                    </dsig:Transforms>

                    <dsig:DigestMethod Algorithm="http://www.w3.org/
2000/09/xmldsig#sha1" />

                    <dsig:DigestValue>/9fx72oB3eQ5vDcEJE5q0u43P8k=</
dsig:DigestValue>

                </dsig:Reference>

            </dsig:SignedInfo>

From sthorger at redhat.com  Fri Jun 30 03:59:38 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jun 2017 09:59:38 +0200
Subject: [keycloak-user] example for Resteasy and keycloak
In-Reply-To: <CAHSaR+_YN5dyH0dHN2hfPc_5BX=7Y8PxvcrOKA4_f5W7YMcG+A@mail.gmail.com>
References: <CAHSaR+_YN5dyH0dHN2hfPc_5BX=7Y8PxvcrOKA4_f5W7YMcG+A@mail.gmail.com>
Message-ID: <CAJgngAeBWVWo_mJQL=uw5JOVt0RxLLRuch1pUMm2BqdawBL4nQ@mail.gmail.com>

https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs

On 29 June 2017 at 17:33, Nikolaj Majorov <nikolaj at majorov.biz> wrote:

> Hi all,
> there can I find example for resteasy and keycloak ?
> can someone share ?
>
> thanks !
>
> Regards,
> Nikolaj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From hmlnarik at redhat.com  Fri Jun 30 04:34:50 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 30 Jun 2017 10:34:50 +0200
Subject: [keycloak-user] SAML2 exception - Undeclared namespace prefix
	"dsig"
In-Reply-To: <CAO=w+JMPbUFtnrNJ2oF7fy2_UjtuwLC0P2b3n7EXJbuQzT=QUw@mail.gmail.com>
References: <CAO=w+JMPbUFtnrNJ2oF7fy2_UjtuwLC0P2b3n7EXJbuQzT=QUw@mail.gmail.com>
Message-ID: <CAMvXD=EOBahTF1WLdk8ML1yZSTE4YBY9EpS5NBpuhtzsr25==w@mail.gmail.com>

Hi,

this has been reported already as
https://issues.jboss.org/browse/KEYCLOAK-4818. I suggest you to join
the list of watchers and please comment in the JIRA as much of the
details on your installation as possible: e.g. where it has happened
(in server? in adapter - in which server in that case?)

Thank you

--Hynek

On Fri, Jun 30, 2017 at 1:56 AM, Michael Mok <teatimej at gmail.com> wrote:
> Hi there
>
> We are using Keycloak 3.1.0 and when it is processing a SAML response, we
> encountered the following error.
>
> 08:24:46,541 ERROR [io.undertow.request] (default task-352) UT005023:
> Exception handling request to
> /auth/realms/dev/login-actions/first-broker-login:
> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
> java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException:
> Undeclared namespace prefix "dsig"
>
>  at [row,col {unknown-source}]: [1,338]
>
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(
> ExceptionHandler.java:76)
>
> at org.jboss.resteasy.core.ExceptionHandler.handleException(
> ExceptionHandler.java:212)
>
>
> The "dsig" is declared in the header of the xml but Keycloak does not
> appear to recognise it.
>
>
> Here is the SAML response
>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
>                 *xmlns:dsig="http://www.w3.org/2000/09/xmldsig#
> <http://www.w3.org/2000/09/xmldsig#>"*
>
>                 xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
>
>                 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
>                 xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:
> attribute:X500"
>
>                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
>                 Destination="https://www.bill.com/auth/realms/dev/broker/
> saml/endpoint
> <https://www.billview.com.au/auth/realms/billviewdev/broker/saml/endpoint>"
>
>                 ID="id--nk-7uGxvonvTG7h8NL09hLwcKIpGZC053Zj-3Cz"
>
>                 InResponseTo="ID_0c62fac6-d0d1-487d-91a6-44dd8c6cee16"
>
>                 IssueInstant="2017-06-29T00:24:46Z"
>
>                 Version="2.0"
>
>                 >
>
>     <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> http://iamdev.edu/oam/fed</saml:Issuer
> <http://iamdev.ecu.edu.au/oam/fed%3c/saml:Issuer>>
>
>     <samlp:Status>
>
>         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
> />
>
>     </samlp:Status>
>
>     <saml:Assertion ID="id-S80vqfesnCZBogvgpKyOKL2z1I8Y-mlMpAQwVk8q"
>
>                     IssueInstant="2017-06-29T00:24:46Z"
>
>                     Version="2.0"
>
>                     >
>
>         <saml:Issuer Format="urn:oasis:names:tc:
> SAML:2.0:nameid-format:entity">http://iamdev.edu/oam/fed</saml:Issuer
> <http://iamdev.ecu.edu.au/oam/fed%3c/saml:Issuer>>
>
>         <dsig:Signature>
>
>             <dsig:SignedInfo>
>
>                 <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/
> 2001/10/xml-exc-c14n#" />
>
>                 <dsig:SignatureMethod Algorithm="http://www.w3.org/
> 2000/09/xmldsig#rsa-sha1" />
>
>                 <dsig:Reference URI="#id-S80vqfesnCZBogvgpKyOKL2z1I8Y-
> mlMpAQwVk8q">
>
>                     <dsig:Transforms>
>
>                         <dsig:Transform Algorithm="http://www.w3.org/
> 2000/09/xmldsig#enveloped-signature" />
>
>                         <dsig:Transform Algorithm="http://www.w3.org/
> 2001/10/xml-exc-c14n#" />
>
>                     </dsig:Transforms>
>
>                     <dsig:DigestMethod Algorithm="http://www.w3.org/
> 2000/09/xmldsig#sha1" />
>
>                     <dsig:DigestValue>/9fx72oB3eQ5vDcEJE5q0u43P8k=</
> dsig:DigestValue>
>
>                 </dsig:Reference>
>
>             </dsig:SignedInfo>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek

From psilva at redhat.com  Fri Jun 30 07:27:20 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 30 Jun 2017 08:27:20 -0300
Subject: [keycloak-user] Keycloak relations between resources in a system
In-Reply-To: <CA+nyPF55LFT-u-wA24a636Y4aJbM5VcFLxVh0DCdohmhPqRigw@mail.gmail.com>
References: <CA+nyPF55LFT-u-wA24a636Y4aJbM5VcFLxVh0DCdohmhPqRigw@mail.gmail.com>
Message-ID: <CAJrcDBfKHMta5KcgwM2Z-tbE4Je13WGdoDsKvnHdHC6HzL59+A@mail.gmail.com>

Hello ...

On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx at gmail.com> wrote:

>       Hi there,
>
>
> I am new to keycloak and try to use it as auth server in my solution.
>
> I have next entity's model: the *devices* are owned by a particular
> *company* to which belongs some *users*. A user with role *admin* can grant
> permission for viewing some set of devices to a regular user but only those
> devices that belong to admin's company. Thus all users except admins can
> view the only subset of all devices in the company. Based on requirements I
> decided to make a company as *group* and devices as keycloak's *resources*.
> To evaluating permissions I chose *rule-based policy*. The problem is I ran
> into next question about hot to implement other relations and business
> rules:
>
>    1.
>
>    Can I set the group as an owner of the resource to check this relation
>    in policy?
>

You can't. Right the owner should be an user (or service account). But I
think groups should also be included in the list if supported owners
though. I think that would help you to address your requirement [1].

In fact, maybe we should allow anything as the owner. I think we had some
discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135.

[1] https://issues.jboss.org/browse/JBEAP-11377


>    2.
>
>    Which mechanism better to use in my case to grant view permission on a
>    particular device to a regular user?
>
> If someone is more experienced in keycloak and knows how to better
> represent such model, please help.
>
> Thank you in advance.
>
> *P.S.*
>
> For the second question I have two solutions:
>
>    - Create on each device new role which name consists of *device's name*
> +
>    word *view* (This solution has big disadvantage because If user has over
>    1000 devices the *Permission Ticket* will be very huge)
>    - Represent mapping between user and device via scope -- when you admin
>    set relation between particular device and user to the resource (device)
>    added scope which name consists of *user id* plus word *view* (I know it
>    is not good way to use scopes but I have no idea can better configure
> this
>    relation in keycloak)
>

It seems company and realm have a 1:1 mapping ? If so, we end up missing
the group issue I mentioned previously.

Makes sense ?


> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From java at neposoft.com  Fri Jun 30 07:29:07 2017
From: java at neposoft.com (java_os)
Date: Fri, 30 Jun 2017 07:29:07 -0400
Subject: [keycloak-user] keycloak.js - access custom claims in token
Message-ID: <5981187796a8bbb586db3ab0e7a04a70.squirrel@neposoft.com>

Hi Group

Using keycloak.js, what is the best approach to access any custom claims
(other claims) from the token.
Anyway can share this I would appreciate it.
Thanks
D


From sthorger at redhat.com  Fri Jun 30 07:31:33 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jun 2017 13:31:33 +0200
Subject: [keycloak-user] Keycloak 3.2.0.CR2 released
Message-ID: <CAJgngAcsf0VxqcxdbaGtF3PVuY8t200OsnmFQqpAoE=UX=eXmw@mail.gmail.com>

We've just released Keycloak 3.2.0.CR1.

To download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
HighlightsFine grained admin permissions

This is something that we've wanted to add for a long time! Through our
authorization services it's now possible to finely tune permissions for
admins. This makes it possible to limit what clients, users, roles, etc.
admins have access to. Documentation is missing for this at the moment, but
will be added in time for 3.2.0.Final.
Docker Registry support

It's not possible to secure a Docker Registry with a standard OAuth or
OpenID Connect provider. For some strange reason they have only partially
followed the specifications and the Docker Registry maintainers refuse to
fix this! Fear not, thanks to cainj13 <https://github.com/cainj13> who
contributed this we now have a special Docker Registry protocol that can be
enabled in Keycloak.
Authentication sessions and access tokens

In the effort to provide support for running Keycloak in multiple data
centers we've done a large amount of work around user sessions. We've
introduced authentication sessions that are special sessions used primarily
during the authentication flows. There are two main reasons for this.
Authentication flows can fairly easily be fixed to a specific node within a
specific data center and there is no need to replicate this to other data
centers. They are also more write heavy than the user sessions. The
introduction of access tokens makes it possible to detach actions (for
example verify email) from a user session, which has a number of benefits.
More will come in future 3.x releases and by the end of the year we aim to
fully support replicating Keycloak cross multiple data centers.
Authorization Service improvements

There's been a lot of work done to the authorization services in this
release. Way to many to list here so check out JIRA
<https://issues.jboss.org/browse/KEYCLOAK-5072?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%203.2.0.CR1%20and%20component%20%3D%20Authorization>
for
details.
QuickStarts

We've introduced new QuickStarts with the aim to make it even simpler for
you to get started securing your applications and services with Keycloak.
The QuickStarts have proper tests as well, which can serve as a reference
on how to tests your own applications and services secured with Keycloak.
Check out the new QuickStarts in the keycloak-quickstarts GitHub repository
<https://github.com/keycloak/keycloak-quickstarts>.
Upgraded AngularJS and JQuery

We've upgraded the versions we use of AngularJS and JQuery as there where a
number of known vulnerabilities. We're fairly certain neither of the known
vulnerabilities affect Keycloak, but to be on the safe side we decided to
upgrade.
Updated Password Hashing Algorithms

We're still using PBKDF2, but we've added support for SHA256 and SHA512.
PBKDF2 is SHA256 is now used by default.
Spring Boot QuickStarter

We've added a new Spring Boot QuickStarter that makes it super simple to
get started securing your Spring Boot applications. For more details check
out the blog post about it
<http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html>.
Loads more..

   - Partial export of realms in the admin console
   - Redirect URI rewrite rules for adapters
   - Test email settings in the admin console
   - Initial access tokens now persisted to the db

The full list of resolved issues is available in JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%203.2.0.CR1>
.
Upgrading

Before you upgrade remember to backup your database and check the migration
guide
<https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html>.
Release candidates are not recommended in production and we do not support
upgrading from release candidates.

From thomas.darimont at googlemail.com  Fri Jun 30 08:20:13 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 30 Jun 2017 14:20:13 +0200
Subject: [keycloak-user] Keycloak 3.2.0.CR2 released
In-Reply-To: <CAJgngAcsf0VxqcxdbaGtF3PVuY8t200OsnmFQqpAoE=UX=eXmw@mail.gmail.com>
References: <CAJgngAcsf0VxqcxdbaGtF3PVuY8t200OsnmFQqpAoE=UX=eXmw@mail.gmail.com>
Message-ID: <CAK-7U1hd=db4tRat9Q4L-ZPWNiZoeiKgYBrwoEvV+KbNSHCt4Q@mail.gmail.com>

Hello guys,

congratulations to the team for this awesome release! :)

Cheers,
Thomas

2017-06-30 13:31 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:

> We've just released Keycloak 3.2.0.CR1.
>
> To download the release go to the Keycloak homepage
> <http://www.keycloak.org/downloads>.
> HighlightsFine grained admin permissions
>
> This is something that we've wanted to add for a long time! Through our
> authorization services it's now possible to finely tune permissions for
> admins. This makes it possible to limit what clients, users, roles, etc.
> admins have access to. Documentation is missing for this at the moment, but
> will be added in time for 3.2.0.Final.
> Docker Registry support
>
> It's not possible to secure a Docker Registry with a standard OAuth or
> OpenID Connect provider. For some strange reason they have only partially
> followed the specifications and the Docker Registry maintainers refuse to
> fix this! Fear not, thanks to cainj13 <https://github.com/cainj13> who
> contributed this we now have a special Docker Registry protocol that can be
> enabled in Keycloak.
> Authentication sessions and access tokens
>
> In the effort to provide support for running Keycloak in multiple data
> centers we've done a large amount of work around user sessions. We've
> introduced authentication sessions that are special sessions used primarily
> during the authentication flows. There are two main reasons for this.
> Authentication flows can fairly easily be fixed to a specific node within a
> specific data center and there is no need to replicate this to other data
> centers. They are also more write heavy than the user sessions. The
> introduction of access tokens makes it possible to detach actions (for
> example verify email) from a user session, which has a number of benefits.
> More will come in future 3.x releases and by the end of the year we aim to
> fully support replicating Keycloak cross multiple data centers.
> Authorization Service improvements
>
> There's been a lot of work done to the authorization services in this
> release. Way to many to list here so check out JIRA
> <https://issues.jboss.org/browse/KEYCLOAK-5072?jql=
> project%20%3D%20keycloak%20and%20fixVersion%20%3D%203.
> 2.0.CR1%20and%20component%20%3D%20Authorization>
> for
> details.
> QuickStarts
>
> We've introduced new QuickStarts with the aim to make it even simpler for
> you to get started securing your applications and services with Keycloak.
> The QuickStarts have proper tests as well, which can serve as a reference
> on how to tests your own applications and services secured with Keycloak.
> Check out the new QuickStarts in the keycloak-quickstarts GitHub repository
> <https://github.com/keycloak/keycloak-quickstarts>.
> Upgraded AngularJS and JQuery
>
> We've upgraded the versions we use of AngularJS and JQuery as there where a
> number of known vulnerabilities. We're fairly certain neither of the known
> vulnerabilities affect Keycloak, but to be on the safe side we decided to
> upgrade.
> Updated Password Hashing Algorithms
>
> We're still using PBKDF2, but we've added support for SHA256 and SHA512.
> PBKDF2 is SHA256 is now used by default.
> Spring Boot QuickStarter
>
> We've added a new Spring Boot QuickStarter that makes it super simple to
> get started securing your Spring Boot applications. For more details check
> out the blog post about it
> <http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html>.
> Loads more..
>
>    - Partial export of realms in the admin console
>    - Redirect URI rewrite rules for adapters
>    - Test email settings in the admin console
>    - Initial access tokens now persisted to the db
>
> The full list of resolved issues is available in JIRA
> <https://issues.jboss.org/issues/?jql=project%20%3D%
> 20keycloak%20and%20fixVersion%20%3D%203.2.0.CR1>
> .
> Upgrading
>
> Before you upgrade remember to backup your database and check the migration
> guide
> <https://keycloak.gitbooks.io/documentation/server_admin/topics/
> MigrationFromOlderVersions.html>.
> Release candidates are not recommended in production and we do not support
> upgrading from release candidates.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com  Fri Jun 30 08:30:46 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jun 2017 14:30:46 +0200
Subject: [keycloak-user] Keycloak 3.2.0.CR2 released
In-Reply-To: <CAK-7U1hd=db4tRat9Q4L-ZPWNiZoeiKgYBrwoEvV+KbNSHCt4Q@mail.gmail.com>
References: <CAJgngAcsf0VxqcxdbaGtF3PVuY8t200OsnmFQqpAoE=UX=eXmw@mail.gmail.com>
	<CAK-7U1hd=db4tRat9Q4L-ZPWNiZoeiKgYBrwoEvV+KbNSHCt4Q@mail.gmail.com>
Message-ID: <CAJgngAdcuk9bOBaz8ToMrEOP0=8eUgKC+26CqX7r9_WD5uLrjQ@mail.gmail.com>

For those wondering. It's CR1, not CR2 as the subject states ;)

On 30 June 2017 at 14:20, Thomas Darimont <thomas.darimont at googlemail.com>
wrote:

> Hello guys,
>
> congratulations to the team for this awesome release! :)
>
> Cheers,
> Thomas
>
> 2017-06-30 13:31 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>
>> We've just released Keycloak 3.2.0.CR1.
>>
>> To download the release go to the Keycloak homepage
>> <http://www.keycloak.org/downloads>.
>> HighlightsFine grained admin permissions
>>
>> This is something that we've wanted to add for a long time! Through our
>> authorization services it's now possible to finely tune permissions for
>> admins. This makes it possible to limit what clients, users, roles, etc.
>> admins have access to. Documentation is missing for this at the moment,
>> but
>> will be added in time for 3.2.0.Final.
>> Docker Registry support
>>
>> It's not possible to secure a Docker Registry with a standard OAuth or
>> OpenID Connect provider. For some strange reason they have only partially
>> followed the specifications and the Docker Registry maintainers refuse to
>> fix this! Fear not, thanks to cainj13 <https://github.com/cainj13> who
>> contributed this we now have a special Docker Registry protocol that can
>> be
>> enabled in Keycloak.
>> Authentication sessions and access tokens
>>
>> In the effort to provide support for running Keycloak in multiple data
>> centers we've done a large amount of work around user sessions. We've
>> introduced authentication sessions that are special sessions used
>> primarily
>> during the authentication flows. There are two main reasons for this.
>> Authentication flows can fairly easily be fixed to a specific node within
>> a
>> specific data center and there is no need to replicate this to other data
>> centers. They are also more write heavy than the user sessions. The
>> introduction of access tokens makes it possible to detach actions (for
>> example verify email) from a user session, which has a number of benefits.
>> More will come in future 3.x releases and by the end of the year we aim to
>> fully support replicating Keycloak cross multiple data centers.
>> Authorization Service improvements
>>
>> There's been a lot of work done to the authorization services in this
>> release. Way to many to list here so check out JIRA
>> <https://issues.jboss.org/browse/KEYCLOAK-5072?jql=project%
>> 20%3D%20keycloak%20and%20fixVersion%20%3D%203.2.0.
>> CR1%20and%20component%20%3D%20Authorization>
>> for
>> details.
>> QuickStarts
>>
>> We've introduced new QuickStarts with the aim to make it even simpler for
>> you to get started securing your applications and services with Keycloak.
>> The QuickStarts have proper tests as well, which can serve as a reference
>> on how to tests your own applications and services secured with Keycloak.
>> Check out the new QuickStarts in the keycloak-quickstarts GitHub
>> repository
>> <https://github.com/keycloak/keycloak-quickstarts>.
>> Upgraded AngularJS and JQuery
>>
>> We've upgraded the versions we use of AngularJS and JQuery as there where
>> a
>> number of known vulnerabilities. We're fairly certain neither of the known
>> vulnerabilities affect Keycloak, but to be on the safe side we decided to
>> upgrade.
>> Updated Password Hashing Algorithms
>>
>> We're still using PBKDF2, but we've added support for SHA256 and SHA512.
>> PBKDF2 is SHA256 is now used by default.
>> Spring Boot QuickStarter
>>
>> We've added a new Spring Boot QuickStarter that makes it super simple to
>> get started securing your Spring Boot applications. For more details check
>> out the blog post about it
>> <http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html>.
>> Loads more..
>>
>>    - Partial export of realms in the admin console
>>    - Redirect URI rewrite rules for adapters
>>    - Test email settings in the admin console
>>    - Initial access tokens now persisted to the db
>>
>> The full list of resolved issues is available in JIRA
>> <https://issues.jboss.org/issues/?jql=project%20%3D%20keyclo
>> ak%20and%20fixVersion%20%3D%203.2.0.CR1>
>> .
>> Upgrading
>>
>> Before you upgrade remember to backup your database and check the
>> migration
>> guide
>> <https://keycloak.gitbooks.io/documentation/server_admin/top
>> ics/MigrationFromOlderVersions.html>.
>> Release candidates are not recommended in production and we do not support
>> upgrading from release candidates.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From sthorger at redhat.com  Fri Jun 30 08:35:14 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jun 2017 14:35:14 +0200
Subject: [keycloak-user] keycloak.js - access custom claims in token
In-Reply-To: <5981187796a8bbb586db3ab0e7a04a70.squirrel@neposoft.com>
References: <5981187796a8bbb586db3ab0e7a04a70.squirrel@neposoft.com>
Message-ID: <CAJgngAc0LLybohEnKcu7N+sm=NsopO7xvj-R2MdGeF2VjHOK4w@mail.gmail.com>

tokenParsed contains all the claims, see
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/javascript-adapter.html
for more details

On 30 June 2017 at 13:29, java_os <java at neposoft.com> wrote:

> Hi Group
>
> Using keycloak.js, what is the best approach to access any custom claims
> (other claims) from the token.
> Anyway can share this I would appreciate it.
> Thanks
> D
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From java at neposoft.com  Fri Jun 30 08:59:56 2017
From: java at neposoft.com (java_os)
Date: Fri, 30 Jun 2017 08:59:56 -0400
Subject: [keycloak-user] keycloak.js - access custom claims in token
In-Reply-To: <CAJgngAc0LLybohEnKcu7N+sm=NsopO7xvj-R2MdGeF2VjHOK4w@mail.gmail.com>
References: <5981187796a8bbb586db3ab0e7a04a70.squirrel@neposoft.com>
	<CAJgngAc0LLybohEnKcu7N+sm=NsopO7xvj-R2MdGeF2VjHOK4w@mail.gmail.com>
Message-ID: <9dd4a7a4617fa8b33feb768a73ef684f.squirrel@neposoft.com>

Stian - thx for the tip.

> tokenParsed contains all the claims, see
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/javascript-adapter.html
> for more details
>
> On 30 June 2017 at 13:29, java_os <java at neposoft.com> wrote:
>
>> Hi Group
>>
>> Using keycloak.js, what is the best approach to access any custom claims
>> (other claims) from the token.
>> Anyway can share this I would appreciate it.
>> Thanks
>> D
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>



From igneuslynx at gmail.com  Fri Jun 30 11:47:39 2017
From: igneuslynx at gmail.com (Kirill Liubun)
Date: Fri, 30 Jun 2017 18:47:39 +0300
Subject: [keycloak-user] Keycloak relations between resources in a system
Message-ID: <CA+nyPF6=dtJZv883k1puG-JDYN3xZZziCvMCLwdUtzKad012vQ@mail.gmail.com>

Thank you for your answer. Mapping company as the realm is a good idea I
thought about this too but it has a big disadvantage for my case.
I forgot to note that device can change a company and if I made the company
as a realm, it will complicate the way of transferring the device from one
company to another. Also, as far as I know, I can specify in keycloak
adapter only one realm thus I need to create separate resource server per
company instead of storing all data in one. It makes my architecture more
tangled and harder to implement future features those require executing
operations in more than one company.
What do you suggest to do in such case?
Also, I want to ask one more question: Can keycloak's javascript-based
policy call API of remote service? I need this because relations in my
system can become much complex (will be added companies' departments and
subdepartments, a device can be into two or more departments at the same
time). And as far as I know, keycloak don't allow to implement
sophisticated *hierarchical (network) relation model *among system's
resources. So, I decided to create separate *mapping server* that would
know all those relations and keycloak policies would call one to figure out
to grant or deny access to the resources.

On Fri, Jun 30, 2017 at 6:46 PM, Kirill Liubun <igneuslynx at gmail.com> wrote:

> Thank you for your answer. Mapping company as the realm is a good idea I
> thought about this too but it has a big disadvantage for my case.
> I forgot to note that device can change a company and if I made the
> company as a realm, it will complicate the way of transferring the device
> from one company to another. Also, as far as I know, I can specify in
> keycloak adapter only one realm thus I need to create separate resource
> server per company instead of storing all data in one. It makes my
> architecture more tangled and harder to implement future features those
> require executing operations in more than one company.
> What do you suggest to do in such case?
> Also, I want to ask one more question: Can keycloak's javascript-based
> policy call API of remote service? I need this because relations in my
> system can become much complex (will be added companies' departments and
> subdepartments, a device can be into two or more departments at the same
> time). And as far as I know, keycloak don't allow to implement
> sophisticated *hierarchical (network) relation model *among system's
> resources. So, I decided to create separate *mapping server* that would
> know all those relations and keycloak policies would call one to figure out
> to grant or deny access to the resources.
>
>
> On Fri, Jun 30, 2017 at 2:27 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hello ...
>>
>> On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx at gmail.com>
>> wrote:
>>
>>>       Hi there,
>>>
>>>
>>> I am new to keycloak and try to use it as auth server in my solution.
>>>
>>> I have next entity's model: the *devices* are owned by a particular
>>> *company* to which belongs some *users*. A user with role *admin* can
>>> grant
>>> permission for viewing some set of devices to a regular user but only
>>> those
>>> devices that belong to admin's company. Thus all users except admins can
>>> view the only subset of all devices in the company. Based on
>>> requirements I
>>> decided to make a company as *group* and devices as keycloak's
>>> *resources*.
>>> To evaluating permissions I chose *rule-based policy*. The problem is I
>>> ran
>>> into next question about hot to implement other relations and business
>>> rules:
>>>
>>>    1.
>>>
>>>    Can I set the group as an owner of the resource to check this relation
>>>    in policy?
>>>
>>
>> You can't. Right the owner should be an user (or service account). But I
>> think groups should also be included in the list if supported owners
>> though. I think that would help you to address your requirement [1].
>>
>> In fact, maybe we should allow anything as the owner. I think we had some
>> discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135.
>>
>> [1] https://issues.jboss.org/browse/JBEAP-11377
>>
>>
>>>    2.
>>>
>>>    Which mechanism better to use in my case to grant view permission on a
>>>    particular device to a regular user?
>>>
>>> If someone is more experienced in keycloak and knows how to better
>>> represent such model, please help.
>>>
>>> Thank you in advance.
>>>
>>> *P.S.*
>>>
>>> For the second question I have two solutions:
>>>
>>>    - Create on each device new role which name consists of *device's
>>> name* +
>>>    word *view* (This solution has big disadvantage because If user has
>>> over
>>>    1000 devices the *Permission Ticket* will be very huge)
>>>    - Represent mapping between user and device via scope -- when you
>>> admin
>>>    set relation between particular device and user to the resource
>>> (device)
>>>    added scope which name consists of *user id* plus word *view* (I know
>>> it
>>>    is not good way to use scopes but I have no idea can better configure
>>> this
>>>    relation in keycloak)
>>>
>>
>> It seems company and realm have a 1:1 mapping ? If so, we end up missing
>> the group issue I mentioned previously.
>>
>> Makes sense ?
>>
>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From emalenfant at xtreme-eda.com  Fri Jun 30 11:50:25 2017
From: emalenfant at xtreme-eda.com (Eric Malenfant)
Date: Fri, 30 Jun 2017 15:50:25 +0000
Subject: [keycloak-user] Okta as IdP, Keycloak as SP,
	end-app is node.js w/openid-connect
Message-ID: <BLUPR19MB01953F276B4992BA7A89E3FEF4D30@BLUPR19MB0195.namprd19.prod.outlook.com>


So, I?m trying to figure this one out, see if it?s possible. Maybe I?m just not using the right re-directs..
Anyways, keycloak is version 3.0.0, on centos 7.3.1611
I?ve got my App able to use Okta from app -> keycloak -> okta ? but the customer has a requirement to use the Okta portal, click on the app, and be auto-logged in (after account creation).

What I am not seeing, or understanding perhaps, is which URL I should be using to redirect for SSO from Okta -> go through keycloak then onto my App.

Is this even possible?

Thanks in advance.
Eric