From sthorger at redhat.com Wed Nov 1 01:58:09 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 1 Nov 2017 06:58:09 +0100
Subject: [keycloak-user] Backup of config and users
In-Reply-To: <6c31978c16c84d979583c0d9e9796ad7@EX2013-DB02.adesso.local>
References: <6c31978c16c84d979583c0d9e9796ad7@EX2013-DB02.adesso.local>
Message-ID:

Wouldn't it be better and more efficient to use DB tools for backing up the DB?

On 30 Oct 2017 8:27 am, "Knurr, Michael" wrote:

> Dear Sebastien
>
> thanks for your response. This seems to be an easy solution.
>
> Having an automated process in mind, is there any way to know when I can
> stop the instance again "once the export is done"?
>
>
>
> -----Original Message-----
> From: Sebastien Blanc [mailto:sblanc at redhat.com]
> Sent: Friday, 27 October 2017 10:50
> To: Knurr, Michael
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Backup of config and users
>
> You can just run another instance on a different port (i.e. with
> -Djboss.socket.binding.port-offset=) with the export args, then you can
> safely stop this instance once the export is done.
>
> On Fri, Oct 27, 2017 at 10:32 AM, Knurr, Michael wrote:
>
> > In the documentation I can see that the whole domain configuration and
> > all user information can be exported by the "startup" export functionality.
> >
> > http://www.keycloak.org/docs/latest/server_admin/topics/export-import.html
> >
> > Unfortunately this method requires us to stop the server to do the export.
> > What is the recommended procedure to export domain configuration and
> > users in an actively running keycloak instance?
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Michael.Knurr at adesso.ch Wed Nov 1 04:30:22 2017
From: Michael.Knurr at adesso.ch (Knurr, Michael)
Date: Wed, 1 Nov 2017 08:30:22 +0000
Subject: [keycloak-user] Backup of config and users
In-Reply-To:
References: <6c31978c16c84d979583c0d9e9796ad7@EX2013-DB02.adesso.local>
Message-ID: <741c63a6e94243159a60fa1df3023791@EX2013-DB02.adesso.local>

Well, I don't know, using db tools is certainly more efficient. There are probably a number of ways to back up the keycloak data. However, looking at it from a "product perspective" I think that keycloak needs to have a built-in method to back up and restore its own data.

When you are running keycloak in a production environment you need to have a recommended and supported way of creating and restoring your backups. Most certainly there are already a number of companies which already have these procedures in place.

Wouldn't it be a good idea to write them down and add them to a "backup and restore" chapter in the keycloak documentation? What do you think?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, 1 November 2017 06:58
To: Knurr, Michael
Cc: Sebastien Blanc; keycloak-user
Subject: Re: [keycloak-user] Backup of config and users

Wouldn't it be better and more efficient to use DB tools for backing up the DB?

On 30 Oct 2017 8:27 am, "Knurr, Michael" wrote:

Dear Sebastien

thanks for your response. This seems to be an easy solution.

Having an automated process in mind, is there any way to know when I can stop the instance again "once the export is done"?
-----Original Message-----
From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Friday, 27 October 2017 10:50
To: Knurr, Michael
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Backup of config and users

You can just run another instance on a different port (i.e. with -Djboss.socket.binding.port-offset=) with the export args, then you can safely stop this instance once the export is done.

On Fri, Oct 27, 2017 at 10:32 AM, Knurr, Michael wrote:

> In the documentation I can see that the whole domain configuration and
> all user information can be exported by the "startup" export functionality.
>
> http://www.keycloak.org/docs/latest/server_admin/topics/export-import.html
>
> Unfortunately this method requires us to stop the server to do the export.
> What is the recommended procedure to export domain configuration and
> users in an actively running keycloak instance?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From kruti.parmar at oneadvanced.com Wed Nov 1 05:39:56 2017
From: kruti.parmar at oneadvanced.com (Kruti Parmar)
Date: Wed, 1 Nov 2017 09:39:56 +0000
Subject: [keycloak-user] NoSuchMethodError when storing the user into Keycloak's cache
Message-ID:

Hi,

I have created a custom storage provider which will migrate users from a legacy app to keycloak's local storage on demand. That is achieved. Now I want to modify this functionality and store the user into keycloak's cache instead of keycloak's local storage.
For that I have used the following code:

    @Override
    public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) {
        String password = ((UserAdapter) delegate).getPassword();
        if (password != null) {
            user.getCachedWith().put(PASSWORD_CACHE_KEY, password);
        }
    }

But I am getting an error saying:

"org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.keycloak.models.cache.CachedUserModel.getCachedWith()Ljava/util/concurrent/ConcurrentMap;"

Can anyone please help me to resolve this?

PS: I am using keycloak 3.1.0 Final version.

Thanks & regards,
Kruti

***** Email confidentiality *****
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited.

***** Email monitoring *****
Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training.

***** Email security *****
In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email. Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof.

This email has been scanned for viruses by the Symantec Email Security.cloud service.

Advanced Computer Software Group Limited
Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK
Registered in England under number 5965280

________________________________
Please consider the environment: Think before you print!

This message has been scanned for malware by Websense. www.websense.com

From narendra_kadali at hotmail.com Wed Nov 1 10:45:20 2017
From: narendra_kadali at hotmail.com (Narendra Kadali)
Date: Wed, 1 Nov 2017 14:45:20 +0000
Subject: [keycloak-user] Issue with not enabling sticky session
Message-ID:

Hello All,

We configured an external SAML based identity provider in a realm. When the user comes back to Keycloak after successful authentication at the external IdP, Keycloak gives either a "Page expired" or a "Not found serialized context in authenticationSession" error.

The process of reproducing the issue is as follows:

1. Access the corresponding realm login page and then click on the identity provider link to log in using the external IdP.
2. This will take us to the external identity provider. After successful authentication at the external IdP, the user will be redirected back to the Keycloak instance with a valid SAMLResponse.
3. Then there might be a chance that instead of either showing the first-broker-login flow or the profile page you might be presented with a 'page expired' error or a 'Not found serialized context in authenticationSession' error.

Some information about my environment:

1. Three Keycloak instances running in standalone mode. All of them connected to a common DB and an external Infinispan cluster. We are running Keycloak 3.2.1.Final.
2. Three Infinispan instances are deployed as a single cluster. Our Keycloak instances are connected to this external Infinispan cluster.
3. We don't have any session stickiness enabled at the load balancer.
4. Below is the configuration we are using for the authenticationSessions cache in the standalone.xml file.
    true
    org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory

Some findings on this issue:

1. Since session stickiness is not there, the first time the login page is rendered it can go to Keycloak node 1, and when the user comes back to Keycloak with a valid SAML Response the request can be forwarded to Keycloak node 2. So requests can be spread across all Keycloak nodes.
2. The error log observed for the 'Not found serialized context in authenticationSession' message is:

ERROR [org.keycloak.services] (default task-17) KC-SERVICES0068: Not found serialized context in clientSession under note 'BROKERED_CONTEXT'

3. If we run only one single Keycloak node, we are not seeing this error.

Have any of you seen a similar issue?

Thanks!

From mitya at cargosoft.ru Wed Nov 1 17:10:42 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Thu, 02 Nov 2017 00:10:42 +0300
Subject: [keycloak-user] Hot (re)deployment breaks EntityProviders
Message-ID: <1509570642.6401.2.camel@cargosoft.ru>

Hi,

Seems like EntityProviders containing JPA entities can be neither hot deployed nor "cold" deployed and hot redeployed afterwards. In both cases, the result is non-working JPA. Please see https://issues.jboss.org/browse/KEYCLOAK-5782 and its corresponding subtasks, as things are a bit different for the two cases.

Regards,
Dmitry

From takashi.norimatsu.ws at hitachi.com Wed Nov 1 23:47:49 2017
From: takashi.norimatsu.ws at hitachi.com (乗松隆志 / NORIMATSU, TAKASHI)
Date: Thu, 2 Nov 2017 03:47:49 +0000
Subject: [keycloak-user] JWS Client Assertion On Client Authentication
Message-ID: <831D472326678942A9B4BB933AAA103D68D0B251@GSjpTK1DCembx01.service.hitachi.net>

Hello.

I'm interested in Client Authentication in JWS Client Assertion.
It seems that keycloak only supports this using private key signing, which is the "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
I've expected that keycloak has also supported the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .

In org.keycloak.protocol.oidc.OIDCLoginProtocol:

    // Client authentication methods
    public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
    public static final String CLIENT_SECRET_POST = "client_secret_post";
    public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
    public static final String PRIVATE_KEY_JWT = "private_key_jwt";

PRIVATE_KEY_JWT is referred to from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods(). Only PRIVATE_KEY_JWT is added as an authentication method, while CLIENT_SECRET_JWT is referred to from no classes.

Does somebody know why keycloak does not support the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ? (ex. security concerns, etc ...)

And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?

Best Regards
Takashi Norimatsu
Hitachi, Ltd.

From narendra_kadali at hotmail.com Thu Nov 2 18:53:21 2017
From: narendra_kadali at hotmail.com (Narendra Kadali)
Date: Thu, 2 Nov 2017 22:53:21 +0000
Subject: [keycloak-user] Keycloak startup fails when Wildfly running in Standalone-HA mode
Message-ID:

I am trying to deploy a Keycloak cluster in standalone-ha mode in our Openshift environment. I followed the following blog post: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html and made changes to the standalone-ha.xml configuration file. When I am deploying Keycloak in our environment, the deployment is failing and I am seeing the below error message.
21:53:01,694 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started (with errors) in 3413ms - Started 523 of 918 services (3 services failed or missing dependencies, 651 services are lazy, passive or on-demand)

Apart from this I don't see any errors in the logs. In fact in the logs, I see Keycloak deployed successfully but when I am trying to access Keycloak I am getting an HTTP 404 error. Below is a snippet of the log.

21:53:01,612 INFO [org.jboss.as.server] (ServerService Thread Pool -- 51) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
21:53:01,694 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
21:53:01,694 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
21:53:01,694 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started (with errors) in 3413ms - Started 523 of 918 services (3 services failed or missing dependencies, 651 services are lazy, passive or on-demand)

When I accessed the Wildfly management console and looked under the deployments section, I realized that the keycloak war file deployment failed. For some reason the Keycloak deployment is failing and it is not outputting any error logs.

In our environment UDP multicast doesn't work. So we are relying on the TCPPING protocol for the node discovery process. Can it cause any such issues?

Attached the complete server startup log and the ha configuration we are using.

On a side note, when we are running Keycloak in standalone mode we are not facing any such issues.

Have any of you come across this issue? Any help on this issue is appreciated.

Thanks!
From sthorger at redhat.com Fri Nov 3 03:34:51 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Nov 2017 08:34:51 +0100
Subject: [keycloak-user] Backup of config and users
In-Reply-To: <741c63a6e94243159a60fa1df3023791@EX2013-DB02.adesso.local>
References: <6c31978c16c84d979583c0d9e9796ad7@EX2013-DB02.adesso.local>
 <741c63a6e94243159a60fa1df3023791@EX2013-DB02.adesso.local>
Message-ID:

I agree it would be good to have a section on this in the docs. Feel free to create a JIRA.

Maybe we could consider improving import/export to json, but I feel we'll never be able to compete with db specific tools.

On 1 Nov 2017 9:30 am, "Knurr, Michael" wrote:

>
>
> Well, I don't know, using db tools is certainly more efficient. There are
> probably a number of ways to back up the keycloak data. However, looking at
> it from a "product perspective" I think that keycloak needs to have a
> built-in method to back up and restore its own data.
>
>
>
> When you are running keycloak in a production environment you need to have
> a recommended and supported way of creating and restoring your backups.
> Most certainly there are already a number of companies which already have
> these procedures in place.
>
>
>
> Wouldn't it be a good idea to write them down and add them to a "backup
> and restore" chapter in the keycloak documentation? What do you think?
>
>
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Wednesday, 1 November 2017 06:58
> *To:* Knurr, Michael
> *Cc:* Sebastien Blanc; keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Backup of config and users
>
>
>
> Wouldn't it be better and more efficient to use DB tools for backing up
> the DB?
>
>
>
> On 30 Oct 2017 8:27 am, "Knurr, Michael" wrote:
>
> Dear Sebastien
>
> thanks for your response. This seems to be an easy solution.
>
> Having an automated process in mind, is there any way to know when I can
> stop the instance again "once the export is done"?
>
>
>
> -----Original Message-----
> From: Sebastien Blanc [mailto:sblanc at redhat.com]
> Sent: Friday, 27 October 2017 10:50
> To: Knurr, Michael
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Backup of config and users
>
> You can just run another instance on a different port (i.e. with
> -Djboss.socket.binding.port-offset=) with the export args, then you can
> safely stop this instance once the export is done.
>
> On Fri, Oct 27, 2017 at 10:32 AM, Knurr, Michael wrote:
>
> > In the documentation I can see that the whole domain configuration and
> > all user information can be exported by the "startup" export functionality.
> >
> > http://www.keycloak.org/docs/latest/server_admin/topics/export-import.html
> >
> > Unfortunately this method requires us to stop the server to do the export.
> > What is the recommended procedure to export domain configuration and
> > users in an actively running keycloak instance?
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From sthorger at redhat.com Fri Nov 3 03:37:27 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Nov 2017 08:37:27 +0100
Subject: [keycloak-user] Keycloak & Large # of Realms
In-Reply-To:
References:
Message-ID:

On 27 Oct 2017 1:10 am, "John D. Ament" wrote:

Adding a query param was one option we were talking about. The other was to introduce a new endpoint to do this querying. Either way it should also be a lighter DB query that pulls back the id/name combinations.
BTW, why do you display the "name" value on the screen instead of the display name value? Not a critical issue, but a noted quirk.

Probably just wasn't updated when we added the display name field as originally we only had the name. JIRA/PR welcome ;)

John

On Thu, Oct 26, 2017 at 4:18 AM Stian Thorgersen wrote:

> The admin console only needs the realm id and name at this point afaik and
> it will go and fetch the whole realm json rep separately. Changing the API
> wouldn't be nice so adding an extra query param perhaps that requests only
> the needed content?
>
> On 25 October 2017 at 20:17, John D. Ament wrote:
>
>> Hi All
>>
>> Looking for some more insight, haven't heard about this issue in a while.
>>
>> The specific endpoint I'm having issues with is the /auth/admin/realms
>> endpoint ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java#L98
>>
>> For what Keycloak is doing in the UI for the list realms, is it necessary
>> to provide all realm details or can it use a simplified version of the
>> realm representation to populate the drop down in the top left navigation
>> (at least I'm assuming that's where it's being fetched to be populated
>> into)?
>>
>> I'm seeing this endpoint perform particularly slowly.
>> Some of the key spots (I have 125
>>
>> - 750 calls to select authentica0_.ID as ID1_3_0_, authentica0_.ALIAS as
>> ALIAS2_3_0_, authentica0_.BUILT_IN as BUILT_IN3_3_0_,
>> authentica0_.DESCRIPTION as DESCRIPT4_3_0_, authentica0_.PROVIDER_ID as
>> PROVIDER5_3_0_, authentica0_.REALM_ID as REALM_ID7_3_0_,
>> authentica0_.TOP_LEVEL as TOP_LEVE6_3_0_ from AUTHENTICATION_FLOW
>> authentica0_ where authentica0_.ID='15249ca1-1be3-4b59-a0e0-80bf00a107a4'
>> (the ID changes per request, looks like you're loading auth flows per ID)
>> - 250 calls to get client entities
>> - 125 calls for groups, locales, enabled events, required actions, roles,
>> smtp config, idps, attributes, roles, role mappers, etc.
>>
>> I suspect the 125 calls are needed, we don't want to load those in a
>> larger batch. However, if there's a simpler use for realms that would be
>> beneficial from a loading standpoint.
>>
>> John
>>
> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From rgshepherd at gmail.com Fri Nov 3 15:18:28 2017
From: rgshepherd at gmail.com (Rob Shepherd)
Date: Fri, 3 Nov 2017 19:18:28 +0000
Subject: [keycloak-user] Login Confirmation every time
Message-ID:

Hi,

I have a requirement where multiple users use shared terminals.

I would like to have a "Continue to ${client} as ${username}?" prompt page that occurs after every (unprompted) authentication. (I.e. if cookie auth was successful, but no login form.)

So this would always be present when processing a login that can occur without interaction if a cookie is still valid.

When prompted, and it appears to the user that it is an old login from a previous person, then I will present the option to "Login as someone else".

(What I describe is different to the consent screen that occurs once per client per user.)

Does this already exist?
Otherwise, should I be thinking of a RequiredAction for this, or an Authentication flow?

Pointers appreciated.

Thanks

Rob

From rgshepherd at gmail.com Sat Nov 4 08:17:36 2017
From: rgshepherd at gmail.com (Rob Shepherd)
Date: Sat, 4 Nov 2017 12:17:36 +0000
Subject: [keycloak-user] Roles from UserStorageSPI
Message-ID: <03EAD437-DE93-4C2F-83DD-FD5B7E00C719@gmail.com>

Hi,

I have successfully authenticated users from a custom User Storage Provider.

I cannot find how I map roles to the users that come from this provider.

I am able to include the user's roles in the UserModel, and I have created ClientRoles which match, but I can't find how I attribute Roles to my users.

Furthermore, I have a default realm role, but this never appears in the ID token or userInfo object.

Any pointers appreciated.

Thanks

Rob

From valerij.timofeev at gmail.com Sat Nov 4 16:30:33 2017
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Sat, 4 Nov 2017 21:30:33 +0100
Subject: [keycloak-user] Extract kc_locale from a redirect URI
Message-ID:

Hi,

we are extracting the kc_locale parameter from redirect URIs and appending it to the Keycloak login form URI using an NGINX rewrite rule at the moment. Extracting the locale from the redirect URI is indispensable for example when using deep links in emails or linking to protected resources from a public site.

I wonder whether there is a simpler method to extract the kc_locale parameter from the redirect URI and set the corresponding locale in the Keycloak login form.

Best regards,
Valerij

From kruti.parmar at oneadvanced.com Sun Nov 5 23:19:35 2017
From: kruti.parmar at oneadvanced.com (Kruti Parmar)
Date: Mon, 6 Nov 2017 04:19:35 +0000
Subject: [keycloak-user] Roles from UserStorageSPI
In-Reply-To: <03EAD437-DE93-4C2F-83DD-FD5B7E00C719@gmail.com>
References: <03EAD437-DE93-4C2F-83DD-FD5B7E00C719@gmail.com>
Message-ID: <970f4ab5b7694dc7bbd6ccab1f149198@SL1ACSEXCMB03.acsresource.com>

I am not sure but you can do something like this to map the role with your user.
    // listOfRoles holds the role names returned by the storage provider;
    // look each one up in the realm and grant it to the user if it exists
    for (String role : listOfRoles) {
        RoleModel roleModel = realmModel.getRole(role);
        if (roleModel != null) {
            userModel.grantRole(roleModel);
        }
    }

Regards,
Kruti

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Rob Shepherd
Sent: 04 November 2017 05:48 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Roles from UserStorageSPI

Hi,

I have successfully authenticated users from a custom User Storage Provider.

I cannot find how I map roles to the users that come from this provider.

I am able to include the user's roles in the UserModel, and I have created ClientRoles which match, but I can't find how I attribute Roles to my users.

Furthermore, I have a default realm role, but this never appears in the ID token or userInfo object.

Any pointers appreciated.

Thanks

Rob
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Nov 6 03:56:00 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 6 Nov 2017 09:56:00 +0100
Subject: [keycloak-user] identity broker role mapping bug?
In-Reply-To:
References:
Message-ID: <86543428-f370-0c06-0204-7aedf69c5478@redhat.com>

It makes sense to me. Feel free to create a JIRA and ideally also submit a PR with the test.

Just one note: Make sure that "user.grantRole" is called during the update just in case the user doesn't yet have this role. I guess you would need to add some additional check like:

    if (!user.hasRole(role)) {
        user.grantRole(role);
    }

That's because of performance (calling user.grantRole always invalidates the user in the cache and requires reloading him from the DB, which is not needed if he already has the role).

Marek

On 26/10/17 11:54, Simon Payne wrote:
> further to this, i think i've located the responsible code in the class
> org.keycloak.broker.oidc.mappers.ClaimToRoleMapper, which in my opinion
> doesn't perform the expected behavior as previously highlighted. I'm
> making a couple of assumptions that the importNewUser method only gets called
> on first broker login and that updateBrokeredUser gets called on every
> login thereafter.
>
> we can see in the code below that importNewUser grants the role if the
> claim is found - which is fine.
> However, updateBrokeredUser only removes
> if not found in the claim.
>
> I'm proposing that we alter the method updateBrokeredUser to include the
> addition of the role as well. I can't see how anyone is currently using
> this code in any meaningful way as currently the code doesn't support the
> addition of role after first login.
>
> any thoughts? i'm happy to make the changes myself.
>
> Simon.
>
>
>
>     @Override
>     public void importNewUser(KeycloakSession session, RealmModel realm,
>             UserModel user, IdentityProviderMapperModel mapperModel,
>             BrokeredIdentityContext context) {
>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>         if (hasClaimValue(mapperModel, context)) {
>             RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>             if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>             user.grantRole(role);
>         }
>     }
>
>     @Override
>     public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>             UserModel user, IdentityProviderMapperModel mapperModel,
>             BrokeredIdentityContext context) {
>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>         if (!hasClaimValue(mapperModel, context)) {
>             RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>             if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>             user.deleteRoleMapping(role);
>         }
>     }
>
>
>
>
> On Wed, Oct 25, 2017 at 2:46 PM, Simon Payne wrote:
>
>> Hi, i think i may have found a bug in the identity provider mapping of
>> claims to roles.
>>
>> it appears that if i have an identity provider with claims in the token,
>> which i want to map to a role in the identity broker, then it only does
>> this once during the first time login. if i remove the claim from the
>> identity provider token, then this successfully removes it from the broker
>> - but never remaps if i then add it again.
>>
>> the scenario i am trying to create here is that the identity provider is
>> responsible for authentication where active directory groups appear as a
>> claim in the token. the broker then maps this claim to the role providing
>> the authorization.
>>
>> this behaviour appears to be the same whether i map a broker role to a
>> custom claim or a realm role in the provider token.
>>
>> hope this makes sense, thanks
>>
>> Simon.
>>
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Nov 6 03:59:28 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 6 Nov 2017 09:59:28 +0100
Subject: [keycloak-user] User registration outside of Keycloak login form
In-Reply-To:
References:
Message-ID: <57f51875-53e2-1d20-9a8c-9fd35ac1f561@redhat.com>

I think it can be done with the authentication SPI. After the registration, you will need to have an authenticator which accepts username + password (you know the password from the registration) and authenticates the user based on that.

I suggest taking a look at the authentication SPI and the examples for this.

Marek

On 26/10/17 18:13, Niels Bertram wrote:
> Hi Keycloak users,
>
> a strange question for the community ... I have a customer that wants to
> have SSO but does not want to use the Keycloak registration screens (themed
> or otherwise) but requires the user to be "logged in" to Keycloak after
> user registration.
>
> My understanding is that to get the SSO magic to work, a user agent must be
> redirected to the Keycloak server so the KEYCLOAK_SESSION? cookie can be
> set so that when the user navigates to another SSO enabled site after user
> registration, they would be identified in the auth flow of this client. Is
> there any way to create a valid SSO session without using the registration
> forms of Keycloak server itself?
> Like doing an XHR request that would
> create a user registration and also set the required server side cookies
> in the user agent?
>
> Interested to hear your thoughts.
>
> Many thanks, Niels
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Nov 6 04:09:34 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 6 Nov 2017 10:09:34 +0100
Subject: [keycloak-user] JWS Client Assertion On Client Authentication
In-Reply-To: <831D472326678942A9B4BB933AAA103D68D0B251@GSjpTK1DCembx01.service.hitachi.net>
References: <831D472326678942A9B4BB933AAA103D68D0B251@GSjpTK1DCembx01.service.hitachi.net>
Message-ID:

Yes, we don't yet have support for this. AFAIK nobody has requested it yet, and it wasn't strictly required for the OpenID Connect Certification either (note that Keycloak is OpenID Connect certified).

Feel free to create a JIRA if it doesn't already exist. Ideally, if you want to contribute this including tests, documentation and support on both the server and adapter side, it will be nice.

Thanks,
Marek

On 02/11/17 04:47, 乗松隆志 / NORIMATSU, TAKASHI wrote:
> Hello.
>
> I'm interested in Client Authentication in JWS Client Assertion.
> It seems that keycloak only supports this using private key signing, which is the "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> I've expected that keycloak has also supported the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
>
> In org.keycloak.protocol.oidc.OIDCLoginProtocol
>
>     // Client authentication methods
>     public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
>     public static final String CLIENT_SECRET_POST = "client_secret_post";
>     public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
>     public static final String PRIVATE_KEY_JWT = "private_key_jwt";
>
> PRIVATE_KEY_JWT is referenced from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
> Only PRIVATE_KEY_JWT is added as an authentication method, while CLIENT_SECRET_JWT is referenced from no classes.
>
> Does somebody know why Keycloak does not support the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
> (e.g. security concerns, etc ...)
>
> And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Nov 6 04:17:51 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 6 Nov 2017 10:17:51 +0100
Subject: [keycloak-user] Issue with not enabling sticky session
In-Reply-To:
References:
Message-ID: <4046d82e-5b8d-b564-e4c8-36f36a1336fd@redhat.com>

I think that you may need to either:

1) Enable sticky sessions for your loadbalancer
2) Use the distributed-cache instead of local-cache
3) Make some changes in remote-store so that it works for your use-case. But this is not a configuration tested by us.

I suggest rather doing (1) or (2) if possible.

BTW, if you want to double-check, you can try with 1 node only. If the issue is not there with 1 node, but it is with 2 or more nodes, then you surely need to do something mentioned above.
Marek

On 01/11/17 15:45, Narendra Kadali wrote:
> Hello All,
>
> We configured an external SAML based identity provider in a realm. When the user comes back to Keycloak after successful authentication at the external IdP, Keycloak gives either a "Page expired" or a "Not found serialized context in authenticationSession" error.
>
> The process of reproducing the issue is as follows:
>
> 1. Access the corresponding realm login page and then click on the identity provider link to log in using the external IdP.
> 2. This will take us to the external identity provider. After successful authentication at the external IdP, the user will be redirected back to the Keycloak instance with a valid SAMLResponse.
> 3. Then there might be a chance that instead of either showing the first-broker-login flow or the profile page you are presented with a 'page expired' error or a 'Not found serialized context in authenticationSession' error.
>
> Some information about my environment:
> 1. Three Keycloak instances running in standalone mode. All of them connected to a common DB and an external Infinispan cluster. We are running Keycloak 3.2.1.Final
> 2. Three Infinispan instances are deployed as a single cluster. Our Keycloak instances are connected to this external Infinispan cluster.
> 3. We don't have any session stickiness enabled at the load balancer
>
> 1. Below is the configuration we are using for the authenticationSessions cache in the standalone.xml file.
>
> [XML configuration block lost in extraction; only the values "true" and "org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory" survive]
>
> Some findings on this issue:
>
> 1. Since session stickiness is not there, the first time the login page is rendered it can go to Keycloak node 1, and when the user comes back to Keycloak with a valid SAML Response the request can be forwarded to Keycloak node 2. So requests can be spread across all Keycloak nodes.
> 2.
> The error log observed for the 'Not found serialized context in authenticationSession' message is: ERROR [org.keycloak.services] (default task-17) KC-SERVICES0068: Not found serialized context in clientSession under note 'BROKERED_CONTEXT'
> 3. If we run only one single Keycloak node, we are not seeing this error.
>
> Have any of you seen a similar issue?
>
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From john.ocallaghan at accenture.com Mon Nov 6 07:37:45 2017
From: john.ocallaghan at accenture.com (O'Callaghan, John)
Date: Mon, 6 Nov 2017 12:37:45 +0000
Subject: [keycloak-user] Adding users to groups using restapi
Message-ID: <6EB9822A-DE17-4A36-BEA7-144C0329D3CB@contoso.com>

Hi All

I'm trying to use the REST API to update an existing user to add them to an existing group.
The URL that I am using is /auth/admin/realms/MY_REALM/users/USER_ID

Where MY_REALM is equal to my realm name and
USER_ID is equal to an existing user's id.

I am sending a JSON doc in the PUT body and in here I have { "groups": ["admin"], "enabled": True }

But when I look at the user's info using the WebUI I am not seeing the admin group listed in their "Group Membership" table. I do see it listed in their "Available Groups" table.

I do see that the user's "enabled" flag is going from False to True after the PUT so I believe the permission to update the user is correct. But shouldn't I see the admin group added to the Group Membership table too?

Has anyone come across this problem?
Any help would be really appreciated.
Thanks
John

________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________

www.accenture.com

From to_sud at yahoo.com Mon Nov 6 10:20:49 2017
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Mon, 6 Nov 2017 10:20:49 -0500
Subject: [keycloak-user] populating phone number in IDToken
Message-ID:

Hi Keycloak team,

We were wondering if and how the phone number property in IDToken is populated. We are using OIDC between the client and Keycloak. We came across the org.keycloak.protocol.oidc.OIDCLoginProtocolFactory.java class, which seems to be responsible for populating some of the properties of IDToken, but phone number isn't one of them.

Regards
-sud

From mstrukel at redhat.com Mon Nov 6 12:05:55 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 6 Nov 2017 18:05:55 +0100
Subject: [keycloak-user] Adding users to groups using restapi
In-Reply-To: <6EB9822A-DE17-4A36-BEA7-144C0329D3CB@contoso.com>
References: <6EB9822A-DE17-4A36-BEA7-144C0329D3CB@contoso.com>
Message-ID:

I think you should use /auth/admin/realms/MY_REALM/users/USER_ID/groups/GROUP_ID.

And your JSON should contain:

{"realm": "My_realm", "userId":USER_ID, "groupId":GROUP_ID}
From jrowe at openet.com Tue Nov 7 03:34:51 2017
From: jrowe at openet.com (James Rowe)
Date: Tue, 7 Nov 2017 08:34:51 +0000
Subject: [keycloak-user] Automatically disable inactive users
Message-ID:

Hi all,

is there a way in Keycloak to automatically disable a user's account after a configurable period of inactivity? For example, if a user has been inactive (e.g. not authenticated) for 60 days then his account is automatically disabled, meaning he can no longer log in.
If it is not possible then I plan to add a feature request. I don't see anything like this in the existing JIRA requests.

Thanks,
Jim.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, please note that any review, dissemination, disclosure, alteration, printing, circulation, retention or transmission of this e-mail and/or any file or attachment transmitted with it, is prohibited and may be unlawful. If you have received this e-mail or any file or attachment transmitted with it in error please notify postmaster at openet.com. Although Openet has taken reasonable precautions to ensure no viruses are present in this email, we cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

From pkaim at hotmail.com Tue Nov 7 05:10:33 2017
From: pkaim at hotmail.com (pavlos kaimakis)
Date: Tue, 7 Nov 2017 10:10:33 +0000
Subject: [keycloak-user] create admin user to control other users, but at the same time making him/her unable to change his/her own permissions
Message-ID:

Hi there,

Is there any way we can configure a user that will have the rights to view/edit/delete/assign other users' roles, but will NOT be able to change the settings for him/herself?

The reason for asking is that I want a user as admin to deal with the rest of the users, but at the same time I don't want that user to be able to grant permissions to him/herself to access some other clients. The default 'admin' role gives him/her this option.
Waiting for your response
BRs
Lefteris

From john.ocallaghan at accenture.com Tue Nov 7 05:39:25 2017
From: john.ocallaghan at accenture.com (O'Callaghan, John)
Date: Tue, 7 Nov 2017 10:39:25 +0000
Subject: [keycloak-user] Adding users to groups using restapi
In-Reply-To: <6EB9822A-DE17-4A36-BEA7-144C0329D3CB@contoso.com>
Message-ID: <40B4A693-9844-4372-9899-52B2077B25AA@contoso.com>

Hi Marko

That worked perfectly. Thanks for the help!
John

From john.ocallaghan at accenture.com Tue Nov 7 07:58:45 2017
From: john.ocallaghan at accenture.com (O'Callaghan, John)
Date: Tue, 7 Nov 2017 12:58:45 +0000
Subject: [keycloak-user] Use RestAPI to add roles to groups
In-Reply-To: <40B4A693-9844-4372-9899-52B2077B25AA@contoso.com>
Message-ID:

Hi all

A similar question to before. I am trying to use the REST API to add existing access roles to an existing group.
I have tried to use:

PUT /auth/admin/realms/REALM_NAME/groups/GROUP_ID
With data {'realmRoles': [LIST_OF_ROLES], 'id': gid}

I am getting a 204 back from the PUT but when I look in the WebUI I am not seeing the assigned roles table getting updated for the group.
This is similar to a previous question I had (thanks again Marko for the response) and for fun I did try:
PUT /auth/admin/realms/REALM_ID/groups/GROUP_ID/roles/ROLE_ID
With data {'roleId': ROLE_ID, 'id': GROUP_ID, 'realm': REALM_NAME}

But that gave a 404.

Has anyone else had this problem? Any help would be much appreciated!
Thanks
John

From leonelfreire at gmail.com Tue Nov 7 08:17:09 2017
From: leonelfreire at gmail.com (Leonel Freire)
Date: Tue, 7 Nov 2017 10:17:09 -0300
Subject: [keycloak-user] Role revocation after a specified date and time
Message-ID:

Is there any way to revoke a role after a specified date and time?

--
Leonel Freire
*Have you tried turning it off and on again?*

From mstrukel at redhat.com Tue Nov 7 09:43:23 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 7 Nov 2017 14:43:23 +0000
Subject: [keycloak-user] Use RestAPI to add roles to groups
In-Reply-To:
References:
Message-ID:

Are you using some documentation / examples or are you just doing trial and error to reverse engineer how to use the REST API based on the Admin REST Documentation?

In practice it's easiest to just activate developer tools in your browser and turn on request logging, then perform the desired operations in the Admin Console, and check what JSON was sent and received.
Another option is the Admin CLI docs containing recipes which are easy to translate into raw REST requests: http://www.keycloak.org/docs/latest/server_admin/topics/admin-cli.html.

Additionally, there are Admin REST API tests in our testsuite: https://github.com/keycloak/keycloak/tree/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin

They should cover most use-cases, but it may be a bit difficult to find exactly the thing you're looking for.

Our REST API Documentation is rather messy and not very helpful for many use cases. But since it's so easy to reverse engineer communication using the Admin Console with request tracing enabled in your browser, the priority for improving the REST API is pretty low ATM.
From psilva at redhat.com Tue Nov 7 10:13:46 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 7 Nov 2017 13:13:46 -0200
Subject: [keycloak-user] Role revocation after a specified date and time
In-Reply-To:
References:
Message-ID:

You should be able to achieve this using fine-grained permissions. There you could probably mix RBAC and Time based policies or use a JS/Rules policy.

From d.weirshousky at xsb.com Tue Nov 7 10:19:49 2017
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Tue, 7 Nov 2017 09:19:49 -0600 (CST)
Subject: [keycloak-user] Keycloak SAML IDP configuration problems
In-Reply-To: <541885307.8468277.1510067868123.JavaMail.zimbra@xsb.com>
Message-ID: <248037491.8469878.1510067989181.JavaMail.zimbra@xsb.com>

I am having a problem setting up Okta as an IDP with Keycloak as the SP using SAML. We are using Keycloak 3.2.1.

What we want:
We want to prepopulate the users from Okta in Keycloak (only a handful of users are involved).
So that when a user comes from Okta to our application no registration info has to be entered or confirmed. The user will be authenticated with Okta, then click on the application link. Keycloak will handle the SAML authentication and then redirect the user to our application.

What I have so far:
I am initiating login to the application from Okta. When the user comes from Okta they are prompted to update account information. Then a message appears stating that the account already exists, click add to existing account. The user receives the verify email and confirms linking. Then the user goes back to the browser window and continues and is redirected to a page that doesn't exist.

Link from SP:
https://myHost/auth/realms/myRealm/login-actions/first-broker-login?code=someCodeHere&execution=someExecutionHere&client_id=idOfMyClient

Link it redirects to:
https://myHost/auth/realms/myRealm/broker/null

The user is linked to the identity provider and a session is created.

At this point I am starting to think that we shouldn't use this version of Keycloak and wondering if this is a bug or a configuration issue. Any help would be appreciated.

Thanks
Drew

From leonelfreire at gmail.com Tue Nov 7 10:30:41 2017
From: leonelfreire at gmail.com (Leonel Freire)
Date: Tue, 7 Nov 2017 12:30:41 -0300
Subject: [keycloak-user] Role revocation after a specified date and time
In-Reply-To:
References:
Message-ID:

Thank you very much. I'll check this out.
--
Leonel Freire
*Have you tried turning it off and on again?*

From john.ocallaghan at accenture.com Tue Nov 7 13:01:52 2017
From: john.ocallaghan at accenture.com (O'Callaghan, John)
Date: Tue, 7 Nov 2017 18:01:52 +0000
Subject: [keycloak-user] [External] Re: Use RestAPI to add roles to groups
In-Reply-To:
References:
Message-ID: <09A9F758-EE16-43B0-9114-0991A90E70AA@accenture.com>

Hi Marko

Yes, I'm going through the REST docs and trying to use them to programmatically set up my Keycloak installation. You are absolutely right of course, I have fired up dev tools and can now see at a glance precisely what network APIs are being called and with what data. Much easier now!

Again many thanks for your time.
John
From leonelfreire at gmail.com Tue Nov 7 14:21:42 2017
From: leonelfreire at gmail.com (Leonel Freire)
Date: Tue, 7 Nov 2017 16:21:42 -0300
Subject: [keycloak-user] Role revocation after a specified date and time
In-Reply-To:
References:
Message-ID:

I read the documentation, but that's not the case. I would like the user's role to be removed at a certain date. Using Authorization Services I get something close in terms of functionality, but it's not possible to remove the role.

--
Leonel Freire
*Have you tried turning it off and on again?*

From corentin.dupont at gmail.com Tue Nov 7 18:13:47 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 8 Nov 2017 00:13:47 +0100
Subject: [keycloak-user] Fwd: Authz with nodejs
In-Reply-To:
References:
Message-ID:

Hi guys,

I created a REST API that I would like to protect with Keycloak. However, I don't find any example/tutorial on the Internet that suits.
At the moment I use keycloak-nodejs-connect: https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js

This is the basic example given:

    var Keycloak = require('keycloak-connect');
    var express = require('express');
    var session = require('express-session');

    var app = express();
    var server = app.listen(3000, function () {});

    var memoryStore = new session.MemoryStore();

    app.use(session({
      secret: 'mySecret',
      resave: false,
      saveUninitialized: true,
      store: memoryStore,
    }));

    var keycloak = new Keycloak({ store: memoryStore });

    app.use(keycloak.middleware({
      logout: '/logout',
      admin: '/'
    }));

    app.get('/login', keycloak.protect(), function (req, res) {
      res.render('index', {
        result: JSON.stringify(JSON.parse(req.session['keycloak-token']), null, 4),
        event: '1. Authentication\n2. Login'
      });
    });

But that doesn't correspond to my need: in a REST API I have no login or logout and no memory. I think the user should always make requests with a bearer token. Based on that token I can identify the user and get his roles. Then I could use keycloak.protect('realm:myendpoint') to protect each of my endpoints. If the user has got that role, he is authorized.

Did I understand the flow correctly? Is there some example of a REST API with authz, using Node.js?

Thanks a lot!!!
Corentin

From nielsbne at gmail.com Wed Nov 8 00:04:01 2017
From: nielsbne at gmail.com (Niels Bertram)
Date: Wed, 8 Nov 2017 15:04:01 +1000
Subject: [keycloak-user] Keycloak 3.3.0 fails Google Social Registration with NPE
Message-ID:

I unzipped Keycloak 3.3.0.Final and configured a localhost:8080 instance with realm "play" to use the Google Identity Provider for social login. Navigating to http://localhost:8080/auth/realms/play/account will get me to the login page as expected, then I click on the Google logo and it takes me to the Google login. Login is all good but then I get back to the Keycloak server and I see this stack trace in the web browser and logs. Anyone seen this before?
I have the exact same setup behind a proper DNS with SSL and it works fine. In the "Play" realm I configured Require SSL to none and can't really think of any other thing that could cause this. Anyone seen this error or has any suggestions for configuration?

14:47:05,845 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /auth/realms/play/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: No identifier provider for identity.
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: No identifier provider for identity. at org.keycloak.broker.provider.BrokeredIdentityContext.(BrokeredIdentityContext.java:53) at org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext.deserialize(SerializedBrokeredIdentityContext.java:250) at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:697) at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:650) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) ... 48 more From zitrone at gmx-topmail.de Wed Nov 8 04:14:08 2017 From: zitrone at gmx-topmail.de (zitrone at gmx-topmail.de) Date: Wed, 8 Nov 2017 10:14:08 +0100 Subject: [keycloak-user] Set CreatedTimestamp Message-ID: Hi, i'm currently trying to migrate users from an old system to keycloak (3.1.0). Im using the java implementation of the keycloak admin api to create the accounts, building a UserRepresentation and sending it to realm.users().create(). 
Now I have the problem that I want to migrate the creation date of the accounts from the old system. Although I can set the createdTimestamp for the UserRepresentation, it will not be stored in keycloak. Instead the current time is set for the createdTimestamp. Is there a way to modify the createdTimestamp? I understand that this is something you usually don't want to happen, but during migration of already existing accounts it would be kind of handy. If there is no other way I have to use a custom attribute storing the old creation date, but that means additional code to retrieve it.

Second question: What is the best way to iterate over all accounts in keycloak? Currently I'm using something like this:

    import java.util.ArrayList;
    import java.util.List;
    import org.keycloak.admin.client.Keycloak;

    // keyCloakClient is the admin-client Keycloak instance, realmname the realm to scan
    Integer userCount = keyCloakClient.realm(realmname).users().count();
    int processed = 0;
    List<String> userIds = new ArrayList<>();
    int fetchsize = 100;
    while (processed < userCount) {
        keyCloakClient
            .realm(realmname)
            .users()
            .search("", processed, fetchsize)   // empty search string, paged by offset and page size
            .stream()
            // some filters
            .forEach(user -> userIds.add(user.getId()));
        processed += fetchsize;
    }

If I set the fetchsize too big, I get problems processing the JSON response. But I'm worried that the result from the empty search will not be stable and I'll miss accounts.

regards
zitrone

From stef at epardaud.fr Wed Nov 8 04:35:36 2017 From: stef at epardaud.fr (Stephane Epardaud) Date: Wed, 8 Nov 2017 10:35:36 +0100 Subject: [keycloak-user] Keycloak REST API Message-ID: <32a90b9a-1cc2-9aa1-acc7-c0d3e569288d@epardaud.fr>

Hi,

I'm trying to use the REST API of keycloak to seed an initial config for tests that depend on keycloak, but I only found this doc: http://www.keycloak.org/docs-api/3.3/rest-api/index.html

Are there better docs somewhere else?

If not: they barely explain what the entities are, and don't tell me which parts are settable, required, or server-generated.
They also contain some links to types that are not documented (like Map), and don't explain how to get a token to play along (found that somewhere completely different). A set of examples with each endpoint and entity type would be _greatly_ appreciated too. Otherwise there's a lot of guesswork involved :(

Otherwise, pretty impressed with the rest of KeyCloak, so don't take that issue harshly :)

Cheers.

From mstrukel at redhat.com Wed Nov 8 04:58:41 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 8 Nov 2017 09:58:41 +0000 Subject: [keycloak-user] Keycloak REST API In-Reply-To: <32a90b9a-1cc2-9aa1-acc7-c0d3e569288d@epardaud.fr> References: <32a90b9a-1cc2-9aa1-acc7-c0d3e569288d@epardaud.fr> Message-ID:

We are aware of the issue. See http://lists.jboss.org/pipermail/keycloak-user/2017-November/012181.html for some suggestions.

REST API docs are autogenerated from code and javadoc and we prefer it this way to minimise inconsistencies that would otherwise arise over time. The choice of documentation generation pipeline is a factor. We're not using Swagger ATM, and OpenAPI seems to be the best option to move to in the future.

I don't think there's a JIRA for it yet. Feel free to open it. Any contributions welcome :)

On Wed, Nov 8, 2017 at 9:35 AM, Stephane Epardaud wrote:
> Hi,
>
> I'm trying to use the REST API of keycloak to seed an initial config for tests that depend on keycloak, but I only found this doc:
> http://www.keycloak.org/docs-api/3.3/rest-api/index.html
>
> Are there better docs somewhere else?
>
> If not: they barely explain what the entities are, and don't tell me which parts are settable, required, or server-generated. They also contain some links to types that are not documented (like Map), and don't explain how to get a token to play along (found that somewhere completely different). A set of examples with each endpoint and entity type would be _greatly_ appreciated too.
> Otherwise there's a lot of guesswork involved :(
>
> Otherwise, pretty impressed with the rest of KeyCloak, so don't take that issue harshly :)
>
> Cheers.

From simonpayne58 at gmail.com Wed Nov 8 05:14:29 2017 From: simonpayne58 at gmail.com (Simon Payne) Date: Wed, 8 Nov 2017 10:14:29 +0000 Subject: [keycloak-user] create admin user to control other users, but at the same time making him/her unable to change his/her own permissions In-Reply-To: References: Message-ID:

Hi, it is possible - try the following or some variation to suit your use case. My example allowed a user in a suitable admin role to allocate client roles to a user, but the user was otherwise read only.

1 - Create a role to act as admin.
2 - Create a policy for your role.
3 - Give permission to map client roles. This is done by selecting your client, then switching on permissions, then against map-roles apply your role policy.
4 - Give permission to view users. This is done by selecting the admin role, then role mappings; select client roles -> realm-management -> view users.
5 - Give permission to map roles to users. Enable permissions on the users section, then apply your admin role policy.

Hope this works for you,
Simon.

On Tue, Nov 7, 2017 at 10:10 AM, pavlos kaimakis wrote:
> Hi there,
>
> Is there any way we can configure a user that will have the rights to view/edit/delete/assign other users' roles, but will NOT be able to change the setting for him/herself?
>
> Reason for asking is I want a user as admin to deal with the rest of the users, but at the same time I don't want that user to be able to grant permissions to him/herself to access some other clients. The default 'admin' role gives him/her this option.
> Waiting for your response
>
> BRs
>
> Lefteris

From simonpayne58 at gmail.com Wed Nov 8 05:30:00 2017 From: simonpayne58 at gmail.com (Simon Payne) Date: Wed, 8 Nov 2017 10:30:00 +0000 Subject: [keycloak-user] identity broker role mapping bug? In-Reply-To: <86543428-f370-0c06-0204-7aedf69c5478@redhat.com> References: <86543428-f370-0c06-0204-7aedf69c5478@redhat.com> Message-ID:

I made the change on our system by rebuilding the keycloak-service 3.2.1.final jar and deployed it separately. The code was changed as follows and after some testing appears to provide the functionality we need. I can open a Jira ticket no problem as it would be useful to get it pushed into the main build, as we have since upgraded to 3.3.0.final and lost the changes.

    // Both the first-login hook and the every-login hook now delegate to mapRole(),
    // so the role follows the presence of the claim on each broker login.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        mapRole(realm, user, mapperModel, context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        mapRole(realm, user, mapperModel, context);
    }

    private void mapRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
                         BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);

        // grant while the claim is present, revoke once it is gone
        if (hasClaimValue(mapperModel, context)) {
            user.grantRole(role);
        } else {
            user.deleteRoleMapping(role);
        }
    }

On Mon, Nov 6, 2017 at 8:56 AM, Marek Posolda wrote:
> It makes sense to me. Feel free to create JIRA and ideally also submit PR with the test.
>
> Just one note: Make sure that "user.grantRole" is called during upgrade just in case that user doesn't yet have this role. I guess you would need to add some additional check like:
>
>     if (!user.hasRole(role)) {
>         user.grantRole(role);
>     }
>
> That's because of performance (Calling of user.grantRole always invalidates the user in the cache and requires reloading him from DB, which is not needed if he has the role already).
>
> Marek
>
>
> On 26/10/17 11:54, Simon Payne wrote:
>
>> Further to this, I think I've located the responsible code in the class org.keycloak.broker.oidc.mappers.ClaimToRoleMapper, which in my opinion doesn't perform the expected behavior as previously highlighted. I'm making a couple of assumptions: that the importNewUser method only gets called on first broker login and that updateBrokeredUser gets called on every login thereafter.
>>
>> We can see in the code below that importNewUser grants the role if the claim is found - which is fine. However, updateBrokeredUser only removes it if not found in the claim.
>>
>> I'm proposing that we alter the method updateBrokeredUser to include the addition of the role as well. I can't see how anyone is currently using this code in any meaningful way as currently the code doesn't support the addition of the role after first login.
>>
>> Any thoughts? I'm happy to make the changes myself.
>>
>> Simon.
>>
>>
>>     @Override
>>     public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
>>                               IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>         if (hasClaimValue(mapperModel, context)) {
>>             RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>             if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>             user.grantRole(role);
>>         }
>>     }
>>
>>     @Override
>>     public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
>>                                    IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>         if (!hasClaimValue(mapperModel, context)) {
>>             RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>             if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>             user.deleteRoleMapping(role);
>>         }
>>     }
>>
>>
>> On Wed, Oct 25, 2017 at 2:46 PM, Simon Payne wrote:
>>
>>> Hi, I think I may have found a bug in the identity provider mapping of claims to roles.
>>>
>>> It appears that if I have an identity provider with claims in the token, which I want to map to a role in the identity broker, then it only does this once, during the first-time login. If I remove the claim from the identity provider token, then this successfully removes it from the broker - but it never remaps if I then add it again.
>>>
>>> The scenario I am trying to create here is that the identity provider is responsible for authentication, where Active Directory groups appear as a claim in the token. The broker then maps this claim to the role providing the authorization.
>>>
>>> This behaviour appears to be the same whether I map a broker role to a custom claim or to a realm role in the provider token.
>>>
>>> Hope this makes sense, thanks
>>>
>>> Simon.

From ben_redahan at trimble.com Wed Nov 8 06:06:44 2017 From: ben_redahan at trimble.com (Ben Redahan) Date: Wed, 8 Nov 2017 11:06:44 +0000 Subject: [keycloak-user] SAML IdP and ADFS trust Message-ID:

Hi all,

I'm configuring a SAML Identity Provider in Keycloak to allow single sign-on with a customer ADFS server. I'm following this guide: http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html

I'm working in a development environment with a test ADFS server using a self-signed Service Communications certificate (I had to install and configure this myself so I could have gone wrong here). Keycloak is running on an AWS instance behind a load balancer; incoming https is handled by that. I've configured the Relying Party Trust on ADFS and the FederationMetadata.xml in the Keycloak identity provider.

During testing I deployed a Keycloak image without a truststore or Service Communications certificate, but the redirect still works. When I click the SSO button from the Keycloak login page I am redirected to the ADFS login page, though from my understanding the outbound https request to the ADFS endpoint should fail, since Keycloak doesn't trust the ADFS server. Shouldn't the first redirect fail if there's no truststore or SSL certificate?

I'm a novice at this so there's almost certainly a gap in my understanding, but I've searched through all the documentation I can find and can't make sense of it. Can anyone help?
Thanks,
Ben

--
Ben Redahan | Software Engineer
Phone +353 1 539 8744
Trimble Railway Asset Solutions | Nexala
www.trimble.com/rail-assets | www.nexala.com | www.trimble.com/rail

From rahul.pharande at gi-de.com Wed Nov 8 06:20:26 2017 From: rahul.pharande at gi-de.com (Pharande Rahul) Date: Wed, 8 Nov 2017 11:20:26 +0000 Subject: [keycloak-user] Access Token getting truncated when apache HTTPD is in front Message-ID: <1230180e00d643bda0a0e36a610a59f2@gi-de.com>

Hello Team,

I'm facing the issue of "Access Token getting truncated when Apache HTTPD is in front". Though this issue is not directly associated with/related to Keycloak, in combination with Apache HTTPD + Keycloak I would like to take help from the experts here :) Below are more details on the same.

Environment:
  - Server: Keycloak v3.x
  - Proxy server: Apache HTTPD 2.4.x
  - Client: Angular2 application using an OIDC library.

Issue description / steps to reproduce:
  * Create a realm in Keycloak.
  * Create a client for the realm along with redirect URL etc.
  * Create ~70 roles/permissions for the client with longer names (~25 characters in the permission name).
  * Create a user and assign all the above permissions for the newly created client.
  * Access the Angular2 application running in the browser; for protected resources the Keycloak login page is displayed, where the redirect_uri parameter is given/supplied.
  * After entering valid user credentials, Keycloak redirects to the application's redirect URL.
  * However, an error is shown on the browser console: "failed at_hash".
    - This is because an incomplete/truncated token is returned and the OIDC client library in the Angular application tries to validate the token received.

Important point here:
  * The defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.
My analysis:
  * As per my analysis, I see Keycloak returns the access_token information in the response header during the redirect.
  * Apache has a restriction on handling response headers or cookies of size up to 8k.
  * Even after setting various parameters in Apache HTTPD like "LimitRequestFieldSize" and "LimitRequestLine" we are still getting this error.

Please let me know if anyone has already experienced such an issue OR has any alternative on using/configuring Keycloak to redirect using part response.

Thanks and Regards,
Rahul Pharande

From glareff at gmail.com Wed Nov 8 09:47:06 2017 From: glareff at gmail.com (Elias Glareff) Date: Wed, 8 Nov 2017 15:47:06 +0100 Subject: [keycloak-user] Configuring keycloak SAML adapter on tomcat with clockSkew Message-ID:

Hello,

I am trying to track down the information whether it is possible to set the clockSkew in the keycloak tomcat adapter. The problem is that the Identity Provider is some time ahead of the Service Provider, so whenever the SAML response arrives, the NotBefore time is ahead of the SP clock, so the response is considered expired on arrival. This is a known problem, described in https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonorafter-problem-due-to-unsynced-clocks-explained-90455bc8822f.

In the keycloak source code in AssertionUtil there is a method hasExpired to which you can provide a clockSkew variable which would remedy this problem. The issue is that I see absolutely no place where I could let the keycloak SAML adapter on the service provider know that I want to use a clock skew and set its value. The only configuration from my side I see is the keycloak-saml.xml in the WEB-INF folder of the application, but the documentation for this configuration does not mention any possibility to set the clock skew.

Kindly share your knowledge on this issue if you can help.
Thanks,
Elias

From pinguwien at gmail.com Wed Nov 8 11:05:26 2017 From: pinguwien at gmail.com (Dominik Guhr) Date: Wed, 8 Nov 2017 17:05:26 +0100 Subject: [keycloak-user] Keycloak via reverse proxy: Mixed Mode errors. Message-ID:

Hey all,

I've tried to set up keycloak to work behind a reverse proxy (via a kong route on openshift 3) today, but sadly I can't get it to work after trying many things. Here's a stackoverflow post I've created with the exact problem definition: https://stackoverflow.com/questions/47181821/using-keycloak-behind-a-reverse-proxy-could-not-open-admin-loginpage-because-mi

It would be absolutely great if someone could help me out here, because I am out of ideas for now.

Best regards,
Dominik

From sthorger at redhat.com Wed Nov 8 13:23:07 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 8 Nov 2017 19:23:07 +0100 Subject: [keycloak-user] Keycloak 3.4.0.CR1 released Message-ID:

We've just released Keycloak 3.4.0.CR1. To download the release go to the Keycloak homepage.

Highlights

Token exchange
The token exchange service allows clients to exchange tokens for different tokens. There are quite a few options available, so check out the docs for more details.

Fine-grained permissions for admin endpoints
By leveraging our authorization services we've made it possible to control permissions in the admin endpoints almost exactly how you want. For more details check the docs.

Cross DC
A lot more work has gone into this release around cross DC support. Docs are still not ready and there's still some minor polish left. This will come soon.

Upgraded to WildFly 11 Final
We've upgraded the underlying container to WildFly 11 Final.

Support MySQL and PostgreSQL in main Keycloak Docker image
We used to have separate Docker images for MySQL and PostgreSQL, but now we have one that supports them all.

AsciiDoctor
Our docs used to be built and hosted on GitBook. We've recently moved to using pure AsciiDoctor to build the docs.
The main reason behind this move was to align more closely with how we build documentation for the productized version of Keycloak (RH-SSO).

Loads more..
- Script based protocol mapper for OIDC - thanks to thomasdarimont
- Blacklisted password policy - thanks to thomasdarimont
- Login with PayPal - thanks to petlys
- Almost 200 - we almost resolved 200 issues for this one (197!)

The full list of resolved issues is available in JIRA.

Upgrading
Before you upgrade remember to back up your database and check the upgrade guide for anything that may have changed. Release candidates are not recommended in production and we do not support upgrading from release candidates.

From panayioc at amdocs.com Wed Nov 8 17:01:02 2017 From: panayioc at amdocs.com (Pana) Date: Wed, 8 Nov 2017 15:01:02 -0700 (MST) Subject: [keycloak-user] Fuse Keycloak Adapter not performing Log out Message-ID: <1510178462054-0.post@n6.nabble.com>

Hi

We are using the JBoss Fuse Keycloak adapter 2.5.5-final-redhat. We observed that at each authorization request the adapter creates sessions on the Keycloak Server which are not released. As a result the number of sessions is ever increasing, impacting the performance of the Keycloak Server.

Looking in the code, we saw that in many cases the authorization flow requests a token from the Keycloak Server but eventually it does not call log out, nor does it cache the token in the deployment in order not to call again. For example: KeycloakAdapterPolicyEnforcer::requestAuthorizationToken. If the configuration is User Managed Access, it will create a token with this statement:

    authzClient.protection().permission().forResource(permissionRequest);

At the end, it will not call log out and the session will remain in the SSO Server cache.
From takashi.norimatsu.ws at hitachi.com Wed Nov 8 20:28:02 2017 From: takashi.norimatsu.ws at hitachi.com (乗松隆志 / NORIMATSU，TAKASHI) Date: Thu, 9 Nov 2017 01:28:02 +0000 Subject: [keycloak-user] JWS Client Assertion On Client Authentication In-Reply-To: References: <831D472326678942A9B4BB933AAA103D68D0B251@GSjpTK1DCembx01.service.hitachi.net> Message-ID: <831D472326678942A9B4BB933AAA103D68D0D1A2@GSjpTK1DCembx01.service.hitachi.net>

Posolda-san,

thanks a lot for your reply. I've created its JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-5811

Compared with private_key_jwt in Client Authentication (http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication), client_secret_jwt might be a moderate choice for a Client App that finds managing its certificate difficult.

Best Regards
Takashi Norimatsu
Hitachi, Ltd.

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, November 06, 2017 6:10 PM
To: 乗松隆志 / NORIMATSU，TAKASHI; 'keycloak-user at lists.jboss.org'
Subject: [!]Re: [keycloak-user] JWS Client Assertion On Client Authentication

Yes, we don't yet have support for this. AFAIK nobody has requested it yet and it wasn't strictly required for the OpenID Connect Certification either (Note that Keycloak is OpenID Connect certified). Feel free to create a JIRA if it doesn't already exist. Ideally, if you want to contribute this including tests, documentation and support on both the server and adapter side, it will be nice.

Thanks,
Marek

On 02/11/17 04:47, 乗松隆志 / NORIMATSU，TAKASHI wrote:
> Hello.
>
> I'm interested in Client Authentication in JWS Client Assertion.
> It seems that keycloak only supports this using private key signing, i.e. the "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> I expected that keycloak also supported the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
>
> In org.keycloak.protocol.oidc.OIDCLoginProtocol
>
>     // Client authentication methods
>     public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
>     public static final String CLIENT_SECRET_POST = "client_secret_post";
>     public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
>     public static final String PRIVATE_KEY_JWT = "private_key_jwt";
>
> PRIVATE_KEY_JWT is referred to from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
> Only PRIVATE_KEY_JWT is added as an authentication method, while CLIENT_SECRET_JWT is referred to from no classes.
>
> Does somebody know why keycloak does not support the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
> (e.g. security concerns, etc ...)
>
> And does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.

From mkoken at condati.com Wed Nov 8 23:59:04 2017 From: mkoken at condati.com (Matthew Koken) Date: Wed, 8 Nov 2017 20:59:04 -0800 Subject: [keycloak-user] Keycloak with Snowflake DB Message-ID:

Has anybody tried using Snowflake DB as a datasource for Keycloak?
I'm attempting to set this up using Snowflake's snowflake-jdbc jar but I'm having trouble adding the module following the guide in http://www.keycloak.org/docs/latest/server_installation/index.html#_rdbms-setup-checklist

From Chris.Brandhorst at topicus.nl Thu Nov 9 02:35:24 2017 From: Chris.Brandhorst at topicus.nl (Chris Brandhorst) Date: Thu, 9 Nov 2017 07:35:24 +0000 Subject: [keycloak-user] Keycloak adapter hijacks all URL's ending in /saml Message-ID: <3A40B978-5F54-4AA1-9496-08777D49DA85@topicus.nl>

We are having a problem with the Keycloak SAML Jetty adapter (8.1). We have an application which currently does its own SAML handling, for which we want to migrate all the authentication logic to Keycloak. So we have an existing SAML endpoint to which a large number of third-party applications connect. This endpoint is placed at /sso/saml.

It seems that the Keycloak adapter hijacks all requests coming to any URL ending in /saml, breaking the existing endpoint, which needs to be kept functional for a while (for future migration). How can we make sure this existing endpoint is not affected by the adapter?

Thanks,
Chris Brandhorst

From mposolda at redhat.com Thu Nov 9 03:31:59 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 9 Nov 2017 09:31:59 +0100 Subject: [keycloak-user] identity broker role mapping bug? In-Reply-To: References: <86543428-f370-0c06-0204-7aedf69c5478@redhat.com> Message-ID: <6d2777ba-afbd-f057-8411-2a47a2635a70@redhat.com>

Feel free to create a JIRA and send a PR. A few points:

- In your changes, I can't see the check I mentioned below for checking if the user is already in that role during upgrade. Again, it will be bad for performance if we don't do it, as "user.grantRole" will be called during every broker login and will invalidate the user from the cache, which will result in additional unnecessary DB requests. You can test with Hibernate "show_sql" logging turned on to see the DB queries.
This may help to make sure that there are no DB queries during broker login in case the user is already in that role.

- We will need an automated test for the PR as well. Hopefully you can reuse some existing broker test. Actually we have broker tests in both the old "integration-deprecated" testsuite and "integration-arquillian"; hopefully you are able to find the existing test for this mapper and add the scenario for update.

Marek

On 08/11/17 11:30, Simon Payne wrote:
> I made the change on our system by rebuilding the keycloak-service 3.2.1.final jar and deployed it separately. The code was changed as follows and after some testing appears to provide the functionality we need. I can open a Jira ticket no problem as it would be useful to get it pushed into the main build, as we have since upgraded to 3.3.0.final and lost the changes.
>
>     @Override
>     public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
>                               IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>         mapRole(realm, user, mapperModel, context);
>     }
>
>     @Override
>     public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
>                                    IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>         mapRole(realm, user, mapperModel, context);
>     }
>
>     private void mapRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
>                          BrokeredIdentityContext context) {
>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>
>         if (hasClaimValue(mapperModel, context)) {
>             user.grantRole(role);
>         } else {
>             user.deleteRoleMapping(role);
>         }
>     }
>
> On Mon, Nov 6, 2017 at 8:56 AM, Marek Posolda wrote:
>
>> It makes sense to me. Feel free to create JIRA and ideally also submit PR with the test.
>>
>> Just one note: Make sure that "user.grantRole" is called during upgrade just in case that user doesn't yet have this role. I guess you would need to add some additional check like:
>>
>>     if (!user.hasRole(role)) {
>>         user.grantRole(role);
>>     }
>>
>> That's because of performance (Calling of user.grantRole always invalidates the user in the cache and requires reloading him from DB, which is not needed if he has the role already).
>>
>> Marek
>>
>>
>> On 26/10/17 11:54, Simon Payne wrote:
>>
>>> Further to this, I think I've located the responsible code in the class org.keycloak.broker.oidc.mappers.ClaimToRoleMapper, which in my opinion doesn't perform the expected behavior as previously highlighted. I'm making a couple of assumptions: that the importNewUser method only gets called on first broker login and that updateBrokeredUser gets called on every login thereafter.
>>>
>>> We can see in the code below that importNewUser grants the role if the claim is found - which is fine. However, updateBrokeredUser only removes it if not found in the claim.
>>>
>>> I'm proposing that we alter the method updateBrokeredUser to include the addition of the role as well. I can't see how anyone is currently using this code in any meaningful way as currently the code doesn't support the addition of the role after first login.
>>>
>>> Any thoughts? I'm happy to make the changes myself.
>>>
>>> Simon.
> > > > @Override > public void importNewUser(KeycloakSession session, RealmModel > realm, > UserModel user, IdentityProviderMapperModel mapperModel, > BrokeredIdentityContext context) { > String roleName = > mapperModel.getConfig().get(ConfigConstants.ROLE); > if (hasClaimValue(mapperModel, context)) { > RoleModel role = > KeycloakModelUtils.getRoleFromString(realm, roleName); > if (role == null) throw new > IdentityBrokerException("Unable to > find role: " + roleName); > user.grantRole(role); > } > } > > @Override > public void updateBrokeredUser(KeycloakSession session, RealmModel > realm, UserModel user, IdentityProviderMapperModel mapperModel, > BrokeredIdentityContext context) { > String roleName = > mapperModel.getConfig().get(ConfigConstants.ROLE); > if (!hasClaimValue(mapperModel, context)) { > RoleModel role = > KeycloakModelUtils.getRoleFromString(realm, roleName); > if (role == null) throw new > IdentityBrokerException("Unable to > find role: " + roleName); > user.deleteRoleMapping(role); > } > > } > > > > > On Wed, Oct 25, 2017 at 2:46 PM, Simon Payne > > wrote: > > Hi, i think i may have found a bug in the identity > provider mapping of > claims to roles. > > it appears that if i have an identity provider with claims > in the token, > which i want to map to a role in the identity broker, then > it only does > this once during the first time login. if i remove the > claim from the > identity provider token, then this successfully removes it > from the broker > - but never remaps if i then add it again. > > the scenario i am trying to create here is that the > identity provider is > responsible for authentication where active directory > groups appears as > claim in the token. the broker then map this claim to the > role providing > the authorization. > > this behaviour appears to be the same whether i map a > broker role to a > custom claim or a realm role in the provider token. > > hope this makes sense, thanks > > Simon. 
> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From mahson1 at gmail.com Thu Nov 9 04:27:06 2017 From: mahson1 at gmail.com (mahendra sonawale) Date: Thu, 9 Nov 2017 14:57:06 +0530 Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster In-Reply-To: References: Message-ID: Hi Team, We are facing similar problem where kelcloak is not running in cluster and giving the same error log as mentioned by Subash in jira. https://issues.jboss.org/browse/KEYCLOAK-5013 I tried to use the private interface as suggested into the document but still no luck. am I missing anything else? CAN YOU please help?? I am using Keycloak - Version 3.2.1.Final. I have load balancer configured above 2 keycloak nodes (nodes are running in on different VMs) Start command : nohup ./bin/standalone.sh --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 & HA configuration : Log : 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,750 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,750 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel server: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for 
channel web: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel keycloak local address is keycloak2, physical addresses are [**.**.**.**] 2017-11-09 04:38:22,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel web local address is keycloak2, physical addresses are [**.**.**.**] -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From andreas.tell+keycloak at callistaenterprise.se Thu Nov 9 04:46:31 2017 From: andreas.tell+keycloak at callistaenterprise.se (Andreas Tell) Date: Thu, 9 Nov 2017 10:46:31 +0100 Subject: [keycloak-user] Federated and Dynamic Users/Attributes Message-ID: Hi! In an upcoming system we aim to use Keycloak as a "OIDC/OAuth security proxy/broker". All information basically resides in other systems (federated); * An external IdP provides ID federation via SAML v2 * Permissions are fetched dynamically each time the user authenticates from an external system via a web service call. KC is not the system of record for this information. After the user is authenticated, the client (web app) retrieves the full set of permissions info via the /userinfo endpoint by providing an Access Token (resource owner credentials grant). My first question is; is this approach at all advisable? Can it be done using KC? I got a clue from this ; https://stackoverflow.com/ questions/44014260/how-to-programmatically-assign-particular-roles-at-user- registration-in-keycloak If so I assume we'd have to extend KC using one of the SPIs. The documentation on the SPIs don't give me much confidence on where to best put such extensions. Where would I put a web service call? How can I dynamically assign roles and/or attributes to a provisioned user? Should I use the Authentication SPI, User Federation SPI, User Storage SPI or possibly piggyback on a callback event of Event Listener SPI ? 
Best Regards
Andreas Tell


From simonpayne58 at gmail.com Thu Nov 9 04:46:44 2017
From: simonpayne58 at gmail.com (Simon Payne)
Date: Thu, 9 Nov 2017 09:46:44 +0000
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

Hi, we have a similar setup which is working with 3.2.1.Final. We have since upgraded to 3.3.0.Final.

I'm assuming that you are using the private interface because you are using a web proxy? However, to achieve what you need I think you may have to make jgroups use the public interface. We have used tcp ping successfully in this way.

On Thu, Nov 9, 2017 at 9:27 AM, mahendra sonawale wrote:
> Hi Team,
>
> We are facing a similar problem where Keycloak is not running in cluster and giving the same error log as mentioned by Subash in jira.
>
> https://issues.jboss.org/browse/KEYCLOAK-5013
>
> I tried to use the private interface as suggested in the document but still no luck.
> Am I missing anything else? CAN YOU please help?? I am using Keycloak - Version 3.2.1.Final.
> I have load balancer configured above 2 keycloak nodes (nodes are running on different VMs)
>
> Start command :
> nohup ./bin/standalone.sh --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
>
> HA configuration :
> default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
> port="${jboss.management.http.port:9990}" />
> port="${jboss.management.https.port:9993}" />
> port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700" />
> port="7600" />
> port="57600" />
> port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688" />
> port="54200" />
> multicast-address="224.0.1.105" multicast-port="23364" />
>
> Log :
> 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [keycloak2|0] (1) [keycloak2]
> 2017-11-09 04:38:22,750 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak2|0] (1) [keycloak2]
> 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak2|0] (1) [keycloak2]
> 2017-11-09 04:38:22,750 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel server: [keycloak2|0] (1) [keycloak2]
> 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel web: [keycloak2|0] (1) [keycloak2]
> 2017-11-09 04:38:22,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel keycloak local address is keycloak2, physical addresses are [**.**.**.**]
> 2017-11-09 04:38:22,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel web local address is keycloak2, physical addresses are [**.**.**.**]


From cedric.couralet at gmail.com Thu Nov 9 05:23:22 2017
From: cedric.couralet at gmail.com (Cédric Couralet)
Date: Thu, 9 Nov 2017 11:23:22 +0100
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

We had a similar problem because we forgot to enable multicast on our linux box. Are you sure it is enabled in your case? (You can look for the value in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)

2017-11-09 10:27 GMT+01:00 mahendra sonawale :
> [...]


From mahson1 at gmail.com Thu Nov 9 05:36:15 2017
From: mahson1 at gmail.com (mahendra sonawale)
Date: Thu, 9 Nov 2017 16:06:15 +0530
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

Hello Simon,

Thank you for the response.
Yes, we are using a proxy - APACHE HTTPD configuration, PFB the same.
I tried to make the jgroups public (kept the public interface IP as our node server's actual IP) but no luck, still the server logs are not showing the new cluster node.
apache proxy configuration:

-------------------------------------
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule remoteip_module modules/mod_remoteip.so

ProxyPreserveHost On
LimitRequestFieldSize 163840
LimitRequestLine 163840

#
ServerName rapid.gi-de.com:443
ErrorLog /opt/fiam_error_log
CustomLog //fiam_access_log combined
LogLevel warn

RequestHeader set X-Forwarded-Proto "https"

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# not rewrite css, js and images
RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
RewriteRule ^(.*)$ /auth [NC,L,QSA]
#Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

ProxyPass /auth http://:8080/auth
ProxyPassReverse /auth http://:8080/auth
-------------------------------------------------

PFB the logs: (tried to run the changes only on 2nd node)

2017-11-09 11:26:20,169 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [muc1rapidv2s|0] (1) [muc1rapidv2s]
2017-11-09 11:26:20,174 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel keycloak: [muc1rapidv2s|0] (1) [muc1rapidv2s]
2017-11-09 11:26:20,174 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel hibernate: [muc1rapidv2s|0] (1) [muc1rapidv2s]
2017-11-09 11:26:20,174 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [muc1rapidv2s|0] (1) [muc1rapidv2s]
2017-11-09 11:26:20,175 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel web: [muc1rapidv2s|0] (1) [muc1rapidv2s]
2017-11-09 11:26:20,177 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000079: Channel server local address is muc1rapidv2s, physical addresses are *******

Please guide.

Thanks,
Mahendra Sonawale
Ph +91 9130775865

On Thu, Nov 9, 2017 at 3:16 PM, Simon Payne wrote:
> [...]


From simonpayne58 at gmail.com Thu Nov 9 06:17:38 2017
From: simonpayne58 at gmail.com (Simon Payne)
Date: Thu, 9 Nov 2017 11:17:38 +0000
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

Did you provide the machine IP address for the public interface when you start Keycloak? I start my Keycloak using /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml -b x.x.x.x

On Thu, Nov 9, 2017 at 10:36 AM, mahendra sonawale wrote:
> [...]


From mahson1 at gmail.com Thu Nov 9 06:34:21 2017
From: mahson1 at gmail.com (mahendra sonawale)
Date: Thu, 9 Nov 2017 17:04:21 +0530
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

Hello Simon,

Yes, I did provide the server IP for the public interface as well as for the private interface.

In another reply I have been asked to check multicast (You can look for the value in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)

In our production linux env the value is 1 -- does that really affect?? And would that be the only cause?

Currently the configuration is as below: (changed the IP to some random)

On Thu, Nov 9, 2017 at 4:47 PM, Simon Payne wrote:
> [...]


From Edgar at info.nl Thu Nov 9 07:22:19 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Thu, 9 Nov 2017 12:22:19 +0000
Subject: [keycloak-user] Required user actions dropdown no longer working for user admin users because of missing select2.css
Message-ID: <5331108C-BCD3-4E34-8F04-5A1D45C716A6@info.nl>

Hi,

I think in a recent upgrade of Keycloak (we are now using 3.2.0.Final) the following issue was introduced:

When a "user admin user" (this is a realm user who has permissions to manage and view users in Keycloak) logs in to Keycloak and this person tries to add a new user, the "required user actions" dropdown is mangled and does not function properly. This seems to be caused by a permission issue or something regarding the "select2.css" resource. In the browser I see that the select2.css file cannot be loaded. However, when an overall Keycloak admin logs in this dropdown just works fine.

Shall I report a JIRA issue for this? I do not really know what causes this but my guess is that the manage / view user roles in Keycloak are missing some permissions somewhere.
These are the permissions the user admin user has:
- manage-users
- view-clients
- view-realm
- view-users

cheers
Edgar

From neo11078016 at gmail.com Thu Nov 9 07:26:32 2017
From: neo11078016 at gmail.com (Min Han Lee)
Date: Thu, 9 Nov 2017 12:26:32 +0000
Subject: [keycloak-user] Can we map each realm into different URL?
Message-ID:

Hello Guys,

As per the title, does keycloak have out-of-the-box functionality to do so, or do we need to use a reverse proxy to do this?

Any help is much appreciated

Kind Regards

From cedric.couralet at gmail.com Thu Nov 9 08:05:07 2017
From: cedric.couralet at gmail.com (Cédric Couralet)
Date: Thu, 9 Nov 2017 14:05:07 +0100
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

2017-11-09 12:34 GMT+01:00 mahendra sonawale :
> (You can look for the value in
> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)
>
> In our production linux env the value is 1 -- does that really affect?
> and would that be the only cause?
>

Yes, it is important. At least for us, changing this value to 0 was enough to have a working cluster.
As I understand it, the value 1 is a protection against DoS but, in the case of Keycloak, prevents each node from discovering the others. In a controlled environment (as recommended in the keycloak docs), I see no problem enabling it.

I'm far from an expert, so maybe someone will have a better idea.

From velias at redhat.com Thu Nov 9 08:27:37 2017
From: velias at redhat.com (Vlastimil Elias)
Date: Thu, 9 Nov 2017 14:27:37 +0100
Subject: [keycloak-user] Is bearer token auth supported in commonly used REST client libraries?
Message-ID: <26d42fbb-d5d6-5ea5-e9f9-d1456d179046@redhat.com>

Hi,

is bearer token auth method supported in commonly used REST client libraries (eg. RESTEasy and HttpClient in java)?

I tried to google around this, but no success. I was not able to find anything useful (except stuff implemented inside of Keycloak Admin Client).
You know, http basic auth and ssl client cert auth is commonly available and (relatively) easy to use, so it is widely used. I believe good, easy to use, support of bearer token auth in client libraries is crucial to drive adoption of this technology, including OpenID Connect protocol, which then can drive use of Keycloak itself.

By "good, easy to use, support" I mean things like automatic obtaining of access token based on the config (using OIDC "Client Credentials Grant" and "Direct Access Grants"), its automatic renewal, and automatic use of this token in REST calls performed by the client library, without any complicated coding.

Any references to existing libraries? Any plans in Keycloak project itself?

Vlastimil

--
Vlastimil Elias
Principal Software Engineer, Middleware Engineering Services
Red Hat

From corentin.dupont at gmail.com Thu Nov 9 11:06:13 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Thu, 9 Nov 2017 17:06:13 +0100
Subject: [keycloak-user] Authz with nodejs
In-Reply-To:
References:
Message-ID:

OK problem solved: I forgot to check "Full Scope Allowed" in the client...

On Tue, Nov 7, 2017 at 10:03 PM, Corentin Dupont wrote:
> Hi guys,
> I created a REST API that I would like to protect with keycloak.
> However, I don't find any example/tutorial on Internet that suits.
>
> At the moment I use keycloak-nodejs-connect:
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>
> This is the basic example given:
>
> var Keycloak = require('keycloak-connect');
> var express = require('express');
> var session = require('express-session');
>
> var app = express();
> var server = app.listen(3000, function () {});
> var memoryStore = new session.MemoryStore();
>
> app.use(session({
>   secret: 'mySecret',
>   resave: false,
>   saveUninitialized: true,
>   store: memoryStore,
> }));
>
> var keycloak = new Keycloak({
>   store: memoryStore
> });
>
> app.use(keycloak.middleware({
>   logout: '/logout',
>   admin: '/'
> }));
>
> app.get('/login', keycloak.protect(), function (req, res) {
>   res.render('index', {
>     result: JSON.stringify(JSON.parse(req.session['keycloak-token']), null, 4),
>     event: '1. Authentication\n2. Login'
>   });
> });
>
> But that doesn't correspond to my need: in a REST API I have no login or
> logout and no memory.
> I think the user should always make requests with a bearer token. Based on
> that token I can identify the user and get his roles.
> Then I could use keycloak.protect('realm:myendpoint') to protect each of
> my endpoints. If the user has got that role, he is authorized.
> Did I understand the flow correctly?
> Is there some example or REST API with authz, using nodeJS?
>
> Thanks a lot!!!
> Corentin
>

From corentin.dupont at gmail.com Thu Nov 9 11:06:52 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Thu, 9 Nov 2017 17:06:52 +0100
Subject: [keycloak-user] default permissions
Message-ID:

Another question: how to apply default authorizations?

I want to protect my API with authorization in Keycloak. However some resources should be open to the public, accessible without any bearer token.
My idea was:
- create an "unregistered_user" composite role, containing some basic roles
- create a "guest" user, with the unregistered_user role
- on the API server, if there is no token in the request I will get the roles of the guest user and use them. If there is a token, I'll use that user's permissions.
What do you think of that process?

Thanks

From sthorger at redhat.com Fri Nov 10 01:02:47 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 10 Nov 2017 07:02:47 +0100
Subject: [keycloak-user] Bug squashing time
Message-ID:

We're not accepting any contributions for new features until we start on Keycloak 4.x. Most likely that'll be mid-December. Any PRs for new features until then will not be reviewed or merged, but feel free to send if you want.

We do however have a fair amount of outstanding bugs and would love help from the community to get as many as possible resolved in the next month!

If you'd like to help take a look at https://issues.jboss.org/projects/KEYCLOAK/versions/12333692 and look for issues that are not assigned to someone. Remember we want tests as well.

From rahul.pharande at gi-de.com Fri Nov 10 02:30:16 2017
From: rahul.pharande at gi-de.com (Pharande Rahul)
Date: Fri, 10 Nov 2017 07:30:16 +0000
Subject: [keycloak-user] Access Token getting truncated when apache HTTPD is in front
In-Reply-To:
References: <1230180e00d643bda0a0e36a610a59f2@gi-de.com>
Message-ID:

Hi,

Any updates/hints on this issue?

Thanks
Rahul

-----Original Message-----
From: Shaikh Asrafali Anwarali
Sent: Thursday, November 09, 2017 10:02 AM
To: stian at redhat.com; Pharande Rahul
Subject: RE: [keycloak-user] Access Token getting truncated when apache HTTPD is in front

Hi Stian,

Could you please share your views on the below issue, it's a blocker for us. We have also posted this on the keycloak users forum, but we are still waiting for some kind of response.

Scroll downwards for issue detail.

Thanks in advance.
Regards,
Asraf Shaikh

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pharande Rahul
Sent: Wednesday, November 08, 2017 4:50 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Access Token getting truncated when apache HTTPD is in front

Hello Team,

I'm facing issue of "Access Token getting truncated when apache HTTPD is in front". Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here :)

Below are more details on same.

Environment :
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.

Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25 characters in permission name.
* Create user and assign all above permissions for newly created client.
* Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to Application's redirect URL
* However error shown on browser console that, "failed at_hash".
  o This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received.

Important point here:
* Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.

My analysis:
* As per my analysis, I see Keycloak returns access_token information in response header during redirect
* Apache has restriction of handling response header or cookies of size upto 8k
* Even after setting various parameters in Apache HTTPD like "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.
Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response..

Thanks and Regards.
Rahul Pharande

From Bart.Smits at planonsoftware.com Fri Nov 10 03:59:35 2017
From: Bart.Smits at planonsoftware.com (Bart Smits)
Date: Fri, 10 Nov 2017 08:59:35 +0000
Subject: [keycloak-user] Complete export of a realm without shutdown
Message-ID:

Hello,

I need to migrate a realm from a running Keycloak server.
I have been looking at the REST API, the command line and finally the startup options.
The startup options provide the best way to export a realm but they require a restart.

Am I missing something or is this not yet supported?
Would it be possible to use bits and pieces of the command line or REST API to construct a complete export?

Kind regards,
Bart

From sz.laszlo at falcon.io Fri Nov 10 04:17:28 2017
From: sz.laszlo at falcon.io (Laszlo Szabo)
Date: Fri, 10 Nov 2017 10:17:28 +0100
Subject: [keycloak-user] Complete export of a realm without shutdown
In-Reply-To:
References:
Message-ID:

Hi,

Why don't you just start a new instance pointing to the same db with export args and then shut it down after it completed the export?

BR,
Laci

On 10 Nov 2017 at 10:03, "Bart Smits" wrote:
> Hello,
>
> I need to migrate a realm from a running Keycloak server.
> I have been looking at the REST API, the command line and finally the
> startup options.
> The startup options provide the best way to export a realm but they require
> a restart.
>
> Am I missing something or is this not yet supported?
> Would it be possible to use bits and pieces of the command line or REST
> API to construct a complete export?
>
> Kind regards,
> Bart
>

From sthorger at redhat.com Fri Nov 10 05:30:10 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 10 Nov 2017 11:30:10 +0100
Subject: [keycloak-user] Keycloak 3.4.0.Final released
Message-ID:

We've just released Keycloak 3.4.0.Final.

To download the release go to the Keycloak homepage. The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.

From psilva at redhat.com Fri Nov 10 05:33:07 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Nov 2017 08:33:07 -0200
Subject: [keycloak-user] default permissions
In-Reply-To:
References:
Message-ID:

Hi,

I think you could probably change your application and remove the resources/paths you want to make public from the list of resources protected by the adapter.

On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont wrote:
> Another question: how to apply default authorizations?
>
> I want to protect my API with authorization in Keycloak. However some
> resources should be open to the public, accessible without any bearer
> token.
> My idea was:
> - create an "unregistered_user" composite role, containing some basic roles
> - create a "guest" user, with the unregistered_user role
> - on the API server, if there is no token in the request I will get the
> roles of the guest user and use them. If there is a token, I'll use that
> user's permissions.
> What do you think of that process?
>
> Thanks
>

From rgshepherd at gmail.com Fri Nov 10 06:01:13 2017
From: rgshepherd at gmail.com (Rob Shepherd)
Date: Fri, 10 Nov 2017 11:01:13 +0000
Subject: [keycloak-user] docker image and database - 3 starts?
Message-ID:

Hi,

I'm running kc 3.3.0.FINAL using the docker image. I've set up my database using the POSTGRES_* env vars.

I notice that every time the server is started, there are actually 3 starts.

I'm guessing the issue with WFLYCTL0212 is that the batch CLI change is attempting to set the jdbc driver parameters that already exist. But why does it attempt it a second time before finally starting properly?

Presumably the way to work around this is to just overwrite the parameters in standalone.xml directly, avoiding POSTGRES_* style env vars, which will then ignore the change-database stuff?

Here are the pertinent snippets:

1.

10:53:47,050 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
10:53:47,054 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) started in 7188ms - Started 67 of 79 services (23 services are lazy, passive or on-demand)
The batch failed with the following error: :
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-9
Operation: /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
Failure: WFLYCTL0212: Duplicate resource [ ("subsystem" => "datasources"), ("jdbc-driver" => "postgresql") ]
10:53:47,388 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) stopped in 25ms

2.
10:54:00,061 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
10:54:00,067 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) started in 10751ms - Started 65 of 84 services (30 services are lazy, passive or on-demand)
The batch failed with the following error: :
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-9
Operation: /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
Failure: WFLYCTL0212: Duplicate resource [ ("subsystem" => "datasources"), ("jdbc-driver" => "postgresql") ]
10:54:00,720 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) stopped in 49ms

3rd time lucky?

=========================================================================
  JBoss Bootstrap Environment
  JBOSS_HOME: /opt/jboss/keycloak
  JAVA: /usr/lib/jvm/java/bin/java
  JAVA_OPTS: -server -Djava.security.egd=file:/dev/./urandom -Djava.net.preferIPv4Stack=true -XX:MaxPermSize=256m
=========================================================================

OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
10:54:03,396 INFO [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
10:54:04,483 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
10:54:04,989 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) starting

From dev.ebondu at gmail.com Fri Nov 10 06:07:20 2017
From: dev.ebondu at gmail.com (Emilien Bondu)
Date: Fri, 10 Nov 2017 12:07:20 +0100
Subject: [keycloak-user] default permissions
In-Reply-To:
References:
Message-ID: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com>

Hi,

Maybe you should have a look here:
http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html

> On 10 Nov 2017 at 11:33, Pedro Igor Silva wrote:
>
> Hi,
>
> I think you could probably change your application and remove the
> resources/paths you want to make public from the list of resources
> protected by the adapter.
>

From psilva at redhat.com Fri Nov 10 06:12:04 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Nov 2017 09:12:04 -0200
Subject: [keycloak-user] default permissions
In-Reply-To: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com>
References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com>
Message-ID:

@Emilien Bondu, I was looking at that thread again and now I'm wondering if you ended up with something you can share.

On Fri, Nov 10, 2017 at 9:07 AM, Emilien Bondu wrote:
> Hi,
>
> Maybe you should have a look here:
>
> http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html
>

From dev.ebondu at gmail.com Fri Nov 10 07:51:27 2017
From: dev.ebondu at gmail.com (Emilien Bondu)
Date: Fri, 10 Nov 2017 13:51:27 +0100
Subject: [keycloak-user] default permissions
In-Reply-To:
References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com>
Message-ID: <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com>

To achieve this, I implemented a KeycloakAnonymousActionsFilter filter to handle requests, associated to an AnonymousActionsHandler (extending the official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer (extending the official AbstractPolicyEnforcer). Do you think this code should be added to the official spring-adapter?

> On 10 Nov 2017 at 12:12, Pedro Igor Silva wrote:
>
> @Emilien Bondu, I was looking at that thread again and now I'm wondering if you ended up with something you can share.
>
From psilva at redhat.com Fri Nov 10 09:02:56 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Nov 2017 12:02:56 -0200
Subject: [keycloak-user] default permissions
In-Reply-To: <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com>
References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com> <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com>
Message-ID:

I'm glad to take a look at it and see how it could fit in our adapters. Could you create a JIRA and give some link to your code so we can discuss from there?

Thanks.

On Fri, Nov 10, 2017 at 10:51 AM, Emilien Bondu wrote:
> To achieve this, I implemented a KeycloakAnonymousActionsFilter filter to
> handle requests, associated to an AnonymousActionsHandler (extending the
> official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer (extending
> the official AbstractPolicyEnforcer). Do you think this code should be
> added to the official spring-adapter?
>
From dev.ebondu at gmail.com Fri Nov 10 12:40:40 2017
From: dev.ebondu at gmail.com (Emilien Bondu)
Date: Fri, 10 Nov 2017 18:40:40 +0100
Subject: [keycloak-user] default permissions
In-Reply-To:
References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com> <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com>
Message-ID: <350FF802-9E4E-4607-8DF9-18B7BE1E8679@gmail.com>

Great, I would be pleased to see this feature as an official one. Of course some specificities due to my business use case may not be relevant for the community, but let's discuss them.

I will create an issue and publish the code ASAP (next week hopefully, but as new features will not be accepted until 4.0...).

Emilien

> On 10 Nov 2017 at 15:02, Pedro Igor Silva wrote:
>
> I'm glad to take a look at it and see how it could fit in our adapters. Could you create a JIRA and give some link to your code so we can discuss from there?
>
> Thanks.
From stephen at saasindustries.com Fri Nov 10 16:58:35 2017
From: stephen at saasindustries.com (Stephen Henrie)
Date: Fri, 10 Nov 2017 14:58:35 -0700
Subject: [keycloak-user] Keycloak as SSO
Message-ID:

When running a Keycloak instance as a localhost using the default H2 database backend, I have been successful at configuring SSO identity providers across Keycloak realms, so that one primary realm acts as the identity provider and the other realms are authenticating against that primary realm using an IP link. However, when I try to do the same thing in our cloud environment using a Postgres database backend, I am getting the generic "Invalid username or password." error which happens during the default first broker login authorization sequence.

I have some debugging info below. Can someone help me understand what it is trying to tell me? I believe that I have things configured exactly the same in both my localhost and in the cloud instances, so I am struggling to understand the source of the problem.

Any help is appreciated.
Thanks
Stephen

21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) processFlow
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) execution is processed
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) authenticator: idp-create-user-if-unique
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) invoke authenticator.authenticate: idp-create-user-if-unique
21:42:30,975 WARN [org.keycloak.services] (default task-50) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) RESET FLOW
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) AUTHENTICATE
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) AUTHENTICATE ONLY
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) processFlow
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) execution is processed
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) authenticator: idp-create-user-if-unique
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) invoke authenticator.authenticate: idp-create-user-if-unique
21:42:30,975 WARN [org.keycloak.services] (default task-50) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Not found serialized context in clientSession
    at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:66)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:264)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:201)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:279)
    at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:713)
    at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:632)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)

21:42:30,976 WARN [org.keycloak.events] (default task-50) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=experiment, clientId=chassi-web-app, userId=null, ipAddress=172.17.0.1, error=invalid_user_credentials, identity_provider=chassi-oidc, auth_method=openid-connect, redirect_uri=http://localhost:3000/, identity_provider_identity=abfa50e5-57ad-4b53-ab72-7cbd6fca8465, code_id=60963d99-cf55-4e0a-8e28-df0ddacadf5f
21:4

From rgshepherd at gmail.com Sat Nov 11 14:20:51 2017
From: rgshepherd at gmail.com (Rob Shepherd)
Date: Sat, 11 Nov 2017 19:20:51 +0000
Subject: [keycloak-user] Enabling User Caching from Custom UserStorageProvider leads to MORE requests
Message-ID: <65B44926-E77D-4103-A587-CF6858A7E272@gmail.com>

Hi,

I'm having trouble getting UserModel caching to work properly. It seems like a bug.

I have a successful implementation of a UserStorageProvider using HTTP/REST calls to fetch user data. This has been working well in trials.

I have just enabled caching in the Realm > User Federation > Cache Settings > Cache Policy and selected a MAX_LIFESPAN time of 300,000ms (5mins).

I have found that for a test loop (1. login, 2. delete app session cookie, 3. authenticate by SSO cookie) this leads to MORE requests to the backend. Below is the logging output which demonstrates this.

My question: Could this be a bug? Or are there particular UserModel classes/interfaces that must be used to permit caching? It seems like even for an object loaded in memory for a running thread/request it is not being found in the cache and lookup happens every time the user object is required.

Here is the fetching and caching over that time... with caching enabled first...

19:13:29,102 INFO [org.me.MyCustomUserStorageProvider] (default task-32) UserStorageProvider#getUserByEmail(): r... at gmail.com
19:13:34,637 INFO [org.me.MyCustomUserStorageProvider] (default task-43) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:34,706 INFO [org.me.MyCustomUserStorageProvider] (default task-38) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:34,746 INFO [org.me.MyCustomUserStorageProvider] (default task-38) Caching for delegate: MyUserAdapter:f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:34,754 INFO [org.me.MyCustomUserStorageProvider] (default task-38) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:34,783 INFO [org.me.MyCustomUserStorageProvider] (default task-38) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,454 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,496 INFO [org.me.MyCustomUserStorageProvider] (default task-45) Caching for delegate: MyUserAdapter:f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,501 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,540 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,570 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,605 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,631 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,661 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,689 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,714 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,751 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,832 INFO [org.me.MyCustomUserStorageProvider] (default task-50) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
19:13:37,882 INFO [org.me.MyCustomUserStorageProvider] (default task-50) Caching for delegate: MyUserAdapter:f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df

That's a total of 3 cache writes from 16 lookups for the same user in less than 1 minute, involving 3 requests to Keycloak in this session.

And now with the cache turned off and the cache flushed...

18:57:45,343 INFO [org.me.MyCustomUserStorageProvider] (default task-58) UserStorageProvider#getUserByEmail(): r... at gmail.com
18:57:45,534 INFO [org.me.MyCustomUserStorageProvider] (default task-56) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
18:57:45,662 INFO [org.me.MyCustomUserStorageProvider] (default task-61) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
18:57:56,208 INFO [org.me.MyCustomUserStorageProvider] (default task-64) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
18:57:56,270 INFO [org.me.MyCustomUserStorageProvider] (default task-60) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
18:58:01,186 INFO [org.me.MyCustomUserStorageProvider] (default task-7) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
18:58:01,265 INFO [org.me.MyCustomUserStorageProvider] (default task-9) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df
18:58:01,354 INFO [org.me.MyCustomUserStorageProvider] (default task-12) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df

That's a total of 8 lookups for the same user in less than 1 minute, involving 3 requests to Keycloak in this session.

From stephen at saasindustries.com Sat Nov 11 15:59:23 2017
From: stephen at saasindustries.com (Stephen Henrie)
Date: Sat, 11 Nov 2017 13:59:23 -0700
Subject: [keycloak-user] Keycloak as SSO
In-Reply-To:
References:
Message-ID:

I finally figured out the issue and want to respond to my question in case this helps anyone else. I had configured the client on the SSO IP realm using a client template that had no mappers defined. I was able to fix the login issue by simply recreating that client without a template so the default mappers would be configured. The error message above is pretty useless in finding something like this.
The end user login error response is completely opaque and the above error in the logs, "Not found serialized context in clientSession", may be useful to those that understand the internals of Keycloak, but it is kinda useless for Keycloak users like myself for figuring out configuration issues. I also have not been able to find any documentation on what client session notes really are, nothing that would have helped me understand that client mapping data is considered serialized context in a client session.

From rowatt at optusnet.com.au Sat Nov 11 19:27:11 2017
From: rowatt at optusnet.com.au (Shane Rowatt)
Date: Sun, 12 Nov 2017 10:27:11 +1000
Subject: [keycloak-user] keycloak client protocol mapper (script mapper) to add request header into token
Message-ID: <047201d35b4c$fb9feac0$f2dfc040$@optusnet.com.au>

When I'm requesting a token from keycloak I want a specific header value (or extra form data) that was supplied in the request to be put in the JWT payload of the generated token.

I've tried using a Script Mapper to get access to header values but I can't see how to get access to header values or data in the form data sent in any of the available script variables: user, realm, userSession, keycloakSession.
I was hoping I could use a script something like this:

    httpRequest.getHeader('X-CID');

From matienzar at umivale.es Sun Nov 12 14:11:52 2017
From: matienzar at umivale.es (Atienzar Navarro, Marcial)
Date: Sun, 12 Nov 2017 19:11:52 +0000
Subject: [keycloak-user] Getting user mapped attributes
Message-ID: <130E2100BA6D96439D21B0973D900A7D016AE5B806@SRVDAG2.mutuas.mut>

Hello,

I've configured the wildfly adapter, and I'm trying to get access to user mapped attributes with this code:

    import java.security.Principal;
    import java.util.Map;

    import org.keycloak.KeycloakPrincipal;
    import org.keycloak.representations.AccessToken;

    // request is the current HttpServletRequest and LOGGER the class logger (both class fields)
    private String getDniFromAccessToken() {
        String dni = null;
        Principal httpPrincipal = request.getUserPrincipal();
        if (httpPrincipal instanceof KeycloakPrincipal) {
            KeycloakPrincipal<?> kp = (KeycloakPrincipal<?>) httpPrincipal;
            AccessToken token = kp.getKeycloakSecurityContext().getToken();
            LOGGER.info("JWT {}", kp.getKeycloakSecurityContext().getTokenString());
            LOGGER.info("JWT ID {}", kp.getKeycloakSecurityContext().getIdTokenString());
            // We may not have the token yet
            if (token != null) {
                // LOGGER.info("Email {}", token.getEmail());
                LOGGER.info("Tenemos un token de keycloak con el que podemos consultar sus atributos");
                // Mapped user attributes arrive as "other claims", i.e. claims outside the standard set
                Map<String, Object> atributos = token.getOtherClaims();
                if (atributos != null && !atributos.isEmpty()) {
                    if (LOGGER.isInfoEnabled()) {
                        for (Map.Entry<String, Object> atts : atributos.entrySet()) {
                            LOGGER.info("Atributos del token {} - {}", atts.getKey(), atts.getValue());
                        }
                    }
                    if (atributos.containsKey("dni")) {
                        dni = String.valueOf(atributos.get("dni"));
                        LOGGER.info("DINI recuperado de keycloak {}", dni);
                    }
                } else {
                    LOGGER.info("No nos llegan atributos de keycloak");
                }
            } else {
                LOGGER.info("No tenemos el ID del token de Keycloak");
            }
        }
        return dni;
    }

I've tried with getIdToken and getToken, but I only retrieve client_session. Is it possible to get these user mapped attributes?

--
Marcial Atiénzar Navarro
Development
Avda.
Real Monasterio de Poblet, 20
46930 Quart de Poblet (Valencia)
Tel.: +34 96 184 92 49 (ext. 1249)
Mobile: +34 629 201 240 (ext. 44249)
matienzar at umivale.es
www.umivale.es

From corentin.dupont at gmail.com Sun Nov 12 15:50:15 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sun, 12 Nov 2017 21:50:15 +0100
Subject: [keycloak-user] default permissions
In-Reply-To:
References:
Message-ID:

Hi Pedro,
I don't really have public/private paths in the API. Some resources under those paths can be either public or private, however.
For instance, a URL would be like that:
www.example.com/api/v1/cities/rome/houses
I would like that some cities be accessible by everybody without a token, while some others will be private and require an auth token and specific roles to be accessed.
Thanks!

On Fri, Nov 10, 2017 at 11:33 AM, Pedro Igor Silva wrote:

> Hi,
>
> I think you could probably change your application and remove the resources/paths you want to make public from the list of resources protected by the adapter.
>
> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont wrote:
>
>> Another question: how to apply default authorizations?
>>
>> I want to protect my API with authorization in Keycloak. However some resources should be open to the public, accessible without any bearer token.
>> My idea was:
>> - create an "unregistered_user" composite role, containing some basic roles
>> - create a "guest" user, with the unregistered_user role
>> - on the API server, if there is no token in the request I will get the roles of the guest user and use them. If there is a token, I'll use that user's permissions.
>> What do you think of that process?
>>
>> Thanks
>>
>

From corentin.dupont at gmail.com Sun Nov 12 15:51:13 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sun, 12 Nov 2017 21:51:13 +0100
Subject: [keycloak-user] default permissions
In-Reply-To: <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com>
References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com> <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com>
Message-ID:

I see, but do I need to use Java/Spring to achieve this, or can I use NodeJS (as my API server is in NodeJS)?

On Fri, Nov 10, 2017 at 1:51 PM, Emilien Bondu wrote:

> To achieve this, I implemented a KeycloakAnonymousActionsFilter filter to handle requests, associated to an AnonymousActionsHandler (extending the official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer (extending the official AbstractPolicyEnforcer). Do you think this code should be added to the official spring-adapter?
>
>
> On 10 Nov 2017, at 12:12, Pedro Igor Silva wrote:
>
> @Emilien Bondu, I was looking at that thread again and now I'm wondering if you ended up with something you can share.
>
> On Fri, Nov 10, 2017 at 9:07 AM, Emilien Bondu wrote:
>
>> Hi,
>>
>> Maybe you should have a look here:
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html
>>

From corentin.dupont at gmail.com Sun Nov 12 16:14:13 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sun, 12 Nov 2017 22:14:13 +0100
Subject: [keycloak-user] API Authorization: on request or response?
Message-ID:

Hi guys,
another small question :)

Suppose you have an API looking like this:
http://www.example.com/api/v1/cars

Cars have an owner:
{
  name: "my car",
  owner: "smith"
}

How to make sure that you can only get cars that are yours (you can have several cars)?
If you make a simple GET on this endpoint, should I:
1. just reply with "Access denied" because the request is too large: it could yield cars that are not yours,
2. reply with "Access denied" if the response list contains some cars that are not yours,
3. filter the response car list with only yours?

It seems that 1. is the simplest because it uses only the request to make decisions.
2. uses the response to make the decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
What is the most standard way?

I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
Cheers!!
Corentin

From corentin.dupont at gmail.com Sun Nov 12 16:29:37 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sun, 12 Nov 2017 22:29:37 +0100
Subject: [keycloak-user] AuthZ with realm roles
Message-ID:

Hi guys,
yet another question... AuthZ is quite mysterious!
I am trying to protect my API with realm roles.

I have an API looking like this:
http://www.example.com/api/v1/cities/rome/houses
http://www.example.com/api/v1/cities/rome/streets

Each endpoint supports GET/PUT/POST/DELETE.
Each role must have the form:

:[:[:]]

For example roles can be:
- view:houses
- view:houses:rome
- view:houses:rome:owner==smith
- manage:houses:rome

"manage" gives you all CRUD operations, while with "view" you can only read resources.

Do you think this design is correct? Any other suggestion?
What is not practical is that I have to force my users to use this role format.
The resource filter part is also hard to implement, as it requires checking the content of the responses...

From max.bruchmann at hotmail.com Mon Nov 13 04:28:05 2017
From: max.bruchmann at hotmail.com (Max Bruchmann)
Date: Mon, 13 Nov 2017 09:28:05 +0000
Subject: [keycloak-user] example authz photos not working
Message-ID:

Hi,

maybe I'm doing something wrong but it looks like the instructions of the photoz example are not working.

When importing the Authorization Setting "examples/authz/photoz/photoz-restful-api/src/main/resources/photoz-restful-api-authz-service.json" the "Only Owner Policy" entry contains "${project.version}" which leads to a failed import. It works with the processed version in target/classes since it is replaced during the build. Also, as the "Only Owner Policy" is a maven entry and its pom depends on the parent and the parent on its parent, you need to do mvn install in the root example folder.
The only thing I was not able to work around is the actual deployment of the photoz-restful-api.

When I execute:

    cd examples/authz/photoz/photoz-restful-api
    mvn clean package wildfly:deploy

It results in:

[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project photoz-restful-api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.module.service.\"deployment.photoz-restful-api.war\".main" => "WFLYSRV0179: Failed to load module: deployment.photoz-restful-api.war
[ERROR] Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-authz-client"}}}}

And the log on the server side:

00:20:22,098 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.module.service."deployment.photoz-restful-api.war".main: org.jboss.msc.service.StartException in service jboss.module.service."deployment.photoz-restful-api.war".main: WFLYSRV0179: Failed to load module: deployment.photoz-restful-api.war
    at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:91)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-authz-client
    at org.jboss.modules.Module.addPaths(Module.java:1217)
    at org.jboss.modules.Module.link(Module.java:1573)
    at org.jboss.modules.Module.relinkIfNecessary(Module.java:1601)
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:287)
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:271)
    at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:68)
    ... 5 more

So if I understand it correctly there is no authz client module installed on keycloak. How do I solve this?

Kind Regards,

Max

From Edgar at info.nl Mon Nov 13 05:25:37 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 13 Nov 2017 10:25:37 +0000
Subject: [keycloak-user] Required user actions dropdown no longer working for user admin users because of missing select2.css
In-Reply-To: <5331108C-BCD3-4E34-8F04-5A1D45C716A6@info.nl>
References: <5331108C-BCD3-4E34-8F04-5A1D45C716A6@info.nl>
Message-ID: <018BA408-BE02-4B7A-8C5C-A734473D7863@info.nl>

Hi,

I created a JIRA ticket for this problem: https://issues.jboss.org/browse/KEYCLOAK-5835

As a workaround we now let our user admins log in with our overall Keycloak admin account. Something we want to avoid if we can of course.

cheers

Edgar

> On 9 Nov 2017, at 13:22, Edgar Vonk - Info.nl wrote:
>
> Hi,
>
> I think in a recent upgrade of Keycloak (we are now using 3.2.0.Final) the following issue was introduced:
>
> When a "user admin user" (this is a realm user who has permissions to manage and view users in Keycloak) logs in to Keycloak and this person tries to add a new user, the "required user actions" dropdown is mangled and does not function properly. This seems to be caused by a permission issue or something regarding the "select2.css" resource. In the browser I see that the select2.css file cannot be loaded.
>
> However when an overall Keycloak admin logs in this dropdown just works fine.
>
> Shall I report a JIRA issue for this?
I do not really know what causes this but my guess is that the manage / view user roles in Keycloak are missing some permissions somewhere. > > These are the permissions the user admin user has: > - manage-users > - view-clients > - view-realm > - view-users > > > cheers > > Edgar > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Mon Nov 13 06:12:06 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 13 Nov 2017 09:12:06 -0200 Subject: [keycloak-user] example authz photos not working In-Reply-To: References: Message-ID: Hi, What version are you using of Keycloak adapters ? On Mon, Nov 13, 2017 at 7:28 AM, Max Bruchmann wrote: > Hi, > > maybe I'm doing something wrong but it looks like instructions of the > photoz example are not working. > > When importing the Authorization Setting > "examples/authz/photoz/photoz-restful-api/src/main/ > resources/photoz-restful-api-authz-service.json" > the "Only Owner Policy" entry contains "${project.version}" which leads > to a failed import. It works with the processed version in > target/classes since it is replaced during the build. Also as the "Only > Owner Policy" is a maven entry and its pom depends on the parent and the > parent on its parent you need to do mvn install in the root example folder. > > The only thing I was not able to work arround was the deploying is the > actual deployment of the photoz-restful-api > > When I execute: > > cd examples/authz/photoz/photoz-restful-api > mvn clean package wildfly:deploy > > > It results in: > > [ERROR] Failed to execute goal > org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy > (default-cli) on project photoz-restful-api: Failed to execute goal > deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. 
> Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed > services" => > {"jboss.module.service.\"deployment.photoz-restful-api.war\".main" => > "WFLYSRV0179: Failed to load module: deployment.photoz-restful-api.war > [ERROR] Caused by: org.jboss.modules.ModuleNotFoundException: > org.keycloak.keycloak-authz-client"}}}} > > > And the log on the server side: > > 00:20:22,098 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) > MSC000001: Failed to start service > jboss.module.service."deployment.photoz-restful-api.war".main: > org.jboss.msc.service.StartException in service > jboss.module.service."deployment.photoz-restful-api.war".main: > WFLYSRV0179: Failed to load module: deployment.photoz-restful-api.war > at > org.jboss.as.server.moduleservice.ModuleLoadService.start( > ModuleLoadService.java:91) > at > org.jboss.msc.service.ServiceControllerImpl$StartTask.startService( > ServiceControllerImpl.java:2032) > at > org.jboss.msc.service.ServiceControllerImpl$StartTask.run( > ServiceControllerImpl.java:1955) > at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > Caused by: org.jboss.modules.ModuleNotFoundException: > org.keycloak.keycloak-authz-client > at org.jboss.modules.Module.addPaths(Module.java:1217) > at org.jboss.modules.Module.link(Module.java:1573) > at org.jboss.modules.Module.relinkIfNecessary(Module.java:1601) > at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:287) > at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:271) > at > org.jboss.as.server.moduleservice.ModuleLoadService.start( > ModuleLoadService.java:68) > ... 5 more > > > So if I understand it correctly there is no authz client module > installed on keycloak. How do I solve this? 
>
> Kind Regards,
>
> Max

From psilva at redhat.com  Mon Nov 13 06:34:35 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 13 Nov 2017 09:34:35 -0200
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

Hi,

It seems you are looking for fine-grained permissions. Could you take a look at this example [1] and documentation [2]?

One of the things shown by that example is how to protect resources based on their owner.

[1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
[2] http://www.keycloak.org/docs/latest/authorization_services/index.html

On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont wrote:
> Hi guys,
> another small question :)
>
> Suppose you have an API looking like this:
> http://www.example.com/api/v1/cars
>
> Cars have an owner:
> {
>   name: "my car"
>   owner: "smith"
> }
>
> How to make sure that you can only get cars that are yours (you can have several cars)?
> If you make a simple GET on this endpoint, should I:
> 1. just reply with an "Access denied" because the request is too large: it could yield cars that are not yours,
> 2. reply with "Access denied" if the response list contains some cars that are not yours,
> 3. filter the response car list to only yours?
>
> It seems that 1. is the simplest because it uses only the request to make decisions.
> 2. uses the response to make the decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
> What is the most standard way?
>
> I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
> Cheers!!
> Corentin

From psilva at redhat.com  Mon Nov 13 06:35:46 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 13 Nov 2017 09:35:46 -0200
Subject: [keycloak-user] AuthZ with realm roles
In-Reply-To:
References:
Message-ID:

You should probably take a look at Keycloak Authorization Services.

On Sun, Nov 12, 2017 at 7:29 PM, Corentin Dupont wrote:
> Hi guys,
> yet another question... AuthZ is quite mysterious!
> I am trying to protect my API with realm roles.
>
> I have an API looking like this:
> http://www.example.com/api/v1/cities/rome/houses
> http://www.example.com/api/v1/cities/rome/streets
>
> Each endpoint supports GET/PUT/POST/DELETE.
> Each role must have the form:
>
> :[:[:]]
>
> For example roles can be:
> - view:houses
> - view:houses:rome
> - view:houses:rome:owner==smith
> - manage:houses:rome
>
> "manage": gives you all CRUD operations, while with "view" you can only read resources.
>
> Do you think this design is correct? Any other suggestion?
> What is not practical is that I have to force my users to use this role format.
> The resource filter part is also hard to implement, as it requires checking the content of the responses...

From psilva at redhat.com  Mon Nov 13 06:42:35 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 13 Nov 2017 09:42:35 -0200
Subject: [keycloak-user] default permissions
In-Reply-To:
References:
Message-ID:

I see. We don't have anything like that, sorry. But there is an option to statically DISABLE policy enforcement for a specific path in keycloak.json (policy-enforcer settings).
Also, in order to achieve what you want you probably need to ignore bearer token authentication for these paths you want to make public (although they are intercepted by the adapter).

Could you file a JIRA describing your use case and requirements?

On Sun, Nov 12, 2017 at 6:50 PM, Corentin Dupont wrote:
> Hi Pedro,
> I don't really have public/private paths in the API.
> Some resources under those paths can be either public or private, however.
> For instance, a URL would be like that:
>
> www.example.com/api/v1/cities/rome/houses
>
> I would like that some cities be accessible by everybody without token, while some others will be private and require auth token and specific roles to be accessed.
>
> Thanks!
>
> On Fri, Nov 10, 2017 at 11:33 AM, Pedro Igor Silva wrote:
>> Hi,
>>
>> I think you could probably change your application and remove the resources/paths you want to make public from the list of resources protected by the adapter.
>>
>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>> Another question: how to apply default authorizations?
>>>
>>> I want to protect my API with authorization in Keycloak. However some resources should be open to the public, accessible without any bearer token.
>>> My idea was:
>>> - create an "unregistered_user" composite role, containing some basic roles
>>> - create a "guest" user, with the unregistered_user role
>>> - on the API server, if there is no token in the request I will get the roles of the guest user and use them. If there is a token, I'll use that user's permissions.
>>> What do you think of that process?
>>>
>>> Thanks

From corentin.dupont at gmail.com  Mon Nov 13 07:32:45 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 13 Nov 2017 13:32:45 +0100
Subject: [keycloak-user] default permissions
In-Reply-To:
References:
Message-ID:

Done: https://issues.jboss.org/browse/KEYCLOAK-5839

On Mon, Nov 13, 2017 at 12:42 PM, Pedro Igor Silva wrote:
> I see. We don't have anything like that, sorry. But there is an option to statically DISABLE policy enforcement for a specific path in keycloak.json (policy-enforcer settings).
>
> Also, in order to achieve what you want you probably need to ignore bearer token authentication for these paths you want to make public (although they are intercepted by the adapter).
>
> Could you file a JIRA describing your use case and requirements?
>
> On Sun, Nov 12, 2017 at 6:50 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>> Hi Pedro,
>> I don't really have public/private paths in the API.
>> Some resources under those paths can be either public or private, however.
>> For instance, a URL would be like that:
>>
>> www.example.com/api/v1/cities/rome/houses
>>
>> I would like that some cities be accessible by everybody without token, while some others will be private and require auth token and specific roles to be accessed.
>>
>> Thanks!
>>
>> On Fri, Nov 10, 2017 at 11:33 AM, Pedro Igor Silva wrote:
>>> Hi,
>>>
>>> I think you could probably change your application and remove the resources/paths you want to make public from the list of resources protected by the adapter.
>>>
>>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>> Another question: how to apply default authorizations?
>>>>
>>>> I want to protect my API with authorization in Keycloak.
>>>> However some resources should be open to the public, accessible without any bearer token.
>>>> My idea was:
>>>> - create an "unregistered_user" composite role, containing some basic roles
>>>> - create a "guest" user, with the unregistered_user role
>>>> - on the API server, if there is no token in the request I will get the roles of the guest user and use them. If there is a token, I'll use that user's permissions.
>>>> What do you think of that process?
>>>>
>>>> Thanks

From pskopek at redhat.com  Mon Nov 13 07:33:17 2017
From: pskopek at redhat.com (Peter Skopek)
Date: Mon, 13 Nov 2017 12:33:17 +0000
Subject: [keycloak-user] Configuring keycloak SAML adapter on tomcat with clockSkew
In-Reply-To:
References:
Message-ID:

Hi Elias,

looks like the configuration option is missing. Can you create a JIRA issue [1] for this, please.

Thanks,
Peter

[1] https://issues.jboss.org/projects/KEYCLOAK/summary

On Wed, Nov 8, 2017 at 5:09 PM Elias Glareff wrote:
> Hello,
>
> I am trying to track down the information whether it is possible to set the clockSkew in the keycloak tomcat adapter.
> The problem is that the Identity Provider is some time ahead of the Service Provider, so whenever the SAML response arrives, the NotBefore time is ahead of the SP clock, so the response is considered expired on arrival.
> This is a known problem, described in https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonorafter-problem-due-to-unsynced-clocks-explained-90455bc8822f .
>
> In the keycloak source code in AssertionUtil there is a method hasExpired to which you can provide a clockSkew variable which would remedy this problem.
> The issue is that I see absolutely no place where I could let the keycloak SAML adapter on the service provider know that I want to use a clock skew and set its value.
>
> The only configuration from my side I see is the keycloak-saml.xml in the WEB-INF folder of the application, but in the documentation for this configuration it does not mention any possibility to set the clock skew.
>
> Kindly share your knowledge on this issue if you can help.
>
> Thanks,
> Elias

From psilva at redhat.com  Mon Nov 13 07:40:58 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 13 Nov 2017 10:40:58 -0200
Subject: [keycloak-user] default permissions
In-Reply-To:
References:
Message-ID:

Tks.

On Mon, Nov 13, 2017 at 10:32 AM, Corentin Dupont wrote:
> Done: https://issues.jboss.org/browse/KEYCLOAK-5839
>
> On Mon, Nov 13, 2017 at 12:42 PM, Pedro Igor Silva wrote:
>> I see. We don't have anything like that, sorry. But there is an option to statically DISABLE policy enforcement for a specific path in keycloak.json (policy-enforcer settings).
>>
>> Also, in order to achieve what you want you probably need to ignore bearer token authentication for these paths you want to make public (although they are intercepted by the adapter).
>>
>> Could you file a JIRA describing your use case and requirements?
>>
>> On Sun, Nov 12, 2017 at 6:50 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>> Hi Pedro,
>>> I don't really have public/private paths in the API.
>>> Some resources under those paths can be either public or private, however.
>>> For instance, a URL would be like that:
>>>
>>> www.example.com/api/v1/cities/rome/houses
>>>
>>> I would like that some cities be accessible by everybody without token, while some others will be private and require auth token and specific roles to be accessed.
>>>
>>> Thanks!
>>>
>>> On Fri, Nov 10, 2017 at 11:33 AM, Pedro Igor Silva wrote:
>>>> Hi,
>>>>
>>>> I think you could probably change your application and remove the resources/paths you want to make public from the list of resources protected by the adapter.
>>>>
>>>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>> Another question: how to apply default authorizations?
>>>>>
>>>>> I want to protect my API with authorization in Keycloak. However some resources should be open to the public, accessible without any bearer token.
>>>>> My idea was:
>>>>> - create an "unregistered_user" composite role, containing some basic roles
>>>>> - create a "guest" user, with the unregistered_user role
>>>>> - on the API server, if there is no token in the request I will get the roles of the guest user and use them. If there is a token, I'll use that user's permissions.
>>>>> What do you think of that process?
>>>>>
>>>>> Thanks

From corentin.dupont at gmail.com  Mon Nov 13 12:11:11 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 13 Nov 2017 18:11:11 +0100
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

Hi again,
I looked everywhere but I couldn't find an Evaluation API for javascript...
In my nodeJS server, should I call UMA API endpoints?
On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva wrote:
> Hi,
>
> It seems you are looking for fine-grained permissions. Could you take a look at this example [1] and documentation [2]?
>
> One of the things shown by that example is how to protect resources based on their owner.
>
> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>
> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>> Hi guys,
>> another small question :)
>>
>> Suppose you have an API looking like this:
>> http://www.example.com/api/v1/cars
>>
>> Cars have an owner:
>> {
>>   name: "my car"
>>   owner: "smith"
>> }
>>
>> How to make sure that you can only get cars that are yours (you can have several cars)?
>> If you make a simple GET on this endpoint, should I:
>> 1. just reply with an "Access denied" because the request is too large: it could yield cars that are not yours,
>> 2. reply with "Access denied" if the response list contains some cars that are not yours,
>> 3. filter the response car list to only yours?
>>
>> It seems that 1. is the simplest because it uses only the request to make decisions.
>> 2. uses the response to make the decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
>> What is the most standard way?
>>
>> I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
>> Cheers!!
>> Corentin

From d.weirshousky at xsb.com  Mon Nov 13 15:57:18 2017
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Mon, 13 Nov 2017 14:57:18 -0600 (CST)
Subject: [keycloak-user] Keycloak as SAML Service Provider problem
In-Reply-To: <1365135598.15413591.1510606169576.JavaMail.zimbra@xsb.com>
Message-ID: <975665734.15419805.1510606638324.JavaMail.zimbra@xsb.com>

Hi,
I have Keycloak 3.2.1 set up to act as an SP and Okta as a SAML IDP. I am trying to initiate login from Okta. After the initial user registration keycloak seems to fail while validating the signature on one of the SAML Responses. The error in the browser is invalidFederatedIdentityActionMessage and the stack trace is below.

20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
    at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
    at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)

The X509 certificate is the same on both ends.
Am I missing a configuration setting some place else? Any help would be appreciated. Some googling brings up some old bugs but I believe they are all fixed in 3.2.1.

Thanks
Drew Weirshousky

From 1rahulr at gmail.com  Tue Nov 14 00:10:37 2017
From: 1rahulr at gmail.com (Rahul R)
Date: Tue, 14 Nov 2017 10:40:37 +0530
Subject: [keycloak-user] access token valid for more than expiry time by milli seconds
Message-ID:

Hi,
We have a keycloak set up where the Access Token Lifespan is set to 5 minutes.

Now we get the access token using the following command:

curl -d "client_id=admin-cli" -d "username=admin_user" -d "password=admin_user" -d "grant_type=password" "http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token"

Now if we use the following command to get the user details:

curl -H "Authorization: bearer <access token value got earlier>" "http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/userinfo"

The expectation is that the second command works till the token expiry time, which is 5 minutes, and after 5 minutes the "token not valid" error should be seen. But while running the tests multiple times, we are seeing that sometimes the token is valid for more than 5 minutes by almost 500 milliseconds.

Has anyone seen such a behaviour? Is this a keycloak bug or a behaviour only seen on my machine?

Thanks
Rahul

From by.xtazy at gmail.com  Tue Nov 14 02:39:51 2017
From: by.xtazy at gmail.com (Andrei Karabach)
Date: Tue, 14 Nov 2017 10:39:51 +0300
Subject: [keycloak-user] Fwd: keycloak-preview
In-Reply-To:
References:
Message-ID:

Hello.
How to install the keycloak-preview theme from https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account ?

From Athulya.Pillai at cybertech.com  Tue Nov 14 02:44:46 2017
From: Athulya.Pillai at cybertech.com (Athulya Pillai)
Date: Tue, 14 Nov 2017 07:44:46 +0000
Subject: [keycloak-user] LDAP user federation keycloak with .net core
Message-ID: <5D7282EF8AC38B41BA812672DABBF6B6D0B9B86D@CSSLEX1.Cybertech.Com>

Hello,

Please help me to use the keycloak LDAP provider in .net core.

Thanks and Regards
Athulya

From 1rahulr at gmail.com  Tue Nov 14 03:19:45 2017
From: 1rahulr at gmail.com (Rahul R)
Date: Tue, 14 Nov 2017 13:49:45 +0530
Subject: [keycloak-user] access token valid for more than expiry time by milli seconds
In-Reply-To:
References:
Message-ID:

Hi,

From the RFC for JWT https://tools.ietf.org/html/rfc7519

4.1.4. "exp" (Expiration Time) Claim

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

So is this delay intentional from the keycloak implementers or a bug to be fixed?

Thanks
Rahul

On Tue, Nov 14, 2017 at 10:40 AM, Rahul R <1rahulr at gmail.com> wrote:
> Hi,
> We have a keycloak set up where the Access Token Lifespan is set to 5 minutes.
> Now we get the access token using the following command:
>
> curl -d "client_id=admin-cli" -d "username=admin_user" -d "password=admin_user" -d "grant_type=password" "http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token"
>
> Now if we use the following command to get the user details:
>
> curl -H "Authorization: bearer <access token value got earlier>" "http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/userinfo"
>
> The expectation is that the second command works till the token expiry time, which is 5 minutes, and after 5 minutes the "token not valid" error should be seen. But while running the tests multiple times, we are seeing that sometimes the token is valid for more than 5 minutes by almost 500 milliseconds.
>
> Has anyone seen such a behaviour? Is this a keycloak bug or a behaviour only seen on my machine?
>
> Thanks
> Rahul

From lists at merit.unu.edu  Tue Nov 14 03:52:17 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 14 Nov 2017 09:52:17 +0100
Subject: [keycloak-user] Fwd: keycloak-preview
In-Reply-To:
References:
Message-ID: <656d7f80-c3f4-5eac-6674-37088e5d3346@merit.unu.edu>

Hi,

No idea about your question, but we have an additional themes question:

We recently discovered the (beautiful) sunrise theme 'by accident', and it made us wonder:

Is there an overview of available themes including samples of how they look?

MJ

On 14-11-2017 8:39, Andrei Karabach wrote:
> Hello.
> How to install the keycloak-preview theme from https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account ?

From sthorger at redhat.com  Tue Nov 14 04:16:26 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 14 Nov 2017 10:16:26 +0100
Subject: [keycloak-user] Fwd: keycloak-preview
In-Reply-To: <656d7f80-c3f4-5eac-6674-37088e5d3346@merit.unu.edu>
References: <656d7f80-c3f4-5eac-6674-37088e5d3346@merit.unu.edu>
Message-ID:

We don't have a list of supported "themes", but rather just the one sunrise example on how to do it yourself.

On 14 November 2017 at 09:52, lists wrote:
> Hi,
>
> No idea about your question, but we have an additional themes question:
>
> We recently discovered the (beautiful) sunrise theme 'by accident', and it made us wonder:
>
> Is there an overview of available themes including samples of how they look?
>
> MJ
>
> On 14-11-2017 8:39, Andrei Karabach wrote:
>> Hello.
>> How to install the keycloak-preview theme from https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account ?

From forums.akurathi at gmail.com  Tue Nov 14 04:36:25 2017
From: forums.akurathi at gmail.com (forums.akurathi at gmail.com)
Date: Tue, 14 Nov 2017 04:36:25 -0500
Subject: [keycloak-user] Fwd: OTP Policy updates not reflects in Google Authenticator
In-Reply-To: <15ed2d35a59-c0c-c297@webjas-vaa118.srv.aolmail.net>
References: <15ed2d35a59-c0c-c297@webjas-vaa118.srv.aolmail.net>
Message-ID: <15fb9e3088c-c0a-2fd80@webjas-vae184.srv.aolmail.net>

Hi Stian,

I am not sure of the rationale behind my question not receiving any response, though it was posted more than a month ago. I am hoping you could be of some help with a problem that we are having with Keycloak OTP changes not reflecting in Google Authenticator. Please review the aforementioned issue description and do the needful.

Appreciate your quick response on this.

Thanks & Regards
Krishna Kumar Akurathi

On Saturday, September 30, 2017, forums.akurathi forums.akurathi at gmail.com wrote:

Dear all,

We are running into a weird problem, i.e., updates to the OTP policy do not reflect in the Google Authenticator app. We wonder if there are any special instructions needed to get this working.
A sequence of steps:

1) create realm, create user
2) enable OTP
3) login with the newly created user
4) system asks you to configure OTP
5) update OTP policy such as number of digits from 6 to 8
6) try login again
7) system asks you to enter OTP but authentication fails

We expect the system should route the user to the configure OTP page rather than prompting to enter an OTP which fails anyway.

Your response is highly appreciated !!!

Thanks in advance

Regards
Krishna Kumar Akurathi

From corentin.dupont at gmail.com  Tue Nov 14 04:47:34 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 14 Nov 2017 10:47:34 +0100
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

Thanks for the documentation, after reading it I found that I can use "entitlement" endpoints for my use case.
So I do:

TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" | jq .access_token -r`

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Houses",
      "scopes" : [ "view" ]
    }
  ]
}' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"

Is this correct? It seems to be working.
I am not sure how I can get/create resources via the API. I tried:

curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"

But I get:

{"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}

On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont wrote:
> Hi again,
> I looked everywhere but I couldn't find an Evaluation API for javascript...
> In my nodeJS server, should I call UMA API endpoints?
>
> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva wrote:
>> Hi,
>>
>> It seems you are looking for fine-grained permissions. Could you take a look at this example [1] and documentation [2]?
>>
>> One of the things shown by that example is how to protect resources based on their owner.
>>
>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>
>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>> Hi guys,
>>> another small question :)
>>>
>>> Suppose you have an API looking like this:
>>> http://www.example.com/api/v1/cars
>>>
>>> Cars have an owner:
>>> {
>>>   name: "my car"
>>>   owner: "smith"
>>> }
>>>
>>> How to make sure that you can only get cars that are yours (you can have several cars)?
>>> If you make a simple GET on this endpoint, should I:
>>> 1. just reply with an "Access denied" because the request is too large: it could yield cars that are not yours,
>>> 2. reply with "Access denied" if the response list contains some cars that are not yours,
>>> 3. filter the response car list to only yours?
>>>
>>> It seems that 1. is the simplest because it uses only the request to make decisions.
>>> 2. uses the response to make the decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
>>> What is the most standard way?
>>>
>>> I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
>>> Cheers!!
>>> Corentin

From lists at merit.unu.edu  Tue Nov 14 05:17:19 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 14 Nov 2017 11:17:19 +0100
Subject: [keycloak-user] upgrade to 3.4 issue
Message-ID: <14c26515-132d-1662-e629-dd47c79e9bb8@merit.unu.edu>

Hi,

Today we tried to upgrade our standalone 3.3 install to 3.4, following the docs:

- copied 3.3 /standalone/ over the 3.4 install, replacing all
- copied mysql connector in modules/system/layers/keycloak/org

But then, the standalone upgrade script doesn't work:

> root at server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli
> Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> root at server:/opt/keycloak-3.4.0.Final#

When starting the 3.4 server without having run the upgrade script, we see what the actual problem appears to be:

> OPVDX001: Validation error in standalone.xml -----------------------------------
> |
> |  470:
> |  471:
> |  472:
> |       ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
> |
> |  473:
> |  474:
> |  475:
> |
> | The primary underlying error message was:
> | > ParseError at [row,col]:[472,9]
> | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
> |
> |-------------------------------------------------------------------------------

The same standalone.xml still works in keycloak 3.3, so it basically seems to be ok, or not corrupt at least.

This install has been upgraded from: 3.0 -> 3.1 -> 3.3 (we skipped 3.2)

It seems that our config has to be migrated using the script, but the upgrade-standalone.cli script will not run...

What to do?
MJ

From lists at merit.unu.edu  Tue Nov 14 05:18:06 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 14 Nov 2017 11:18:06 +0100
Subject: [keycloak-user] Fwd: keycloak-preview
In-Reply-To:
References: <656d7f80-c3f4-5eac-6674-37088e5d3346@merit.unu.edu>
Message-ID: <57a168ec-072d-3ef3-10b6-3e2a8da74b19@merit.unu.edu>

On 14-11-2017 10:16, Stian Thorgersen wrote:
> We don't have a list of supported "themes", but rather just the one sunrise example on how to do it yourself.

ok, thanks.

From hmlnarik at redhat.com  Tue Nov 14 05:34:12 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 14 Nov 2017 11:34:12 +0100
Subject: [keycloak-user] Keycloak as SAML Service Provider problem
In-Reply-To: <975665734.15419805.1510606638324.JavaMail.zimbra@xsb.com>
References: <1365135598.15413591.1510606169576.JavaMail.zimbra@xsb.com> <975665734.15419805.1510606638324.JavaMail.zimbra@xsb.com>
Message-ID:

It's hard to say. Make sure the settings of signature algorithms match in Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g. via SAML Tracer or similar tool) would help.

--Hynek

On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky wrote:
> Hi,
> I have Keycloak 3.2.1 set up to act as an SP and Okta as a SAML IDP. I am trying to initiate login from Okta. After the initial user registration keycloak seems to fail while validating the signature on one of the SAML Responses. The error in the browser is invalidFederatedIdentityActionMessage and the stack trace is below.
>
> 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
>     at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>
> The X509 certificate is the same on both ends. Am I missing a configuration setting some place else? Any help would be appreciated. Some googling brings up some old bugs but I believe they are all fixed in 3.2.1.
>
> Thanks
> Drew Weirshousky

--
--Hynek

From matthew.broadhead at nbmlaw.co.uk  Tue Nov 14 07:05:51 2017
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Tue, 14 Nov 2017 13:05:51 +0100
Subject: [keycloak-user] UserRepresentation enabled Boolean
Message-ID:

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-with-is-does-not-work).

This also applies to totp and emailVerified in the same class.
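The JavaBeans rule behind the JSF failure described above, as an added illustration that is not code from the Keycloak project: java.beans.Introspector, which EL/JSF property resolution builds on, only accepts an "is"-prefixed method as a getter when it returns primitive boolean, so a wrapper Boolean isEnabled() leaves the "enabled" property write-only. The three nested classes are constructed stand-ins for the accessor shapes discussed, not UserRepresentation itself.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

/**
 * Demonstrates why a java.lang.Boolean property exposed through an "is"
 * getter is invisible to bean introspection, while the primitive boolean
 * and the "get"-prefixed wrapper variants are found as expected.
 */
public class BooleanPropertyCheck {

    /** Stand-in for the shape reported on the list: wrapper Boolean with isEnabled(). */
    public static class WrapperWithIs {
        private Boolean enabled = Boolean.TRUE;
        public Boolean isEnabled() { return enabled; }
        public void setEnabled(Boolean enabled) { this.enabled = enabled; }
    }

    /** Conformant: a primitive boolean may use the "is" prefix. */
    public static class PrimitiveWithIs {
        private boolean enabled = true;
        public boolean isEnabled() { return enabled; }
        public void setEnabled(boolean enabled) { this.enabled = enabled; }
    }

    /** Conformant: a wrapper Boolean must use the "get" prefix. */
    public static class WrapperWithGet {
        private Boolean enabled = Boolean.TRUE;
        public Boolean getEnabled() { return enabled; }
        public void setEnabled(Boolean enabled) { this.enabled = enabled; }
    }

    /**
     * Returns true when the Introspector reports a readable "enabled" property
     * on the given bean class. The Introspector pairs an "is" method with a
     * property only when its return type is boolean.class; for the wrapper
     * type the setter alone is found and the property has no read method.
     */
    public static boolean hasReadableEnabled(Class<?> beanClass) throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(beanClass, Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if ("enabled".equals(pd.getName())) {
                return pd.getReadMethod() != null;
            }
        }
        return false; // no property named "enabled" was discovered at all
    }

    public static void main(String[] args) throws IntrospectionException {
        System.out.println("Boolean isEnabled()  readable: " + hasReadableEnabled(WrapperWithIs.class));
        System.out.println("boolean isEnabled()  readable: " + hasReadableEnabled(PrimitiveWithIs.class));
        System.out.println("Boolean getEnabled() readable: " + hasReadableEnabled(WrapperWithGet.class));
    }
}
```

The wrapper-with-is case is the only one the Introspector reports as not readable, and the same Introspector-based lookup is what JSF's BeanELResolver performs when a page references the property.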
From psilva at redhat.com Tue Nov 14 07:20:02 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 Nov 2017 10:20:02 -0200
Subject: [keycloak-user] API Authorization: on request or response?

The problem here is that you got an access token (that you are using as a bearer to access Protection API) using resource owner password grant type (direct grant). That means the subject of the token is a user (username) and not the resource server itself.

Only resource servers (your client application) are allowed to access the Protection API (and managed resources).

The access token you got is valid to query for permissions though, as you want to obtain a set of permissions a user has, where the token represents the user identity.

You should fix that error by obtaining an access token for your client. Something like that (from docs):

curl -X POST \
  -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials' \
  "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"

On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont wrote:
> Thanks for the documentation, after reading it I found that I can use
> "entitlement" endpoints for my use case.
> So I do:
>
> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" | jq .access_token -r`
>
> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>   "permissions" : [
>     {
>       "resource_set_name" : "Houses",
>       "scopes" : [
>         "view"
>       ]
>     }
>   ]
> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>
> Is this correct? It seems to be working.
> I am not sure how I can get/create resources via the API.
> I tried:
>
> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
> But I get:
> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>
> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont wrote:
>> Hi again,
>> I looked everywhere but I couldn't find an Evaluation API for javascript...
>> In my nodeJS server, should I call UMA API endpoints?
>>
>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva wrote:
>>> Hi,
>>>
>>> It seems you are looking for fine-grained permissions. Could you take a
>>> look at this example [1] and documentation [2] ?
>>>
>>> One of the things shown by that example is how to protect resources
>>> based on their owner.
>>>
>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>>
>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont wrote:
>>>> Hi guys,
>>>> another small question :)
>>>>
>>>> Suppose you have an API looking like this:
>>>> http://www.example.com/api/v1/cars
>>>>
>>>> Cars have an owner:
>>>> {
>>>>   name: "my car"
>>>>   owner: "smith"
>>>> }
>>>>
>>>> How to make sure that you can only get cars that are yours (you can have several cars)?
>>>> If you make a simple GET on this endpoint, should I:
>>>> 1. just reply with an "Access denied" because the request is too large: it could yield cars that are not yours,
>>>> 2. reply with "Access denied" if the response list contains some cars that are not yours,
>>>> 3. filter the response car list with only yours?
>>>>
>>>> It seems that 1. is the simplest because it uses only the request to make decisions.
>>>> 2. uses the response to make a decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
>>>> What is the most standard way?
>>>>
>>>> I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
>>>> Cheers!!
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Tue Nov 14 07:37:09 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 14 Nov 2017 13:37:09 +0100
Subject: [keycloak-user] API Authorization: on request or response?

Thanks, actually I saw it but I didn't understand where this bit came from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==

On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva wrote:
> The problem here is that you got an access token (that you are using as a
> bearer to access Protection API) using resource owner password grant type
> (direct grant). That means the subject of the token is a user (username)
> and not the resource server itself.
>
> Only resource servers (your client application) are allowed to access the
> Protection API (and managed resources).
>
> The access token you got is valid to query for permissions though, as you
> want to obtain a set of permissions a user has, where the token represents
> the user identity.
>
> You should fix that error by obtaining an access token for your client.
> Something like that (from docs):
>
> curl -X POST \
>   -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'grant_type=client_credentials' \
>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"

From ssilvert at redhat.com Tue Nov 14 07:41:05 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 14 Nov 2017 07:41:05 -0500
Subject: [keycloak-user] Fwd: keycloak-preview
Message-ID: <77bcff42-f936-dba8-54f8-cd5535a760ec@redhat.com>

On 11/14/2017 2:39 AM, Andrei Karabach wrote:
> Hello. How to install keycloak-preview theme from
> https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Below are the instructions I posted to the dev list in September. I haven't been able to work on it much since then and you will notice that i18n/l10n is broken right now. Not sure how that happened but text in the UI will show the keys instead of the localized text.

It's very much a work in progress and not very useful except to demonstrate some advancements in Keycloak/Angular2 integration. Once it gets cleaned up and stable again, I'll post and let everyone know.

-------------------------------------------------------------------------------
The new Angular 2 Account Management Console just got its first commit to master. This console will be extensible, allowing new pages to be added. It will have a better look and feel as it adheres to PatternFly standards. Also, it looks nice on your phone.

If you'd like to take a peek, you will need to build keycloak with an "account2" profile ( mvn install -Paccount2 )

Then when you run the server, use this system property:
-Dkeycloak.profile.feature.account2=enabled

After that, just log in to the admin console and set the account theme to "keycloak-preview"

From psilva at redhat.com Tue Nov 14 07:44:17 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 Nov 2017 10:44:17 -0200
Subject: [keycloak-user] API Authorization: on request or response?

Try this:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
  "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"

Without BASIC but credentials as form parameters.

On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont wrote:
> Thanks, actually I saw it but I didn't understand where this bit came
> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==

From psilva at redhat.com Tue Nov 14 07:44:55 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 Nov 2017 10:44:55 -0200
Subject: [keycloak-user] API Authorization: on request or response?

Btw. I should probably change documentation to reflect this. Thanks for the feedback.

On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva wrote:
> Try this:
>
> curl -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>
> Without BASIC but credentials as form parameters.

From corentin.dupont at gmail.com Tue Nov 14 08:13:29 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 14 Nov 2017 14:13:29 +0100
Subject: [keycloak-user] API Authorization: on request or response?

This works great, thanks.

TOKEN=`curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
  "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" | jq .access_token -r`

Then I do:
$ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
["037f5d3e-8f25-4af1-93a0-4e17455d0614"]
$ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set/037f5d3e-8f25-4af1-93a0-4e17455d0614" -H "Authorization: Bearer $TOKEN"
{
  "name": "Sensors",
  "uri": "/sensors/*",
  "type": "http://localhost:3000/sensors",
  "scopes": [
    {
      "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
      "name": "view"
    },
    {
      "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
      "name": "manage"
    }
  ],
  "owner": "0892e431-5daf-413e-b4cf-eaee121ee447",
  "_id": "037f5d3e-8f25-4af1-93a0-4e17455d0614",
  "id": "037f5d3e-8f25-4af1-93a0-4e17455d0614"
}

Next I tried to POST a new resource:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "name": "My house",
  "uri": "/houses/123",
  "scopes": [
    {
      "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
      "name": "view"
    },
    {
      "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
      "name": "manage"
    }
  ],
  "owner": "0892e431-5daf-413e-b4cf-eaee121ee447"
}'

Everything seems OK.

On Tue, Nov 14, 2017 at 1:44 PM, Pedro Igor Silva wrote:
> Try this:
>
> curl -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>
> Without BASIC but credentials as form parameters.

From corentin.dupont at gmail.com Tue Nov 14 08:14:14 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 14 Nov 2017 14:14:14 +0100
Subject: [keycloak-user] API Authorization: on request or response?

I added this as a question on stackoverflow, just for future reference:
https://stackoverflow.com/questions/47282818/keycloak-authz-with-nodejs

On Tue, Nov 14, 2017 at 2:13 PM, Corentin Dupont wrote:
> This works great, thanks.
>
> TOKEN=`curl -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" | jq .access_token -r`
>
> Then I do:
> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
> ["037f5d3e-8f25-4af1-93a0-4e17455d0614"]
> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set/037f5d3e-8f25-4af1-93a0-4e17455d0614" -H "Authorization: Bearer $TOKEN"
> {
>   "name": "Sensors",
>   "uri": "/sensors/*",
>   "type": "http://localhost:3000/sensors",
>   "scopes": [
>     {
>       "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
>       "name": "view"
>     },
>     {
>       "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
>       "name": "manage"
>     }
>   ],
>   "owner": "0892e431-5daf-413e-b4cf-eaee121ee447",
>   "_id": "037f5d3e-8f25-4af1-93a0-4e17455d0614",
>   "id": "037f5d3e-8f25-4af1-93a0-4e17455d0614"
> }
>
> Next I tried to POST a new resource:
> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>   "name": "My house",
>   "uri": "/houses/123",
>   "scopes": [
>     {
>       "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
>       "name": "view"
>     },
>     {
>       "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
>       "name": "manage"
>     }
>   ],
>   "owner": "0892e431-5daf-413e-b4cf-eaee121ee447"
> }'
>
> Everything seems OK.
>>>>>>>> Corentin >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From mhelmke at redhat.com Tue Nov 14 08:23:59 2017 From: mhelmke at redhat.com (Matthew Helmke) Date: Tue, 14 Nov 2017 07:23:59 -0600 Subject: [keycloak-user] API Authorization: on request or response? In-Reply-To: References: Message-ID: Pedro, I'm happy to help with docs changes, if you would like assistance. On Tue, Nov 14, 2017 at 6:44 AM, Pedro Igor Silva wrote: > Btw. I should probably change documentation to reflect this. Thanks for the > feedback. > > On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva > wrote: > > > Try this: > > > > curl -X POST \ > > -H "Content-Type: application/x-www-form-urlencoded" \ > > -d 'grant_type=client_credentials&client_id=myclient&client_secret= > > myclientsecret' > > "http://localhost:8080/auth/realms/${realm_name}/protocol/ > > openid-connect/token" > > > > Without BASIC but credentials as form parameters. > > > > On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont < > > corentin.dupont at gmail.com> wrote: > > > >> Thanks, actually I saw it but I didn't understand where this bit came > >> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA== > >> > >> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva > >> wrote: > >> > >>> The problem here is that you got an access token (that you are using as > >>> a bearer to access Protection API) using resource owner password grant > type > >>> (direct grant). That means the subject of the token is an user > (username) > >>> and not the resource server itself. > >>> > >>> Only resource servers (your client application) are allowed to access > >>> the Protection API (and managed resources). > >>> > >>> The access token you got is valid to query for permissions though. 
As > >>> you want to obtain a set of permission an user has. Where the token > >>> represents user identity. > >>> > >>> You should fix that error by obtaining a access token for your client. > >>> Something like that (from docs): > >>> > >>> curl -X POST \ > >>> -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" > \ > >>> -H "Content-Type: application/x-www-form-urlencoded" \ > >>> -d 'grant_type=client_credentials' \ > >>> "http://localhost:8080/auth/realms/${realm_name}/protocol/ > openid-connect/token" > >>> > >>> > >>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont < > >>> corentin.dupont at gmail.com> wrote: > >>> > >>>> Thanks for the documentation, after reading it I found that I can use > >>>> "entitlement" endpoints for my use case. > >>>> So I do: > >>>> > >>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form- > urlencoded" > >>>> -d 'username=username&password=password&grant_type=password&cli > >>>> ent_id=myclient&client_secret=myclientsecret' " > >>>> http://localhost:8080/auth/realms/myrealm/protocol/ > openid-connect/token" > >>>> | jq .access_token -r` > >>>> > >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: > >>>> Bearer $TOKEN" -d '{ > >>>> "permissions" : [ > >>>> { > >>>> "resource_set_name" : "Houses", > >>>> "scopes" : [ > >>>> "view" > >>>> ] > >>>> } > >>>> ] > >>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement > >>>> /myclient" > >>>> > >>>> Is this correct? It seems to be working. > >>>> I am not sure how can I get/create resources via the API. 
> >>>> I tried: > >>>> > >>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/ > >>>> resource_set" -H "Authorization: Bearer $TOKEN" > >>>> But I get: > >>>> {"error":"invalid_clientId","error_description":"Client application > >>>> with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in > realm > >>>> [myrealm]"} > >>>> > >>>> > >>>> > >>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont < > >>>> corentin.dupont at gmail.com> wrote: > >>>> > >>>>> Hi again, > >>>>> I looked everywhere but I couldn't find an Evaluation API for > >>>>> javascript... > >>>>> In my nodeJS server, should I call UMA API endpoints? > >>>>> > >>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva < > psilva at redhat.com> > >>>>> wrote: > >>>>> > >>>>>> Hi, > >>>>>> > >>>>>> It seems you are looking for fine-grained permissions. Could you > take > >>>>>> a look at this example [1] and documentation [2] ? > >>>>>> > >>>>>> One of the things shown by that example is how to protect resources > >>>>>> based on its owner. > >>>>>> > >>>>>> [1] https://github.com/keycloak/keycloak/tree/master/example > >>>>>> s/authz/photoz > >>>>>> [2] http://www.keycloak.org/docs/latest/authorization_servic > >>>>>> es/index.html > >>>>>> > >>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < > >>>>>> corentin.dupont at gmail.com> wrote: > >>>>>> > >>>>>>> Hi guys, > >>>>>>> another small question :) > >>>>>>> > >>>>>>> Suppose you have an API looking like this: > >>>>>>> http://www.example.com/api/v1/cars > >>>>>>> > >>>>>>> Cars have an owner: > >>>>>>> { > >>>>>>> name: "my car" > >>>>>>> owner: "smith" > >>>>>>> } > >>>>>>> > >>>>>>> How to make sure that you can only get cars that are yours (you can > >>>>>>> have > >>>>>>> several cars)? > >>>>>>> If you make a simple GET on this endpoint, should I: > >>>>>>> 1. just reply with a "Access denied" because the request is too > >>>>>>> large: it > >>>>>>> could yield cars that are not yours, > >>>>>>> 2. 
reply with "Access denied" if the response list contains some > >>>>>>> cars that > >>>>>>> are not yours, > >>>>>>> 3. filter the response car list with only yours? > >>>>>>> > >>>>>>> It seems that 1. is the simplest because it uses only the request > to > >>>>>>> make > >>>>>>> decisions. > >>>>>>> 2. uses the response to make decision, while 3. requires the > >>>>>>> collaboration > >>>>>>> of the response handler in my API server, in order to implement the > >>>>>>> filtering. > >>>>>>> What is the most standard way? > >>>>>>> > >>>>>>> I have also some trouble understanding how to implement that with > >>>>>>> Keycloak > >>>>>>> protect in NodeJS. > >>>>>>> Cheers!! > >>>>>>> Corentin > >>>>>>> _______________________________________________ > >>>>>>> keycloak-user mailing list > >>>>>>> keycloak-user at lists.jboss.org > >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>>>> > >>>>>> > >>>>>> > >>>>> > >>>> > >>> > >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- matthew helmke technical writer, product documentation CUSTOMER content services mhelmke at redhat.com T: +1-319-333-9638 irc:: mhelmke TRIED. TESTED. TRUSTED. From psilva at redhat.com Tue Nov 14 08:40:10 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 14 Nov 2017 11:40:10 -0200 Subject: [keycloak-user] API Authorization: on request or response? In-Reply-To: References: Message-ID: Thanks, Matthew. I've submitted a PR [1] with a fairly simple change already. Please, let me know if you are OK with it. [1] https://github.com/keycloak/keycloak-documentation/pull/236 On Tue, Nov 14, 2017 at 11:23 AM, Matthew Helmke wrote: > Pedro, I'm happy to help with docs changes, if you would like assistance. > > On Tue, Nov 14, 2017 at 6:44 AM, Pedro Igor Silva > wrote: > >> Btw. I should probably change documentation to reflect this. 
Thanks for >> the >> feedback. >> >> On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva >> wrote: >> >> > Try this: >> > >> > curl -X POST \ >> > -H "Content-Type: application/x-www-form-urlencoded" \ >> > -d 'grant_type=client_credentials&client_id=myclient&client_secret= >> > myclientsecret' >> > "http://localhost:8080/auth/realms/${realm_name}/protocol/ >> > openid-connect/token" >> > >> > Without BASIC but credentials as form parameters. >> > >> > On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont < >> > corentin.dupont at gmail.com> wrote: >> > >> >> Thanks, actually I saw it but I didn't understand where this bit came >> >> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA== >> >> >> >> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva >> >> wrote: >> >> >> >>> The problem here is that you got an access token (that you are using >> as >> >>> a bearer to access Protection API) using resource owner password >> grant type >> >>> (direct grant). That means the subject of the token is an user >> (username) >> >>> and not the resource server itself. >> >>> >> >>> Only resource servers (your client application) are allowed to access >> >>> the Protection API (and managed resources). >> >>> >> >>> The access token you got is valid to query for permissions though. As >> >>> you want to obtain a set of permission an user has. Where the token >> >>> represents user identity. >> >>> >> >>> You should fix that error by obtaining a access token for your client. 
>> >>> Something like that (from docs): >> >>> >> >>> curl -X POST \ >> >>> -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" >> \ >> >>> -H "Content-Type: application/x-www-form-urlencoded" \ >> >>> -d 'grant_type=client_credentials' \ >> >>> "http://localhost:8080/auth/realms/${realm_name}/protocol/o >> penid-connect/token" >> >>> >> >>> >> >>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont < >> >>> corentin.dupont at gmail.com> wrote: >> >>> >> >>>> Thanks for the documentation, after reading it I found that I can use >> >>>> "entitlement" endpoints for my use case. >> >>>> So I do: >> >>>> >> >>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlenco >> ded" >> >>>> -d 'username=username&password=password&grant_type=password&cli >> >>>> ent_id=myclient&client_secret=myclientsecret' " >> >>>> http://localhost:8080/auth/realms/myrealm/protocol/openid- >> connect/token" >> >>>> | jq .access_token -r` >> >>>> >> >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >> >>>> Bearer $TOKEN" -d '{ >> >>>> "permissions" : [ >> >>>> { >> >>>> "resource_set_name" : "Houses", >> >>>> "scopes" : [ >> >>>> "view" >> >>>> ] >> >>>> } >> >>>> ] >> >>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement >> >>>> /myclient" >> >>>> >> >>>> Is this correct? It seems to be working. >> >>>> I am not sure how can I get/create resources via the API. 
>> >>>> I tried: >> >>>> >> >>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/ >> >>>> resource_set" -H "Authorization: Bearer $TOKEN" >> >>>> But I get: >> >>>> {"error":"invalid_clientId","error_description":"Client application >> >>>> with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in >> realm >> >>>> [myrealm]"} >> >>>> >> >>>> >> >>>> >> >>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont < >> >>>> corentin.dupont at gmail.com> wrote: >> >>>> >> >>>>> Hi again, >> >>>>> I looked everywhere but I couldn't find an Evaluation API for >> >>>>> javascript... >> >>>>> In my nodeJS server, should I call UMA API endpoints? >> >>>>> >> >>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva < >> psilva at redhat.com> >> >>>>> wrote: >> >>>>> >> >>>>>> Hi, >> >>>>>> >> >>>>>> It seems you are looking for fine-grained permissions. Could you >> take >> >>>>>> a look at this example [1] and documentation [2] ? >> >>>>>> >> >>>>>> One of the things shown by that example is how to protect resources >> >>>>>> based on its owner. >> >>>>>> >> >>>>>> [1] https://github.com/keycloak/keycloak/tree/master/example >> >>>>>> s/authz/photoz >> >>>>>> [2] http://www.keycloak.org/docs/latest/authorization_servic >> >>>>>> es/index.html >> >>>>>> >> >>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < >> >>>>>> corentin.dupont at gmail.com> wrote: >> >>>>>> >> >>>>>>> Hi guys, >> >>>>>>> another small question :) >> >>>>>>> >> >>>>>>> Suppose you have an API looking like this: >> >>>>>>> http://www.example.com/api/v1/cars >> >>>>>>> >> >>>>>>> Cars have an owner: >> >>>>>>> { >> >>>>>>> name: "my car" >> >>>>>>> owner: "smith" >> >>>>>>> } >> >>>>>>> >> >>>>>>> How to make sure that you can only get cars that are yours (you >> can >> >>>>>>> have >> >>>>>>> several cars)? >> >>>>>>> If you make a simple GET on this endpoint, should I: >> >>>>>>> 1. 
just reply with a "Access denied" because the request is too >> >>>>>>> large: it >> >>>>>>> could yield cars that are not yours, >> >>>>>>> 2. reply with "Access denied" if the response list contains some >> >>>>>>> cars that >> >>>>>>> are not yours, >> >>>>>>> 3. filter the response car list with only yours? >> >>>>>>> >> >>>>>>> It seems that 1. is the simplest because it uses only the request >> to >> >>>>>>> make >> >>>>>>> decisions. >> >>>>>>> 2. uses the response to make decision, while 3. requires the >> >>>>>>> collaboration >> >>>>>>> of the response handler in my API server, in order to implement >> the >> >>>>>>> filtering. >> >>>>>>> What is the most standard way? >> >>>>>>> >> >>>>>>> I have also some trouble understanding how to implement that with >> >>>>>>> Keycloak >> >>>>>>> protect in NodeJS. >> >>>>>>> Cheers!! >> >>>>>>> Corentin >> >>>>>>> _______________________________________________ >> >>>>>>> keycloak-user mailing list >> >>>>>>> keycloak-user at lists.jboss.org >> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>>>>>> >> >>>>>> >> >>>>>> >> >>>>> >> >>>> >> >>> >> >> >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > matthew helmke > > technical writer, product documentation > > CUSTOMER content services > > mhelmke at redhat.com T: +1-319-333-9638 <(319)%20333-9638> irc:: mhelmke > > TRIED. TESTED. TRUSTED. > From mhelmke at redhat.com Tue Nov 14 08:44:20 2017 From: mhelmke at redhat.com (Matthew Helmke) Date: Tue, 14 Nov 2017 07:44:20 -0600 Subject: [keycloak-user] API Authorization: on request or response? In-Reply-To: References: Message-ID: Looks good to me. Thanks. On Tue, Nov 14, 2017 at 7:40 AM, Pedro Igor Silva wrote: > Thanks, Matthew. I've submitted a PR [1] with a fairly simple change > already. Please, let me know if you are OK with it. 
> > [1] https://github.com/keycloak/keycloak-documentation/pull/236 > > On Tue, Nov 14, 2017 at 11:23 AM, Matthew Helmke > wrote: > >> Pedro, I'm happy to help with docs changes, if you would like assistance. >> >> On Tue, Nov 14, 2017 at 6:44 AM, Pedro Igor Silva >> wrote: >> >>> Btw. I should probably change documentation to reflect this. Thanks for >>> the >>> feedback. >>> >>> On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva >>> wrote: >>> >>> > Try this: >>> > >>> > curl -X POST \ >>> > -H "Content-Type: application/x-www-form-urlencoded" \ >>> > -d 'grant_type=client_credentials&client_id=myclient&client_sec >>> ret= >>> > myclientsecret' >>> > "http://localhost:8080/auth/realms/${realm_name}/protocol/ >>> > openid-connect/token" >>> > >>> > Without BASIC but credentials as form parameters. >>> > >>> > On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont < >>> > corentin.dupont at gmail.com> wrote: >>> > >>> >> Thanks, actually I saw it but I didn't understand where this bit came >>> >> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA== >>> >> >>> >> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva >>> >> wrote: >>> >> >>> >>> The problem here is that you got an access token (that you are using >>> as >>> >>> a bearer to access Protection API) using resource owner password >>> grant type >>> >>> (direct grant). That means the subject of the token is an user >>> (username) >>> >>> and not the resource server itself. >>> >>> >>> >>> Only resource servers (your client application) are allowed to access >>> >>> the Protection API (and managed resources). >>> >>> >>> >>> The access token you got is valid to query for permissions though. As >>> >>> you want to obtain a set of permission an user has. Where the token >>> >>> represents user identity. >>> >>> >>> >>> You should fix that error by obtaining a access token for your >>> client. 
>>> >>> Something like that (from docs): >>> >>> >>> >>> curl -X POST \ >>> >>> -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" >>> \ >>> >>> -H "Content-Type: application/x-www-form-urlencoded" \ >>> >>> -d 'grant_type=client_credentials' \ >>> >>> "http://localhost:8080/auth/realms/${realm_name}/protocol/o >>> penid-connect/token" >>> >>> >>> >>> >>> >>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont < >>> >>> corentin.dupont at gmail.com> wrote: >>> >>> >>> >>>> Thanks for the documentation, after reading it I found that I can >>> use >>> >>>> "entitlement" endpoints for my use case. >>> >>>> So I do: >>> >>>> >>> >>>> TOKEN=`curl -X POST -H "Content-Type: >>> application/x-www-form-urlencoded" >>> >>>> -d 'username=username&password=password&grant_type=password&cli >>> >>>> ent_id=myclient&client_secret=myclientsecret' " >>> >>>> http://localhost:8080/auth/realms/myrealm/protocol/openid-co >>> nnect/token" >>> >>>> | jq .access_token -r` >>> >>>> >>> >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>> >>>> Bearer $TOKEN" -d '{ >>> >>>> "permissions" : [ >>> >>>> { >>> >>>> "resource_set_name" : "Houses", >>> >>>> "scopes" : [ >>> >>>> "view" >>> >>>> ] >>> >>>> } >>> >>>> ] >>> >>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement >>> >>>> /myclient" >>> >>>> >>> >>>> Is this correct? It seems to be working. >>> >>>> I am not sure how can I get/create resources via the API. 
>>> >>>> I tried: >>> >>>> >>> >>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/ >>> >>>> resource_set" -H "Authorization: Bearer $TOKEN" >>> >>>> But I get: >>> >>>> {"error":"invalid_clientId","error_description":"Client application >>> >>>> with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in >>> realm >>> >>>> [myrealm]"} >>> >>>> >>> >>>> >>> >>>> >>> >>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont < >>> >>>> corentin.dupont at gmail.com> wrote: >>> >>>> >>> >>>>> Hi again, >>> >>>>> I looked everywhere but I couldn't find an Evaluation API for >>> >>>>> javascript... >>> >>>>> In my nodeJS server, should I call UMA API endpoints? >>> >>>>> >>> >>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva < >>> psilva at redhat.com> >>> >>>>> wrote: >>> >>>>> >>> >>>>>> Hi, >>> >>>>>> >>> >>>>>> It seems you are looking for fine-grained permissions. Could you >>> take >>> >>>>>> a look at this example [1] and documentation [2] ? >>> >>>>>> >>> >>>>>> One of the things shown by that example is how to protect >>> resources >>> >>>>>> based on its owner. >>> >>>>>> >>> >>>>>> [1] https://github.com/keycloak/keycloak/tree/master/example >>> >>>>>> s/authz/photoz >>> >>>>>> [2] http://www.keycloak.org/docs/latest/authorization_servic >>> >>>>>> es/index.html >>> >>>>>> >>> >>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < >>> >>>>>> corentin.dupont at gmail.com> wrote: >>> >>>>>> >>> >>>>>>> Hi guys, >>> >>>>>>> another small question :) >>> >>>>>>> >>> >>>>>>> Suppose you have an API looking like this: >>> >>>>>>> http://www.example.com/api/v1/cars >>> >>>>>>> >>> >>>>>>> Cars have an owner: >>> >>>>>>> { >>> >>>>>>> name: "my car" >>> >>>>>>> owner: "smith" >>> >>>>>>> } >>> >>>>>>> >>> >>>>>>> How to make sure that you can only get cars that are yours (you >>> can >>> >>>>>>> have >>> >>>>>>> several cars)? >>> >>>>>>> If you make a simple GET on this endpoint, should I: >>> >>>>>>> 1. 
just reply with a "Access denied" because the request is too >>> >>>>>>> large: it >>> >>>>>>> could yield cars that are not yours, >>> >>>>>>> 2. reply with "Access denied" if the response list contains some >>> >>>>>>> cars that >>> >>>>>>> are not yours, >>> >>>>>>> 3. filter the response car list with only yours? >>> >>>>>>> >>> >>>>>>> It seems that 1. is the simplest because it uses only the >>> request to >>> >>>>>>> make >>> >>>>>>> decisions. >>> >>>>>>> 2. uses the response to make decision, while 3. requires the >>> >>>>>>> collaboration >>> >>>>>>> of the response handler in my API server, in order to implement >>> the >>> >>>>>>> filtering. >>> >>>>>>> What is the most standard way? >>> >>>>>>> >>> >>>>>>> I have also some trouble understanding how to implement that with >>> >>>>>>> Keycloak >>> >>>>>>> protect in NodeJS. >>> >>>>>>> Cheers!! >>> >>>>>>> Corentin >>> >>>>>>> _______________________________________________ >>> >>>>>>> keycloak-user mailing list >>> >>>>>>> keycloak-user at lists.jboss.org >>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>>>>>> >>> >>>>>> >>> >>>>>> >>> >>>>> >>> >>>> >>> >>> >>> >> >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> -- >> >> matthew helmke >> >> technical writer, product documentation >> >> CUSTOMER content services >> >> mhelmke at redhat.com T: +1-319-333-9638 <(319)%20333-9638> irc:: mhelmke >> >> TRIED. TESTED. TRUSTED. >> > > -- matthew helmke technical writer, product documentation CUSTOMER content services mhelmke at redhat.com T: +1-319-333-9638 irc:: mhelmke TRIED. TESTED. TRUSTED. 
From d.weirshousky at xsb.com Tue Nov 14 10:48:30 2017 From: d.weirshousky at xsb.com (Drew Weirshousky) Date: Tue, 14 Nov 2017 09:48:30 -0600 (CST) Subject: [keycloak-user] Keycloak as SAML Service Provider problem In-Reply-To: References: <1365135598.15413591.1510606169576.JavaMail.zimbra@xsb.com> <975665734.15419805.1510606638324.JavaMail.zimbra@xsb.com> Message-ID: <1043533664.16294117.1510674510976.JavaMail.zimbra@xsb.com> Hi Hynek, The signature algorithm is set to RSA_SHA256 in okta and keycloak. I tried validating the XML response using https://www.samltool.com/validate_response.php and it fails with "Signature validation failed. Reference validation failed". Which some googling made me change Okta to use SHA1 for the Digest Algorithm. I received the same results using SHA1. I can't seem to find a digest setting for Keycloak so I would assume SHA256 is being used? I've attached the data from SAML trace. These are both test servers setup to figure out how to do this. Thanks Drew Weirshousky ----- Original Message ----- From: "Hynek Mlnarik" To: "Drew Weirshousky" Cc: "keycloak-user" Sent: Tuesday, November 14, 2017 5:34:12 AM Subject: Re: [keycloak-user] Keycloak as SAML Service Provider problem It's hard to say. Make sure the settings of signature algorithms match in Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g. via SAML Tracer or similar tool) would help. --Hynek On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky wrote: > Hi, > I have Keycloak 3.2.1 setup to act as a SP and Okta as a SAML IDP. I am > trying to initiate login from Okta. After the initial user registration > keycloak seems to fail while validating the signature on one of the SAML > Responses. The error in the browser is invalidFederatedIdentityActionMessage > and the stack trace is below. 
> > 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default > task-18) validation failed: org.keycloak.common.VerificationException: > Invalid signature on document > at org.keycloak.protocol.saml.SamlProtocolUtils. > verifyDocumentSignature(SamlProtocolUtils.java:83) > at org.keycloak.broker.saml.SAMLEndpoint$PostBinding. > verifySignature(SAMLEndpoint.java:533) > at org.keycloak.broker.saml.SAMLEndpoint$Binding. > handleSamlResponse(SAMLEndpoint.java:471) > at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute( > SAMLEndpoint.java:239) > at org.keycloak.broker.saml.SAMLEndpoint.postBinding( > SAMLEndpoint.java:159) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > > The X509 certificate is the same on both ends. Am I missing a > configuration setting some place else? Any help would be appreciated. > Some googling brings up some old bugs but I believe they are all fixed in > 3.2.1. > > Thanks > Drew Weirshousky > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek From corentin.dupont at gmail.com Tue Nov 14 11:32:52 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 14 Nov 2017 17:32:52 +0100 Subject: [keycloak-user] API Authorization: on request or response? 
In-Reply-To:
References:
Message-ID:

I spotted something strange:
If I try with a non-existing resource:

$ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "xxx",
      "scopes" : [
        "view"
      ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"

It replies with 200:
{"rpt":"eyJhbG...}
Is this correct?

If I try also with a non-existent scope (yes I'm nitpicking):

$ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "xxx",
      "scopes" : [
        "xxx"
      ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"

It replies with 500: Internal Server Error

On Tue, Nov 14, 2017 at 2:13 PM, Corentin Dupont wrote:

> This works great, thanks.
>
> TOKEN=`curl -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" | jq .access_token -r`
>
> Then I do:
> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
> ["037f5d3e-8f25-4af1-93a0-4e17455d0614"]
> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set/037f5d3e-8f25-4af1-93a0-4e17455d0614" -H "Authorization: Bearer $TOKEN"
> {
>   "name": "Sensors",
>   "uri": "/sensors/*",
>   "type": "http://localhost:3000/sensors",
>   "scopes": [
>     {
>       "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
>       "name": "view"
>     },
>     {
>       "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
>       "name": "manage"
>     }
>   ],
>   "owner": "0892e431-5daf-413e-b4cf-eaee121ee447",
>   "_id": "037f5d3e-8f25-4af1-93a0-4e17455d0614",
>   "id": "037f5d3e-8f25-4af1-93a0-4e17455d0614"
> }
>
> Next I tried to POST a new resource:
> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>   "name": "My house",
>   "uri": "/houses/123",
>   "scopes": [
>     {
>       "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
>       "name": "view"
>     },
>     {
>       "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
>       "name": "manage"
>     }
>   ],
>   "owner": "0892e431-5daf-413e-b4cf-eaee121ee447"
> }'
>
> Everything seems OK.
>
> On Tue, Nov 14, 2017 at 1:44 PM, Pedro Igor Silva wrote:
>
>> Try this:
>>
>> curl -X POST \
>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>   -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>
>> Without BASIC but credentials as form parameters.
>>
>> On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Thanks, actually I saw it but I didn't understand where this bit came from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
>>>
>>> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva wrote:
>>>
>>>> The problem here is that you got an access token (that you are using as a bearer to access the Protection API) using the resource owner password grant type (direct grant). That means the subject of the token is a user (username) and not the resource server itself.
>>>>
>>>> Only resource servers (your client application) are allowed to access the Protection API (and managed resources).
>>>>
>>>> The access token you got is valid to query for permissions though, as you want to obtain a set of permissions a user has, where the token represents user identity.
>>>>
>>>> You should fix that error by obtaining an access token for your client. Something like that (from docs):
>>>>
>>>> curl -X POST \
>>>>   -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>>>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>>>   -d 'grant_type=client_credentials' \
>>>>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>>
>>>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Thanks for the documentation, after reading it I found that I can use "entitlement" endpoints for my use case.
>>>>> So I do:
>>>>>
>>>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" | jq .access_token -r`
>>>>>
>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>>   "permissions" : [
>>>>>     {
>>>>>       "resource_set_name" : "Houses",
>>>>>       "scopes" : [
>>>>>         "view"
>>>>>       ]
>>>>>     }
>>>>>   ]
>>>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>>>>>
>>>>> Is this correct? It seems to be working.
>>>>> I am not sure how I can get/create resources via the API.
>>>>> I tried:
>>>>>
>>>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
>>>>> But I get:
>>>>> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>>>>>
>>>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Hi again,
>>>>>> I looked everywhere but I couldn't find an Evaluation API for javascript...
>>>>>> In my nodeJS server, should I call UMA API endpoints?
>>>>>>
>>>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> It seems you are looking for fine-grained permissions. Could you take a look at this example [1] and documentation [2]?
>>>>>>>
>>>>>>> One of the things shown by that example is how to protect resources based on their owner.
>>>>>>>
>>>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>>>>>>
>>>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>> another small question :)
>>>>>>>>
>>>>>>>> Suppose you have an API looking like this:
>>>>>>>> http://www.example.com/api/v1/cars
>>>>>>>>
>>>>>>>> Cars have an owner:
>>>>>>>> {
>>>>>>>>   name: "my car"
>>>>>>>>   owner: "smith"
>>>>>>>> }
>>>>>>>>
>>>>>>>> How to make sure that you can only get cars that are yours (you can have several cars)?
>>>>>>>> If you make a simple GET on this endpoint, should I:
>>>>>>>> 1. just reply with an "Access denied" because the request is too large: it could yield cars that are not yours,
>>>>>>>> 2. reply with "Access denied" if the response list contains some cars that are not yours,
>>>>>>>> 3. filter the response car list with only yours?
>>>>>>>>
>>>>>>>> It seems that 1. is the simplest because it uses only the request to make decisions.
>>>>>>>> 2. uses the response to make the decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
>>>>>>>> What is the most standard way?
>>>>>>>>
>>>>>>>> I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
>>>>>>>> Cheers!!
>>>>>>>> Corentin
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From john.ocallaghan at accenture.com Tue Nov 14 11:40:55 2017
From: john.ocallaghan at accenture.com (O'Callaghan, John)
Date: Tue, 14 Nov 2017 16:40:55 +0000
Subject: [keycloak-user] API Keys
Message-ID: <32803703-9753-4E38-AFBE-71396C5FC767@accenture.com>

Hi

I'm trying to understand if it is possible to generate an API Key for a particular user in keycloak?

What I would like to be able to do is to generate a key that is associated with a user (and their realm roles). I'd like to then be able to use that key at some later date (days, weeks, months later) to generate an access token which I can then use as per normal. I would also like to be able to manage api keys created in the past, revoking them if needs be.

Is this something that is possible?

Thanks!
John
From pcfleischer at outlook.com Tue Nov 14 12:06:55 2017
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Tue, 14 Nov 2017 17:06:55 +0000
Subject: [keycloak-user] loggin saml requests/responses
Message-ID:

Hi,

I'm trying to debug using the saml clients and identity brokering; in the docs and several messages it says that this can be done by turning on debug or trace. I added the following to my standalone.xml but I'm not seeing anything. I also tried on a remote host by using the jboss-cli.sh command to add the logger, to no avail. Is there something I'm missing?

From jjfraney at gmail.com Tue Nov 14 15:28:33 2017
From: jjfraney at gmail.com (John Franey)
Date: Tue, 14 Nov 2017 15:28:33 -0500
Subject: [keycloak-user] Authentication SPI implementation for RADIUS
Message-ID:

I'm not finding an implementation of Keycloak Authentication SPI for RADIUS. Am I crazy just for looking? I mean, is the absence of such a warning for folks? Or has it simply not been tried? I don't find much of a demand for one either. So maybe that is the case, I hope. I think we'll have to write one to satisfy internal customer request. Is there anyone willing to claim they attempted such? I'd like to hear from you regarding approach and success.

Thanks,
John

From psilva at redhat.com Tue Nov 14 15:43:58 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 Nov 2017 18:43:58 -0200
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

In the first case you should get an error instead. Will check the second case as in theory it should just ignore the scope.
On Tue, Nov 14, 2017 at 2:32 PM, Corentin Dupont wrote:

> I spotted something strange:
> If I try with a non-existing resource:
>
> $ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>   "permissions" : [
>     {
>       "resource_set_name" : "xxx",
>       "scopes" : [
>         "view"
>       ]
>     }
>   ]
> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
> It replies with 200:
> {"rpt":"eyJhbG...}
> Is this correct?
>
> If I try also with a non-existent scope (yes I'm nitpicking):
>
> $ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>   "permissions" : [
>     {
>       "resource_set_name" : "xxx",
>       "scopes" : [
>         "xxx"
>       ]
>     }
>   ]
> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
> It replies with 500: Internal Server Error

From sthorger at redhat.com Wed Nov 15 03:26:13 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 Nov 2017 09:26:13 +0100
Subject: [keycloak-user] upgrade to 3.4 issue
In-Reply-To: <14c26515-132d-1662-e629-dd47c79e9bb8@merit.unu.edu>
References: <14c26515-132d-1662-e629-dd47c79e9bb8@merit.unu.edu>
Message-ID:

That seems like it could be an issue caused by the fact that KC 3.3 was based on WildFly 11 Beta. You'll probably have to manually update the standalone file (or grab the one from the 3.2 release if you still have that).

On 14 November 2017 at 11:17, lists wrote:

> Hi,
>
> Today we tried to upgrade our standalone 3.3 install to 3.4, following the docs:
>
> - copied 3.3 /standalone/ over the 3.4 install, replacing all
> - copied mysql connector in modules/system/layers/keycloak/org
>
> But then, the standalone upgrade script doesn't work:
>
> root at server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli
>
> Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>
> root at server:/opt/keycloak-3.4.0.Final#
>
> When starting the 3.4 server without having run the upgrade script, we see what the actual problem appears to be:
>
> OPVDX001: Validation error in standalone.xml
> -----------------------------------
> |
> |  470:
> |  471:
> |  472:   final-providers="combined-providers" disallowed-providers="OracleUcrypto">
> |         ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
> |
> |  473:
> |  474:
> |  475:
> |
> | The primary underlying error message was:
> |
> | > ParseError at [row,col]:[472,9]
> | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
> |
> |-------------------------------------------------------------------------------
>
> The same standalone.xml still works in keycloak 3.3, so it basically seems to be ok, or not corrupt at least. This install has been upgraded from:
> 3.0 -> 3.1 -> 3.3 (we skipped 3.2)
>
> It seems that our config has to be migrated using the script, but the upgrade-standalone.cli script will not run...
>
> What to do?
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Wed Nov 15 06:11:01 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 15 Nov 2017 12:11:01 +0100
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

Sorry to disturb again, another small question:
It seems that with the Keycloak UI I cannot choose the owner of a resource, but with the API I can? Is that correct?
Thanks

On Tue, Nov 14, 2017 at 9:43 PM, Pedro Igor Silva wrote:

> In the first case you should get an error instead. Will check the second case as in theory it should just ignore the scope.
From MPoettgen at clifford-thames.com Wed Nov 15 06:34:01 2017
From: MPoettgen at clifford-thames.com (Michael Poettgen)
Date: Wed, 15 Nov 2017 11:34:01 +0000
Subject: [keycloak-user] Mutual Trust via Identity Brokering
Message-ID:

Hello Everyone,

We would like to set up two (or more) Keycloak systems (in different, remote locations) and would like to establish something like mutual trust between them using Identity Brokering.

For two IdPs A and B, each of the two should have their own accounts and should be set up to broker to the other IdP, e.g. via 'Keycloak OpenID Connect'. This would have the advantage that a client of A could be used by a user of B and vice versa.

Is this something that
* Definitely works
* Works, but with pitfalls ...
* Should work
* Doesn't work, because ...
An interesting situation may be if a user tries to use a client and is redirected to IdP A, where he then clicks on "Authenticate via IdP B", where he then clicks on "Authenticate via IdP A", where he then clicks on "Authenticate via IdP B" and so on. Can this be avoided?

Thanks,
Michael

From psilva at redhat.com Wed Nov 15 06:48:11 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 15 Nov 2017 09:48:11 -0200
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

Yes, that is correct. When you create a resource via the admin console, the owner is always the resource itself. The resource can be considered as a "common" or "general" resource, managed and owned by the resource server itself. When using the API, you can set the owner to any user you want (we have a JIRA to also allow setting the owner to a group), which means the resource belongs to that particular user.

Your question is very pertinent and allows me to clarify an interesting behavior when permissions are evaluated for a given user. When you ask permissions for a particular user (where the user's identity is represented by the access token you send to both the Entitlement and Authorization APIs), Keycloak will evaluate permissions based on the resources owned by the resource server (the general resources) plus the ones that belong to the user.

When you set the owner to a user you can write policies like "Only the Owner Can Access", as you can check if the identity seeking access (represented by the access token) is the same as the owner of a resource.
On Wed, Nov 15, 2017 at 9:11 AM, Corentin Dupont wrote:

> Sorry to disturb again, another small question:
> It seems that with the Keycloak UI I cannot choose the owner of a resource, but with the API I can? Is that correct?
> Thanks
>
> On Tue, Nov 14, 2017 at 9:43 PM, Pedro Igor Silva wrote:
>
>> In the first case you should get an error instead. Will check the second case as in theory it should just ignore the scope.
>>>>>>>> I tried: >>>>>>>> >>>>>>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/ >>>>>>>> resource_set" -H "Authorization: Bearer $TOKEN" >>>>>>>> But I get: >>>>>>>> {"error":"invalid_clientId","error_description":"Client >>>>>>>> application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does >>>>>>>> not exist in realm [myrealm]"} >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont < >>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi again, >>>>>>>>> I looked everywhere but I couldn't find an Evaluation API for >>>>>>>>> javascript... >>>>>>>>> In my nodeJS server, should I call UMA API endpoints? >>>>>>>>> >>>>>>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva < >>>>>>>>> psilva at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> It seems you are looking for fine-grained permissions. Could you >>>>>>>>>> take a look at this example [1] and documentation [2] ? >>>>>>>>>> >>>>>>>>>> One of the things shown by that example is how to protect >>>>>>>>>> resources based on its owner. >>>>>>>>>> >>>>>>>>>> [1] https://github.com/keycloak/keycloak/tree/master/example >>>>>>>>>> s/authz/photoz >>>>>>>>>> [2] http://www.keycloak.org/docs/latest/authorization_servic >>>>>>>>>> es/index.html >>>>>>>>>> >>>>>>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < >>>>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi guys, >>>>>>>>>>> another small question :) >>>>>>>>>>> >>>>>>>>>>> Suppose you have an API looking like this: >>>>>>>>>>> http://www.example.com/api/v1/cars >>>>>>>>>>> >>>>>>>>>>> Cars have an owner: >>>>>>>>>>> { >>>>>>>>>>> name: "my car" >>>>>>>>>>> owner: "smith" >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> How to make sure that you can only get cars that are yours (you >>>>>>>>>>> can have >>>>>>>>>>> several cars)? >>>>>>>>>>> If you make a simple GET on this endpoint, should I: >>>>>>>>>>> 1. 
just reply with a "Access denied" because the request is too >>>>>>>>>>> large: it >>>>>>>>>>> could yield cars that are not yours, >>>>>>>>>>> 2. reply with "Access denied" if the response list contains some >>>>>>>>>>> cars that >>>>>>>>>>> are not yours, >>>>>>>>>>> 3. filter the response car list with only yours? >>>>>>>>>>> >>>>>>>>>>> It seems that 1. is the simplest because it uses only the >>>>>>>>>>> request to make >>>>>>>>>>> decisions. >>>>>>>>>>> 2. uses the response to make decision, while 3. requires the >>>>>>>>>>> collaboration >>>>>>>>>>> of the response handler in my API server, in order to implement >>>>>>>>>>> the >>>>>>>>>>> filtering. >>>>>>>>>>> What is the most standard way? >>>>>>>>>>> >>>>>>>>>>> I have also some trouble understanding how to implement that >>>>>>>>>>> with Keycloak >>>>>>>>>>> protect in NodeJS. >>>>>>>>>>> Cheers!! >>>>>>>>>>> Corentin >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From corentin.dupont at gmail.com Wed Nov 15 08:00:23 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 15 Nov 2017 14:00:23 +0100 Subject: [keycloak-user] API Authorization: on request or response? In-Reply-To: References: Message-ID: Thanks. Is it possible to define this policy "Only the Owner Can Access" in Keycloak UI? Should I use a Javascript policy? On Wed, Nov 15, 2017 at 12:48 PM, Pedro Igor Silva wrote: > Yes, that is correct. When you create a resource via admin console, the > owner is always the resource itself. The resource can be considered as a > "common" or "general" resource, managed and owned by the resource server > itself. 
>
> When using the API, you can set the owner to any user you want (we have a JIRA to also allow setting the owner to a group), which means the resource belongs to that particular user.
>
> Your question is very pertinent and allows me to clarify an interesting behavior when permissions are evaluated for a given user. When you ask permissions for a particular user (where the user's identity is represented by the access token you send to both the Entitlement and Authorization APIs) Keycloak will evaluate permissions based on the resources owned by the resource server (the general resources) plus the ones that belong to the user.
>
> When you set the owner to a user you can write policies like "Only the Owner Can Access", as you can check if the identity seeking access (represented by the access token) is the same as the owner of a resource.
>
> On Wed, Nov 15, 2017 at 9:11 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Sorry to disturb again, another small question:
>> It seems that with the Keycloak UI I cannot choose the owner of a resource, but with the API I can? Is that correct?
>> Thanks

From georgijsr at scandiweb.com Wed Nov 15 08:23:34 2017
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Wed, 15 Nov 2017 15:23:34 +0200
Subject: [keycloak-user] Authenticate to Google Compute Cloud admin console using Open ID Connect.
Message-ID:

Hello, everyone!

My current setup:
Keycloak Version - 3.0.0.Final
Keycloak Server Profile - Community
A single test project in Google Compute Cloud.

My question:
Is this SSO scenario possible:
* A User authenticates at the Keycloak server and initiates the configured Open ID Connect client.
* The initiated Open ID Connect client sends a code request to Google, requesting an access token.
* Google sends back the access token, Keycloak receives the access token, redirects the user to Google, and Google authenticates the user by email attribute.

Basically, I want to create this kind of workflow:
* A user logs into the Keycloak server and initiates the Open ID Connect client.
* After the access code and token exchange has been completed, Keycloak redirects the user to Google, and the user gains access to the Google Cloud Compute admin console.

Any help will be appreciated.
Thank you.

--
Georgijs Radovs
Sysadmin
Scandiweb.com

From Gregor.Tudan at cofinpro.de Wed Nov 15 08:37:05 2017
From: Gregor.Tudan at cofinpro.de (Gregor Tudan)
Date: Wed, 15 Nov 2017 13:37:05 +0000
Subject: [keycloak-user] Registration when already logged in
Message-ID:

Hello,

we recently upgraded Keycloak from version 3.0 to 3.2, and now we have run into a small problem, perhaps someone knows a clever solution?

In Keycloak 3.0, if a user registers while already being signed in, he would STILL be able to register a new user (with another user-name and e-mail), and would automatically be logged in to the NEW user.

After the Keycloak update, this no longer works. The user gets an error message AFTER registering a new user, stating he is already logged in as someone else, and can't go on.

I guess this was introduced by https://issues.jboss.org/browse/KEYCLOAK-4626

We redirect to the registration page using the javascript adapter. Is there some kind of parameter we can pass to:
a) get the old behaviour (user gets logged in to the newly created account) or
b) see the error message on the registration page, instead of after registration has been completed?

Our application allows a user to have more than one account, so it's not enough to just skip over the registration and log the user in under the old account.
Or is there another way that I'm missing?

Thanks, Gregor!
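The owner check Pedro Igor Silva describes in the "API Authorization: on request or response?" thread above (grant only when the subject of the access token is the resource's owner), as an added example that is not code from the thread or from Keycloak: the policy body reads `$evaluation` the way a Keycloak JavaScript policy does (`getContext().getIdentity().getId()`, `getPermission().getResource().getOwner()`, `grant()`, `deny()`), while `makeEvaluation`, `decide` and `grantedResources` are constructed here, together with the sample ids, so the decision logic can be run offline.

```javascript
// Added example, not code from the thread or from Keycloak itself.
// Decision logic of an "only the owner can access" policy, written the way a
// Keycloak JavaScript policy reads the $evaluation object, plus a constructed
// stand-in for $evaluation so the logic can be exercised offline.

// Policy body. Inside Keycloak `$evaluation` is a global; here it is passed in
// so the same function can be driven by the stand-in below.
function onlyOwnerPolicy(evaluation) {
  var identity = evaluation.getContext().getIdentity();    // subject of the access token
  var resource = evaluation.getPermission().getResource(); // resource being requested

  // Resources created in the admin console are owned by the resource server
  // (the client), so their owner id is the client's id and never equals a
  // user id: this policy denies them unless another policy grants access.
  // String() gives a plain comparison for both JS strings and the Java
  // strings Nashorn hands back (Keycloak's docs use Java's equals() here).
  if (String(resource.getOwner()) === String(identity.getId())) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
}

// Constructed stand-in for $evaluation exposing only the accessors the policy
// uses. It is NOT Keycloak's Evaluation object; it just records the decision.
function makeEvaluation(identityId, resourceOwner) {
  var decision = 'NOT_EVALUATED';
  return {
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return identityId; } }; } };
    },
    getPermission: function () {
      return { getResource: function () { return { getOwner: function () { return resourceOwner; } }; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    getDecision: function () { return decision; }
  };
}

// Evaluates the policy for one (token subject, resource owner) pair.
function decide(identityId, resourceOwner) {
  var evaluation = makeEvaluation(identityId, resourceOwner);
  onlyOwnerPolicy(evaluation);
  return evaluation.getDecision();
}

// Models the per-resource evaluation behind an entitlement request: every
// resource is evaluated for the token's subject and only the granted ones
// are returned, so the "filtering" of Corentin's option 3 happens at the
// authorization server, on the request, without inspecting the API response.
function grantedResources(identityId, resources) {
  return resources
    .filter(function (r) { return decide(identityId, r.owner) === 'GRANT'; })
    .map(function (r) { return r.name; });
}

// Constructed sample ids (placeholders, not real Keycloak ids).
var USER_SMITH = 'user-smith-id';
var USER_JONES = 'user-jones-id';
var RESOURCE_SERVER = 'myclient-resource-server-id';

// Constructed sample resources in the shape of the thread's cars example.
var CARS = [
  { name: 'smith car 1', owner: USER_SMITH },
  { name: 'smith car 2', owner: USER_SMITH },
  { name: 'jones car',   owner: USER_JONES },
  { name: 'fleet car',   owner: RESOURCE_SERVER } // "general" resource from the admin console
];

console.log(decide(USER_SMITH, USER_SMITH));      // GRANT
console.log(decide(USER_JONES, USER_SMITH));      // DENY
console.log(decide(USER_SMITH, RESOURCE_SERVER)); // DENY
console.log(grantedResources(USER_SMITH, CARS));  // [ 'smith car 1', 'smith car 2' ]
```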
From mahson1 at gmail.com Wed Nov 15 08:38:13 2017
From: mahson1 at gmail.com (mahendra sonawale)
Date: Wed, 15 Nov 2017 19:08:13 +0530
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

Hello Cedric/Keycloak User comm,

Sorry for getting back late over this. My set-up needs the Admin team's intervention to change the broadcast value, hence the delay in response.

I got the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts value changed to 0

And also tested the multicast set-up message test with "McastReceiverTest" and "McastSenderTest" which works fine.

BUT KEYCLOAK is still NOT working in cluster. I get auto logged out.

PFA the HA file which I am using in my configuration.

IP addresses are dummy.
Node 1 : 1.2.3.4
Node 2 : 1.2.3.5

This is all I tried.
1) Start command - nohup ./bin/standalone.sh --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
2) Tried to run both the nodes with public as well as private interface - but no luck.
3) I have a hardware load balancer where SSL terminates, so the domain will communicate with both the nodes in round robin and both nodes should be
4) PFB the HTTPD Conf

-------------------------
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule remoteip_module modules/mod_remoteip.so

ProxyPreserveHost On
LimitRequestFieldSize 163840
LimitRequestLine 163840

#
ServerName rapid.gi-de.com:443
ErrorLog /opt/keycloak/fiam_error_log
CustomLog /opt/keycloak/fiam_access_log combined
LogLevel warn

RequestHeader set X-Forwarded-Proto "https"

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# not rewrite css, js and images
RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
RewriteRule ^(.*)$ /auth [NC,L,QSA]
#Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

ProxyPass /auth http://1.2.3.4:8080/auth
ProxyPassReverse /auth http://1.2.3.4:8080/auth
------------------
And on the 2nd node only the proxy pass has a change in IP address to 1.2.3.5

6) Server logs:
2017-11-15 14:03:06,255 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,256 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel hibernate: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,259 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-8) ISPN000094: Received new cluster view for channel web: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000079: Channel hibernate local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]

Thanks,
Mahendra

On Thu, Nov 9, 2017 at 6:35 PM, Cédric Couralet wrote:

> 2017-11-09 12:34 GMT+01:00 mahendra sonawale :
> > (You can look for the value in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)
> >
> > In our production linux env the value is 1 -- does that really affect?? and would that be the only cause?
>
> Yes, it is important. At least for us, changing this value to 0 was enough to have a working cluster.
> As I understand it, the value 1 is a protection against DOS but, in the case of Keycloak, prevents each node from discovering the others. In a controlled environment (as recommended in the keycloak docs), I see no problem enabling it.
>
> I'm far from an expert, so maybe someone will have a better idea.

From sthorger at redhat.com Wed Nov 15 09:55:46 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 Nov 2017 15:55:46 +0100
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

Did you check the docs?
Specifically http://www.keycloak.org/docs/latest/server_installation/index.html#multicast-network-setup

On 15 November 2017 at 14:38, mahendra sonawale wrote:

From mposolda at redhat.com Wed Nov 15 09:57:22 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 15 Nov 2017 15:57:22 +0100
Subject: [keycloak-user] UserRepresentation enabled Boolean
In-Reply-To:
References:
Message-ID: <1bcaeb6e-009e-e120-f28b-07eef26c0872@redhat.com>

Interesting issue. Not sure if we're going to change something in the UserRepresentation class just because of JSF limitations. Maybe the possibility is:

- Create some custom JSF renderer/handler/component (not sure what exactly, didn't work with JSF in the last few years) to be able to deal with it
- Create some wrapper/delegate object around the Keycloak UserRepresentation and pass that one to JSF. For example something like:

import org.keycloak.representations.idm.UserRepresentation;

public class MyUser {

    private final UserRepresentation delegate;

    public MyUser(UserRepresentation kcUser) {
        delegate = kcUser;
    }

    public String getFirstName() {
        // Just delegate to the underlying object
        return delegate.getFirstName();
    }

    // Convert "is" to "get" so JSF resolves the Boolean property
    public Boolean getEnabled() {
        return delegate.isEnabled();
    }

    // All the others...
}

Marek

On 14/11/17 13:05, Matthew Broadhead wrote:
> org.keycloak.representations.idm.UserRepresentation
> (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java)
> has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF
> (https://stackoverflow.com/questions/14400222/boolean-properties-starting-with-is-does-not-work)
>
> This also applies to totp and emailVerified in the same class.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Nov 15 11:02:11 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 15 Nov 2017 17:02:11 +0100 Subject: [keycloak-user] Registration when already logged in In-Reply-To: References: Message-ID: Could you please create the JIRA for this? I think it will be easier and more proper to go for (b), but not yet sure. Thanks, Marek On 15/11/17 14:37, Gregor Tudan wrote: > Hello, > > we recently upgraded Keycloak from version 3.0 to 3.2, and now we have run into a small problem, perhaps someone knows a clever solution? > > In Keycloak 3.0, if a user registers while already being signed in, he would STILL be able to register a new user (with another user-name and e-mail), and would automatically be logged in to the NEW user. > > After the Keycloak update, this no longer works. The user gets an error message AFTER registering a new user, stating he is already logged in as someone else, and can't go on. > > I guess this was introduced by https://issues.jboss.org/browse/KEYCLOAK-4626 > > We redirect to the registration page using the javascript adapter. Is there some kind of parameter we can pass to: > a) get the old behaviour (user get?s logged in to the newly created account) or > b) see the error message on the registration page, instead of after registration has been completed? > > Our application allows a user to have more than one account, so it?s not enough to just skip over the registration and log the user in under the old account. > Or is there another way that I?m missing? > > Thanks, Gregor! 
From mahson1 at gmail.com Wed Nov 15 11:19:05 2017
From: mahson1 at gmail.com (mahendra sonawale)
Date: Wed, 15 Nov 2017 21:49:05 +0530
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

Hello Stian,

Thank you for your reply.
I have gone through the links and reference links as well.
Trying Keycloak cluster with multicast over the private interface, and in separate testing messages are getting through (McastReceiverTest, McastSenderTest).
Tried my best to accommodate the needed things into the cluster environment, and as per my understanding it looks the same as what is present in the given guidelines.
Appreciate your help in identifying if anything is missing in the config.
I have been stuck here for a couple of weeks :(

Have shared whatever set-up we have in the mail trail.

Thanks,
Mahendra Sonawale.

On Wed, Nov 15, 2017 at 8:25 PM, Stian Thorgersen wrote:
> Did you check the docs? Specifically http://www.keycloak.org/docs/latest/server_installation/index.html#multicast-network-setup
>
> On 15 November 2017 at 14:38, mahendra sonawale wrote:
>
>> Hello Cedric/Keycloak User comm,
>>
>> Sorry for getting back late on this. My set-up needs the Admin team's intervention to change the broadcast value, hence the delay in response.
>>
>> I got the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts value changed to 0
>>
>> And also tested the multicast set-up with the message test ("McastReceiverTest" and "McastSenderTest"), which works fine.
>>
>> BUT KEYCLOAK is still NOT working in cluster. I get auto logged out.
>>
>> PFA the HA file which I am using in my configuration.
>>
>> IP addresses are dummy.
>> Node 1 : 1.2.3.4
>> Node 2 : 1.2.3.5
>>
>> This is all I tried.
>> 1) Start command - nohup ./bin/standalone.sh --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
>> 2) Tried to run both the nodes with public as well as private interface - but no luck.
>> 3) I have a hardware load balancer where SSL terminates, so the domain will communicate to both the nodes in round robin and both nodes should be
>>
>> 4) PFB the HTTPD conf
>>
>> -------------------------
>> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
>> LoadModule remoteip_module modules/mod_remoteip.so
>>
>> ProxyPreserveHost On
>> LimitRequestFieldSize 163840
>> LimitRequestLine 163840
>>
>> #
>> ServerName rapid.gi-de.com:443
>> ErrorLog /opt/keycloak/fiam_error_log
>> CustomLog /opt/keycloak/fiam_access_log combined
>> LogLevel warn
>>
>> RequestHeader set X-Forwarded-Proto "https"
>>
>> RewriteEngine on
>> RewriteCond %{REQUEST_FILENAME} !-f
>> RewriteCond %{REQUEST_FILENAME} !-d
>> # not rewrite css, js and images
>> RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
>> RewriteRule ^(.*)$ /auth [NC,L,QSA]
>> #Options -Indexes FollowSymLinks
>> AllowOverride None
>> Order allow,deny
>> Allow from all
>>
>> ProxyPass /auth http://1.2.3.4:8080/auth
>> ProxyPassReverse /auth http://1.2.3.4:8080/auth
>> ------------------
>> And on the 2nd node only the proxy pass has a change in IP address, to 1.2.3.5
>>
>> 6) Server logs:
>> 2017-11-15 14:03:06,255 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
>> 2017-11-15 14:03:06,256 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel hibernate: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
>> 2017-11-15 14:03:06,259 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-8) ISPN000094: Received new cluster view for channel web: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
>> 2017-11-15 14:03:06,263 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
>> 2017-11-15 14:03:06,263 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000079: Channel hibernate local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
>> 2017-11-15 14:03:06,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
>> 2017-11-15 14:03:06,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
>> 2017-11-15 14:03:06,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
>>
>> ProxyPass /auth http://1.2.3.4:8080/auth
>> ProxyPassReverse /auth http://1.2.3.4:8080/auth
>>
>> Thanks,
>> Mahendra
>>
>> On Thu, Nov 9, 2017 at 6:35 PM, Cédric Couralet <cedric.couralet at gmail.com> wrote:
>>
>>> 2017-11-09 12:34 GMT+01:00 mahendra sonawale :
>>>> (You can look for the value in
>>>> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)
>>>>
>>>> In our production linux env the value is 1 -- does that really affect?
>>>> and would that be the only cause?
>>>>
>>>
>>> Yes, it is important. At least for us, changing this value to 0 was
>>> enough to have a working cluster.
>>> As I understand it, the value 1 is a protection against DOS but, in
>>> the case of Keycloak, prevents each node from discovering the others. In a
>>> controlled environment (as recommended in the keycloak docs), I see no
>>> problem enabling it.
>>>
>>> I'm far from an expert, so maybe someone will have a better idea.

From matthew.broadhead at nbmlaw.co.uk Wed Nov 15 13:53:01 2017
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Wed, 15 Nov 2017 19:53:01 +0100
Subject: [keycloak-user] UserRepresentation enabled Boolean
In-Reply-To: <1bcaeb6e-009e-e120-f28b-07eef26c0872@redhat.com>
References: <1bcaeb6e-009e-e120-f28b-07eef26c0872@redhat.com>
Message-ID: <9c56a5cf-08ac-f6e8-26d9-aec227092f0f@nbmlaw.co.uk>

yes i am already using a wrapper but i thought you might want to address the problem? technically it is incorrect coding.

a boolean can be true or false, defaulting to false. therefore isEnabled must be true or false

a Boolean can be true, false or null, defaulting to null. therefore isEnabled can blow up with an NPE and doesn't truly represent an "is" statement.

how did it get coded as isEnabled and setEnabled in the first place? is there something wrong with the IDE you are using?

On 15/11/2017 15:57, Marek Posolda wrote:
> Interesting issue. Not sure if we're going to change something in the
> UserRepresentation class just because of JSF limitations. Maybe the
> possibility is:
>
> - Create some custom JSF renderer/handler/component (not sure what
> exactly, didn't work with JSF in the last few years) to be able to
> deal with it
>
> - Create some wrapper/delegate object around Keycloak
> UserRepresentation and pass that one to JSF. For example something like:
>
>     public class MyUser {
>
>         private final UserRepresentation delegate;
>
>         public MyUser(UserRepresentation kcUser) {
>             delegate = kcUser;
>         }
>
>         public String getFirstName() {
>             // Just delegate to the underlying object
>             return delegate.getFirstName();
>         }
>
>         // Convert "is" to "get"
>         public Boolean getEnabled() {
>             return delegate.isEnabled();
>         }
>
>         // All the others...
>     }
>
> Marek

From sthorger at redhat.com Wed Nov 15 14:17:45 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 Nov 2017 20:17:45 +0100
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

Try using a fresh install of Keycloak with no modifications at all and try running:

# bin/standalone.sh --server-config=standalone-ha.xml -b -bprivate

On 15 November 2017 at 17:19, mahendra sonawale wrote:

> Hello Stian,
>
> Thank you for your reply.
> I have gone through the links and reference links as well.
> Trying Keycloak cluster with multicast over the private interface, and in separate testing messages are getting through (McastReceiverTest, McastSenderTest).
> Tried my best to accommodate the needed things into the cluster environment, and as per my understanding it looks the same as what is present in the given guidelines.
> Appreciate your help in identifying if anything is missing in the config.
> I have been stuck here for a couple of weeks :(
>
> Have shared whatever set-up we have in the mail trail.
>
> Thanks,
> Mahendra Sonawale.

From mahson1 at gmail.com Thu Nov 16 03:44:57 2017
From: mahson1 at gmail.com (mahendra sonawale)
Date: Thu, 16 Nov 2017 14:14:57 +0530
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

Hello Stian/Keycloak User group,

Appreciate your help on this.
As mentioned earlier, the system is currently in production and it would be a long and lengthy process for us to bring the higher version into the live env.

Though I checked the HA config from the 3.4 Final version and did not see much difference from the existing HA configuration present in our env.

Would you please give another look at our configuration and suggest a solution.

Thanks,
Mahendra Sonawale.
+91 9130775865

On Thu, Nov 16, 2017 at 12:47 AM, Stian Thorgersen wrote:

> Try using a fresh install of Keycloak with no modifications at all and try running:
>
> # bin/standalone.sh --server-config=standalone-ha.xml -b -bprivate
>
> On 15 November 2017 at 17:19, mahendra sonawale wrote:
>
>> Hello Stian,
>>
>> Thank you for your reply.
>> I have gone through the links and reference links as well.
>> Trying Keycloak cluster with multicast over the private interface, and in separate testing messages are getting through (McastReceiverTest, McastSenderTest).
>> Tried my best to accommodate the needed things into the cluster environment, and as per my understanding it looks the same as what is present in the given guidelines.
>> Appreciate your help in identifying if anything is missing in the config.
>> I have been stuck here for a couple of weeks :(
>>
>> Have shared whatever set-up we have in the mail trail.
>>
>> Thanks,
>> Mahendra Sonawale.

From sthorger at redhat.com Thu Nov 16 03:53:45 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 16 Nov 2017 09:53:45 +0100
Subject: [keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster
In-Reply-To:
References:
Message-ID:

I couldn't spot anything obviously wrong with your config, but I only took a quick glance at it. We simply don't have capacity to debug issues for users that are using Keycloak for free.

Best I can do is give you some tips on how to identify the issues yourself, and the first thing I would personally try is to go back to the clean config to see if the issues are there as well. If they are, then it's most likely something in your environment; if they're not, then there's probably something in your config.

If you want more support from Red Hat, consider getting the supported RH-SSO option.

On 16 November 2017 at 09:44, mahendra sonawale wrote:

> Hello Stian/Keycloak User group,
>
> Appreciate your help on this.
> As mentioned earlier, the system is currently in production and it would be a long and lengthy process for us to bring the higher version into the live env.
>
> Though I checked the HA config from the 3.4 Final version and did not see much difference from the existing HA configuration present in our env.
>
> Would you please give another look at our configuration and suggest a solution.
>
> Thanks,
> Mahendra Sonawale.
> +91 9130775865
>
> On Thu, Nov 16, 2017 at 12:47 AM, Stian Thorgersen wrote:
>
>> Try using a fresh install of Keycloak with no modifications at all and try running:
>>
>> # bin/standalone.sh --server-config=standalone-ha.xml -b -bprivate

From neo11078016 at gmail.com Thu Nov 16 04:18:50 2017
From: neo11078016 at gmail.com (Min Han Lee)
Date: Thu, 16 Nov 2017 09:18:50 +0000
Subject: [keycloak-user] SAML Logout url
Message-ID:

Hello, can anyone shed some light on how to configure SAML single logout, please? I postfixed the POST binding by adding ?GLO=true but it didn't work.

Kind Regards

From psilva at redhat.com Thu Nov 16 05:57:57 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 16 Nov 2017 08:57:57 -0200
Subject: [keycloak-user] API Authorization: on request or response?
In-Reply-To:
References:
Message-ID:

Yes. Or Rule Policy (Drools).

On Wed, Nov 15, 2017 at 11:00 AM, Corentin Dupont wrote:

> Thanks.
> Is it possible to define this policy "Only the Owner Can Access" in the Keycloak UI? Should I use a Javascript policy?
>
> On Wed, Nov 15, 2017 at 12:48 PM, Pedro Igor Silva wrote:
>
>> Yes, that is correct. When you create a resource via the admin console, the owner is always the resource server itself.
The resource can be considered as a >> "common" or "general" resource, managed and owned by the resource server >> itself. >> >> When using the API, you can set the owner to any user you want (we have a >> JIRA to also allow setting the owner to a group), which means the resource >> belongs to that particular user. >> >> Your question is very pertinent and allows me to clarify an interesting >> behavior when permissions are evaluated for a given user. When you ask >> permissions for a particular user (where the user's identity is represented >> by the access token you send to either the Entitlement or the Authorization API) >> Keycloak will evaluate permissions based on the resources owned by the >> resource server (the general resources) plus the ones that belong to the >> user. >> >> When you set the owner to a user you can write policies like "Only the >> Owner Can Access" as you can check if the identity seeking access >> (represented by the access token) is the same as the owner of a resource. >> >> >> >> On Wed, Nov 15, 2017 at 9:11 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Sorry to disturb again, another small question: >>> It seems that with the Keycloak UI I cannot choose the owner of a >>> resource, but with the API I can? Is that correct? >>> Thanks >>> >>> On Tue, Nov 14, 2017 at 9:43 PM, Pedro Igor Silva >>> wrote: >>> >>>> In the first case you should get an error instead. Will check the >>>> second case as in theory it should just ignore the scope.
>>>> >>>> On Tue, Nov 14, 2017 at 2:32 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> I spotted something strange: >>>>> If I try with a non-existent resource: >>>>> >>>>> $ curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>> Bearer $TOKEN" -d '{ >>>>> "permissions" : [ >>>>> { >>>>> "resource_set_name" : "xxx", >>>>> "scopes" : [ >>>>> "view" >>>>> ] >>>>> } >>>>> ] >>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >>>>> >>>>> It replies with 200: >>>>> {"rpt":"eyJhbG...} >>>>> Is this correct? >>>>> >>>>> If I try also with a non-existent scope (yes I'm nitpicking): >>>>> >>>>> $ curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>> Bearer $TOKEN" -d '{ >>>>> "permissions" : [ >>>>> { >>>>> "resource_set_name" : "xxx", >>>>> "scopes" : [ >>>>> "xxx" >>>>> ] >>>>> } >>>>> ] >>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >>>>> >>>>> >>>>> It replies with 500: Internal Server Error >>>>> >>>>> On Tue, Nov 14, 2017 at 2:13 PM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> This works great, thanks.
>>>>>> >>>>>> TOKEN=`curl -X POST \ >>>>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>>>> -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' >>>>>> "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" | jq .access_token -r` >>>>>> >>>>>> Then I do: >>>>>> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN" >>>>>> ["037f5d3e-8f25-4af1-93a0-4e17455d0614"] >>>>>> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set/037f5d3e-8f25-4af1-93a0-4e17455d0614" -H >>>>>> "Authorization: Bearer $TOKEN" >>>>>> { >>>>>> "name": "Sensors", >>>>>> "uri": "/sensors/*", >>>>>> "type": "http://localhost:3000/sensors", >>>>>> "scopes": [ >>>>>> { >>>>>> "id": "da776461-c1f5-4904-a559-1ca04d9f53a9", >>>>>> "name": "view" >>>>>> }, >>>>>> { >>>>>> "id": "2615157c-f588-4e2b-ba1c-720fe8394215", >>>>>> "name": "manage" >>>>>> } >>>>>> ], >>>>>> "owner": "0892e431-5daf-413e-b4cf-eaee121ee447", >>>>>> "_id": "037f5d3e-8f25-4af1-93a0-4e17455d0614", >>>>>> "id": "037f5d3e-8f25-4af1-93a0-4e17455d0614" >>>>>> } >>>>>> >>>>>> Next I tried to POST a new resource: >>>>>> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Content-Type: >>>>>> application/json" -H "Authorization: Bearer $TOKEN" -d '{ >>>>>> "name": "My house", >>>>>> "uri": "/houses/123", >>>>>> "scopes": [ >>>>>> { >>>>>> "id": "da776461-c1f5-4904-a559-1ca04d9f53a9", >>>>>> "name": "view" >>>>>> }, >>>>>> { >>>>>> "id": "2615157c-f588-4e2b-ba1c-720fe8394215", >>>>>> "name": "manage" >>>>>> } >>>>>> ], >>>>>> "owner": "0892e431-5daf-413e-b4cf-eaee121ee447" >>>>>> }' >>>>>> >>>>>> Everything seems OK.
>>>>>> >>>>>> >>>>>> On Tue, Nov 14, 2017 at 1:44 PM, Pedro Igor Silva >>>>>> wrote: >>>>>> >>>>>>> Try this: >>>>>>> >>>>>>> curl -X POST \ >>>>>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>>>>> -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' >>>>>>> "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" >>>>>>> >>>>>>> Without BASIC but credentials as form parameters. >>>>>>> >>>>>>> On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont < >>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>> >>>>>>>> Thanks, actually I saw it but I didn't understand where this bit >>>>>>>> came from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA== >>>>>>>> >>>>>>>> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva < >>>>>>>> psilva at redhat.com> wrote: >>>>>>>> >>>>>>>>> The problem here is that you got an access token (that you are >>>>>>>>> using as a bearer to access Protection API) using resource owner password >>>>>>>>> grant type (direct grant). That means the subject of the token is a user >>>>>>>>> (username) and not the resource server itself. >>>>>>>>> >>>>>>>>> Only resource servers (your client application) are allowed to >>>>>>>>> access the Protection API (and managed resources). >>>>>>>>> >>>>>>>>> The access token you got is valid to query for permissions though, >>>>>>>>> as you want to obtain the set of permissions a user has, where the token >>>>>>>>> represents the user identity. >>>>>>>>> >>>>>>>>> You should fix that error by obtaining an access token for your >>>>>>>>> client.
Something like that (from docs): >>>>>>>>> >>>>>>>>> curl -X POST \ >>>>>>>>> -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \ >>>>>>>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>>>>>>> -d 'grant_type=client_credentials' \ >>>>>>>>> "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" >>>>>>>>> >>>>>>>>> >>>>>>>>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont < >>>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Thanks for the documentation, after reading it I found that I can >>>>>>>>>> use "entitlement" endpoints for my use case. >>>>>>>>>> So I do: >>>>>>>>>> >>>>>>>>>> TOKEN=`curl -X POST -H "Content-Type: >>>>>>>>>> application/x-www-form-urlencoded" -d >>>>>>>>>> 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' >>>>>>>>>> "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" | jq .access_token -r` >>>>>>>>>> >>>>>>>>>> curl -X POST -H "Content-Type: application/json" -H >>>>>>>>>> "Authorization: Bearer $TOKEN" -d '{ >>>>>>>>>> "permissions" : [ >>>>>>>>>> { >>>>>>>>>> "resource_set_name" : "Houses", >>>>>>>>>> "scopes" : [ >>>>>>>>>> "view" >>>>>>>>>> ] >>>>>>>>>> } >>>>>>>>>> ] >>>>>>>>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient" >>>>>>>>>> >>>>>>>>>> Is this correct? It seems to be working. >>>>>>>>>> I am not sure how I can get/create resources via the API.
>>>>>>>>>> I tried: >>>>>>>>>> >>>>>>>>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN" >>>>>>>>>> But I get: >>>>>>>>>> {"error":"invalid_clientId","error_description":"Client >>>>>>>>>> application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does >>>>>>>>>> not exist in realm [myrealm]"} >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont < >>>>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi again, >>>>>>>>>>> I looked everywhere but I couldn't find an Evaluation API for >>>>>>>>>>> javascript... >>>>>>>>>>> In my nodeJS server, should I call UMA API endpoints? >>>>>>>>>>> >>>>>>>>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva < >>>>>>>>>>> psilva at redhat.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> It seems you are looking for fine-grained permissions. Could >>>>>>>>>>>> you take a look at this example [1] and documentation [2]? >>>>>>>>>>>> >>>>>>>>>>>> One of the things shown by that example is how to protect >>>>>>>>>>>> resources based on their owner. >>>>>>>>>>>> >>>>>>>>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz >>>>>>>>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html >>>>>>>>>>>> >>>>>>>>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < >>>>>>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>> another small question :) >>>>>>>>>>>>> >>>>>>>>>>>>> Suppose you have an API looking like this: >>>>>>>>>>>>> http://www.example.com/api/v1/cars >>>>>>>>>>>>> >>>>>>>>>>>>> Cars have an owner: >>>>>>>>>>>>> { >>>>>>>>>>>>> name: "my car", >>>>>>>>>>>>> owner: "smith" >>>>>>>>>>>>> } >>>>>>>>>>>>> >>>>>>>>>>>>> How to make sure that you can only get cars that are yours >>>>>>>>>>>>> (you can have >>>>>>>>>>>>> several cars)?
>>>>>>>>>>>>> If you make a simple GET on this endpoint, should I: >>>>>>>>>>>>> 1. just reply with an "Access denied" because the request is >>>>>>>>>>>>> too large: it >>>>>>>>>>>>> could yield cars that are not yours, >>>>>>>>>>>>> 2. reply with "Access denied" if the response list contains >>>>>>>>>>>>> some cars that >>>>>>>>>>>>> are not yours, >>>>>>>>>>>>> 3. filter the response car list with only yours? >>>>>>>>>>>>> >>>>>>>>>>>>> It seems that 1. is the simplest because it uses only the >>>>>>>>>>>>> request to make >>>>>>>>>>>>> decisions. >>>>>>>>>>>>> 2. uses the response to make the decision, while 3. requires the >>>>>>>>>>>>> collaboration >>>>>>>>>>>>> of the response handler in my API server, in order to >>>>>>>>>>>>> implement the >>>>>>>>>>>>> filtering. >>>>>>>>>>>>> What is the most standard way? >>>>>>>>>>>>> >>>>>>>>>>>>> I also have some trouble understanding how to implement that >>>>>>>>>>>>> with Keycloak >>>>>>>>>>>>> protect in NodeJS. >>>>>>>>>>>>> Cheers!! >>>>>>>>>>>>> Corentin >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From neo11078016 at gmail.com Thu Nov 16 08:31:05 2017 From: neo11078016 at gmail.com (Min Han Lee) Date: Thu, 16 Nov 2017 13:31:05 +0000 Subject: [keycloak-user] SP initiate SAML Logout Message-ID: Hello, Does anybody know the SAML logout URL for Keycloak please? The SSO SAML IDPSSO descriptor on the installation tab is not really helpful. I have an issue where my logout SAML is redirecting back to login SAML. Please, can anyone shed some light on this?
Kind Regards From ylevine20 at gmail.com Thu Nov 16 14:45:42 2017 From: ylevine20 at gmail.com (Y Levine) Date: Thu, 16 Nov 2017 11:45:42 -0800 Subject: [keycloak-user] Users -- Live lookup to AD Message-ID: I have Keycloak which imported users from AD (with periodic sync). Is it possible to leverage OIDC without importing users into Keycloak --- hence when a user authenticates, Keycloak will perform a live lookup on credentials/attributes against AD? From subhrajyotim at gmail.com Fri Nov 17 02:23:56 2017 From: subhrajyotim at gmail.com (Subhrajyoti Moitra) Date: Fri, 17 Nov 2017 12:53:56 +0530 Subject: [keycloak-user] UserRepresentation error in calling userResource.search(...) apis using keycloak-admin-client 3.4.0 Message-ID: Hello Friends, I am getting the below exception when I call userResource.search(..) api in keycloak-admin-client. I am using wildfly-swarm to secure my rest services. One of the stateless beans requires user details. So I am using keycloak-admin-client to get user info from the Keycloak Server (standalone 3.2.1.Final). I have tried with admin-client 3.2.1.Final. I get the same error. What am I doing wrong? I think some deps are messed up. But which ones? UserRepresentation is part of keycloak-core jar. I see the 3.4.0.Final jar as expected. Wildfly-swarm- 2017.11.0 keycloak-admin-client-3.4.0.Final keycloak server- 3.2.1.Final Please help. I am stuck and not able to proceed. Some pointers on the same would be very helpful.
2017-11-17 12:43:10,542 [default task-1 ] ERROR stderr - javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (24 known properties: "disableableCredentialTypes", "enabled", "emailVerified", "origin", "self", "applicationRoles", "createdTimestamp", "clientRoles", "groups", "username", "totp", "id", "email", "federationLink", "serviceAccountClientId", "lastName", "clientConsents", "socialLinks", "realmRoles", "attributes", "firstName", "credentials", "requiredActions", "federatedIdentities"]) 2017-11-17 12:43:10,542 [default task-1 ] ERROR stderr - at [Source: org.apache.http.conn.EofSensorInputStream at 519efa33; line: 1, column: 300] (through reference chain: java.util.ArrayList[0]->org.keycloak.representations.idm.UserRepresentation["access"]) Thanks a lot, Subhro. From mph at tecbakery.com Fri Nov 17 08:11:54 2017 From: mph at tecbakery.com (mph at tecbakery.com) Date: Fri, 17 Nov 2017 14:11:54 +0100 Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4 Message-ID: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> Hi I tried to upgrade our installation from 3.3 to 3.4, following the guide at http://www.keycloak.org/docs/latest/upgrading/index.html, and am receiving the following error on startup. Comparing both default standalone.xml I found that in 3.3 the urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0... Any help is highly appreciated. Martin /opt/keycloak/keycloak-3.4.0# bin/standalone.sh -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 JAVA: /usr/lib/jvm/java-8-oracle/bin/java JAVA_OPTS:
-server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true ========================================================================= 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version 1.6.0.Final 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) OPVDX001: Validation error in standalone.xml ----------------------------------- | | 322: | 323: | 324: | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' | | 325: | 326: | 327: | | The primary underlying error message was: | > ParseError at [row,col]:[324,9] | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' | |------------------------------------------------------------------------------- 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143) at org.jboss.as.server.ServerService.boot(ServerService.java:387) at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370) at java.lang.Thread.run(Thread.java:748) 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
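The OPVDX001 error above is the new server refusing a subsystem namespace version it does not know: the 3.3 standalone.xml (built on the WildFly 11 Beta) declares urn:wildfly:elytron:1.2, while 3.4 expects 1.0, and a file that fails to parse also stops bin/jboss-cli.sh --file=bin/migrate-standalone.cli from booting its embedded server. The script below is an added example, not part of the thread and not part of Keycloak: it extracts every `<subsystem xmlns="urn:...">` version from two standalone.xml files and reports the subsystems whose version differs, which tells you what to hand-edit before retrying the migration. The two sample files it writes are constructed stand-ins containing only subsystem opening tags; apart from the elytron 1.2 versus 1.0 pair taken from the thread, the other namespace versions in them are illustrative. It assumes POSIX sh with grep -o, sed, awk and mktemp.

```sh
#!/bin/sh
# Added example (not from the mailing list thread and not Keycloak's own tooling):
# compare <subsystem xmlns="urn:..."> versions between two standalone.xml files.
export LC_ALL=C

# Print "namespace-without-version version" for every subsystem declared in $1,
# e.g. "urn:wildfly:elytron 1.2", one per line, deduplicated.
subsystem_versions() {
  grep -o '<subsystem xmlns="urn:[^"]*"' "$1" \
    | sed 's/.*xmlns="\(.*\):\([0-9.]*\)"/\1 \2/' \
    | sort -u
}

# Report subsystems present in both files whose version differs, as
#   urn:wildfly:elytron: 1.2 -> 1.0
# Subsystems present in only one file are not reported: they need a different
# decision (drop the old subsystem, or keep the new default) than a version edit.
version_mismatches() {
  old=$(mktemp); new=$(mktemp)
  subsystem_versions "$1" > "$old"
  subsystem_versions "$2" > "$new"
  awk 'FILENAME == ARGV[1] { v[$1] = $2; next }
       ($1 in v) && v[$1] != $2 { print $1 ": " v[$1] " -> " $2 }' "$old" "$new"
  rm -f "$old" "$new"
}

# Constructed sample files standing in for the old (3.3) and new (3.4)
# configuration. Only the subsystem opening tags matter for this check, so the
# rest of a real standalone.xml is omitted; the undertow and keycloak-server
# versions are illustrative, the elytron pair is the one from the thread.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/standalone-3.3.xml" <<'EOF'
<server xmlns="urn:jboss:domain:5.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:4.0"/>
    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"/>
    <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto"/>
  </profile>
</server>
EOF
  cat > "$dir/standalone-3.4.xml" <<'EOF'
<server xmlns="urn:jboss:domain:5.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:4.0"/>
    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"/>
    <subsystem xmlns="urn:wildfly:elytron:1.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"/>
  </profile>
</server>
EOF
  echo "$dir"
}

# Real use: version_mismatches /backup/standalone.xml keycloak-3.4.0/standalone/configuration/standalone.xml
# Demo on the constructed samples: sh compare-subsystems.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(make_samples)
  version_mismatches "$d/standalone-3.3.xml" "$d/standalone-3.4.xml"
fi
```

Run it against the backup taken before the upgrade and the standalone.xml shipped in the 3.4 distribution; every line it prints is a namespace the old file declares at a version the new server cannot parse (or the reverse), and the thread's advice of starting from the shipped 3.4 file and re-applying local changes avoids the problem for all of them at once.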
From lists at merit.unu.edu Fri Nov 17 08:38:57 2017 From: lists at merit.unu.edu (mj) Date: Fri, 17 Nov 2017 14:38:57 +0100 Subject: [keycloak-user] upgrade to 3.4 issue In-Reply-To: References: <14c26515-132d-1662-e629-dd47c79e9bb8@merit.unu.edu> Message-ID: <055a2512-680f-f165-626a-824b45afed69@merit.unu.edu> Hi Stian, list, So, manually editing standalone.xml got me further, but not yet 100% success. :-) I edited standalone.xml by hand, and have things working on port 8080. But we have been using keycloak 2.x / 3.x through an apache2 reverse https proxy, requiring the following config in standalone.xml: > However, keycloak 3.4 complains with this config: > 14:34:18,158 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=default' are not available: > org.wildfly.network.socket-binding.proxy-https; Possible registration points for this capability: > /socket-binding-group=*/socket-binding=* > 14:34:18,161 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. > 14:34:18,189 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) stopped in 6ms Some advice would be appreciated, as we are not that experienced in wildfly / java, etc. Or is there perhaps another (new?) way to have keycloak running on https with a Let's Encrypt SSL certificate? Using the apache2 reverse proxy way has served us very well over the last years. Thanks! MJ On 11/15/2017 09:26 AM, Stian Thorgersen wrote: > That seems like it could be an issue caused by the fact that KC 3.3 was > based on WildFly 11 Beta. You'll probably have to manually update the > standalone file (or grab the one from 3.2 release if you still have that).
> > On 14 November 2017 at 11:17, lists > wrote: > > Hi, > > Today we tried to upgrade our standalone 3.3 install to 3.4, following > the docs: > > - copied 3.3 /standalone/ over the 3.4 install, replacing all > - copied mysql connector in modules/system/layers/keycloak/org > > But then, the standalone upgrade script doesn't work: > > > root at server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh > --file=bin/migrate-standalone.cli > > Cannot start embedded server: WFLYEMB0021: Cannot start embedded > process: Operation failed: WFLYSRV0056: Server boot has failed in an > unrecoverable manner; exiting. See previous messages for details. > > root at server:/opt/keycloak-3.4.0.Final# > > When starting the 3.4 server without having run the upgrade script, we > see what the actual problem appears to be: > > > OPVDX001: Validation error in standalone.xml > ----------------------------------- > > | > > | 470: > > | 471: > > | 472: final-providers="combined-providers" > disallowed-providers="OracleUcrypto"> > > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > > | > > | 473: > > | 474: > > | 475: > > | > > | The primary underlying error message was: > > | > ParseError at [row,col]:[472,9] > > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > > | > > > |------------------------------------------------------------------------------- > > The same standalone.xml still works in keycloak 3.3, so it basically > seems to be ok, or not corrupt at least. This install has been upgraded > from: > 3.0 -> 3.1 -> 3.3 (we skipped 3.2) > > It seems that our config has to be migrated using the script, but the > upgrade-standalone.cli script will not run... > > What to do?
> > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From snehalata.nagaje at harbingergroup.com Fri Nov 17 08:42:50 2017 From: snehalata.nagaje at harbingergroup.com (Snehalata Nagaje) Date: Fri, 17 Nov 2017 19:12:50 +0530 (IST) Subject: [keycloak-user] how to customize IDP initiated SSO login Message-ID: <1753674778.15253837.1510926170057.JavaMail.zimbra@harbingergroup.com> Hi Team, I have a requirement to customize the IDP-initiated SSO login. Is it possible to do this using a custom authenticator? Thanks, Snehalata Disclaimer: This e-mail may contain Privileged/Confidential information and is intended only for the individual(s) named. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. Please notify the sender, if you have received this e-mail by mistake and delete it from your system. Information in this message that does not relate to the official business of the company shall be understood as neither given nor endorsed by it. E-mail transmission cannot be guaranteed to be secure or error-free. The sender does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Visit us at http://www.harbingergroup.com/ From lists at merit.unu.edu Fri Nov 17 08:47:17 2017 From: lists at merit.unu.edu (mj) Date: Fri, 17 Nov 2017 14:47:17 +0100 Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4 In-Reply-To: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> Message-ID: Hi, See a similar thread this week by me, subject "upgrade to 3.4 issue".
I edited the standalone.xml that came with 3.4 by hand, putting in the changes we did. That made keycloak 3.4 start. Perhaps you can try that too. However, we are running behind an apache2 proxy, and also that doesn't work anymore as it did in the past. It seems only minor, 3.3 -> 3.4, but actually it's quite a big upgrade... MJ On 11/17/2017 02:11 PM, mph at tecbakery.com wrote: > Hi > > I tried to upgrade our installation from 3.3 to 3.4, following the guide > at http://www.keycloak.org/docs/latest/upgrading/index.html, and am > receiving the following error on startup. > Comparing both default standalone.xml I found that in 3.3 the > urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0... > > Any help is highly appreciated. > > Martin > > /opt/keycloak/keycloak-3.4.0# bin/standalone.sh > -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 > ========================================================================= > > JBoss Bootstrap Environment > > JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 > > JAVA: /usr/lib/jvm/java-8-oracle/bin/java > > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > ========================================================================= > > 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version > 1.6.0.Final > 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 > 13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: > Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting > 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) > > OPVDX001: Validation error in standalone.xml > ----------------------------------- > | > | 322: > | 323: > | 324: final-providers="combined-providers" disallowed-providers="OracleUcrypto"> > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > | 325: > | 326:
> | 327: > | > | The primary underlying error message was: > | > ParseError at [row,col]:[324,9] > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > |------------------------------------------------------------------------------- > > 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0055: Caught exception during boot: > org.jboss.as.controller.persistence.ConfigurationPersistenceException: > WFLYCTL0085: Failed to parse configuration > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143) > at org.jboss.as.server.ServerService.boot(ServerService.java:387) > at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370) > at java.lang.Thread.run(Thread.java:748) > > 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. > See previous messages for details. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Fri Nov 17 09:01:47 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 17 Nov 2017 12:01:47 -0200 Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4 In-Reply-To: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> Message-ID: Hi, Can you tell me the steps you took from that guide? On Fri, Nov 17, 2017 at 11:11 AM, wrote: > Hi > > I tried to upgrade our installation from 3.3 to 3.4, following the guide > at http://www.keycloak.org/docs/latest/upgrading/index.html, and am > receiving the following error on startup. > Comparing both default standalone.xml I found that in 3.3 the > urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0... > > Any help is highly appreciated.
> > Martin > > /opt/keycloak/keycloak-3.4.0# bin/standalone.sh > -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 > ========================================================================= > > JBoss Bootstrap Environment > > JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 > > JAVA: /usr/lib/jvm/java-8-oracle/bin/java > > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > ========================================================================= > > 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version > 1.6.0.Final > 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 > 13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: > Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting > 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) > > OPVDX001: Validation error in standalone.xml > ----------------------------------- > | > | 322: > | 323: > | 324: final-providers="combined-providers" disallowed-providers="OracleUcrypto"> > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > | 325: > | 326: > | 327: > | > | The primary underlying error message was: > | > ParseError at [row,col]:[324,9] > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > |----------------------------------------------------------- > -------------------- > > 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0055: Caught exception during boot: > org.jboss.as.controller.persistence.ConfigurationPersistenceException: > WFLYCTL0085: Failed to parse configuration > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:143) > at org.jboss.as.server.ServerService.boot(ServerService.java:387) > at > org.jboss.as.controller.AbstractControllerService$1. 
> run(AbstractControllerService.java:370) > at java.lang.Thread.run(Thread.java:748) > > 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. > See previous messages for details. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mph at tecbakery.com Fri Nov 17 09:06:43 2017 From: mph at tecbakery.com (mph at tecbakery.com) Date: Fri, 17 Nov 2017 15:06:43 +0100 Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4 In-Reply-To: References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> Message-ID: <69856560-46d7-1c50-1f35-c2f60e9491d9@tecbakery.com> Hi * 2.1 * 2.2 o 2.2 5 for standalone * 2.2.1 o this already failed with an error in words: 1. created a full backup 2. downloaded 3.4 tgz 3. unzipped and copied standalone 4. removed data/tx-object-store/ 5. tried to run "bin/jboss-cli.sh --file=bin/migrate-standalone.cli" 6. this is failing with Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. 7. starting standalone yields the error reported Did I miss something? On 17.11.2017 15:01, Pedro Igor Silva wrote: > Hi, > > Can you tell me the steps you took from that guide ? > > On Fri, Nov 17, 2017 at 11:11 AM, > wrote: > > Hi > > I tried to upgrade our installation from 3.3 to 3.4, following the > guide > at http://www.keycloak.org/docs/latest/upgrading/index.html > , and am > receiving the following error on startup. > Comparing both default standalone.xml I found that in 3.3 the > urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0... > > Any help is highly appreciated. 
> > Martin > > /opt/keycloak/keycloak-3.4.0# bin/standalone.sh > -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 > ========================================================================= > > JBoss Bootstrap Environment > > JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 > > JAVA: /usr/lib/jvm/java-8-oracle/bin/java > > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > ========================================================================= > > 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version > 1.6.0.Final > 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 > 13:55:40,462 INFO [org.jboss.as] (MSC > service thread 1-8) WFLYSRV0049: > Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting > 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) > > OPVDX001: Validation error in standalone.xml > ----------------------------------- > | > | 322: > | 323: > | 324: final-providers="combined-providers" > disallowed-providers="OracleUcrypto"> > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > | 325: > | 326: > | 327: > | > | The primary underlying error message was: > | > ParseError at [row,col]:[324,9] > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > |------------------------------------------------------------------------------- > > 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0055: Caught exception during boot: > org.jboss.as.controller.persistence.ConfigurationPersistenceException: > WFLYCTL0085: Failed to parse configuration > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143) > at > org.jboss.as.server.ServerService.boot(ServerService.java:387) >
at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370) > at java.lang.Thread.run(Thread.java:748) > > 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0056: Server boot has failed in an unrecoverable manner; > exiting. > See previous messages for details. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From khirschmann at huebinet.de Fri Nov 17 09:11:39 2017 From: khirschmann at huebinet.de (Kevin Hirschmann) Date: Fri, 17 Nov 2017 14:11:39 +0000 Subject: [keycloak-user] keycloak 3.4.0 - Missing relation Message-ID: Hello everybody, I am setting up a new keycloak instance (3.4.0) resulting in the following error (Relation does not exist): INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database. Using changelog META-INF/jpa-changelog-master.xml ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie at gmail.com failed. Error: FEHLER: Relation »resource_server_policy« existiert nicht (ERROR: relation "resource_server_policy" does not exist) Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: FEHLER: Relation »resource_server_policy« existiert nicht Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)] The problem only occurs if I do NOT use the default schema. If I use the default schema everything is great. How can I work around this problem?
Thx for your help

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG

Phone: +49 (0) 261 / 5 00 86 - 17
Fax: +49 (0) 261 / 5 00 86 - 29
E-Mail: kevin.hirschmann at huebinet.de
Internet: www.huebinet.de

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz

Registered office and register court: Koblenz HRA 5329

General partner of the KG: HUEBINET GmbH; registered office and register court: Koblenz HRB 6857

Management: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From mph at tecbakery.com Fri Nov 17 09:45:11 2017
From: mph at tecbakery.com (mph at tecbakery.com)
Date: Fri, 17 Nov 2017 15:45:11 +0100
Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4
In-Reply-To:
References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com>
Message-ID: <88ee1ee2-709e-69b1-c946-d808bb4a6091@tecbakery.com>

Can you tell me what you changed?
I don't know much about jboss and the configuration syntax...

thx

On 17.11.2017 14:47, mj wrote:
> Hi,
>
> See a similar thread this week by me, subject "upgrade to 3.4 issue".
>
> I edited the standalone.xml that came with 3.4 by hand, putting in the changes we did. That made keycloak 3.4 start.
> Perhaps you can try that too.
>
> However, we are running behind an apache2 proxy, and also that doesn't work anymore as it did in the past.
>
> It seems only minor, 3.3 -> 3.4, but actually it's quite a big upgrade...
>
> MJ
>
> On 11/17/2017 02:11 PM, mph at tecbakery.com wrote:
>> Hi
>>
>> I tried to upgrade our installation from 3.3 to 3.4, following the guide at http://www.keycloak.org/docs/latest/upgrading/index.html, and am receiving the following error on startup.
>> Comparing both default standalone.xml I found that in 3.3 the urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0...
>>
>> Any help is highly appreciated.
>>
>> Martin
>>
>> /opt/keycloak/keycloak-3.4.0# bin/standalone.sh -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0
>> =========================================================================
>>
>>   JBoss Bootstrap Environment
>>
>>   JBOSS_HOME: /opt/keycloak/keycloak-3.4.0
>>
>>   JAVA: /usr/lib/jvm/java-8-oracle/bin/java
>>
>>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>
>> =========================================================================
>>
>> 13:55:39,468 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.0.Final
>> 13:55:40,161 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
>> 13:55:40,462 INFO  [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting
>> 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread)
>>
>> OPVDX001: Validation error in standalone.xml
>> -----------------------------------
>> |
>> |  322:
>> |  323:
>> |  324: <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
>> |       ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>> |
>> |  325:
>> |  326:
>> |  327:
>> |
>> | The primary underlying error message was:
>> | > ParseError at [row,col]:[324,9]
>> | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>> |
>> |-------------------------------------------------------------------------------
>>
>> 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>>         at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
>>         at org.jboss.as.server.ServerService.boot(ServerService.java:387)
>>         at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370)
>>         at java.lang.Thread.run(Thread.java:748)
>>
>> 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From matthew.broadhead at nbmlaw.co.uk Fri Nov 17 09:52:00 2017
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Fri, 17 Nov 2017 15:52:00 +0100
Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4
In-Reply-To:
References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com>
Message-ID: <656303cd-5094-97af-2dca-ab86a17ee3ca@nbmlaw.co.uk>

http://markus.co/howto/2017/07/27/keycloak-apache.html
This is the best tutorial I found for running keycloak behind an apache2 proxy.

On 17/11/2017 14:47, mj wrote:
> Hi,
>
> See a similar thread this week by me, subject "upgrade to 3.4 issue".
>
> I edited the standalone.xml that came with 3.4 by hand, putting in the changes we did. That made keycloak 3.4 start. Perhaps you can try that too.
>
> However, we are running behind an apache2 proxy, and also that doesn't work anymore as it did in the past.
>
> It seems only minor, 3.3 -> 3.4, but actually it's quite a big upgrade...
>
> MJ
>
> On 11/17/2017 02:11 PM, mph at tecbakery.com wrote:
>> Hi
>>
>> I tried to upgrade our installation from 3.3 to 3.4, following the guide at http://www.keycloak.org/docs/latest/upgrading/index.html, and am receiving the following error on startup.
>> Comparing both default standalone.xml I found that in 3.3 the urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0...
>>
>> Any help is highly appreciated.
>>
>> Martin
>>
>> /opt/keycloak/keycloak-3.4.0# bin/standalone.sh -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0
>> =========================================================================
>>
>>   JBoss Bootstrap Environment
>>
>>   JBOSS_HOME: /opt/keycloak/keycloak-3.4.0
>>
>>   JAVA: /usr/lib/jvm/java-8-oracle/bin/java
>>
>>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>
>> =========================================================================
>>
>> 13:55:39,468 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.0.Final
>> 13:55:40,161 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
>> 13:55:40,462 INFO  [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting
>> 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread)
>>
>> OPVDX001: Validation error in standalone.xml
>> -----------------------------------
>> |
>> |  322:
>> |  323:
>> |  324: <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
>> |       ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>> |
>> |  325:
>> |  326:
>> |  327:
>> |
>> | The primary underlying error message was:
>> | > ParseError at [row,col]:[324,9]
>> | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>> |
>> |-------------------------------------------------------------------------------
>>
>> 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>>         at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
>>         at org.jboss.as.server.ServerService.boot(ServerService.java:387)
>>         at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370)
>>         at java.lang.Thread.run(Thread.java:748)
>>
>> 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Nov 17 10:03:48 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 Nov 2017 13:03:48 -0200
Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4
In-Reply-To:
References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com>
Message-ID:

There is something weird with the 3.4.0.Final distribution. If you look at the WildFly Core version after booting the server, you'll see "WildFly Core 3.0.1.Final".
In 3.3.0.Final, the Wildfly Core version is "WildFly Core 3.0.8.Final", which is correct. Something happened and downgraded WildFly Core in 3.4.0.Final during the release. That is probably the root cause of the error you are getting. On Fri, Nov 17, 2017 at 11:47 AM, mj wrote: > Hi, > > See a similar thread this week by me, subject "upgrade to 3.4 issue". > > I edited the standalone.xml that came with 3.4 by hand, putting in the > changes we did. That made keycloak 3.4 start. Perhaps you can try that too. > > However, we are running behind an apache2 proxy, and also that doesn't > work anymore as it did in the past. > > It seems only minor, 3.3 -> 3.4, but actually it's quite a big upgrade... > > MJ > > On 11/17/2017 02:11 PM, mph at tecbakery.com wrote: > > Hi > > > > I tried to upgrade our installation from 3.3 to 3.4, following the guide > > at http://www.keycloak.org/docs/latest/upgrading/index.html, and am > > receiving the following error on startup. > > Comparing both default standalone.xml I found that in 3.3 the > > urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0... > > > > Any help is highly appreciated. 
> > > > Martin > > > > /opt/keycloak/keycloak-3.4.0# bin/standalone.sh > > -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 > > ============================================================ > ============= > > > > JBoss Bootstrap Environment > > > > JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 > > > > JAVA: /usr/lib/jvm/java-8-oracle/bin/java > > > > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > > > ============================================================ > ============= > > > > 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version > > 1.6.0.Final > > 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 > > 13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: > > Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting > > 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) > > > > OPVDX001: Validation error in standalone.xml > > ----------------------------------- > > | > > | 322: > > | 323: > > | 324: > final-providers="combined-providers" disallowed-providers=" > OracleUcrypto"> > > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > > | > > | 325: > > | 326: > > | 327: > > | > > | The primary underlying error message was: > > | > ParseError at [row,col]:[324,9] > > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > > | > > |----------------------------------------------------------- > -------------------- > > > > 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) > > WFLYSRV0055: Caught exception during boot: > > org.jboss.as.controller.persistence.ConfigurationPersistenceException: > > WFLYCTL0085: Failed to parse configuration > > at > > org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:143) > > at org.jboss.as.server.ServerService.boot( > 
ServerService.java:387) > > at > > org.jboss.as.controller.AbstractControllerService$1. > run(AbstractControllerService.java:370) > > at java.lang.Thread.run(Thread.java:748) > > > > 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) > > WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. > > See previous messages for details. > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Fri Nov 17 10:06:37 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 17 Nov 2017 13:06:37 -0200 Subject: [keycloak-user] keycloak 3.4.0 - Missing relation In-Reply-To: References: Message-ID: What is your database ? On Fri, Nov 17, 2017 at 12:11 PM, Kevin Hirschmann wrote: > Hello everybody, > > I am setting up a new keycloak instance (3.4.0) resulting in the following > error (Relation does not exist): > > INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] > (ServerService Thread Pool -- 78) Updating database. Using changelog > META-INF/jpa-changelog-master.xml > ERROR [org.keycloak.connections.jpa.updater.liquibase.conn. > DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) > Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0. > CR1-resource-server-pk-change-part2::glavoie at gmail.com failed. 
Error:
> ERROR: relation "resource_server_policy" does not exist
> Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException:
> ERROR: relation "resource_server_policy" does not exist
> Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]
>
>
> The problem only occurs if I do NOT use the default schema. If I use the default schema everything is great.
> How can I work around this problem?
>
> Thx for your help
>
> Kevin Hirschmann
>
> HUEBINET Informationsmanagement GmbH & Co. KG
>
>
> Phone: +49 (0) 261 / 5 00 86 - 17
> Fax: +49 (0) 261 / 5 00 86 - 29
> E-Mail: kevin.hirschmann at huebinet.de
> Internet: www.huebinet.de
>
> HUEBINET Informationsmanagement GmbH & Co. KG
> An der Königsbach 8
> 56075 Koblenz
>
> Registered office and register court: Koblenz HRA 5329
>
> General partner of the KG:
> HUEBINET GmbH;
> Registered office and register court: Koblenz HRB 6857
>
> Management:
> Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations.
> It is not totally possible to prevent a third party from manipulating emails and email contents.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Nov 17 11:34:49 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 Nov 2017 14:34:49 -0200
Subject: [keycloak-user] keycloak upgrade 3.3 to 3.4
In-Reply-To: <88ee1ee2-709e-69b1-c946-d808bb4a6091@tecbakery.com>
References: <89d6e3eb-0073-fba3-aea6-5310b802cee9@tecbakery.com> <88ee1ee2-709e-69b1-c946-d808bb4a6091@tecbakery.com>
Message-ID:

You should be able to safely remove the elytron subsystem and still have a working server.

On Fri, Nov 17, 2017 at 12:45 PM, wrote:
> Can you tell me what you changed?
> I don't know much about jboss and the configuration syntax...
>
> thx
>
> On 17.11.2017 14:47, mj wrote:
> > Hi,
> >
> > See a similar thread this week by me, subject "upgrade to 3.4 issue".
> >
> > I edited the standalone.xml that came with 3.4 by hand, putting in the changes we did. That made keycloak 3.4 start. Perhaps you can try that too.
> >
> > However, we are running behind an apache2 proxy, and also that doesn't work anymore as it did in the past.
> >
> > It seems only minor, 3.3 -> 3.4, but actually it's quite a big upgrade...
> >
> > MJ
> >
> > On 11/17/2017 02:11 PM, mph at tecbakery.com wrote:
> >> Hi
> >>
> >> I tried to upgrade our installation from 3.3 to 3.4, following the guide at http://www.keycloak.org/docs/latest/upgrading/index.html, and am receiving the following error on startup.
> >> Comparing both default standalone.xml I found that in 3.3 the urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0...
> >>
> >> Any help is highly appreciated.
> >> > >> Martin > >> > >> /opt/keycloak/keycloak-3.4.0# bin/standalone.sh > >> -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 > >> ============================================================ > ============= > >> > >> JBoss Bootstrap Environment > >> > >> JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 > >> > >> JAVA: /usr/lib/jvm/java-8-oracle/bin/java > >> > >> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > >> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > >> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > >> > >> ============================================================ > ============= > >> > >> 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version > >> 1.6.0.Final > >> 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 > >> 13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: > >> Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting > >> 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) > >> > >> OPVDX001: Validation error in standalone.xml > >> ----------------------------------- > >> | > >> | 322: > >> | 323: > >> | 324: >> final-providers="combined-providers" disallowed-providers=" > OracleUcrypto"> > >> | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > >> | > >> | 325: > >> | 326: > >> | 327: > >> | > >> | The primary underlying error message was: > >> | > ParseError at [row,col]:[324,9] > >> | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > >> | > >> |----------------------------------------------------------- > -------------------- > >> > >> 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) > >> WFLYSRV0055: Caught exception during boot: > >> org.jboss.as.controller.persistence.ConfigurationPersistenceException: > >> WFLYCTL0085: Failed to parse configuration > >> at > >> org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:143) > >> 
at org.jboss.as.server.ServerService.boot( > ServerService.java:387) > >> at > >> org.jboss.as.controller.AbstractControllerService$1. > run(AbstractControllerService.java:370) > >> at java.lang.Thread.run(Thread.java:748) > >> > >> 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) > >> WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. > >> See previous messages for details. > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Fri Nov 17 13:59:23 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Fri, 17 Nov 2017 19:59:23 +0100 Subject: [keycloak-user] Authorization transfer Message-ID: Hi guys, is it possible for an application user to grant some authorizations to another user? For example in the photoz example, how can I give access to my albums to another user? What would be the mechanism? Thanks a lot Corentin From lists at merit.unu.edu Fri Nov 17 14:02:22 2017 From: lists at merit.unu.edu (mj) Date: Fri, 17 Nov 2017 20:02:22 +0100 Subject: [keycloak-user] upgrade to 3.4 issue In-Reply-To: <204d004b-d0d9-40e3-09da-29cbbaeefe08@tecbakery.com> References: <14c26515-132d-1662-e629-dd47c79e9bb8@merit.unu.edu> <055a2512-680f-f165-626a-824b45afed69@merit.unu.edu> <204d004b-d0d9-40e3-09da-29cbbaeefe08@tecbakery.com> Message-ID: Hi Martin, And that fixed it! :-) BTW we don't need the nocanon I guess. We don't see obvious style issues... :-) Thanks! 
MJ

On 11/17/2017 03:33 PM, mph at tecbakery.com wrote:
> Hi
>
> sound familiar to me :-)
> guess you forgot to add the proxy-https socket-binding in the socket-binding-group in my standalone.xml at the very bottom.
>
> in your apache conf you need these lines:
>
>         RequestHeader set X-Forwarded-Proto "https"
>         RequestHeader set X-Forwarded-Port "443"
>
>         [...]
>
>         ProxyPass / http://localhost:[port]/ nocanon
>
> (nocanon solved a style loading issue for me)
>
>
> Hope it helps
>
> Martin
>
>
>
> On 17.11.2017 14:38, mj wrote:
>> Hi Stian, list,
>>
>> So, manually editing standalone.xml got me further, but not yet 100% success. :-)
>>
>> I edited standalone.xml by hand, and have things working on port 8080.
>> But we have been using keycloak 2.x / 3.x through apache2 reverse https proxy, requiring the following config in standalone.xml:
>>
>>>
>> However, keycloak 3.4 complains with this config:
>>
>>> 14:34:18,158 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=default' are not available:
>>>     org.wildfly.network.socket-binding.proxy-https; Possible registration points for this capability:
>>>         /socket-binding-group=*/socket-binding=*
>>> 14:34:18,161 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>> 14:34:18,189 INFO  [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) stopped in 6ms
>>
>> Some advice would be appreciated, as we are not that experienced in wildfly / java, etc.
>>
>> Or is there perhaps another (new?) way to have keycloak running on https with a Let's Encrypt SSL certificate?
>>
>> Using the apache2 reverse proxy way has served us very well, the last years.
>>
>> Thanks!
>> MJ
>>
>> On 11/15/2017 09:26 AM, Stian Thorgersen wrote:
>>> That seems like it could be an issue caused by the fact that KC 3.3 was based on WildFly 11 Beta. You'll probably have to manually update the standalone file (or grab the one from the 3.2 release if you still have that).
>>>
>>> On 14 November 2017 at 11:17, lists wrote:
>>>
>>>     Hi,
>>>
>>>     Today we tried to upgrade our standalone 3.3 install to 3.4, following the docs:
>>>
>>>     - copied 3.3 /standalone/ over the 3.4 install, replacing all
>>>     - copied mysql connector in modules/system/layers/keycloak/org
>>>
>>>     But then, the standalone upgrade script doesn't work:
>>>
>>>     > root at server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli
>>>     > Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>>     > root at server:/opt/keycloak-3.4.0.Final#
>>>
>>>     When starting the 3.4 server without having run the upgrade script, we see what the actual problem appears to be:
>>>
>>>     > OPVDX001: Validation error in standalone.xml
>>>     > -----------------------------------
>>>     > |
>>>     > |  470:
>>>     > |  471:
>>>     > |  472: <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
>>>     > |       ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>>>     > |
>>>     > |  473:
>>>     > |  474:
>>>     > |  475:
>>>     > |
>>>     > | The primary underlying error message was:
>>>     > | > ParseError at [row,col]:[472,9]
>>>     > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>>>     > |
>>>     > |-------------------------------------------------------------------------------
>>>
>>>     The same standalone.xml still works in the keycloak 3.3, so it basically seems to be ok, or not corrupt at least.
>>>     This install has been upgraded from:
>>>     3.0 -> 3.1 -> 3.3 (we skipped 3.2)
>>>
>>>     It seems that our config has to be migrated using the script, but the upgrade-standalone.cli script will not run...
>>>
>>>     What to do?
>>>
>>>     MJ
>>>     _______________________________________________
>>>     keycloak-user mailing list
>>>     keycloak-user at lists.jboss.org
>>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Fri Nov 17 15:06:25 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 Nov 2017 18:06:25 -0200
Subject: [keycloak-user] Authorization transfer
In-Reply-To:
References:
Message-ID:

Right now you can't do it. This is all about the work we are doing to better support the UMA protocol. Soon you'll be able to let your users manage their resources (and their policies) from the Keycloak Account Service, grant and revoke access to other users, and authorization flows. We are really missing this.

However, I think you can try to use the Policy Management API. It provides a RESTful API that you can use to manage permissions and policies. As an example: https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other tests in the same package for other permission and policy types.

Please, let me know about your achievements if you start doing something with the Policy Management API. Any feedback is welcome and will probably help with the work I mentioned before around UMA.

On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont wrote:
> Hi guys,
> is it possible for an application user to grant some authorizations to another user?
> For example in the photoz example, how can I give access to my albums to another user?
> What would be the mechanism?
>
> Thanks a lot
> Corentin
>

From msakho at redhat.com Sat Nov 18 04:27:42 2017
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Sat, 18 Nov 2017 10:27:42 +0100
Subject: [keycloak-user] Keycloak 3.4.0.Final released
In-Reply-To:
References:
Message-ID:

Hi,
Stian, I've read in the blog release note about the support of mysql and postgresql in the main Keycloak Docker image.
Can you tell us where we could find the docker image?
Do we have some documentation about it?
thanks,
Meissa

On Fri, Nov 10, 2017 at 11:30 AM, Stian Thorgersen wrote:
> We've just released Keycloak 3.4.0.Final.
>
> To download the release go to the Keycloak homepage.
>
> The full list of resolved issues is available in JIRA
> 20keycloak%20and%20fixVersion%20%3D%203.4.0.Final>
> .
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From msakho at redhat.com Sat Nov 18 05:37:23 2017
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Sat, 18 Nov 2017 11:37:23 +0100
Subject: [keycloak-user] Keycloak 3.4.0.Final released
In-Reply-To:
References:
Message-ID:

Replying to myself: I suppose it is here?
https://hub.docker.com/r/jboss/keycloak/
Is it?
Meissa

On Sat, Nov 18, 2017 at 10:27 AM, Meissa M'baye Sakho wrote:
> Hi,
> Stian, I've read in the blog release note about the support of mysql and postgresql in the main Keycloak Docker image.
> Can you tell us where we could find the docker image?
> Do we have some documentation about it?
> thanks,
> Meissa
>
>
>
> On Fri, Nov 10, 2017 at 11:30 AM, Stian Thorgersen wrote:
>
>> We've just released Keycloak 3.4.0.Final.
>>
>> To download the release go to the Keycloak homepage.
>>
>> The full list of resolved issues is available in JIRA
>> ak%20and%20fixVersion%20%3D%203.4.0.Final>
>> .
>> Upgrading
>>
>> Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From pcfleischer at outlook.com Sat Nov 18 18:42:32 2017
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Sat, 18 Nov 2017 23:42:32 +0000
Subject: [keycloak-user] logging saml requests/responses
In-Reply-To:
References:
Message-ID:

Turns out I was adding the logging level to the console but was viewing the log through docker, which shows the file. So I just needed to add the log level to the file handler. I didn't want to add it to the root logger because it was too noisy; with it set this way everything looks perfect.

On Nov 14, 2017, at 12:06 PM, Phillip Fleischer wrote:

Hi, I'm trying to debug using the saml clients and identity brokering; the docs and several messages say that this can be done by turning on debug or trace. I added the following to my standalone.xml but I'm not seeing anything. I also tried on a remote host by using the jboss-cli.sh command to add the logger, to no avail. Is there something I'm missing?

From alex at iucc.ac.il Sun Nov 19 01:39:15 2017
From: alex at iucc.ac.il (Alex Zeleznikov)
Date: Sun, 19 Nov 2017 06:39:15 +0000
Subject: [keycloak-user] Error in base64 decoding saml message
Message-ID:

Hello,
we are using keycloak as a local IDP. Currently the keycloak server is being served to SPs via simplesamlphp; the connection to the simplesaml server works, a user can login and logout without issues. However, when a user tries to authenticate via an SP, the keycloak server login page shows "invalid request".
Looking at the logs I see:
`2017-11-19 08:13:31,218 ERROR [org.keycloak.saml.common] (default task-2) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1@5917b7e5`

Here is the saml data when authenticating only via simplesaml (this works):
https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp
[signature and certificate base64 omitted]

And here is the SAML data when authenticating via an SP (this doesn't work):
https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp
[signature and certificate base64 omitted]
https://terena.org/sp

From lists at merit.unu.edu Sun Nov 19 10:29:54 2017
From: lists at merit.unu.edu (mj)
Date: Sun, 19 Nov 2017 16:29:54 +0100
Subject: [keycloak-user] extend theme with some extra text

Hi,

We are trying to display some extra static text on the two pages where a password can be changed:
- the login theme (sunrise)
- the account theme (address)

We're trying to add text, to inform the users of *all* configured password requirements at once. Something like:

> Kindly be advised to use:
> - min. 8 characters
> - min. one lower case
> - min. one upper case
> - min. one special character

In the current situation during a password change, the user initially is not informed about the minimum requirements, and 'learns' a new requirement on each password rejection.
We know that this should be possible by editing the (in our case) themes "sunrise" and "address". But could someone point out where and how we can add some new extra text to these pages?

MJ

From lists at merit.unu.edu Sun Nov 19 14:22:51 2017
From: lists at merit.unu.edu (mj)
Date: Sun, 19 Nov 2017 20:22:51 +0100
Subject: [keycloak-user] extend theme with some extra text
Message-ID: <68e97ce2-8f4b-1923-5c6c-98c5a674ecec@merit.unu.edu>

Hi,

For the archives, we have edited these two files:
keycloak/themes/base/login/login-update-password.ftl
keycloak/themes/base/account/password.ftl

And included the text:
Please note our password requirements:
- minimum eight characters total
- minimum one UPPER case character
- minimum one lower case character
- minimum one digit
- minimum one 'special' symbol, like - _ * !

plus:
- It cannot contain "password"
- It cannot contain your username
- Your last ten (10) passwords cannot be re-used
Perhaps this info saves someone else some time.

MJ

On 11/19/2017 04:29 PM, mj wrote:
> Hi,
>
> We are trying to display some extra static text on the two pages where a password can be changed:
>
> - the login theme (sunrise)
> - the account theme (address)
>
> We're trying to add text, to inform the users of *all* configured password requirements at once. Something like:
>
>> Kindly be advised to use:
>> - min. 8 characters
>> - min. one lower case
>> - min. one upper case
>> - min. one special character
>
> In the current situation during a password change, the user initially is not informed about the minimum requirements, and 'learns' a new requirement on each password rejection.
>
> We know that this should be possible by editing the (in our case) themes "sunrise" and "address". But could someone point out where and how we can add some new extra text to these pages?
>
> MJ

From the_fredo at yahoo.com Mon Nov 20 03:09:06 2017
From: the_fredo at yahoo.com (The Fredo)
Date: Mon, 20 Nov 2017 08:09:06 +0000 (UTC)
Subject: [keycloak-user] how to force (kind-of) re-activation when user has logged in from a new location ?
References: <2022142914.1263739.1511165346748.ref@mail.yahoo.com>
Message-ID: <2022142914.1263739.1511165346748@mail.yahoo.com>

Hi all,

I'd like:
- to detect that a user has just logged in from a new "location" (e.g. userAgent, IP, etc.).
- if such an event happens, I'd like to make him perform a new account activation, like he did when he registered, i.e. send an activation email.

I read in the doc that Keycloak is open and offers the possibility to add custom behavior through plugins. But I don't know where to start exactly, i.e.
- how/where to intercept the login flow to add my own code (i.e.
just after the successful authentication)
- how to trigger this kind of new activation (probably by adding a required action, but how exactly?)

Any leads would be appreciated since I'm discovering Keycloak.
I'm currently using KC 2.5.4 + (KC proxy) but no problem to upgrade if necessary.

Thanks!

From corentin.dupont at gmail.com Mon Nov 20 06:10:19 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 20 Nov 2017 12:10:19 +0100
Subject: [keycloak-user] Authorization transfer

Thanks for the answer.
My plan is to make authorizations based on groups of resources, that we call "domains".
Basically, when a user creates a resource, he can decide to put it in an existing domain. The URL reflects that domain:
http://www.example.com/api/v1/domains/mydomain/houses/myhouse

The user can also create domains with the domains endpoint:
POST http://www.example.com/api/v1/domains/

What is not clear for me is how users can get access to domains.
Probably users can have an attribute "domains", with the list of domains they have access to?
Or should a domain be represented in Keycloak as a resource? In this case, should we create roles to access that domain? For example, the role "admin-mydomain"?
Or should it be implemented with user groups in Keycloak? Or with User policies?

On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva wrote:
> Right now you can't do it. This is all about the work we are doing to better support UMA protocol. Soon you'll be able to let your users manage their resources (and their policies) from Keycloak Account Service, grant and revoke access to other users, authorization flows. We are really missing this.
>
> However, I think you can try to use the Policy Management API. It provides a RESTful API that you can use to manage permissions and policies.
> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other tests in the same package for other permission and policy types.
>
> Please, let me know about your achievements if you start doing something with the Policy Management API. Any feedback is welcome and will probably help with the work I mentioned before around UMA.
>
> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi guys,
>> is it possible for an application user to grant some authorizations to another user?
>> For example in the photoz example, how can I give access to my albums to another user?
>> What would be the mechanism?
>>
>> Thanks a lot
>> Corentin

From rickt15392 at googlemail.com Mon Nov 20 06:43:17 2017
From: rickt15392 at googlemail.com (RickT153 .)
Date: Mon, 20 Nov 2017 12:43:17 +0100
Subject: [keycloak-user] Error when using bookmarked login page

Hello,

I am trying to secure a single page application with Keycloak. The setup is the following: there are a few microservices and Keycloak behind an Apache Reverse Proxy, which has mod_auth_openidc installed. The authentication works fine. When a user visits my page www.example.com he will be redirected to www.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&many_more=parameters. The Keycloak login-page is presented to the user and when he enters his credentials correctly he is redirected to my page www.example.com/main and can use the application. So far, so good.

Now the problem is that a user might want to bookmark my site right after visiting it. That means that he will bookmark the Keycloak login-page.
But there are some parameters (like state and nonce) in the login-page URL that are only valid for the initial login-session. Therefore, visiting the bookmarked page at a later time will cause an error and the user will not be able to access my page.

Do you have any tips on how I can fix this problem? Are there common ways to allow a user to visit a bookmarked login page without breaking the authentication flow?

Thanks,
Patrick

From the_fredo at yahoo.com Mon Nov 20 08:01:17 2017
From: the_fredo at yahoo.com (The Fredo)
Date: Mon, 20 Nov 2017 13:01:17 +0000 (UTC)
Subject: [keycloak-user] Detecting login attempt from a new "location"
References: <776103555.1355294.1511182877822.ref@mail.yahoo.com>
Message-ID: <776103555.1355294.1511182877822@mail.yahoo.com>

Hi all,

My requirement is to be able to detect a user's attempt to login from a new "location".
Which "location"-related (IP or user agent) information does KC store in its database that would make it possible to detect such an event?
Where is the history of closed user sessions (if there is one)?
If not, is it possible to add the user agent somewhere?

Thanks!

PS: I'm currently using KC 2.5.4 + (KC proxy) but no problem to upgrade if necessary.

From hmlnarik at redhat.com Mon Nov 20 09:16:37 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 20 Nov 2017 15:16:37 +0100
Subject: [keycloak-user] Error in base64 decoding saml message

Please file a bug in JIRA with these details, this is an issue in the parser.

On Sun, Nov 19, 2017 at 7:39 AM, Alex Zeleznikov wrote:
> Hello, we are using keycloak as a local IDP. Currently the keycloak server is being served to SPs via simplesamlphp; the connection to the simplesaml server works, a user can login and logout without issues. However, when a user tries to authenticate via an SP, the keycloak server login page shows "invalid request".
> Looking at the logs I see:
> `2017-11-19 08:13:31,218 ERROR [org.keycloak.saml.common] (default task-2) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1@5917b7e5`
>
> Here is the saml data when authenticating only via simplesaml (this works):
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5"
> Version="2.0"
> IssueInstant="2017-11-16T07:28:00Z"
> Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
> AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp
> [signature and certificate base64 omitted]
>
> And here is the SAML data when authenticating via an SP (this doesn't work):
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
> Version="2.0"
> IssueInstant="2017-11-16T07:09:05Z"
> Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
> AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp
> [signature and certificate base64 omitted]
> https://terena.org/sp

--
--Hynek

From khirschmann at huebinet.de Mon Nov 20 09:36:31 2017
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Mon, 20 Nov 2017 15:36:31 +0100
Subject: [keycloak-user] keycloak 3.4.0 - Missing relation
Message-ID: <002a01d3620c$f57b8980$e0729c80$@huebinet.de>

Hi,

It is postgres.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, 17 November 2017 16:07
To: Kevin Hirschmann
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation

What is your database ?

On Fri, Nov 17, 2017 at 12:11 PM, Kevin Hirschmann wrote:

Hello everybody,

I am setting up a new keycloak instance (3.4.0) resulting in the following error (Relation does not exist):

INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database.
Using changelog META-INF/jpa-changelog-master.xml
ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie at gmail.com failed.
Error: FEHLER: Relation »resource_server_policy« existiert nicht
Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: FEHLER: Relation »resource_server_policy« existiert nicht
Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]

The problem only occurs if I do NOT use the default schema. If I use the default schema everything is great.
How can I work around this problem?

Thx for your help

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG
Phone: +49 (0) 261 / 5 00 86 - 17
Fax: +49 (0) 261 / 5 00 86 - 29
E-Mail: kevin.hirschmann at huebinet.de
Internet: www.huebinet.de

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and court of registration: Koblenz HRA 5329
Personally liable partner of the KG: HUEBINET GmbH; registered office and court of registration: Koblenz HRB 6857
Management: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz

Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From nijo.johny at aol.com Mon Nov 20 09:57:10 2017
From: nijo.johny at aol.com (Nijo Johny)
Date: Mon, 20 Nov 2017 09:57:10 -0500
Subject: [keycloak-user] logout not working with IDPs
Message-ID: <15fd9eed3df-c0a-1353@webjas-vab122.srv.aolmail.net>

Hello,

My use case: enable user SSO with multiple IDPs such as Okta, OneLogin, ADFS etc. I have single sign on working with all IDPs, no problems. But logout is not working.

Here is my setup. Our front end (Single Page) application is configured with an OIDC client to keycloak. Keycloak acts as broker to all external IDPs using SAML. Okta, ADFS and OneLogin are configured as Identity Providers under the realm.

To enable logout on the Okta side there is an option "Allow application to initiate Single Logout". But for this, I need to provide 3 parameters:
1. Single Logout URL (the location where the logout response will be sent)
2. SP Issuer (the issuer of the service provider)
3. Signature Certificate (determines the public key certificate used to verify the digital signature)

I need help with 2 and 3. Keycloak Documentation says Realm Keys are used to sign, but how to export this from keycloak to import to Okta? Okta only allows to import it. What should I provide for SP Issuer?

Note: Back channel logout is not enabled.
Regards,
NJ

From roderic.halleguen at capgemini.com Mon Nov 20 10:20:51 2017
From: roderic.halleguen at capgemini.com (HALLEGUEN, Roderic)
Date: Mon, 20 Nov 2017 15:20:51 +0000
Subject: [keycloak-user] Unable to use Implicit Flow in Spring Security
Message-ID: <503E358238E8A342A4E99D51DC42B9850B265BDC@DE-CM-MBX23.corp.capgemini.com>

Hi,

I followed the two articles on the blog (https://developers.redhat.com/video/youtube/O5ePCWON08Y/) to make Keycloak work with Spring Security. It works nicely, but I'm only able to use the standard flow. Is there something to configure in Spring Security to make it work with the Implicit flow? I didn't find anything about this in the documentation.

Thanks for your help!

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From hmlnarik at redhat.com Mon Nov 20 11:46:18 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 20 Nov 2017 17:46:18 +0100
Subject: [keycloak-user] keycloak 3.4.0 - Missing relation
In-Reply-To: <002a01d3620c$f57b8980$e0729c80$@huebinet.de>
References: <002a01d3620c$f57b8980$e0729c80$@huebinet.de>

You might be able to set Postgres schema search_path via new-connection-sql property set to "SET search_path TO " on Keycloak datasource (untested).

You can set the default schema search path database-wise as per this article: https://stackoverflow.com/questions/2875610/permanently-set-postgresql-schema-path

--Hynek

On Mon, Nov 20, 2017 at 3:36 PM, Kevin Hirschmann wrote:
> Hi,
>
> It is postgres.
>
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Friday, 17.
> November 2017 16:07
> To: Kevin Hirschmann <khirschmann at huebinet.de>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation
>
> What is your database ?
>
> On Fri, Nov 17, 2017 at 12:11 PM, Kevin Hirschmann <khirschmann at huebinet.de> wrote:
>
> Hello everybody,
>
> I am setting up a new keycloak instance (3.4.0) resulting in the following error (Relation does not exist):
>
> INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database. Using changelog META-INF/jpa-changelog-master.xml
> ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie at gmail.com failed.
> Error: FEHLER: Relation »resource_server_policy« existiert nicht
> Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: FEHLER: Relation »resource_server_policy« existiert nicht
> Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]
>
> The problem only occurs if I do NOT use the default schema. If I use the default schema everything is great.
> How can I work around this problem?
>
> Thx for your help
>
> Kevin Hirschmann
> HUEBINET Informationsmanagement GmbH & Co. KG

--
--Hynek

From robert.discussions at gmail.com Mon Nov 20 11:48:18 2017
From: robert.discussions at gmail.com (Robert .)
Date: Mon, 20 Nov 2017 17:48:18 +0100
Subject: [keycloak-user] Java EE server compatibility and JSR-375

Is it possible to implement JSR-375 using Keycloak? Will this allow you to use Keycloak on any Java EE server without the Spring adapter and any of the server specific keycloak adapters? Are there any plans to do something with Keycloak and JSR-375?

The Keycloak documentation gives a warning about the Java Servlet Filter Adapter. It states that:
"Backchannel logout works a bit differently than the standard adapters. Instead of invalidating the HTTP session it marks the session id as logged out."
What are the implications of this? Will something not work properly? Will the web application still think the user is logged in? Or is the http session not cleaned up from memory?

From lilith.saer at cayuse.com Mon Nov 20 18:07:08 2017
From: lilith.saer at cayuse.com (Lilith Saer)
Date: Mon, 20 Nov 2017 23:07:08 +0000
Subject: [keycloak-user] Keycloak OpenID Endpoint Configuration

Hi there. I am looking to change the default URL that an unauthenticated user is directed to (by default, the KC login page) after attempting to access a resource that requires authentication. How can I do this? Thank you!

From madhan.klazzez at gmail.com Mon Nov 20 21:53:38 2017
From: madhan.klazzez at gmail.com (Madhan Kumar S P)
Date: Mon, 20 Nov 2017 18:53:38 -0800
Subject: [keycloak-user] Keycloak Facebook Social Login

Hello All,

I am trying to integrate Keycloak with the Facebook social plugin. I had gone through the examples and documentation. This works fine if I use the Keycloak hosted Login Page. What I need is that we want to host our own login page and use the Keycloak APIs to register the user and login. I mean, I want to host our own Sign Up/Login Page. When the user clicks on Login with Facebook, we want to redirect the user to FB, get the approval, collect the details, and create the user details that we need for our application.
Then register the user on the Keycloak. I don?t see any documentation for this. I would be really grateful if you can shed some light on this and point to the documentation that would help me in achieving this. Thanks & Regards, Madhan Kumar S P From hmlnarik at redhat.com Tue Nov 21 03:58:59 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Tue, 21 Nov 2017 09:58:59 +0100 Subject: [keycloak-user] SAML Logout url In-Reply-To: References: Message-ID: The ?GLO=true should be added to SAML client URL. This parameter invokes code in Keycloak adapter that sends logout request to SAML server endpoint. See [1] [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2 On Thu, Nov 16, 2017 at 10:18 AM, Min Han Lee wrote: > Hello, > > can anyone shed some light on how to configure SAML single log out, please, > I postfixed the POST binding by adding ?GLO=true but it didn't work. > > Kind Regards > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek From dev.ebondu at gmail.com Tue Nov 21 06:12:09 2017 From: dev.ebondu at gmail.com (Emilien Bondu) Date: Tue, 21 Nov 2017 12:12:09 +0100 Subject: [keycloak-user] default permissions In-Reply-To: References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com> <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com> Message-ID: Hi, As a first draft of an ? unauthenticated ? 
authz, you can have a look here : https://github.com/ebondu/keycloak/tree/KEYCLOAK-5839/ Interesting classes are :
keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/UnauthenticatedActionsHandler.java
keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/UnauthenticatedPolicyEnforcer.java
keycloak/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakUnauthenticatedActionsFilter.java
Here a corresponding conf in spring to use it : ... ... Emilien > On 10 Nov 2017 at 15:02, Pedro Igor Silva wrote: > > I'm glad to take a look on it and see how it could fit in our adapters. > Could you create a JIRA and give some link to your code so we can discuss > from there ? > > Thanks. > > On Fri, Nov 10, 2017 at 10:51 AM, Emilien Bondu > wrote: > >> To achieve this, I implemented a KeycloakAnonymousActionsFilter filter to >> handle requests, associated to an AnonymousActionsHandler (extending the >> official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer (extending >> the official AbstractPolicyEnforcer). Do you think this code should be >> added to the official spring-adapter ? >> >> >> On 10 Nov 2017 at 12:12, Pedro Igor Silva wrote: >> >> @Emilien Bondu, I was looking at that thread again and now I'm wondering if >> you ended up with something you can share. >> >> On Fri, Nov 10, 2017 at 9:07 AM, Emilien Bondu >> wrote: >> >>> Hi, >>> >>> Maybe you should have a look here : >>> >>> http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html >>> >>> >>> On 10 Nov 2017 at 11:33, Pedro Igor Silva wrote: >>> >>> Hi, >>> >>> I think you could probably change your application and remove the >>> resources/paths you want to make public from the list of resources >>> protected by the adapter.
>>> >>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> >>> wrote: >>> >>> Another question: how to apply default authorizations? >>> >>> I want to protect my API with authorization in Keycloak. However some >>> resources should be open to the public, accessible without any bearer >>> token. >>> My idea was: >>> - create an "unregistered_user" composite role, containing some basic >>> roles >>> - create a "guest" user, with the unregistered_user role >>> - on the API server, if there is no token in the request I will get the >>> roles of the guest user and use them. If there is a token, I'll use that >>> user's permissions. >>> What do you think of that process? >>> >>> Thanks >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Nov 21 07:16:36 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 21 Nov 2017 10:16:36 -0200 Subject: [keycloak-user] keycloak 3.4.0 - Missing relation In-Reply-To: References: <002a01d3620c$f57b8980$e0729c80$@huebinet.de> Message-ID: Although I just ran a container with KC + PG (v10) and it just boots fine ... On Mon, Nov 20, 2017 at 2:46 PM, Hynek Mlnarik wrote: > You might be able to set Postgres schema search_path > via new-connection-sql property set to "SET search_path TO > " on Keycloak datasource (untested).
> > You can set the default schema search path database-wise as per this > article: https://stackoverflow.com/questions/2875610/permanently-set-postgresql-schema-path > > --Hynek > > On Mon, Nov 20, 2017 at 3:36 PM, Kevin Hirschmann wrote: > >> Hi, >> >> >> >> It is postgres. >> >> >> >> From: Pedro Igor Silva [mailto:psilva at redhat.com] >> Sent: Friday, 17 November 2017 16:07 >> To: Kevin Hirschmann <khirschmann at huebinet.de> >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation >> >> >> >> What is your database ? >> >> >> >> On Fri, Nov 17, 2017 at 12:11 PM, Kevin Hirschmann < >> khirschmann at huebinet.de > wrote: >> >> Hello everybody, >> >> I am setting up a new keycloak instance (3.4.0) resulting in the >> following error (Relation does not exist): >> >> INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] >> (ServerService Thread Pool -- 78) Updating database. Using changelog >> META-INF/jpa-changelog-master.xml >> ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] >> (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie at gmail.com failed.
>> Error: ERROR: relation "resource_server_policy" does not exist >> Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET >> RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE >> s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: >> ERROR: relation "resource_server_policy" does not exist >> Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET >> RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE >> s.ID = p.RESOURCE_SERVER_ID)] >> >> >> The problem only occurs if I do NOT use the default schema. If I use the >> default schema everything is great. >> How can I work around this problem? >> >> Thx for your help >> >> Kevin Hirschmann >> >> HUEBINET Informationsmanagement GmbH & Co. KG >> >> >> Phone: +49 (0) 261 / 5 00 86 - 17 >> >> Fax: +49 (0) 261 / 5 00 86 - 29 >> >> E-Mail: kevin.hirschmann at huebinet.de >> Internet: www.huebinet.de >> >> HUEBINET Informationsmanagement GmbH & Co. KG >> An der Königsbach 8 >> >> 56075 Koblenz >> >> Registered office and court of registration: Koblenz HRA 5329 >> >> Personally liable partner of the KG: >> HUEBINET GmbH; >> Registered office and court of registration: Koblenz HRB 6857 >> >> Management: >> Dr. Carsten Sch?pp; Michael Biemer; Michael Ewertz >> ------------------------------------------------------------ >> >> Email communication with HUEBINET Informationsmanagement GmbH & Co.
KG is >> only intended to provide information of a general kind, and shall not be >> used for any statement with binding contents in respect to legal relations. >> It is not totally possible to prevent a third party from manipulating >> emails and email contents. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > --Hynek >

From psilva at redhat.com Tue Nov 21 07:51:29 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 21 Nov 2017 10:51:29 -0200 Subject: [keycloak-user] Authorization transfer In-Reply-To: References: Message-ID: Resources have a *type* field that can be used to group resources. Permissions granted to a "typed resource" (which is created with the resource server itself as the owner) apply to any other resource with the same type and owned by a user. Think about a "typed resource" as a general/parent resource. If you have a "mydomain" typed resource and a "myhouse" resource, sharing the same type, any permission you apply to "mydomain" is going to be applied to "myhouse". Does it make sense? On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont wrote: > Thanks for the answer. > My plan is to make authorizations based on groups of resources, that we > call "domains". > Basically, when a user creates a resource, he can decide to put it in an > existing domain. > The URL reflects that domain: > > http://www.example.com/api/v1/domains/mydomain/houses/myhouse > > The user can also create domains with the domains endpoint: > > POST http://www.example.com/api/v1/domains/ > > What is not clear for me is how users can get access to domains.
> Probably users can have an attribute "domains", with the list of domains > they have access to? > Or should a domain be represented in Keycloak as a resource? > In this case, should we create roles to access that domain? > For example, the role "admin-mydomain" ? > > Or should it be implemented with user groups in Keycloak? Or with User > policies? > > > > On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva > wrote: > >> Right now you can't do it. This is all about the work we are doing to >> better support UMA protocol. Soon you'll be able to let your users >> manage their resources (and their policies) from Keycloak Account Service, >> grant and revoke access to other users, authorization flows. We are really >> missing this. >> >> However, I think you can try to use the Policy Management API. It >> provides a RESTful API that you can use to manage permissions and policies. >> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other tests in >> the same package for other permission and policy types. >> >> Please, let me know about your achievements if you start doing something >> with the Policy Management API. Any feedback is welcome and will probably >> help with the work I mentioned before around UMA. >> >> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi guys, >>> is it possible for an application user to grant some authorizations to >>> another user? >>> For example in the photoz example, how can I give access to my albums to >>> another user? >>> What would be the mechanism?
>>> >>> Thanks a lot >>> Corentin >>> >> >> >

From corentin.dupont at gmail.com Tue Nov 21 07:58:21 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 21 Nov 2017 13:58:21 +0100 Subject: [keycloak-user] default permissions In-Reply-To: References: <80B25B48-044B-4012-AD6A-2140CFEA051A@gmail.com> <2EA86335-8E36-446D-BC3D-EE9B14E92B5E@gmail.com> Message-ID: Interesting, thanks! On Tue, Nov 21, 2017 at 12:12 PM, Emilien Bondu wrote: > Hi, > > As a first draft of an "unauthenticated" authz, you can have a look here > : > > https://github.com/ebondu/keycloak/tree/KEYCLOAK-5839/ > > Interesting classes are : > > keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/UnauthenticatedActionsHandler.java > keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/UnauthenticatedPolicyEnforcer.java > keycloak/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakUnauthenticatedActionsFilter.java > > Here a corresponding conf in spring to use it : > > class="org.keycloak.adapters.springsecurity.filter.KeycloakUnauthenticatedActionsFilter"/> > create-session="stateless" use-expressions="true"> > ... > > before="FORM_LOGIN_FILTER" /> > ... > > Emilien > > > On 10 Nov 2017 at 15:02, Pedro Igor Silva wrote: > > > > I'm glad to take a look on it and see how it could fit in our adapters. > > Could you create a JIRA and give some link to your code so we can discuss > > from there ? > > > > Thanks.
> > > > On Fri, Nov 10, 2017 at 10:51 AM, Emilien Bondu > > wrote: > > > >> To achieve this, I implemented a KeycloakAnonymousActionsFilter filter > to > >> handle requests, associated to an AnonymousActionsHandler (extending the > >> official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer > (extending > >> the official AbstractPolicyEnforcer). Do you think this code should be > >> added to the official spring-adapter ? > >> > >> > >> On 10 Nov 2017 at 12:12, Pedro Igor Silva wrote: > >> > >> @Emilien Bondu, I was looking at that thread again and now I'm wondering if > >> you ended up with something you can share. > >> > >> On Fri, Nov 10, 2017 at 9:07 AM, Emilien Bondu > >> wrote: > >> > >>> Hi, > >>> > >>> Maybe you should have a look here : > >>> > >>> http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html > >>> > >>> > >>> On 10 Nov 2017 at 11:33, Pedro Igor Silva wrote: > >>> > >>> Hi, > >>> > >>> I think you could probably change your application and remove the > >>> resources/paths you want to make public from the list of resources > >>> protected by the adapter. > >>> > >>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont < > >>> corentin.dupont at gmail.com> > >>> wrote: > >>> > >>> Another question: how to apply default authorizations? > >>> > >>> I want to protect my API with authorization in Keycloak. However some > >>> resources should be open to the public, accessible without any bearer > >>> token. > >>> My idea was: > >>> - create an "unregistered_user" composite role, containing some basic > >>> roles > >>> - create a "guest" user, with the unregistered_user role > >>> - on the API server, if there is no token in the request I will get the > >>> roles of the guest user and use them. If there is a token, I'll use > that > >>> user's permissions. > >>> What do you think of that process?
> >>> > >>> Thanks > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >>> > >>> > >> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From khirschmann at huebinet.de Tue Nov 21 10:31:39 2017 From: khirschmann at huebinet.de (Kevin Hirschmann) Date: Tue, 21 Nov 2017 16:31:39 +0100 Subject: [keycloak-user] keycloak 3.4.0 - Missing relation In-Reply-To: References: <002a01d3620c$f57b8980$e0729c80$@huebinet.de> Message-ID: <000001d362dd$d38aa690$7a9ff3b0$@huebinet.de> Sorry, I have to ask it: You have set the schema in your standalone.xml to a schema which is not the "public" schema? Without the last property it works. No doubt about that. If I set the schema property the "keycloak" schema gets populated with 91 tables till it exits with the error below. @Hynek: Thanks, I will give that a try. From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Tuesday, 21 November 2017 13:17 To: Hynek Mlnarik Cc: Kevin Hirschmann ; keycloak-user Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation Although I just ran a container with KC + PG (v10) and it just boots fine ... On Mon, Nov 20, 2017 at 2:46 PM, Hynek Mlnarik wrote: You might be able to set Postgres schema search_path via new-connection-sql property set to "SET search_path TO " on Keycloak datasource (untested).
You can set the default schema search path database-wise as per this article: https://stackoverflow.com/questions/2875610/permanently-set-postgresql-schema-path --Hynek On Mon, Nov 20, 2017 at 3:36 PM, Kevin Hirschmann wrote: Hi, It is postgres. From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, 17 November 2017 16:07 To: Kevin Hirschmann Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation What is your database ? On Fri, Nov 17, 2017 at 12:11 PM, Kevin Hirschmann wrote: Hello everybody, I am setting up a new keycloak instance (3.4.0) resulting in the following error (Relation does not exist): INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database. Using changelog META-INF/jpa-changelog-master.xml ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie at gmail.com failed. Error: ERROR: relation "resource_server_policy" does not exist Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: ERROR: relation "resource_server_policy" does not exist Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)] The problem only occurs if I do NOT use the default schema. If I use the default schema everything is great. How can I work around this problem? Thx for your help Kevin Hirschmann HUEBINET Informationsmanagement GmbH & Co.
KG _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From corentin.dupont at gmail.com Tue Nov 21 12:54:41 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 21 Nov 2017 18:54:41 +0100 Subject: [keycloak-user] Authorization transfer Message-ID: I see, so I need to create "mydomain" as a resource. But what should be the type for both "mydomain" and "myhouse"? Should it be something like "domain:mydomain"?
What I would like is to grant different access to users to that domain. For example: user Bob can only view resources in domain "mydomain". User Alice can view and delete resources in "mydomain". Should I create a "User Policy" with the list of users that have access? If I understand, I need to use the "resource-based" permission. However it does not seem to let me select the scopes (as in my example: Bob can only view, but Alice can delete). Another question: how to invoke the API for typed resources? I have:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Sensors",
      "scopes" : [ "view" ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"

But this uses the name of the resource, so I am not sure. Is there a reference for this API? Thanks a lot PS. I found some minor bugs related to the API, should I report them here or create a JIRA? On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva wrote: > Resources have a *type* field that can be used to group resources. > Permissions granted to a "typed resource" (which is created with the > resource server itself as the owner) apply to any other resource with the > same type and owned by a user. Think about a "typed resource" as a > general/parent resource. > > If you have a "mydomain" typed resource and a "myhouse" resource, sharing > the same type, any permission you apply to "mydomain" is going to be > applied to "myhouse". > > Does it make sense? > > On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Thanks for the answer. >> My plan is to make authorizations based on groups of resources, that we >> call "domains". >> Basically, when a user creates a resource, he can decide to put it in an >> existing domain.
>> The URL reflects that domain: >> >> http://www.example.com/api/v1/domains/mydomain/houses/myhouse >> >> The user can also create domains with the domains endpoint: >> >> POST http://www.example.com/api/v1/domains/ >> >> What is not clear for me is how users can get access to domains. >> Probably users can have an attribute "domains", with the list of domains >> they have access to? >> Or should a domain be represented in Keycloak as a resource? >> In this case, should we create roles to access that domain? >> For example, the role "admin-mydomain" ? >> >> Or should it be implemented with user groups in Keycloak? Or with User >> policies? >> >> >> >> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva >> wrote: >> >>> Right now you can't do it. This is all about the work we are doing to >>> better support UMA protocol. Soon you'll be able to let your users >>> manage their resources (and their policies) from Keycloak Account Service, >>> grant and revoke access to other users, authorization flows. We are really >>> missing this. >>> >>> However, I think you can try to use the Policy Management API. It >>> provides a RESTful API that you can use to manage permissions and policies. >>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other >>> tests in the same package for other permission and policy types. >>> >>> Please, let me know about your achievements if you start doing something >>> with the Policy Management API. Any feedback is welcome and will probably >>> help with the work I mentioned before around UMA. >>> >>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Hi guys, >>>> is it possible for an application user to grant some authorizations to >>>> another user?
>>>> For example in the photoz example, how can I give access to my albums >>>> to another user? >>>> What would be the mechanism? >>>> >>>> Thanks a lot >>>> Corentin >>>> >>> >>> >> >

From madhan.klazzez at gmail.com Tue Nov 21 13:09:54 2017 From: madhan.klazzez at gmail.com (Madhan Kumar S P) Date: Tue, 21 Nov 2017 18:09:54 +0000 Subject: [keycloak-user] Integrating Login With Facebook Message-ID: Hello, I am trying to integrate the Keycloak with Facebook social plugin. I had gone through the examples and documentation. This works fine if I use the Keycloak hosted Login Page. What I need is that we want to host our own login page and use the Keycloak APIs to register the user and login. I mean, I want to host our Sign Up/Login Page. When the user clicks on the Login with Facebook, we want to redirect the user to FB and get the approval and collect the details, create the user details that we need for our application. Then register the user on the Keycloak. I don't see any documentation for this. I would be really grateful if you can shed some light on this and point to the documentation that would help me in achieving this. Thanks & Regards, Madhan Kumar S P

From corentin.dupont at gmail.com Tue Nov 21 16:13:33 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 21 Nov 2017 22:13:33 +0100 Subject: [keycloak-user] Authorization transfer In-Reply-To: References: Message-ID: In parallel with the domains authorizations, I have other policies, such as "owner" policies (similar to the photoz example). I coded the owner policy with javascript:

var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
// grant when the requesting identity is the owner of the resource being
// evaluated; otherwise the policy calls neither grant() nor deny()
if (identity.id == permission.getResource().getOwner()) {
    $evaluation.grant();
}

But it leads to this result when evaluating a user: Result: DENY Policies: - Can access domain decision was PERMIT by UNANIMOUS decision. - Users in domain voted to PERMIT.
Can delete MyHouse decision was DENY by UNANIMOUS decision. - owner can access voted to DENY. The two permissions are overlapping, so it seems normal that both got evaluated. But why did the java policy ("Grant_owner") vote DENY? I didn't mention the deny explicitly in the code... I think that if you are the owner, you should be granted. But if you are not the owner, no decision can be taken by the policy... On Tue, Nov 21, 2017 at 6:54 PM, Corentin Dupont wrote: > > I see, so I need to create "mydomain" as a resource. > But what should be the type for both "mydomain" and "myhouse"? Should it > be something like "domain:mydomain"? > > What I would like is to grant different access to users to that domain. > For example: user Bob can only view resources in domain "mydomain". > User Alice can view and delete resources in "mydomain". > Should I create a "User Policy" with the list of users that have access? > > If I understand, I need to use the "resource-based" permission. However it > does not seem to let me select the scopes (as in my example: Bob can only > view, but Alice can delete). > > Another question: how to invoke the API for typed resources? > I have: > curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer > $TOKEN" -d '{ > "permissions" : [ > { > "resource_set_name" : "Sensors", > "scopes" : [ > "view" > ] > } > ] > }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" > > But this uses the name of the resource, so I am not sure. Is there a > reference for this API? > > Thanks a lot > PS. I found some minor bugs related to the API, should I report them here > or create a JIRA? > > > > On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva > wrote: > >> Resources have a *type* field that can be used to group resources. >> Permissions granted to a "typed resource" (which is created with the >> resource server itself as the owner) apply to any other resource with the >> same type and owned by a user.
Think about a "typed resource" as a >> general/parent resource. >> >> If you have a "mydomain" typed resource and a "myhouse" resource, sharing >> the same type, any permission you apply to "mydomain" is going to be >> applied to "myhouse". >> >> Does it make sense? >> >> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Thanks for the answer. >>> My plan is to make authorizations based on groups of resources, that we >>> call "domains". >>> Basically, when a user creates a resource, he can decide to put it in an >>> existing domain. >>> The URL reflects that domain: >>> >>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse >>> >>> The user can also create domains with the domains endpoint: >>> >>> POST http://www.example.com/api/v1/domains/ >>> >>> What is not clear for me is how users can get access to domains. >>> Probably users can have an attribute "domains", with the list of >>> domains they have access to? >>> Or should a domain be represented in Keycloak as a resource? >>> In this case, should we create roles to access that domain? >>> For example, the role "admin-mydomain" ? >>> >>> Or should it be implemented with user groups in Keycloak? Or with User >>> policies? >>> >>> >>> >>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva >>> wrote: >>> >>>> Right now you can't do it. This is all about the work we are doing to >>>> better support UMA protocol. Soon you'll be able to let your users >>>> manage their resources (and their policies) from Keycloak Account Service, >>>> grant and revoke access to other users, authorization flows. We are really >>>> missing this. >>>> >>>> However, I think you can try to use the Policy Management API. It >>>> provides a RESTful API that you can use to manage permissions and policies.
>>>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other >>>> tests in the same package for other permission and policy types. >>>> >>>> Please, let me know about your achievements if you start doing >>>> something with the Policy Management API. Any feedback is welcome and will >>>> probably help with the work I mentioned before around UMA. >>>> >>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Hi guys, >>>>> is it possible for an application user to grant some authorizations to >>>>> another user? >>>>> For example in the photoz example, how can I give access to my albums >>>>> to another user? >>>>> What would be the mechanism? >>>>> >>>>> Thanks a lot >>>>> Corentin >>>>> >>>> >>>> >>> >> >

From tonnis at autonomic.ai Tue Nov 21 18:12:31 2017 From: tonnis at autonomic.ai (Tonnis Wildeboer) Date: Tue, 21 Nov 2017 15:12:31 -0800 Subject: [keycloak-user] offlineSessions data in cache vs db Message-ID: Hello Keycloak Users, Ultimately, what we want to do is have three nodes in one Kubernetes namespace that define a cluster. Then be able to add three more nodes to the cluster in a new namespace that shares the same subnet and database, then kill off the original three nodes, effectively migrating the cluster to the new namespace and do all this without anyone being logged out. The namespace distinction is invisible to Keycloak, as far as I can tell. What we have tried: * Start with 3 standalone-ha mode instances clustered with JGroups/JDBC_PING. * Set the number of cache owners for sessions to 6. * Start the three new instances in the new Kubernetes namespace, configured exactly the same as the first three - that is, same db, same number of cache owners.
* Kill the original three But it seems this caused offlineSession tokens to be expired immediately. I found this in the online documentation (http://www.keycloak.org/docs/latest/server_installation/index.html#server-cache-configuration): > The second type of cache handles managing user sessions, offline tokens, and keeping track of login failures... The data held in these caches is temporary, in memory only, but is possibly replicated across the cluster. > The sessions, authenticationSessions, offlineSessions and loginFailures caches are the only caches that may perform replication. Entries are not replicated to every single node, but instead one or more nodes is chosen as an owner of that data. If a node is not the owner of a specific cache entry it queries the cluster to obtain it. What this means for failover is that if all the nodes that own a piece of data go down, that data is lost forever. By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again. It appears, based on these documentation comments and our experience, that the "source of truth" regarding offlineSessions is the data in the "owner" caches, is NOT the database, as I would have expected. It also seems to be the case that if a node joins the cluster (as defined by JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions cache from the database, but must rely on replication from one of the owner nodes. Questions: 1. Is the above understanding regarding the db vs cache correct? 2. If so, please explain the design/reasoning behind this behavior. Otherwise, please correct my understanding. 3. Is there a way to perform this simple migration without losing any sessions? 
Thanks, --Tonnis

From llivezking at gmail.com Tue Nov 21 18:53:45 2017 From: llivezking at gmail.com (Ilya Korol) Date: Wed, 22 Nov 2017 09:53:45 +1000 Subject: [keycloak-user] User registration outside of Keycloak login form Message-ID: You should use your custom Authenticator (see docs for Server development -> Authentication SPI). So the idea is to put this authenticator (Optional requirement) inside the browser flow right after Cookie. It will check whether the user is authenticated or not (if the user was authenticated it means that Cookie worked). Then it will show the form that you described via its challenge() method, and process the user's reaction in its action() method. If you don't fully understand what I've written, check the docs and you definitely should get the idea. Cheers.

From llivezking at gmail.com Tue Nov 21 19:20:36 2017 From: llivezking at gmail.com (Ilya Korol) Date: Wed, 22 Nov 2017 10:20:36 +1000 Subject: [keycloak-user] org.hibernate.LazyInitializationException (could not initialize proxy - no Session) when getting user attributes Message-ID: <5c3effc3-e583-dee0-6cb6-7f48b7847f03@gmail.com> Hi. I've written an implementation of org.keycloak.timer.ScheduledTask that should periodically and conditionally delete some users, depending on their attribute values:

    @Override
    public void run(KeycloakSession session) {
        long currentTime = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis());
        RealmModel realm;   // appropriate realm was set
        GroupModel group;   // appropriate group was set
        session.userLocalStorage()
               .getGroupMembers(realm, group).stream()
               .filter(user -> isNotVerified(user) && isExpired(user, currentTime))
               .forEach(user -> {
                   session.userLocalStorage().removeUser(realm, user);
               });
    }

    private boolean isNotVerified(UserModel user) {
        return user.getFirstAttribute(UserAttributes.STATUS) != null
                && user.getFirstAttribute(UserAttributes.STATUS).equals(UserStatuses.NOT_VERIFIED);
    }

    private boolean isExpired(UserModel user, long currentTime) {
        return TimeUnit.MILLISECONDS.toSeconds(user.getCreatedTimestamp()) + expirationTimeout < currentTime;
    }

When it runs I get the following exception in the method isNotVerified(UserModel user) for users that don't have any attributes. (For users with any attributes this works.)

    2017-11-21 14:51:31,030 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredOnboardingUsers: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: org.keycloak.models.jpa.entities.UserEntity.attributes, could not initialize proxy - no Session
            at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:567)
            at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:205)
            at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:546)
            at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:133)
            at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
            at org.keycloak.models.jpa.UserAdapter.getFirstAttribute(UserAdapter.java:176)
            at company.utils.ClearExpiredOnboardingUsers.isNotVerified(ClearExpiredOnboardingUsers.java:50)
            at company.utils.ClearExpiredOnboardingUsers.lambda$run$0(ClearExpiredOnboardingUsers.java:41)
            at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
            at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1380)
            at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
            at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
            at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
            at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
            at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
            at company.utils.ClearExpiredOnboardingUsers.run(ClearExpiredOnboardingUsers.java:42)
            at org.keycloak.services.scheduled.ScheduledTaskRunner.runTask(ScheduledTaskRunner.java:61)
            at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:45)
            at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51)
            at java.util.TimerThread.mainLoop(Timer.java:555)
            at java.util.TimerThread.run(Timer.java:505)

I found a workaround by surrounding the attribute verification with a try/catch for RuntimeException. In the debugger I checked that session.getTransactionManager().isActive() returns true. So I'm interested in the possible problems here. Do I have any mistakes in my code, or is there some kind of bug? Should it be moved to Jira?

From noircc at gmail.com Wed Nov 22 04:41:44 2017 From: noircc at gmail.com (SW) Date: Wed, 22 Nov 2017 02:41:44 -0700 (MST) Subject: [keycloak-user] Possible to configure CustomizedEmailSender for specific realm? Message-ID: <1511343704708-0.post@n6.nabble.com> Is it possible to configure a CustomizedEmailSender just for a specific realm, so that other realms use the default one?
I am thinking of something like this: -- Sent from: http://keycloak-user.88327.x6.nabble.com/

From noircc at gmail.com Wed Nov 22 04:44:43 2017 From: noircc at gmail.com (SW) Date: Wed, 22 Nov 2017 02:44:43 -0700 (MST) Subject: [keycloak-user] Is it possible that you delete not activated User after some time? Message-ID: <1511343883963-0.post@n6.nabble.com> I am thinking of an option where you can decide that after some time (24 hours or so) the not-yet-activated user will be deleted. Is this possible? regards & tia SW -- Sent from: http://keycloak-user.88327.x6.nabble.com/

From trojan295 at gmail.com Wed Nov 22 04:55:00 2017 From: trojan295 at gmail.com (Damian Czaja) Date: Wed, 22 Nov 2017 09:55:00 +0000 Subject: [keycloak-user] UMA Authorization Message-ID: Hello guys, AFAIK Keycloak currently does not have full UMA support and, e.g., it's not possible for users to manage resources they own. There is already a PR for KEYCLOAK-3169 on that. First question: How is the "owner" of the resource set when using the Resource Registration Endpoint ( https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html)? Is it set to the "subject" of the PAT token used to register the resource, or is it always the Resource Server who registered it? Second question: From what I know, in UMA to get the Permission Ticket you need to use the PAT of the Resource Owner. In case the Resource Owner is an End-User, does it mean the Resource Server will need to perform OAuth2 with the End-User and store the PAT somewhere to be able to issue Permission Tickets to Requesting Parties at any time, without the active presence of the End-User?
Best regards, Damian

From betalb at gmail.com Wed Nov 22 04:56:45 2017 From: betalb at gmail.com (Виталий Ищенко) Date: Wed, 22 Nov 2017 09:56:45 +0000 Subject: [keycloak-user] Unable to use Implicit Flow in Spring Security In-Reply-To: <503E358238E8A342A4E99D51DC42B9850B265BDC@DE-CM-MBX23.corp.capgemini.com> References: <503E358238E8A342A4E99D51DC42B9850B265BDC@DE-CM-MBX23.corp.capgemini.com> Message-ID: Without response_mode=form_post support in the adapter, it will be tricky to implement the implicit flow in a Java-only adapter, as it will require some JavaScript. I found an open JIRA for this: https://issues.jboss.org/browse/KEYCLOAK-2153 On Mon, Nov 20, 2017 at 8:06 PM HALLEGUEN, Roderic < roderic.halleguen at capgemini.com> wrote: > Hi, > I followed the two articles on the blog ( > https://developers.redhat.com/video/youtube/O5ePCWON08Y/) to make Keycloak > work with Spring Security. It works nicely, but I'm only able to use the > standard flow. Is there something to configure in Spring Security to make > it work with the Implicit flow? I didn't find anything about this in the > documentation. > Thanks for your help! > This message contains information that may be privileged or confidential > and is the property of the Capgemini Group. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain, copy, disseminate, distribute, > or use this message or any part thereof. If you receive this message in > error, please notify the sender immediately and delete all copies of this > message.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From snorre.lothar.von.gohren.edwin at entur.org Wed Nov 22 05:15:56 2017 From: snorre.lothar.von.gohren.edwin at entur.org (Edwin Snorre Lothar von Gohren) Date: Wed, 22 Nov 2017 10:15:56 +0000 Subject: [keycloak-user] NumberFormat exception on update password in self developed user-federation In-Reply-To: <3E3C2C38-4764-48E2-B1E4-8EF496513B9D@entur.org> References: <3E3C2C38-4764-48E2-B1E4-8EF496513B9D@entur.org> Message-ID: Hi guys, to keep my mail short: I have an issue I struggle to solve. So I have created posts on both stackoverflow and on the JIRA, because I don't know if it is a bug or not. But here are the links: https://issues.jboss.org/browse/KEYCLOAK-5874?jql=project%20%3D%20KEYCLOAK%20AND%20text%20~%20NumberFormatException https://stackoverflow.com/questions/47388978/keycloak-update-password-with-your-own-user-federation-throws-exception Greetings Tech-lead on Entur www.entur.org

From psilva at redhat.com Wed Nov 22 06:14:02 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 Nov 2017 09:14:02 -0200 Subject: [keycloak-user] Authorization transfer In-Reply-To: References: Message-ID: On Tue, Nov 21, 2017 at 3:54 PM, Corentin Dupont wrote: > > I see, so I need to create "mydomain" as a resource. > But what should be the type for both "mydomain" and "myhouse"? Should it > be something like "domain:mydomain"? > You can use whatever value you want ... > > What I would like is to grant different access to users to that domain. > For example: user Bob can only view resources in domain "mydomain". > User Alice can view and delete resources in "mydomain". > Should I create a "User Policy" with the list of users that have access? > A user or group policy should do the trick. > > If I understand, I need to use the "resource-based" permission.
However it > does not seem to let me select the scopes (as in my example: Bob can only > view, but Alice can delete). > If you have permissions that should be applied to scopes, you need scope-based permissions in order to tell the resource and scope you are protecting. I think we have a similar situation in the photoz example. If you take a look there, there is a Delete Album Permission that by default grants the "delete" scope for resource owners and admin users. In this case, the delete scope has its own permission. In case you want to change the permission and only allow resource owners to delete resources, you just remove from the permission the policy that grants access to admin users. Note that for whatever is owned by a user, the permission will be applied even though it is defined by the general/common "Album" resource and "delete" scope. > > Another question: how to invoke the API for typed resources? > I have:
> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>   "permissions" : [
>     {
>       "resource_set_name" : "Sensors",
>       "scopes" : [
>         "view"
>       ]
>     }
>   ]
> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
> > But this uses the name of the resource, so I am not sure. Is there a > reference for this API? > Only what we have in the docs, which can always be improved. But in a nutshell, there is no difference when asking permissions for a typed resource. You just send the name of the resource (typed or not) for which you want to get permissions and KC takes care of the rest. > > Thanks a lot > PS. I found some minor bugs related to the API, should I report them here > or create a JIRA? > Yeah, please. > > > > On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva > wrote: > >> Resources have a *type* field that can be used to group resources. >> Permissions granted to a "typed resource" (which is created with the >> resource server itself as the owner) apply to any other resource with the >> same type and owned by a user.
Think about a >> general/parent resource. >> >> If you have a "mydomain" typed resource and a "myhouse" resource, sharing >> the same type, any permission you apply to "mydomain" is going to be >> applied to "myhouse". >> >> Does it make sense? >> >> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Thanks for the answer. >>> My plan is to make authorizations based on groups of resources, that we >>> call "domains". >>> Basically, when a user creates a resource, he can decide to put it in an >>> existing domain. >>> The URL reflects that domain: >>> >>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse >>> >>> The user can also create domains with the domains endpoint: >>> >>> POST http://www.example.com/api/v1/domains/ >>> >>> What is not clear for me is how users can get access to domains. >>> Probably users can have an attribute "domains", with the list of >>> domains they have access to? >>> Or should a domain be represented in Keycloak as a resource? >>> In this case, should we create roles to access that domain? >>> For example, the role "admin-mydomain"? >>> >>> Or should it be implemented with user groups in Keycloak? Or with User >>> policies? >>> >>> >>> >>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva >>> wrote: >>> >>>> Right now you can't do it. This is all about the work we are doing to >>>> better support the UMA protocol. Soon you'll be able to let your users >>>> manage their resources (and their policies) from the Keycloak Account Service, >>>> grant and revoke access to other users, authorization flows. We are really >>>> missing this. >>>> >>>> However, I think you can try to use the Policy Management API. It >>>> provides a RESTful API that you can use to manage permissions and policies.
>>>> As an example: https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other >>>> tests in the same package for other permission and policy types. >>>> >>>> Please, let me know about your achievements if you start doing >>>> something with the Policy Management API. Any feedback is welcome and will >>>> probably help with the work I mentioned before around UMA. >>>> >>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Hi guys, >>>>> is it possible for an application user to grant some authorizations to >>>>> another user? >>>>> For example in the photoz example, how can I give access to my albums >>>>> to another user? >>>>> What would be the mechanism? >>>>> >>>>> Thanks a lot >>>>> Corentin >>>>> >>>> >>>> >>> >> >

From psilva at redhat.com Wed Nov 22 06:22:14 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 Nov 2017 09:22:14 -0200 Subject: [keycloak-user] Authorization transfer In-Reply-To: References: Message-ID: On Tue, Nov 21, 2017 at 7:13 PM, Corentin Dupont wrote: > In parallel with the domain authorizations, I have other policies, such > as "owner" policies (similar to the photoz example). > I coded the owner policy with JavaScript: >
> var context = $evaluation.getContext();
> var permission = $evaluation.getPermission();
> var identity = context.getIdentity();
> if (identity.id == permission.getResource().getOwner()) {
>     $evaluation.grant();
> }
> > But it leads to this result when evaluating a user: >
> Result: DENY
>
> Policies:
> - Can access domain
>   decision was PERMIT by UNANIMOUS decision.
>   - Users in domain
>     voted to PERMIT.
>
> - Can delete MyHouse
>   decision was DENY by UNANIMOUS decision.
>   - owner can access
>     voted to DENY.
> > > The two permissions are overlapping, so it seems normal that both got > evaluated. > But why did the java policy ("Grant_owner") vote DENY? > I didn't mention explicitly the deny in the code... > By default, if your policy doesn't call either deny or grant, the result is a DENY. > I think that if you are the owner, you should be granted. But if you are > not the owner, no decision can be taken by the policy... > You need to check who is the owner of your resource. I guess the "Can delete MyHouse" is a permission for some "delete" scope you have. Because you got a DENY, it does not necessarily mean that you won't get the sub-set of permissions that were granted. When using the Policy Evaluation Tool, take a look at a link on the results page that is called "Show Authorization Data". Once you click this link, you will be presented with a page that shows what an RPT would look like, with the permissions actually granted during the evaluation. > > > > > On Tue, Nov 21, 2017 at 6:54 PM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> >> I see, so I need to create "mydomain" as a resource. >> But what should be the type for both "mydomain" and "myhouse"? Should it >> be something like "domain:mydomain"? >> >> What I would like is to grant different access to users to that domain. >> For example: user Bob can only view resources in domain "mydomain". >> User Alice can view and delete resources in "mydomain". >> Should I create a "User Policy" with the list of users that have access? >> >> If I understand, I need to use the "resource-based" permission. However >> it does not seem to let me select the scopes (as in my example: Bob can >> only view, but Alice can delete). >> >> Another question: how to invoke the API for typed resources?
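The evaluation Pedro describes, as an added example that is not part of the thread or of Keycloak itself: a small JavaScript model of the $evaluation object (the vote stays DENY when a policy script calls neither grant() nor deny()), the UNANIMOUS strategy, and the granted subset that "Show Authorization Data" would list. The resource, user ids and the body of the "Users in domain" policy are constructed assumptions.

```javascript
// Added example, not Keycloak's code: a model of how a JavaScript policy such
// as the owner policy from this thread is evaluated, and why one permission can
// vote DENY while another permission in the same request is still granted.

// Stand-in for Keycloak's $evaluation object. If the policy script calls
// neither grant() nor deny(), the vote stays at the default DENY.
class Evaluation {
  constructor(context, permission) {
    this.context = context;
    this.permission = permission;
    this.effect = 'DENY';
  }
  getContext() { return this.context; }
  getPermission() { return this.permission; }
  grant() { this.effect = 'PERMIT'; }
  deny() { this.effect = 'DENY'; }
}

// The owner policy as posted in the thread, wrapped in a function so it can be
// run against the stand-in $evaluation. There is no deny() branch, so a
// non-owner silently gets the default DENY.
function ownerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  if (identity.id == permission.getResource().getOwner()) {
    $evaluation.grant();
  }
}

// Stand-in (assumed body) for the "Users in domain" user policy: explicit
// PERMIT for listed users, explicit DENY for everyone else.
function usersInDomainPolicy(allowedUserIds) {
  return function ($evaluation) {
    var id = $evaluation.getContext().getIdentity().id;
    if (allowedUserIds.indexOf(id) >= 0) {
      $evaluation.grant();
    } else {
      $evaluation.deny();
    }
  };
}

// A permission ties a resource to the policies that must vote on it.
function makePermission(name, resource, policies) {
  return { name, policies, getResource: () => resource };
}

// UNANIMOUS decision strategy: granted only if every policy votes PERMIT.
function evaluatePermission(permission, context) {
  const votes = permission.policies.map((policy) => {
    const ev = new Evaluation(context, permission);
    policy.fn(ev);
    return { policy: policy.name, vote: ev.effect };
  });
  const decision = votes.every((v) => v.vote === 'PERMIT') ? 'PERMIT' : 'DENY';
  return { permission: permission.name, decision, votes };
}

// Evaluate every permission for one identity. As in the thread's output, the
// overall result is DENY as soon as one permission is denied, while the
// granted subset is what the RPT ("Show Authorization Data") would contain.
function evaluate(permissions, identity) {
  const context = { getIdentity: () => identity };
  const details = permissions.map((p) => evaluatePermission(p, context));
  return {
    result: details.every((r) => r.decision === 'PERMIT') ? 'PERMIT' : 'DENY',
    granted: details.filter((r) => r.decision === 'PERMIT').map((r) => r.permission),
    details,
  };
}

// Constructed sample data (hypothetical ids): MyHouse is owned by alice;
// alice and bob are the users allowed into "mydomain".
const myHouse = { name: 'MyHouse', getOwner: () => 'alice' };
const permissions = [
  makePermission('Can access domain', myHouse,
    [{ name: 'Users in domain', fn: usersInDomainPolicy(['alice', 'bob']) }]),
  makePermission('Can delete MyHouse', myHouse,
    [{ name: 'owner can access', fn: ownerPolicy }]),
];

// bob reproduces the thread's result: overall DENY, but "Can access domain"
// is still granted and would appear in the RPT.
for (const id of ['alice', 'bob', 'carol']) {
  const r = evaluate(permissions, { id });
  console.log(id + ': ' + r.result + ', granted: ' + (r.granted.join(', ') || '(none)'));
}
```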
>> I have:
>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>   "permissions" : [
>>     {
>>       "resource_set_name" : "Sensors",
>>       "scopes" : [
>>         "view"
>>       ]
>>     }
>>   ]
>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>> >> But this uses the name of the resource, so I am not sure. Is there a >> reference for this API? >> >> Thanks a lot >> PS. I found some minor bugs related to the API, should I report them here >> or create a JIRA? >> >> >> >> On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva >> wrote: >> >>> Resources have a *type* field that can be used to group resources. >>> Permissions granted to a "typed resource" (which is created with the >>> resource server itself as the owner) apply to any other resource with the >>> same type and owned by a user. Think about a "typed resource" as a >>> general/parent resource. >>> >>> If you have a "mydomain" typed resource and a "myhouse" resource, >>> sharing the same type, any permission you apply to "mydomain" is going to >>> be applied to "myhouse". >>> >>> Does it make sense? >>> >>> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Thanks for the answer. >>>> My plan is to make authorizations based on groups of resources, that we >>>> call "domains". >>>> Basically, when a user creates a resource, he can decide to put it in >>>> an existing domain. >>>> The URL reflects that domain: >>>> >>>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse >>>> >>>> The user can also create domains with the domains endpoint: >>>> >>>> POST http://www.example.com/api/v1/domains/ >>>> >>>> What is not clear for me is how users can get access to domains. >>>> Probably users can have an attribute "domains", with the list of >>>> domains they have access to? >>>> Or should a domain be represented in Keycloak as a resource? >>>> In this case, should we create roles to access that domain?
>>>> For example, the role "admin-mydomain"? >>>> >>>> Or should it be implemented with user groups in Keycloak? Or with User >>>> policies? >>>> >>>> >>>> >>>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> Right now you can't do it. This is all about the work we are doing to >>>>> better support the UMA protocol. Soon you'll be able to let your users >>>>> manage their resources (and their policies) from the Keycloak Account Service, >>>>> grant and revoke access to other users, authorization flows. We are really >>>>> missing this. >>>>> >>>>> However, I think you can try to use the Policy Management API. It >>>>> provides a RESTful API that you can use to manage permissions and policies. >>>>> As an example: https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java. There are other >>>>> tests in the same package for other permission and policy types. >>>>> >>>>> Please, let me know about your achievements if you start doing >>>>> something with the Policy Management API. Any feedback is welcome and will >>>>> probably help with the work I mentioned before around UMA. >>>>> >>>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> Hi guys, >>>>>> is it possible for an application user to grant some authorizations >>>>>> to another user? >>>>>> For example in the photoz example, how can I give access to my albums >>>>>> to another user? >>>>>> What would be the mechanism?
>>>>>> >>>>>> Thanks a lot >>>>>> Corentin >>>>>> >>>>> >>>>> >>>> >>> >> >

From psilva at redhat.com Wed Nov 22 06:25:45 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 Nov 2017 09:25:45 -0200 Subject: [keycloak-user] keycloak 3.4.0 - Missing relation In-Reply-To: <000001d362dd$d38aa690$7a9ff3b0$@huebinet.de> References: <002a01d3620c$f57b8980$e0729c80$@huebinet.de> <000001d362dd$d38aa690$7a9ff3b0$@huebinet.de> Message-ID: Humm. I did not, will check this ... Thanks. On Tue, Nov 21, 2017 at 1:31 PM, Kevin Hirschmann wrote: > Sorry, I have to ask it: You have set the schema in your standalone.xml to > a schema which is not the "public" schema? > > Without the last property it works. No doubt about that. > > If I set the schema property the "keycloak" schema gets populated with 91 > tables till it exits with the error below. > > @Hynek: Thanks, I will give that a try. > > > > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Tuesday, 21 November 2017 13:17 > To: Hynek Mlnarik > Cc: Kevin Hirschmann ; keycloak-user < > keycloak-user at lists.jboss.org> > > Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation > > > > Although I just ran a container with KC + PG (v10) and it just boots fine > ... > > > > On Mon, Nov 20, 2017 at 2:46 PM, Hynek Mlnarik > wrote: > > You might be able to set the Postgres schema search_path > via the new-connection-sql property set to "SET search_path TO > " on the Keycloak datasource (untested). > > > > You can set the default schema search path database-wise as per this > article: https://stackoverflow.com/questions/2875610/permanently-set-postgresql-schema-path > > > > --Hynek > > > > On Mon, Nov 20, 2017 at 3:36 PM, Kevin Hirschmann > wrote: > > Hi, > > > > It is postgres. > > > > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Friday, 17
November 2017 16:07 > To: Kevin Hirschmann <khirschmann at huebinet.de> > > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] keycloak 3.4.0 - Missing relation > > > > What is your database? > > > > On Fri, Nov 17, 2017 at 12:11 PM, Kevin Hirschmann < > khirschmann at huebinet.de > wrote: > > Hello everybody, > > I am setting up a new keycloak instance (3.4.0) resulting in the following > error (Relation does not exist): >
> INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database. Using changelog META-INF/jpa-changelog-master.xml
> ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie at gmail.com failed. Error: FEHLER: Relation »resource_server_policy« existiert nicht Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: FEHLER: Relation »resource_server_policy« existiert nicht Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]
> > > The problem only occurs if I do NOT use the default schema. If I use the > default schema everything is great. > How can I work around this problem? > > Thx for your help > > Kevin Hirschmann > > HUEBINET Informationsmanagement GmbH & Co.
KG > > > Phone: +49 (0) 261 / 5 00 86 - 17 > Fax: +49 (0) 261 / 5 00 86 - 29 > E-Mail: kevin.hirschmann at huebinet.de > Internet: www.huebinet.de > > HUEBINET Informationsmanagement GmbH & Co. KG > An der Königsbach 8 > > 56075 Koblenz > > > Registered office and court of registration: Koblenz HRA 5329 > > Personally liable general partner of the KG: > HUEBINET GmbH; > Registered office and court of registration: Koblenz HRB 6857 > > Management: > Dr. Carsten Sch?pp; Michael Biemer; Michael Ewertz > ------------------------------------------------------------ > > E-mail correspondence with HUEBINET Informationsmanagement GmbH & Co. > KG, Koblenz serves information purposes only. > Legally binding declarations cannot be exchanged via this > medium, since manipulation of e-mails by third parties cannot be ruled out. > > Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is > only intended to provide information of a general kind, and shall not be > used for any statement with binding contents in respect to legal relations. > It is not totally possible to prevent a third party from manipulating > emails and email contents.
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > > > --Hynek > > >

From asrafalianwarali.shaikh at gi-de.com Wed Nov 22 06:42:19 2017 From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali) Date: Wed, 22 Nov 2017 11:42:19 +0000 Subject: [keycloak-user] extend theme with some extra text In-Reply-To: <68e97ce2-8f4b-1923-5c6c-98c5a674ecec@merit.unu.edu> References: <68e97ce2-8f4b-1923-5c6c-98c5a674ecec@merit.unu.edu> Message-ID: <23a5f8aa61604148b31a0536fca2975a@gi-de.com> Hi, We have also raised a similar concern, and have created JIRA task https://issues.jboss.org/browse/KEYCLOAK-5645 for the same. Regards, Asraf Shaikh -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of mj Sent: Monday, November 20, 2017 12:53 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] extend theme with some extra text Hi, For the archives, we have edited these two files:
keycloak/themes/base/login/login-update-password.ftl
keycloak/themes/base/account/password.ftl
And included the text:

Please note our password requirements:

  • minimum eight characters total
  • minimum one UPPER case character
  • minimum one lower case character
  • minimum one digit
  • minimum one 'special' symbol, like - _ * !

plus:

  • It cannot contain "password"
  • It cannot contain your username
  • Your last ten (10) passwords cannot be re-used
Perhaps this info saves someone else some time. MJ On 11/19/2017 04:29 PM, mj wrote: > Hi, > > We are trying to display some extra static text on the two pages where > a password can be changed: > > - the login theme (sunrise) > - the account theme (address) > > We're trying to add text to inform the users of *all* configured > password requirements at once. Something like: > >> Kindly be advised to use: >> - min. 8 characters >> - min. one lower case >> - min. one upper case >> - min. one special character > > In the current situation during a password change, the user initially > is not informed about the minimum requirements, and 'learns' a new > requirement on each password rejection. > > We know that this should be possible by editing the (in our case) > themes "sunrise" and "address". But could someone point out where and > how we can add some new extra text to these pages? > > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From to_sud at yahoo.com Wed Nov 22 08:24:43 2017 From: to_sud at yahoo.com (Sud Ramasamy) Date: Wed, 22 Nov 2017 08:24:43 -0500 Subject: [keycloak-user] session timeout behavior when using the Spring Security adapter Message-ID: It looks like when using Keycloak and Spring Security with the OIDC Client protocol there is a way to hose the application session unintentionally when the Keycloak SSO session timeout setting is lower than the application (i.e. Client) session timeout value. If the user accesses any parts of the application which are protected by the Keycloak adapter after the access token has expired (configured for 5 minutes) without first ending the application session, Spring Security still has the authentication object.
But as part of the authentication flow in the application, the Keycloak adapter checks to see if the Access token is active, which it won't be at this point. So the Keycloak adapter (RefreshableKeycloakSecurityContext.java) attempts to get a new Access token using the refresh token it has. Since the refresh token has been invalidated in Keycloak, the adapter receives a "Stale refresh token" error response from Keycloak. The "no access token" is propagated to the Keycloak adapter's OAuthRequestAuthenticator.java which proceeds to trigger a login redirect to Keycloak. Once the user is successfully authenticated in Keycloak and control is returned to the KeycloakAuthenticationProcessingFilter.java, as a final step it attempts to store the KeycloakAuthenticationToken in the Spring SecurityContextHolder (see SpringSecurityTokenStore.saveAccountInfo). Here the code throws an exception because there is already an existing KeycloakAuthenticationToken in the SecurityContextHolder from the earlier login that wasn't cleared. At this point SSO login into the application is hosed.

A potential fix is to trigger a call to the application's logout endpoint which will clear the Spring SecurityContextHolder object prior to fetching a new access token.

I was wondering if anyone has run into this behavior. It seems like when using the OIDC Client protocol, by its very nature of using short-lived Access tokens and Refresh tokens that are tied to the Keycloak session, we will have to set the Keycloak Session timeout to be the same or higher than the Client session timeout. But we do not necessarily have control over the clients. So we will have to set the Keycloak session timeout to the highest session timeout across all Clients since this is a realm level setting and not a per-Client setting. But this breaks another use case since we are using Identity Brokering. We want the user to be bounced to the external Identity Provider when their application session times out.
If the Keycloak session timeout is higher than their application session timeout then they wouldn't be bounced to the external Identity Provider for authentication. Looks like we might need to force Keycloak to initiate the authentication when we detect an application timeout.

-sud

From weil at redhat.com Wed Nov 22 10:37:06 2017
From: weil at redhat.com (Wei Li)
Date: Wed, 22 Nov 2017 15:37:06 +0000
Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak
Message-ID:

Hi,

We are using HAProxy as the reverse proxy for the Keycloak server, and we are terminating the SSL connection at HAProxy.

Now we want to enable client certificate authentication. Because the SSL is terminated at HAProxy, we can't use the existing CCA feature provided by Keycloak. But we can get the client cert info in HAProxy and pass them onto Keycloak in headers. So is there a way to allow Keycloak to get the user info from the headers and perform authentication?

Thanks for your help in advance!

--
WEI LI
SENIOR SOFTWARE ENGINEER
Red Hat Mobile
weil at redhat.com M: +353862393272

From mitya at cargosoft.ru Wed Nov 22 10:51:21 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Wed, 22 Nov 2017 18:51:21 +0300
Subject: [keycloak-user] BeerCloak update
Message-ID: <1511365881.2109.3.camel@cargosoft.ru>

Hi everyone,

BeerCloak[1] has just got a substantial update. Highlights are:

- EAR packaging. This is probably the most important item, as I remember people here asking many times how to package providers into an EAR together with external dependencies, so finally here is a complete working example;
- more reliable initial data population;
- update to Keycloak 3.4.0.Final;
- minor fixes & refactoring;
- doc updates, especially on the installation procedure.

It still lacks tests, so I'd appreciate it much if someone more experienced would recommend me what exactly to test and how, or probably even would help me with writing tests.
BeerCloak is a comprehensive Keycloak extension example, which comprises different techniques, sometimes undocumented, to build a complete real-life Keycloak extension. From the technical point of view, it includes a custom JPA entity, a custom admin REST resource, admin GUI extensions and everything else needed to glue that together. I'd be happy to see it as a semi-official blueprint, or a starting point for those interested in extending Keycloak.

Cheers,
Dmitry

[1] https://github.com/dteleguin/beercloak

From pnalyvayko at agi.com Wed Nov 22 11:25:15 2017
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Wed, 22 Nov 2017 16:25:15 +0000
Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak
In-Reply-To:
References:
Message-ID:

Hi WEI LI,

Is this what you are looking for? https://github.com/keycloak/keycloak/pull/4546

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Wei Li [weil at redhat.com]
Sent: Wednesday, November 22, 2017 10:37 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak

Hi,

We are using HAProxy as the reverse proxy for the Keycloak server, and we are terminating the SSL connection at HAProxy.

Now we want to enable client certificate authentication. Because the SSL is terminated at HAProxy, we can't use the existing CCA feature provided by Keycloak. But we can get the client cert info in HAProxy and pass them onto Keycloak in headers. So is there a way to allow Keycloak to get the user info from the headers and perform authentication?

Thanks for your help in advance!
--
WEI LI
SENIOR SOFTWARE ENGINEER
Red Hat Mobile
weil at redhat.com M: +353862393272

From weil at redhat.com Wed Nov 22 11:30:57 2017
From: weil at redhat.com (Wei Li)
Date: Wed, 22 Nov 2017 16:30:57 +0000
Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak
In-Reply-To:
References:
Message-ID:

Hi Peter,

Yes, that is exactly what I am looking for. Thank you very much.

Do you have any idea when that PR can be merged?

Thanks.

On Wed, Nov 22, 2017 at 4:25 PM, Nalyvayko, Peter wrote:
> Hi WEI LI,
>
> Is this what you are looking for? https://github.com/keycloak/keycloak/pull/4546
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Wei Li [weil at redhat.com]
> Sent: Wednesday, November 22, 2017 10:37 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak
>
> Hi,
>
> We are using HAProxy as the reverse proxy for the Keycloak server, and we
> are terminating the SSL connection at HAProxy.
>
> Now we want to enable client certificate authentication. Because the SSL is
> terminated at HAProxy, we can't use the existing CCA feature provided by
> Keycloak. But we can get the client cert info in HAProxy and pass them onto
> Keycloak in headers. So is there a way to allow Keycloak to get the user
> info from the headers and perform authentication?
>
> Thanks for your help in advance!
>
> --
> WEI LI
> SENIOR SOFTWARE ENGINEER
> Red Hat Mobile
> weil at redhat.com M: +353862393272

--
WEI LI
SENIOR SOFTWARE ENGINEER
Red Hat Mobile
weil at redhat.com M: +353862393272

From pnalyvayko at agi.com Wed Nov 22 11:35:13 2017
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Wed, 22 Nov 2017 16:35:13 +0000
Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak
In-Reply-To:
References: ,
Message-ID:

Hi WEI LI,

I cannot tell you when the PR will be merged, but I've been meaning to test the migration steps and follow up with Marek before the end of the month.

--Peter

________________________________________
From: Wei Li [weil at redhat.com]
Sent: Wednesday, November 22, 2017 11:30 AM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] client certificate authentication using HAProxy and Keycloak

Hi Peter,

Yes, that is exactly what I am looking for. Thank you very much.

Do you have any idea when that PR can be merged?

Thanks.

On Wed, Nov 22, 2017 at 4:25 PM, Nalyvayko, Peter wrote:
Hi WEI LI,

Is this what you are looking for? https://github.com/keycloak/keycloak/pull/4546
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Wei Li [weil at redhat.com]
Sent: Wednesday, November 22, 2017 10:37 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak

Hi,

We are using HAProxy as the reverse proxy for the Keycloak server, and we are terminating the SSL connection at HAProxy.

Now we want to enable client certificate authentication. Because the SSL is terminated at HAProxy, we can't use the existing CCA feature provided by Keycloak.
But we can get the client cert info in HAProxy and pass them onto Keycloak in headers. So is there a way to allow Keycloak to get the user info from the headers and perform authentication?

Thanks for your help in advance!

--
WEI LI
SENIOR SOFTWARE ENGINEER
Red Hat Mobile
weil at redhat.com M: +353862393272

From corentin.dupont at gmail.com Wed Nov 22 12:46:46 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 22 Nov 2017 18:46:46 +0100
Subject: [keycloak-user] Authorization: proof of ownership
Message-ID:

In my use case, the user can "claim" resources. But to do that, he needs to prove that he is the rightful owner.

In practice, the user possesses objects called "sensor nodes". Those are just little boxes with a tag on them. The tag has a number that the user can transmit to prove that he physically owns the object.

So my idea was to provide an endpoint able to change the owner of the resource, based on the tag number. Using our example, the endpoint to claim a resource could look like:

curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
  "owner": "smith",
  "proof": "XXXXXXX"
}'

A policy would check that the proof is valid, by matching it against a database. If accepted, then the resource owner should be changed.

Do you think this is a good protocol? How to write the policy to authorize the owner change at Keycloak level? I don't see how to transmit the proof number when performing the authorization request (with the entitlement API).
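An added example, not from the thread and not Keycloak code, of the server-side check the message describes, assuming a hypothetical in-memory resource table and tag database: the caller may only claim a resource for their own authenticated identity, the tag number is compared in constant time against a stored hash, guesses are throttled per resource, and a node that already has an owner cannot be re-claimed with the same tag.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for the application's resource table and the database
# of tag numbers printed on the sensor nodes; all names here are hypothetical.


def proof_hash(resource_id: str, proof: str) -> str:
    # Keep only a hash of the tag number, salted with the resource id, so a
    # leaked table does not hand out every proof in clear.
    return hashlib.sha256(f"{resource_id}:{proof}".encode("utf-8")).hexdigest()


@dataclass
class Resource:
    resource_id: str
    proof_hash: str
    owner: Optional[str] = None   # None until somebody claims the node


class ClaimError(Exception):
    """Raised when a claim must be refused; the message is safe to return."""


class ResourceStore:
    def __init__(self, max_failures: int = 5) -> None:
        self.resources: Dict[str, Resource] = {}
        self.failed: Dict[str, int] = {}      # resource_id -> wrong proofs seen
        self.max_failures = max_failures

    def register(self, resource_id: str, proof: str) -> None:
        # Called when the node is provisioned, before any user sees it.
        self.resources[resource_id] = Resource(resource_id, proof_hash(resource_id, proof))

    def claim(self, identity: str, resource_id: str, requested_owner: str, proof: str) -> Resource:
        # 1. A caller may only claim for themselves: the requested owner must be
        #    the authenticated identity (the resource.owner == identity.id idea).
        if requested_owner != identity:
            raise ClaimError("owner must be the authenticated caller")
        res = self.resources.get(resource_id)
        if res is None:
            raise ClaimError("unknown resource")
        # 2. A tag proves possession once; re-assigning an owned node needs a
        #    separate transfer flow, so the proof is not even evaluated here.
        if res.owner is not None:
            raise ClaimError("resource already claimed")
        # 3. The tag number is a bearer secret: throttle guessing per resource.
        if self.failed.get(resource_id, 0) >= self.max_failures:
            raise ClaimError("too many failed claims for this resource")
        # 4. Constant-time comparison against the stored hash.
        if not hmac.compare_digest(proof_hash(resource_id, proof), res.proof_hash):
            self.failed[resource_id] = self.failed.get(resource_id, 0) + 1
            raise ClaimError("invalid proof")
        res.owner = identity
        self.failed.pop(resource_id, None)
        return res


def handle_claim_request(store: ResourceStore, identity: str, resource_id: str, body: dict):
    # Handler shape for PUT /api/v1/houses/<resource_id>/owner with the JSON body
    # {"owner": ..., "proof": ...}; `identity` comes from the validated bearer token.
    try:
        res = store.claim(identity, resource_id, body.get("owner", ""), body.get("proof", ""))
    except ClaimError as err:
        return 403, {"error": str(err)}
    return 200, {"resource": res.resource_id, "owner": res.owner}
```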
From psilva at redhat.com Wed Nov 22 13:42:44 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 22 Nov 2017 16:42:44 -0200
Subject: [keycloak-user] Authorization: proof of ownership
In-Reply-To:
References:
Message-ID:

I see. But so far I was considering that when you create "MyHouse" you would already have the owner. In this case, you would just need to check resource.owner == identity.id.

What you are looking for seems to be related with https://issues.jboss.org/browse/KEYCLOAK-4903 and https://issues.jboss.org/browse/KEYCLOAK-5346, where the former is about a client pushing additional claims to the authorization request and the latter should allow you to delegate the decision to an external resource or API (e.g. some HTTP endpoint in your application).

On Wed, Nov 22, 2017 at 3:46 PM, Corentin Dupont wrote:
> In my use case, the user can "claim" resources. But to do that, he needs to
> prove that he is the rightful owner.
>
> In practice, the user possesses objects called "sensor nodes". Those are
> just little boxes with a tag on them.
> The tag has a number that the user can transmit to prove that he is owning
> physically the object.
>
> So my idea was to provide an endpoint able to change the owner of the
> resource, based on the tag number.
> Using our example, the endpoint to claim a resource could look like:
>
> curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
>   "owner": "smith",
>   "proof": "XXXXXXX"
> }'
>
> A policy would check that the proof is valid, by matching it against a
> database.
> If accepted, then the resource owner should be changed.
>
> Do you think this is a good protocol?
> How to write the policy to authorize the owner change at Keycloak level?
> I don't see how to transmit the proof number when performing the
> authorization request (with the entitlement API).
>

From corentin.dupont at gmail.com Wed Nov 22 16:29:44 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 22 Nov 2017 22:29:44 +0100
Subject: [keycloak-user] Authorization: proof of ownership
In-Reply-To:
References:
Message-ID:

Thanks for the issues, they are very relevant. So at the moment, I think I will encode this "claiming" mechanism in the API server.

On Wed, Nov 22, 2017 at 7:42 PM, Pedro Igor Silva wrote:
> I see. But so far I was considering that when you create "MyHouse" you
> would already have the owner. In this case, you would just need to check
> resource.owner == identity.id.
>
> What you are looking for seems to be related with
> https://issues.jboss.org/browse/KEYCLOAK-4903 and
> https://issues.jboss.org/browse/KEYCLOAK-5346. Where the former is about
> a client pushing additional claims to the authorization request and the
> latter that should allow you to delegate the decision to an external
> resource or API (e.g.: some HTTP endpoint in your application).
>
> On Wed, Nov 22, 2017 at 3:46 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> In my use case, the user can "claim" resources. But to do that, he needs
>> to prove that he is the rightful owner.
>>
>> In practice, the user possesses objects called "sensor nodes". Those are
>> just little boxes with a tag on them.
>> The tag has a number that the user can transmit to prove that he is
>> owning physically the object.
>>
>> So my idea was to provide an endpoint able to change the owner of the
>> resource, based on the tag number.
>> Using our example, the endpoint to claim a resource could look like:
>>
>> curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
>>   "owner": "smith",
>>   "proof": "XXXXXXX"
>> }'
>>
>> A policy would check that the proof is valid, by matching it against a
>> database.
>> If accepted, then the resource owner should be changed.
>>
>> Do you think this is a good protocol?
>> How to write the policy to authorize the owner change at Keycloak level?
>> I don't see how to transmit the proof number when performing the
>> authorization request (with the entitlement API).
>>
>>
>

From orlicus at gmail.com Thu Nov 23 03:32:49 2017
From: orlicus at gmail.com (Alexander Ionov)
Date: Thu, 23 Nov 2017 08:32:49 +0000
Subject: [keycloak-user] How to escape dot symbol in Token Claim Name
Message-ID:

Greetings,

When specifying Token Claim Name in a mapper, the user can write the claim name in dot notation in order to create nested JSON objects. The problem is that I should do completely the opposite. I need a claim name that looks like "http://domain.name/claims/customer_number". Keycloak sees the dot in the name and creates the following claim:

{
  "http://domain": {
    "name/claims/customer_number": "value"
  }
}

Is there any way to escape this dot in the claim name? I've tried the backslash character but it didn't work. And I didn't find the information about this anywhere.

Thanks,
Alexander

From sthorger at redhat.com Thu Nov 23 06:41:39 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Nov 2017 12:41:39 +0100
Subject: [keycloak-user] Keycloak Facebook Social Login
In-Reply-To:
References:
Message-ID:

You can't. To use registration and login with external IdPs you need to use the Keycloak login pages, which you should be using anyway.

On 21 November 2017 at 03:53, Madhan Kumar S P wrote:
> Hello All,
> I am trying to integrate the Keycloak with Facebook social plugin.
> I had gone through the examples and documentation. This works fine if I use
> the Keycloak hosted Login Page.
>
> What I need is that we want to host our own login page and use the
> Keycloak APIs to register the user and login.
>
> I mean, I want to host our Sign Up/Login Page. When the user
> clicks on the Login with Facebook, we want to redirect the user to FB and
> get the approval and collect the details, create the user details that we
> need for our application.
> Then register the user on the Keycloak.
>
> I don't see any documentation for this. I would be really grateful
> if you can shed some light on this and point to the documentation that
> would help me in achieving this.
>
> Thanks & Regards,
> Madhan Kumar S P

From Gael.THIABAUD at almerys.com Thu Nov 23 08:39:11 2017
From: Gael.THIABAUD at almerys.com (Gael THIABAUD)
Date: Thu, 23 Nov 2017 13:39:11 +0000
Subject: [keycloak-user] Using Rest Services managed by another Realm and account linking issue
Message-ID: <2a9ed759eff3409da1bde54d30ff38fb@excmb02-prd.ressources.priv>

Dear Keycloak team,

Please find below:
- Use case description
- GOALS
- What I tried
- Question and Proposals

Is the approach described the good one? Does another one exist? What is your preferred proposal? Do you have another?

Use case description:
All applications and rest services secured by OpenID (Keycloak).
User (Realm A) -> Web application Front end 1 (Realm A) --> Application Back End 1 (Realm A) -> Rest Service 1 (Realm B) -> Rest Service 2 (Realm C)

GOALS:
The solution must permit to identify the user himself into each component. The User in Realm B must be linked to the User in Realm A.

What I tried:
By using the "Internal Token to External Token Exchange" features of Keycloak it works if the user exists in all the realms and if the account(s) are linked between them. And it works, thank you for the job!

The current issue is that I want the application back end 1 to create the account(s) into the required realms when it tries to use the Rest Service in the other realm. I try to implement the following use case:

User (Realm A) -> Web application Front end 1 (Realm A) --> Application Back End 1 (Realm A)
-- Request account creation and linking -> Keycloak Realm B
-- Internal Token to External Token Exchange ->
Keycloak Realm B -> Rest Service 1 (Realm B)
-- Request account creation and linking -> Keycloak Realm C
-- Internal Token to External Token Exchange -> Keycloak Realm C -> Rest Service 2 (Realm C)

I took a look into the chapter 5.2. Client Initiated Account Linking but it implies that it must be the user browser that triggers the http request. I took a look into IdentityBrokerService.clientInitiatedAccountLinking and it seems that all the secure mechanism used is related to the cookie and the Keycloak user session. The approach that I try cannot work with the current implementation of clientInitiatedAccountLinking.

Question and Proposals:
Is the call flow that I try the right approach for achieving the goals? If yes, and assuming that:
1) the account creation and auto-linking must be included into the Keycloak solution as standard for managing the use case described (think about micro services)
2) the OIDC Tokens are enough for securing the creation of a new account into other realms, if a trusted relation exists between the realms of course!

Proposal 1: clientInitiatedAccountLinking proposes 2 modes of securization, the current one based on the cookie and a new one based on the Bearer token.
Proposal 2: A completely new HTTP request using the bearer token can be used for the account creation and linking.
Proposal 3: Keycloak exposes a new Rest method permitting to create and link an account by using the Bearer token only.
Proposal 4: Keycloak exposes a new Rest method permitting to create an account into a realm by using the Bearer token only. Keycloak exposes a new Rest method permitting to link two accounts into a realm by using the Bearer token only.

Comment: For being able to create an account into another realm without entering in conflict with an existing account we can propose to use the UUID of the account from the realm used for the original authentication.
From my point of view it could be a decision that must be made during the design of the security policy of the IT system. For example the administrator can decide to use the email as a common ID between the realms, or the UUID, or any value that he can apply onto the preferred_username like currently implemented for the account linking feature.

From aa.azizkhani at gmail.com Thu Nov 23 09:06:12 2017
From: aa.azizkhani at gmail.com (ali akbar)
Date: Thu, 23 Nov 2017 14:06:12 +0000
Subject: [keycloak-user] spring-social-keycloak
Message-ID:

Hi,

I have more than 20 applications that run in a private cloud with the Spring Security framework. After some search I decided to create an IAM (SSO) for these applications; after searching in Google, I found the Keycloak project, which is one of the best projects for doing that. All my apps in the organization have their own user management and do not want to change that.

My idea is to launch Keycloak in our organization so that each user in the organization has an account in Keycloak, but both users have the same email. When a user wants to login to an app they can login with the app user and the Keycloak user. In this way Keycloak is like Google for GitHub, or Facebook, where each user can login with a GitHub user or a Google account.

After reading the Keycloak documentation I do not see a library that does this, combining local authentication and Keycloak authentication. I want, when Keycloak authentication succeeds, to setAuthentication with the app authentication. After some googling I found the Spring Social project and I decided to create spring-social-keycloak. But I do not see good documentation for request/response, or any sample with curl, so that I know how I can use that in my project:

https://github.com/azizkhani/spring-social-keycloak

Is my idea correct? Is there any sample that shows curl for the authorization code flow and getting user info? Is Keycloak active in gitter.im for online questions?
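As an added example (not from the thread and not part of the spring-social-keycloak project), the authorization code flow the message asks about, written against Keycloak's standard openid-connect endpoint paths with an assumed base URL, realm, client id and redirect URI; it also adds state checking and PKCE, which the message does not mention, as the usual defence against callback CSRF and authorization-code injection.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

# Assumed deployment values (hypothetical, not from the thread).
KEYCLOAK_BASE = "http://localhost:8080/auth"
REALM = "myrealm"
CLIENT_ID = "spring-social-keycloak"            # a confidential client in the realm
REDIRECT_URI = "http://localhost:9000/login/keycloak"


def endpoint(name: str) -> str:
    # Keycloak's OIDC endpoints live under /auth/realms/<realm>/protocol/openid-connect/.
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/{name}"


def code_challenge(code_verifier: str) -> str:
    # PKCE S256: BASE64URL(SHA256(verifier)) with the '=' padding removed (RFC 7636).
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_attempt() -> dict:
    # Stored server-side in the app session: state binds the callback to this
    # browser session, nonce binds the ID token to it, and the PKCE verifier
    # proves the code exchange comes from the party that started the flow.
    return {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(48),   # 64 chars, within RFC 7636's 43..128
    }


def authorization_url(attempt: dict, scope: str = "openid profile email") -> str:
    # Step 1: where to send the browser.
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": attempt["state"],
        "nonce": attempt["nonce"],
        "code_challenge": code_challenge(attempt["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return endpoint("auth") + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, attempt: dict) -> str:
    # Step 2: accept the code only if the callback carries the state we issued.
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != attempt["state"]:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request(code: str, attempt: dict, client_secret: str) -> dict:
    # Step 3: form body for the POST to the token endpoint.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": attempt["code_verifier"],
    }


def exchange_code_and_fetch_userinfo(code: str, attempt: dict, client_secret: str) -> dict:
    # Steps 3 and 4 against a live Keycloak (network; not exercised offline):
    # exchange the code for tokens, then call userinfo with the access token.
    body = urllib.parse.urlencode(token_request(code, attempt, client_secret)).encode()
    req = urllib.request.Request(endpoint("token"), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        tokens = json.load(resp)
    req = urllib.request.Request(endpoint("userinfo"),
                                 headers={"Authorization": "Bearer " + tokens["access_token"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The userinfo response is what the application would map onto its local account (matching on email, as the message proposes) before setting its own Spring authentication.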
From maurice at info.nl Thu Nov 23 09:13:35 2017
From: maurice at info.nl (Maurice Mahieu)
Date: Thu, 23 Nov 2017 15:13:35 +0100
Subject: [keycloak-user] org.keycloak.keys.FailsafeAesKeyProvider] errors.
Message-ID: <5293f33a-0d9d-41a0-2bb4-7f3c04295ec3@info.nl>

Hello,

Since I upgraded my cluster consisting of 2 instances from 3.2.0 to 3.4.0 I get the following messages in the log.

2017-11-23 13:31:09,460 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-6) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.
2017-11-23 13:31:09,460 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-59) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.
2017-11-23 13:31:27,239 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-10) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.
etc.

On the admin console of both servers there are 2 active keys, one RSA and one HMAC, and the servers seem to be in sync if I compare the user sessions on both servers.

Does anybody know how I can resolve this / get rid of the messages?
Regards,

--
Met vriendelijke groet,
Maurice Mahieu
system engineer
maurice at info.nl | LinkedIn | +31 (0)20 530 9111
info.nl Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From juanignacioborda at gmail.com Thu Nov 23 09:35:17 2017
From: juanignacioborda at gmail.com (juanignacioborda at gmail.com)
Date: Thu, 23 Nov 2017 14:35:17 +0000
Subject: [keycloak-user] Help with docker compose
Message-ID:

Hi there,

I'm having some issues setting up a docker-compose file. My file is as follows:

version: "3"
services:
  ###########################
  ##### Mysql server DB  ####
  ###########################
  mysql:
    image: mysql:5
    environment:
      MYSQL_ROOT_PASSWORD: developer
      MYSQL_DATABASE: keycloack
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: developer
    volumes:
      - ./backups:/backups
  ###############################
  #####    KEYCLOAK server   ####
  ###############################
  server:
    image: jboss/keycloak
    depends_on:
      - mysql
    ports:
      - "9081:8080"
    environment:
      DB_VENDOR: MYSQL
      MYSQL_DATABASE: keycloak
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: developer
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: keycloak
      VIRTUAL_HOST: keycloack.lab
    links:
      - mysql:mysql

But the server refuses to start and throws "db can't connect" errors. Any help would be very appreciated.

Thanks!

From Steve.Short at clearswift.com Fri Nov 24 04:00:41 2017
From: Steve.Short at clearswift.com (Steve Short)
Date: Fri, 24 Nov 2017 09:00:41 +0000
Subject: [keycloak-user] Help with docker compose
In-Reply-To:
References:
Message-ID: <940ef3ba2b024952bef75f2e59db308b@UKTH-EX01.Clearswift.org>

Your compose file worked fine for me as a version 1 compose file once I took out the version, service and depends-on. What are the versions of your docker-compose and docker?
Rgds
Steve

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of juanignacioborda at gmail.com
Sent: 23 November 2017 14:35
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Help with docker compose

Hi there,

I'm having some issues setting up a docker-compose file. My file is as follows:

version: "3"
services:
  ###########################
  ##### Mysql server DB  ####
  ###########################
  mysql:
    image: mysql:5
    environment:
      MYSQL_ROOT_PASSWORD: developer
      MYSQL_DATABASE: keycloack
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: developer
    volumes:
      - ./backups:/backups
  ###############################
  #####    KEYCLOAK server   ####
  ###############################
  server:
    image: jboss/keycloak
    depends_on:
      - mysql
    ports:
      - "9081:8080"
    environment:
      DB_VENDOR: MYSQL
      MYSQL_DATABASE: keycloak
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: developer
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: keycloak
      VIRTUAL_HOST: keycloack.lab
    links:
      - mysql:mysql

But the server refuses to start and throws "db can't connect" errors. Any help would be very appreciated.

Thanks!
From corentin.dupont at gmail.com Fri Nov 24 07:18:43 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 24 Nov 2017 13:18:43 +0100
Subject: [keycloak-user] Corrupted policies
Message-ID:

Hi guys,
I encountered this bug:
https://issues.jboss.org/browse/KEYCLOAK-4340

Basically after exporting, my policies are inaccessible.
My keycloak version is 3.1.0.Final.
Is there a workaround?
Can I delete the policies via API?
Should I edit the database?
I connected to the H2 database but there are no tables.
What is the login/password when logging in to H2?

Cheers

From psilva at redhat.com Fri Nov 24 08:18:24 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 24 Nov 2017 11:18:24 -0200
Subject: [keycloak-user] Corrupted policies
In-Reply-To:
References:
Message-ID:

Hi,

My suggestion is to upgrade to the latest version of Keycloak. This issue was already fixed.

The issue is all about role policies (and I think user policies too) getting corrupted after exporting settings, given that the policy is updated in the database with the name of the role instead of its ID.

For the login/password to access H2, check ${KEYCLOAK_HOME}/standalone/configuration/standalone.xml. There you will find the datasource configuration used by Keycloak (KeycloakDS).

Regards.

On Fri, Nov 24, 2017 at 10:18 AM, Corentin Dupont wrote:
> Hi guys,
> I encountered this bug:
> https://issues.jboss.org/browse/KEYCLOAK-4340
>
> Basically after exporting, my policies are inaccessible.
> My keycloak version is 3.1.0.Final.
> Is there a workaround?
> Can I delete the policies via API?
> Should I edit the database?
> I connected to H2 database but there is no tables.
> What is the login/password when logging to H2?
>
> Cheers
>

From corentin.dupont at gmail.com Fri Nov 24 09:42:17 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 24 Nov 2017 15:42:17 +0100
Subject: [keycloak-user] Corrupted policies
In-Reply-To:
References:
Message-ID:

OK thanks, I updated keycloak.
From the standalone.xml, the default password seems to be sa/sa.

But this login/password is rejected when I try to connect to the database.
I use:
Driver class: org.h2.Driver
JDBC URL: jdbc:h2:
username: sa
password: sa

On Fri, Nov 24, 2017 at 2:18 PM, Pedro Igor Silva wrote:
> Hi,
>
> My suggestion is upgrade to latest version of Keycloak. This issues was
> already fixed.
>
> The issue is all about role policies (and I think user policies too)
> getting corrupted after exporting settings given that the policy is updated
> in the database with the name of the role instead of its ID.
>
> For login/password to access H2, check ${KEYCLOAK_HOME}/standalone/configuration/standalone.xml.
> There you will find the datasource configuration used by Keycloak
> (KeycloakDS).
>
> Regards.
>
> On Fri, Nov 24, 2017 at 10:18 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> I guys,
>> I encountered this bug:
>> https://issues.jboss.org/browse/KEYCLOAK-4340
>>
>> Basically after exporting, my policies are inaccessible.
>> My keycloak version is 3.1.0.Final.
>> Is there a workaround?
>> Can I delete the policies via API?
>> Should I edit the database?
>> I connected to H2 database but there is no tables.
>> What is the login/password when logging to H2?
>>
>> Cheers
>>
>
>

From corentin.dupont at gmail.com Fri Nov 24 09:43:11 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 24 Nov 2017 15:43:11 +0100
Subject: [keycloak-user] Corrupted policies
In-Reply-To:
References:
Message-ID:

Ohhh OK, it works without any login/password...

On Fri, Nov 24, 2017 at 3:42 PM, Corentin Dupont wrote:
> OK thanks I updated keycloak.
> From the standalone.xml, the default passwords seems to be sa/sa.
>
> But this login/password is rejected when I try to connect to the data base.
> I use:
> Driver class: org.h2.Driver
> JDBC URL: jdbc:h2:
> username: sa
> password: sa
>
>
>
> On Fri, Nov 24, 2017 at 2:18 PM, Pedro Igor Silva
> wrote:
>
>> Hi,
>>
>> My suggestion is upgrade to latest version of Keycloak. This issues was
>> already fixed.
>>
>> The issue is all about role policies (and I think user policies too)
>> getting corrupted after exporting settings given that the policy is updated
>> in the database with the name of the role instead of its ID.
>>
>> For login/password to access H2, check ${KEYCLOAK_HOME}/standalone/configuration/standalone.xml.
>> There you will find the datasource configuration used by Keycloak
>> (KeycloakDS).
>>
>> Regards.
>>
>> On Fri, Nov 24, 2017 at 10:18 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> I guys,
>>> I encountered this bug:
>>> https://issues.jboss.org/browse/KEYCLOAK-4340
>>>
>>> Basically after exporting, my policies are inaccessible.
>>> My keycloak version is 3.1.0.Final.
>>> Is there a workaround?
>>> Can I delete the policies via API?
>>> Should I edit the database?
>>> I connected to H2 database but there is no tables.
>>> What is the login/password when logging to H2?
>>> >>> Cheers >>> >> >> > From corentin.dupont at gmail.com Fri Nov 24 11:20:31 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Fri, 24 Nov 2017 17:20:31 +0100 Subject: [keycloak-user] Error in resource Message-ID: Hi, after creating a resource through the API, the "resources" panel on the UI will not open anymore: *Error!* An unexpected server error has occurred In the keycloak traces there is: keycloak_1 | 16:15:00,037 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/admin/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-s erver/resource: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: Could not find the user [guest] who owns the Resource [062e4b4f-d931-42c1-8c88-117766797ecd]. The user guest exists... I created the resource with something similar to: curl -X POST " http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{ "name": "My house", "uri": "/houses/123", "scopes": ["view"], "owner": "guest" }' Thanks Corentin From corentin.dupont at gmail.com Fri Nov 24 11:21:38 2017 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Fri, 24 Nov 2017 17:21:38 +0100 Subject: [keycloak-user] Error in resource In-Reply-To: References: Message-ID: PS. 
I have keycloak 3.4.0.Final now On Fri, Nov 24, 2017 at 5:20 PM, Corentin Dupont wrote: > Hi, > after creating a resource through the API, the "resources" panel on the UI > will not open anymore: > *Error!* An unexpected server error has occurred > > In the keycloak traces there is: > keycloak_1 | 16:15:00,037 ERROR [io.undertow.request] (default > task-27) UT005023: Exception handling request to /auth/admin/realms/waziup/ > clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-s > erver/resource: org.jboss.resteasy.spi.UnhandledException: > java.lang.RuntimeException: Could not find the user [guest] who owns the > Resource [062e4b4f-d931-42c1-8c88-117766797ecd]. > > The user guest exists... > I created the resource with something similar to: > curl -X POST "http://localhost:8080/auth/realms/myrealm/authz/ > protection/resource_set" -H "Content-Type: application/json" -H > "Authorization: Bearer $TOKEN" -d '{ > "name": "My house", > "uri": "/houses/123", > "scopes": ["view"], > "owner": "guest" > }' > > Thanks > Corentin > From psilva at redhat.com Fri Nov 24 14:12:04 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 24 Nov 2017 17:12:04 -0200 Subject: [keycloak-user] Error in resource In-Reply-To: References: Message-ID: Created https://issues.jboss.org/browse/KEYCLOAK-5909. Right now the value of field "owner" should be the user's identifier and not the username. I changed to also supposed username and added more validations to avoid such error. Thanks. On Fri, Nov 24, 2017 at 2:21 PM, Corentin Dupont wrote: > PS. 
> I have keycloak 3.4.0.Final now
>
> On Fri, Nov 24, 2017 at 5:20 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:

From Bodo.Teichmann at brandad-systems.de Sat Nov 25 09:55:51 2017
From: Bodo.Teichmann at brandad-systems.de (Bodo Teichmann)
Date: Sat, 25 Nov 2017 14:55:51 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
Message-ID: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de>

I just followed the "Getting Started" documentation 3.4.
Everything ok until it comes to:
Chapter 4.3.:
after git-clone and
>cd keycloak-quickstarts/app-profile-jee-vanilla
I tried:
>mvn clean wildfly:deploy
but got the error:

-------------------------------------------------------------------------------
Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
-------------------------------------------------------------------------------
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE!
org.keycloak.quickstart.ArquillianProfileJeeVanillaTest  Time elapsed: 0.907 sec  <<< ERROR!
java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
    at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166)
    at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103)
    at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52)
    at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114)
    at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
    at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
    at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162)
    ... 15 more
Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss
    at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85)
    at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
    at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
    at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265)
    at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74)
    at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
    at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
    at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
    at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63)
    ... 20 more
Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified
    at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
    at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71)
    at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
    ... 44 more

until I tried
>mvn clean wildfly:deploy -DskipTests
which worked.

Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started"?

bodo

From bruno at abstractj.org Sat Nov 25 12:55:49 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Sat, 25 Nov 2017 17:55:49 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
In-Reply-To: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de>
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de>

Try to pass -Pwildfly-managed, it should work. We have some jiras to fix the docs.

On Sat, Nov 25, 2017, 12:59 PM Bodo Teichmann <Bodo.Teichmann at brandad-systems.de> wrote:

From Michael.Liebe at ist.com Sat Nov 25 14:48:49 2017
From: Michael.Liebe at ist.com (Michael Liebe)
Date: Sat, 25 Nov 2017 19:48:49 +0000
Subject: [keycloak-user] Help with docker compose
In-Reply-To: <940ef3ba2b024952bef75f2e59db308b@UKTH-EX01.Clearswift.org>
References: <940ef3ba2b024952bef75f2e59db308b@UKTH-EX01.Clearswift.org>
Message-ID: <9C64FE0C-1AB5-404D-A0D2-6E64DE163505@ist.com>

I think it should be MYSQL_USER instead of MYSQL_USERNAME as environment variable name in the Keycloak configuration.

Regards,
Michael

On 2017-11-24, 10:00, "keycloak-user-bounces at lists.jboss.org on behalf of Steve Short" wrote:

Your compose file worked fine for me as a version 1 compose file once I took out the version, service and depends-on.

What are the versions of your docker-compose and docker?
Rgds
Steve

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of juanignacioborda at gmail.com
Sent: 23 November 2017 14:35
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Help with docker compose

Hi there
I'm having some issues setting up a docker-compose file
my file is as follows:

version: "3"
services:
  ###########################
  ##### Mysql server DB ####
  ###########################
  mysql:
    image: mysql:5
    environment:
      MYSQL_ROOT_PASSWORD: developer
      MYSQL_DATABASE: keycloack
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: developer
    volumes:
      - ./backups:/backups
  ###############################
  ##### KEYCLOAK server ####
  ###############################
  server:
    image: jboss/keycloak
    depends_on:
      - mysql
    ports:
      - "9081:8080"
    environment:
      DB_VENDOR: MYSQL
      MYSQL_DATABASE: keycloak
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: developer
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: keycloak
      VIRTUAL_HOST: keycloack.lab
    links:
      - mysql:mysql

But the server refuses to start and throws db can't connect errors
Any help would be very appreciated
Thanks!
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Sat Nov 25 15:42:07 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 25 Nov 2017 20:42:07 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
In-Reply-To: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de>
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de>

Run with:
mvn clean install -Pwildfly-managed -Denforcer.skip=true

On Sat, 25 Nov 2017 at 16:02, Bodo Teichmann <Bodo.Teichmann at brandad-systems.de> wrote:

From Bodo.Teichmann at brandad-systems.de Sun Nov 26 12:58:38 2017
From: Bodo.Teichmann at brandad-systems.de (Bodo Teichmann)
Date: Sun, 26 Nov 2017 17:58:38 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de>
Message-ID: <133DBDB9-433B-496C-B965-97A8D4FDC9A3@brandad-systems.de>

No, with
>mvn clean install -Pwildfly-managed -Denforcer.skip=true
I got this same Error:

...
18:52:16,546 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
18:52:16,547 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) started in 4322ms - Started 332 of 578 services (393 services are lazy, passive or on-demand)
Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 7.055 sec <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
org.keycloak.quickstart.ArquillianProfileJeeVanillaTest  Time elapsed: 7.054 sec  <<< ERROR!
java.lang.ExceptionInInitializerError
    at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81)

org.keycloak.quickstart.ArquillianProfileJeeVanillaTest  Time elapsed: 7.055 sec  <<< ERROR!
java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.quickstart.ArquillianProfileJeeVanillaTest

Nov 26, 2017 6:52:17 PM org.jboss.arquillian.core.impl.ObserverImpl resolveArguments
WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null. It won't be invoked.
18:52:17,956 INFO  [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0236: Suspending server with no timeout.
...

Looks to me that somehow the Arquillian can not log into the managed wildfly it just started, but I'm not good with Arquillian though...
Although the wildfly seemed to have started without any issues.

Bodo

On 25.11.2017 at 21:42, Sebastien Blanc <sblanc at redhat.com> wrote:
> Run with:
> mvn clean install -Pwildfly-managed -Denforcer.skip=true
>
> On Sat, 25 Nov 2017 at 16:02, Bodo Teichmann <Bodo.Teichmann at brandad-systems.de> wrote:

From bruno at abstractj.org Sun Nov 26 14:13:04 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Sun, 26 Nov 2017 19:13:04 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
In-Reply-To: <133DBDB9-433B-496C-B965-97A8D4FDC9A3@brandad-systems.de>
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de> <133DBDB9-433B-496C-B965-97A8D4FDC9A3@brandad-systems.de>

On which host/port do you have WildFly and Keycloak started?

Looking at this exception:

Caused by: java.net.ConnectException: Connection refused (Connection refused)
at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.

Seems like ArquillianProfileJeeVanillaTest could not connect.

On Sun, Nov 26, 2017, 4:38 PM Bodo Teichmann <Bodo.Teichmann at brandad-systems.de> wrote:
> No, with
> >mvn clean install -Pwildfly-managed -Denforcer.skip=true
> I got this same Error:
>
> ...
> 18:52:16,546 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
> 18:52:16,547 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) started in 4322ms - Started 332 of 578 services (393 services are lazy, passive or on-demand)
> Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 7.055 sec <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest  Time elapsed: 7.054 sec  <<< ERROR!
> java.lang.ExceptionInInitializerError
>     at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81)
> Caused by: java.net.ConnectException: Connection refused (Connection refused)
>     at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81)
>
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest  Time elapsed: 7.055 sec  <<< ERROR!
> java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
>
> Nov 26, 2017 6:52:17 PM org.jboss.arquillian.core.impl.ObserverImpl resolveArguments
> WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null. It won't be invoked.
> 18:52:17,956 INFO  [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0236: Suspending server with no timeout.
> ...
>
> Looks to me that somehow the Arquillian can not log into the managed wildfly it just started, but I'm not good with Arquillian though...
> Although the wildfly seemed to have started without any issues.
>
> Bodo
>
> On 25.11.2017 at 21:42, Sebastien Blanc <sblanc at redhat.com> wrote:
>
> Run with:
> mvn clean install -Pwildfly-managed -Denforcer.skip=true
>
> On Sat, 25 Nov 2017 at 16:02, Bodo Teichmann <Bodo.Teichmann at brandad-systems.de> wrote:
> I just followed the "Getting Started" documentation 3.4.
> Everything ok until it comes to:
> Chapter 4.3.:
> after git-clone and
> >cd keycloak-quickstarts/app-profile-jee-vanilla
> I tried:
> >mvn clean wildfly:deploy
> but got the error:
>
> -------------------------------------------------------------------------------
> Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
> -------------------------------------------------------------------------------
> Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE!
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest  Time elapsed: 0.907 sec  <<< ERROR!
> java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
> at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166)
> at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103)
> at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52)
> at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114)
> at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
> at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
> at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
> at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
> at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
> at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
> Caused by: java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162)
> ... 15 more
> Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss
> at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85)
> at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
> at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
> at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
> at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265)
> at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74)
> at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
> at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
> at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
> at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
> at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63)
> ... 20 more
> Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified
> at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
> at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71)
> at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
> ... 44 more
>
>
> until it tried
>
> >mvn clean wildfly:deploy -DskipTests
>
> which worked.
>
> Do I need any other prerequisites in order to run the Arquillian tests other than those described in the "Getting Started"?
>
> bodo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From juanignacioborda at gmail.com Sun Nov 26 17:24:13 2017
From: juanignacioborda at gmail.com (juanignacioborda at gmail.com)
Date: Sun, 26 Nov 2017 22:24:13 +0000
Subject: [keycloak-user] Help with docker compose
In-Reply-To: <9C64FE0C-1AB5-404D-A0D2-6E64DE163505@ist.com>
References: <940ef3ba2b024952bef75f2e59db308b@UKTH-EX01.Clearswift.org> <9C64FE0C-1AB5-404D-A0D2-6E64DE163505@ist.com>
Message-ID:

Hi Steve
Thanks for testing
I'm running on Debian stretch
Docker version 17.06.1-ce, build 874a737
docker-compose version 1.17.1, build 6d101fb

On Sat, Nov 25, 2017 at 4:48 PM Michael Liebe wrote:

> I think it should be MYSQL_USER instead of MYSQL_USERNAME as environment variable name in the Keycloak configuration.
>
> Regards,
> Michael
>
> On 2017-11-24, 10:00, "keycloak-user-bounces at lists.jboss.org on behalf of Steve Short" <Steve.Short at clearswift.com> wrote:
>
> Your compose file worked fine for me as a version 1 compose file once I took out the version, service and depends-on.
> What are the version of your docker-compose and docker?
> Rgds
> Steve
>
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of juanignacioborda at gmail.com
> Sent: 23 November 2017 14:35
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Help with docker compose
>
> Hi there I'm having some issues setting up a docker-compose file, my file is as follows:
>
> version: "3"
>
> services:
>
>   ###########################
>   ##### Mysql server DB ####
>   ###########################
>   mysql:
>     image: mysql:5
>
>     environment:
>       MYSQL_ROOT_PASSWORD: developer
>       MYSQL_DATABASE: keycloack
>       MYSQL_USER: keycloak
>       MYSQL_PASSWORD: developer
>
>     volumes:
>       - ./backups:/backups
>
>   ###############################
>   ##### KEYCLOAK server ####
>   ###############################
>   server:
>     image: jboss/keycloak
>     depends_on:
>       - mysql
>     ports:
>       - "9081:8080"
>
>     environment:
>       DB_VENDOR: MYSQL
>       MYSQL_DATABASE: keycloak
>       MYSQL_USERNAME: root
>       MYSQL_PASSWORD: developer
>       KEYCLOAK_USER: admin
>       KEYCLOAK_PASSWORD: keycloak
>       VIRTUAL_HOST: keycloack.lab
>
>     links:
>       - mysql:mysql
>
>
> But the server refuses to start and throws "db can't connect" errors. Any help would be very appreciated. Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> This e-mail and any files transmitted with it are strictly confidential, may be privileged and are intended only for use by the addressee unless otherwise indicated. If you are not the intended recipient any use, dissemination, printing or copying is strictly prohibited and may be unlawful. If you have received this e-mail in error, please delete it immediately and contact the sender as soon as possible. Clearswift cannot be held liable for delays in receipt of an email or any errors in its content. Clearswift accepts no responsibility once an e-mail and any attachments leave us. Unless expressly stated, opinions in this message are those of the individual sender and not of Clearswift.
>
> This email message has been inspected by Clearswift for inappropriate content and security threats.
>
> To find out more about Clearswift's solutions please visit www.clearswift.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From anton.mazkovoi at cimenviro.com Sun Nov 26 17:30:45 2017
From: anton.mazkovoi at cimenviro.com (Anton Mazkovoi)
Date: Mon, 27 Nov 2017 09:30:45 +1100
Subject: [keycloak-user] Keycloak plugin using keycloak-services
Message-ID: <2E33742E-30EF-4C5B-9A0C-C059D07589AF@cimenviro.com>

Hi,

I have a small plugin that adds a simple REST service to Keycloak, which I would like to restrict access to members of the admin role.
I am following the example: https://github.com/keycloak/keycloak/blob/3.2.1.Final/examples/providers/domain-extension/src/main/java/org/keycloak/examples/domainextension/rest/ExampleRestResource.java
I am deploying the plugin by copying it into the "standalone/deployments" directory.
The plugin errors out with:
java.lang.NoClassDefFoundError: org/keycloak/services/managers/AppAuthManager

How do I declare the dependency on "keycloak-services"? Or is there a simpler way to restrict access to a REST service to admin role members?

Cheers,
Anton

From corentin.dupont at gmail.com Mon Nov 27 04:40:58 2017
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 27 Nov 2017 10:40:58 +0100
Subject: [keycloak-user] get Authorization reasons
Message-ID:

Hi,
I'm using the entitlement API to protect the resources of my API.
Sometimes the user gets a "not authorized" message, and it's hard for him to know why.
Is there any way to provide the user with more information on why it was rejected?
Something similar to the info provided by the "evaluate" panel, but with the API.
Thanks
Corentin

From loic.lambrichts at lampiris.be Mon Nov 27 04:41:06 2017
From: loic.lambrichts at lampiris.be (Loïc Lambrichts)
Date: Mon, 27 Nov 2017 09:41:06 +0000
Subject: [keycloak-user] Putting password update form on account update page
Message-ID:

Hi guys,

I'm currently working on a project where we are using Keycloak as offsite SSO. To improve the user journey we are trying to put the password update form on the account update page. The idea is to have the password update on the same page where the user can change his email, first name and last name.
We tried to copy-paste the code from the password template (the form only) to the account template but it didn't work.
Any idea how I can do that? Or maybe it's not possible?
Thanks. Have a good day.

From christophe.tafani-dereeper at epfl.ch Mon Nov 27 04:57:07 2017
From: christophe.tafani-dereeper at epfl.ch (Christophe Tafani-Dereeper)
Date: Mon, 27 Nov 2017 09:57:07 +0000
Subject: [keycloak-user] [spring-adapter] Changing the redirect_uri parameter sent to Keycloak
Message-ID: <7563bec40b15465b9501b603e62a5617@rexf.intranet.epfl.ch>

Hi,

I'm using Keycloak with the Spring Boot Adapter.
Is there any way to customize the redirect_uri parameter being sent to Keycloak when initiating a login? I went through the docs but couldn't find anything on the topic.

Thank you,
Christophe

From psilva at redhat.com Mon Nov 27 06:09:32 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 27 Nov 2017 09:09:32 -0200
Subject: [keycloak-user] get Authorization reasons
In-Reply-To:
References:
Message-ID:

Right now, there is no such thing. But we can think about it and see how to include this RFE in a future release. Could you file a JIRA and put some of your requirements there, please?

Regards.

On Mon, Nov 27, 2017 at 7:40 AM, Corentin Dupont wrote:

> Hi,
> I'm using the entitlement API to protect the resources of my API.
> Sometimes the user gets a "not authorized" message, and it's hard for him to know why.
> Is there any way to provide the user with more information on why it was rejected?
> Something similar to the info provided by the "evaluate" panel, but with the API.
> Thanks
> Corentin
>

From pieter at thehyve.nl Mon Nov 27 06:11:22 2017
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Mon, 27 Nov 2017 12:11:22 +0100
Subject: [keycloak-user] SAML login via python when using Keycloak as Identity broker
Message-ID:

Hi,

I have Keycloak as an identity broker for a SAML SSO service. Login via the browser works great. Now, I want to call the APIs of the SP's application directly using Python or Java. Are these steps documented somewhere? Should my Python script send 2 authentication requests (e.g. first to Keycloak and then to the real IDP)?
Thanks,
Pieter

www.thehyve.nl
E pieter at thehyve.nl
We empower scientists by building on open source software

From d.weirshousky at xsb.com Mon Nov 27 09:53:00 2017
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Mon, 27 Nov 2017 08:53:00 -0600 (CST)
Subject: [keycloak-user] IDP initiated login redirect loop
In-Reply-To: <43472606.30793505.1511793881835.JavaMail.zimbra@xsb.com>
Message-ID: <2018116155.30802441.1511794380248.JavaMail.zimbra@xsb.com>

Hi,

I'm having issues trying to get IDP initiated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with Keycloak and the user is registered with the IDP and a session is created, but an error is displayed to the user: "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this, which is why I am currently working with 2.5.5.

Thanks
Drew

From inofi at gmx.net Mon Nov 27 11:31:39 2017
From: inofi at gmx.net (Malte Finsterwalder)
Date: Mon, 27 Nov 2017 17:31:39 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
Message-ID:

Hi there,

I have a service running in a JBoss server that I want to secure via the Keycloak adapter.
The server is behind a proxy that offloads SSL, so the server itself gets traffic as http.
When the server redirects to Keycloak for authentication, the redirect URL supplied to Keycloak is http, not https. How can I ensure that a redirect URL is an https URL?
Greetings,
Malte

From Edgar at info.nl Mon Nov 27 11:34:33 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 27 Nov 2017 16:34:33 +0000
Subject: [keycloak-user] Admin initiated login-actions emails with action tokens no longer redirect user to proper screen since upgrading to 3.4.0.Final
Message-ID: <94DED19F-2072-46DB-96D3-A235D8019E93@info.nl>

Since upgrading from Keycloak 3.2.0.Final to 3.4.0.Final the links in the admin initiated login-actions emails no longer work for us. We use such emails e.g. to require the user to set his/her password before their account can be used.

Such login action links in the 'change password' emails are of the format:
https://HOSTNAME/auth/realms/graydon-customers/login-actions/action-token?key=XXX

When the user clicks this link, Keycloak 3.2.0 redirected the user to:
https://HOSTNAME/auth/realms/graydon-customers/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account

However, since we upgraded to Keycloak 3.4.0.Final this is no longer the case and the user is not redirected to the required action page at all.

Does anyone have tips on what may be the issue? Was there anything changed from 3.2.0 to 3.4.0 that could explain this? Or is it perhaps a bug in Keycloak?

PS: we run Keycloak in a cluster with a persistent clustered Infinispan cache. So far we have not emptied our Keycloak database nor completely removed this cache when upgrading Keycloak.

cheers

From jdennis at redhat.com Mon Nov 27 11:36:47 2017
From: jdennis at redhat.com (John Dennis)
Date: Mon, 27 Nov 2017 11:36:47 -0500
Subject: [keycloak-user] SAML login via python when using Keycloak as Identity broker
In-Reply-To:
References:
Message-ID: <7ac3c0fa-f9ed-35f1-7452-41b1849a1d0e@redhat.com>

On 11/27/2017 06:11 AM, Pieter Lukasse wrote:
> Hi,
>
> I have Keycloak as an identity broker for a SAML SSO service. Login via the browser works great. Now, I want to call the APIs of the SP's application directly using Python or Java.
> Are these steps documented somewhere? Should my Python script send 2 authentication requests (e.g. first to Keycloak and then to the real IDP)?

The standard way to perform SAML authentication for command line clients is to utilize the SAML ECP (Enhanced Client & Proxy) profile. ECP *must* be supported on the SP. Keycloak already has the necessary components for ECP and has been tested.

I have a couple of Python scripts that use ECP, and OpenStack uses ECP in Python as well. However my ECP Python code is not in a state for general consumption. Writing an ECP client is not hard; I'd suggest it be integrated with python-requests.

SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP transaction:

1. ECP issues HTTP Request to SP
2. SP issues <AuthnRequest> to ECP using PAOS
3. ECP determines IdP
4. ECP conveys <AuthnRequest> to IdP using SOAP
5. IdP identifies principal
6. IdP issues <Response> to ECP, targeted at SP using SOAP
7. ECP conveys <Response> to SP using PAOS
8. SP grants or denies access to principal

Before you go much further you will want to make sure your SP supports PAOS; this can easily be determined by examining the SP metadata and looking for an ACS (Assertion Consumer Service) endpoint with the PAOS binding. If your SP does not support PAOS you're likely limited to browser based access only.

--
John

From niko at n-k.de Mon Nov 27 13:06:18 2017
From: niko at n-k.de (Niko Köbler)
Date: Mon, 27 Nov 2017 19:06:18 +0100
Subject: [keycloak-user] AuthzClient.create() for Spring Boot usage
Message-ID: <9C7DDA3C-4739-478A-9F8C-16DB43006E4C@n-k.de>

Hi,

the "keycloak-authz-client" package provides the AuthzClient class, which can be created by calling "AuthzClient.create()". This automatically detects a "keycloak.json" file and reads values for the "Configuration" object. This is all good.

But when it comes to Spring Boot apps using the Spring Boot Adapter, there is no "keycloak.json" file and instead the values are provided via the "application.properties" (or .yml, or else).
I would appreciate it if "AuthzClient.create()" could also detect the Spring Boot property configuration and use it from there.

Was this already discussed? Is it planned? Should I create a ticket for it? If you already have any ideas, share them with me, I could do a PR for it.

Currently, I'm using a workaround like this:
https://gist.github.com/dasniko/2c64393da0bca89434670908141914c4

So I can inject the AuthzClient everywhere I like and the KeycloakSpringBootProperties object is injected in the Bean definition. It's not a nice way, although it works.

The classes "Configuration" and "KeycloakSpringBootProperties" both extend "AdapterConfig". Perhaps AuthzClient could also use AdapterConfig, instead of only Configuration!?

Regards,
- Niko

From sthorger at redhat.com Mon Nov 27 14:26:33 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 27 Nov 2017 20:26:33 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
In-Reply-To:
References:
Message-ID:

Read the docs. There's a section on how to configure Keycloak properly when you're using a reverse proxy.

On 27 November 2017 at 17:31, Malte Finsterwalder wrote:

> Hi there,
>
> I have a service running in a JBoss server that I want to secure via the Keycloak adapter.
> The server is behind a proxy that offloads SSL, so the server itself gets traffic as http.
> When the server redirects to Keycloak for authentication, the redirect URL supplied to Keycloak is http, not https. How can I ensure that a redirect URL is an https URL?
>
> Greetings,
> Malte
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jdennis at redhat.com Mon Nov 27 15:17:47 2017
From: jdennis at redhat.com (John Dennis)
Date: Mon, 27 Nov 2017 15:17:47 -0500
Subject: [keycloak-user] SAML login via python when using Keycloak as Identity broker
In-Reply-To: <7ac3c0fa-f9ed-35f1-7452-41b1849a1d0e@redhat.com>
References: <7ac3c0fa-f9ed-35f1-7452-41b1849a1d0e@redhat.com>
Message-ID:

On 11/27/2017 11:36 AM, John Dennis wrote:
> I have a couple of Python scripts that use ECP, and OpenStack uses ECP in Python as well. However my ECP Python code is not in a state for general consumption. Writing an ECP client is not hard; I'd suggest it be integrated with python-requests.

Oh, I forgot to mention the pysaml2 library has an implementation of an ECP client in ecp_client.py. I have not actually used this code so I can't vouch for it, but it probably would get you a long way down the road to using ECP in Python.

--
John

From mitya at cargosoft.ru Mon Nov 27 19:54:29 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Tue, 28 Nov 2017 03:54:29 +0300
Subject: [keycloak-user] domain-extension example not working OOTB, need admin-cli scope tweaking
Message-ID: <1511830469.17675.3.camel@cargosoft.ru>

Hi,

The domain-extension example used to work out of the box as of KC 3.1.0, but no longer works with KC >= 3.2.0. That's because in 3.1.0 the "admin-cli" client's scope had the "admin" role mapped by default, which is no longer the case for 3.2.0+, hence no "realm_access" field in the JWT token, hence null auth.getToken().getRealmAccess() in ExampleRestResource::checkRealmAdmin(), hence non-working authorization.

I think either the 3.1.0 behavior should be restored, or the domain-extension readme should contain a line about the necessary manual tweak to the admin-cli scope.

What do you think?
Dmitry

From byteflinger at gmail.com Tue Nov 28 02:23:50 2017
From: byteflinger at gmail.com (Byte Flinger)
Date: Tue, 28 Nov 2017 07:23:50 +0000
Subject: [keycloak-user] Idp thumbnail?
Message-ID:

When adding a new identity provider to Keycloak, such as a SAML IDP, is it possible to set it up so the button you click to login with that provider has a nice icon/thumbnail instead of text (or both)?

Regards
Byte

From inofi at gmx.net Tue Nov 28 04:57:17 2017
From: inofi at gmx.net (Malte Finsterwalder)
Date: Tue, 28 Nov 2017 10:57:17 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
In-Reply-To:
References:
Message-ID:

Thanks for your help, but I can't find anything helpful in the docs. I scanned the complete documentation and read a lot of it.
Could you point me to a particular chapter?

To clarify: I don't have a problem with Keycloak being behind a proxy that offloads SSL.

I have a problem with the service being behind a proxy. The service itself is accessed via HTTP, since SSL is offloaded on the proxy.
The client adapter then creates a redirect URL as HTTP, not HTTPS, and passes that to Keycloak. So when Keycloak redirects back to the service, it uses the HTTP URL provided by the client adapter, which is "wrong".

Thanks,
Malte

On 27 November 2017 at 20:26, Stian Thorgersen wrote:

> Read the docs. There's a section on how to configure Keycloak properly when you're using a reverse proxy.
>
> On 27 November 2017 at 17:31, Malte Finsterwalder wrote:
>
>> Hi there,
>>
>> I have a service running in a JBoss server that I want to secure via the Keycloak adapter.
>> The server is behind a proxy that offloads SSL, so the server itself gets traffic as http.
>> When the server redirects to Keycloak for authentication, the redirect URL supplied to Keycloak is http, not https. How can I ensure that a redirect URL is an https URL?
>>
>> Greetings,
>> Malte
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From matthew.broadhead at nbmlaw.co.uk Tue Nov 28 05:07:38 2017
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Tue, 28 Nov 2017 11:07:38 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
In-Reply-To:
References:
Message-ID: <277df0c7-9141-eabb-17b8-ee3d55960fcf@nbmlaw.co.uk>

Which proxy are you using? This guide helped me proxy behind apache2:
http://markus.co/howto/2017/07/27/keycloak-apache.html

On 28/11/2017 10:57, Malte Finsterwalder wrote:
> Thanks for your help, but I can't find anything helpful in the docs. I scanned the complete documentation and read a lot of it.
> Could you point me to a particular chapter?
>
> To clarify: I don't have a problem with Keycloak being behind a proxy that offloads SSL.
>
> I have a problem with the service being behind a proxy. The service itself is accessed via HTTP, since SSL is offloaded on the proxy.
> The client adapter then creates a redirect URL as HTTP, not HTTPS, and passes that to Keycloak. So when Keycloak redirects back to the service, it uses the HTTP URL provided by the client adapter, which is "wrong".
>
> Thanks,
> Malte
>
> On 27 November 2017 at 20:26, Stian Thorgersen wrote:
>
>> Read the docs. There's a section on how to configure Keycloak properly when you're using a reverse proxy.
>>
>> On 27 November 2017 at 17:31, Malte Finsterwalder wrote:
>>
>>> Hi there,
>>>
>>> I have a service running in a JBoss server that I want to secure via the Keycloak adapter.
>>> The server is behind a proxy that offloads SSL, so the server itself gets traffic as http.
>>> When the server redirects to Keycloak for authentication, the redirect URL supplied to Keycloak is http, not https. How can I ensure that a redirect URL is an https URL?
>>>
>>> Greetings,
>>> Malte
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From matthew.broadhead at nbmlaw.co.uk Tue Nov 28 05:11:10 2017
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Tue, 28 Nov 2017 11:11:10 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
In-Reply-To:
References:
Message-ID:

Also, if you access the server through your proxy it should update all the links to be https rather than http. For instance, when you go to realm->clients->your client->installation->Keycloak OIDC JSON, the auth-server-url will show the base url correctly depending on how you accessed the admin interface.

On 28/11/2017 10:57, Malte Finsterwalder wrote:
> Thanks for your help, but I can't find anything helpful in the docs. I scanned the complete documentation and read a lot of it.
> Could you point me to a particular chapter?
>
> To clarify: I don't have a problem with Keycloak being behind a proxy that offloads SSL.
>
> I have a problem with the service being behind a proxy. The service itself is accessed via HTTP, since SSL is offloaded on the proxy.
> The client adapter then creates a redirect URL as HTTP, not HTTPS, and passes that to Keycloak. So when Keycloak redirects back to the service, it uses the HTTP URL provided by the client adapter, which is "wrong".
>
> Thanks,
> Malte
>
> On 27 November 2017 at 20:26, Stian Thorgersen wrote:
>
>> Read the docs.
>> There's a section on how to configure Keycloak properly when you're using a reverse proxy.
>>
>> On 27 November 2017 at 17:31, Malte Finsterwalder wrote:
>>
>>> Hi there,
>>>
>>> I have a service running in a JBoss server that I want to secure via the Keycloak adapter.
>>> The server is behind a proxy that offloads SSL, so the server itself gets traffic as http.
>>> When the server redirects to Keycloak for authentication, the redirect URL supplied to Keycloak is http, not https. How can I ensure that a redirect URL is an https URL?
>>>
>>> Greetings,
>>> Malte
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From inofi at gmx.net Tue Nov 28 07:28:07 2017
From: inofi at gmx.net (Malte Finsterwalder)
Date: Tue, 28 Nov 2017 13:28:07 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
In-Reply-To: <277df0c7-9141-eabb-17b8-ee3d55960fcf@nbmlaw.co.uk>
References: <277df0c7-9141-eabb-17b8-ee3d55960fcf@nbmlaw.co.uk>
Message-ID:

Thanks for this reference. But it still doesn't solve my problem.
I see I need to describe a little more what my setup is and what my problem is.

We use HAProxy.
I have one URL for my Keycloak, say: https://keycloak.x.org
I have another URL for my service, say: https://service.x.org
These URLs go to HAProxy, which offloads SSL and then directs traffic as HTTP to the servers, which are run in a Kubernetes cluster.
My keycloak.json file stored in the service is as follow: { "realm": "myrealm", "auth-server-url": "https://keycloak.x.org/auth", "ssl-required": "all", "resource": "my-client", "principal-attribute": "preferred_username", "public-client": true, "truststore" : "/truststore.jks", "truststore-password" : "mytruststorepassword" } I open the service: "https://service.x.org/somepage" in my browser. I get redirected to Keycloak for authentication with this URL: https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid Keycloak is accessed via https, as stated in the keycloak.json file. But as you can see, the embedded redirect_uri is http, not https. After Keycloak authenticated the user, keycloak issues a redirect to http://service.x.org/somepage and not https://service.x.org/somepage So after authentication my service is access via http and not https anymore. Keycloaks standalone.xml is configured as described in the setup for Apache2 you sent me: .... .... Does that make things clearer? What am I missing?! Thanks for your help, Malte On 28 November 2017 at 11:07, Matthew Broadhead < matthew.broadhead at nbmlaw.co.uk> wrote: > which proxy are you using? this guide helped me proxy behind apache2 > http://markus.co/howto/2017/07/27/keycloak-apache.html > > On 28/11/2017 10:57, Malte Finsterwalder wrote: > > Thanks for your help, but I can't find anything helpfull in the docs. I > > scanned the complete documentation and read a lot of it. > > Could you point me to a particular chapter? > > > > To clarify: I don't have a problem with Keycloak being behind a proxy, > that > > offloads SSL. > > > > I have a problem with the service being behind a proxy. The service > itself > > is access via HTTP, since SSL is offloaded on the Proxy. > > The client adapter then creates a redirect URL as HTTP, not HTTPS and > > passes that to Keycloak. 
> > So when Keycloak redirects back to the service, it uses the HTTP URL provided by the client adapter, which is "wrong".
> >
> > Thanks,
> > Malte

From matthew.broadhead at nbmlaw.co.uk Tue Nov 28 07:36:56 2017
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Tue, 28 Nov 2017 13:36:56 +0100
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
References: <277df0c7-9141-eabb-17b8-ee3d55960fcf@nbmlaw.co.uk>

section 1.5 of the article configures undertow in keycloak to proxy https
section 2.3 of the article shows how to configure httpd to reverse proxy using forwarded port and protocol 443
i suspect your problem is to configure HAProxy to do the part in 2.3 - setting X-Forwarded-* headers

From scotthezzell at hotmail.com Tue Nov 28 07:40:14 2017
From: scotthezzell at hotmail.com (Scott Hezzell)
Date: Tue, 28 Nov 2017 12:40:14 +0000
Subject: [keycloak-user] Keycloak realm detection from email domain

Hi

I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm.

Has anyone faced a similar problem?

My thoughts at the moment are to build a proxy API that the mobile application redirects to, that prompts the user for their email address, looks up the configured tenant from the email domain and redirects to the appropriate realm's login page, passing the mobile app credentials it passes to the proxy API and the entered user email as a login_hint.

Can anyone see any issues with this approach? Or suggest a better approach?
Thanks
Scott

From sinan.mustafov619 at gmail.com Tue Nov 28 07:42:34 2017
From: sinan.mustafov619 at gmail.com (Sinan Mustafov)
Date: Tue, 28 Nov 2017 14:42:34 +0200
Subject: [keycloak-user] When KeycloakSecurityContext is initialized and available?

Hello,

I have a backend with a JAX-RS REST endpoint secured with bearer token and an angular2 app as frontend (everything is the same as in the quickstarts). What I'm trying to do is to get the KeycloakSecurityContext in a ServletRequestListener, so I can get the authenticated user and initialize my own context in the backend for the current request. Here is the code:

    import javax.servlet.ServletRequest;
    import javax.servlet.ServletRequestEvent;
    import javax.servlet.ServletRequestListener;
    import javax.servlet.annotation.WebListener;

    import org.keycloak.KeycloakSecurityContext;

    @WebListener
    public class RequestListener implements ServletRequestListener {

        @Override
        public void requestInitialized(ServletRequestEvent event) {
            ServletRequest servletRequest = event.getServletRequest();
            // The adapter stores its security context as a request attribute keyed by the class name
            Object keycloakContext = servletRequest.getAttribute(KeycloakSecurityContext.class.getName());
            System.out.println("INIT: " + keycloakContext);
        }

        @Override
        public void requestDestroyed(ServletRequestEvent event) {
            ServletRequest servletRequest = event.getServletRequest();
            // Same lookup at the end of the request, for comparison
            Object keycloakContext = servletRequest.getAttribute(KeycloakSecurityContext.class.getName());
            System.out.println("DESTROY: " + keycloakContext);
        }
    }

What happens: in the requestInitialized method the context is null, but it's available in the requestDestroyed method. Do you have any idea why this is happening, or when the KeycloakSecurityContext is added to the request?

Regards.

From supittma at redhat.com Tue Nov 28 07:47:42 2017
From: supittma at redhat.com (Summers Pittman)
Date: Tue, 28 Nov 2017 07:47:42 -0500
Subject: [keycloak-user] Keycloak Facebook Social Login

So this is my best guess of where I would start developing this. This is a bit complicated (and also my best guess), and I am basing my answer a bit on:
https://github.com/wpic/sample-keycloak-getting-token and
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Brokering-with-OIDC-and-Direct-Access-Grant-td2435.html

There are four components of this system: the User, Keycloak, Facebook, and your Application (aka Broker).

The Client requests the login page on your Broker, is redirected to Facebook, and returns to your Broker with Facebook's authentication payload. The Broker can verify this payload. At this point you either have a new user or an existing user.

For new users, use the KeyCloak Admin API to generate a new initial access token and pre-populate your registration form. The User will receive this form and register for your application. The Broker can exchange the registration form for a proper access token and life can go on like normal.

If you have an existing user, you will need to use an External to Internal token exchange. This is documented here: http://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange. There are limits to the token exchange, but I think that facebook returns a compatible access_token. I would suggest reviewing https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#token.

I am looking forward to hearing if this works for you or not. As I said in the opening, if I had your use case this is how I would try to implement it. I have not tested this myself.

On Mon, Nov 20, 2017 at 9:53 PM, Madhan Kumar S P wrote:
> Hello All,
> I am trying to integrate Keycloak with the Facebook social plugin.
> I had gone through the examples and documentation. This works fine if I use the Keycloak hosted Login Page.
>
> What I need is that we want to host our own login page and use the Keycloak APIs to register the user and login.
>
> I mean, I want to host our Sign Up/Login Page. When the user clicks on Login with Facebook, we want to redirect the user to FB and get the approval and collect the details, create the user details that we need for our application. Then register the user on Keycloak.
>
> I don't see any documentation for this. I would be really grateful if you can shed some light on this and point to the documentation that would help me in achieving this.
>
> Thanks & Regards,
> Madhan Kumar S P

From Michael.Liebe at ist.com Tue Nov 28 08:14:24 2017
From: Michael.Liebe at ist.com (Michael Liebe)
Date: Tue, 28 Nov 2017 13:14:24 +0000
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
References: <277df0c7-9141-eabb-17b8-ee3d55960fcf@nbmlaw.co.uk>

Hi,

It seems that your application server doesn't recognize the X-Forwarded-Proto header. I assume that your HA proxy already sends this header because Keycloak works correctly. Keycloak is aware of this header because you have set proxy-address-forwarding="true". You wrote that your service is running in a JBoss server which I'm not familiar with but I would expect that there is a similar configuration.

I hope this helps.

Michael

On 2017-11-28, 13:28, "keycloak-user-bounces at lists.jboss.org on behalf of Malte Finsterwalder" wrote:

    Thanks for this reference. But it still doesn't solve my problem.
    I see I need to describe a little more what my setup is and what my problem is.

    We use HAProxy.
    I have one URL for my keycloak, say: https://keycloak.x.org
    I have another URL for my service, say: https://service.x.org
    These URLs go to HAProxy, which offloads SSL and then directs traffic as HTTP to the servers, which are run in a Kubernetes Cluster.
    My keycloak.json file stored in the service is as follows:

    {
      "realm": "myrealm",
      "auth-server-url": "https://keycloak.x.org/auth",
      "ssl-required": "all",
      "resource": "my-client",
      "principal-attribute": "preferred_username",
      "public-client": true,
      "truststore": "/truststore.jks",
      "truststore-password": "mytruststorepassword"
    }

    I open the service "https://service.x.org/somepage" in my browser.
    I get redirected to Keycloak for authentication with this URL:
    https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid
    Keycloak is accessed via https, as stated in the keycloak.json file. But as you can see, the embedded redirect_uri is http, not https.
    After Keycloak authenticated the user, keycloak issues a redirect to http://service.x.org/somepage and not https://service.x.org/somepage
    So after authentication my service is accessed via http and not https anymore.

    Keycloak's standalone.xml is configured as described in the setup for Apache2 you sent me:

    ....
    ....

    Does that make things clearer?

    What am I missing?!

    Thanks for your help,
    Malte

From kevin.berendsen at pharmapartners.nl Tue Nov 28 08:23:39 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Tue, 28 Nov 2017 13:23:39 +0000
Subject: [keycloak-user] Keycloak realm detection from email domain
Message-ID: <89416374424943dd95047cbe0645a187@FERB.ppg.lan>

Hi Scott,

Wouldn't it be much easier to implement this "proxy" logic in the mobile app itself? Adding a new layer in your infrastructure could mean another single point of failure and doesn't add much value to it either. Of course, you can write some logic by modifying Keycloak but it could be rejected by the community and then you'd have to maintain your logic in Keycloak yourself. It could break anytime Keycloak has another update and Keycloak is updated frequently.

I'd honestly stick by implementing this behavior in your client. Before you redirect your user to the login page or pass his credentials to the Keycloak instance, validate the email and direct the user to the proper realm then. This way you'd have to maintain only a small part of your mobile app and it doesn't contain the complexity of maintaining another component in your infrastructure.

I hope this will give you some thoughts :-) !

Kind regards,
Kevin

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Scott Hezzell
Sent: Tuesday, November 28, 2017 1:40 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak realm detection from email domain

Hi

I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm.

Has anyone faced a similar problem?

My thoughts at the moment are to build a proxy API that the mobile application redirects to, that prompts the user for their email address, looks up the configured tenant from the email domain and redirects to the appropriate realm's login page, passing the mobile app credentials it passes to the proxy API and the entered user email as a login_hint.

Can anyone see any issues with this approach? Or suggest a better approach?
Thanks
Scott

From mitya at cargosoft.ru Tue Nov 28 09:22:38 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Tue, 28 Nov 2017 17:22:38 +0300
Subject: [keycloak-user] Services behind a Proxy that offloads SSL
References: <277df0c7-9141-eabb-17b8-ee3d55960fcf@nbmlaw.co.uk>
Message-ID: <1511878958.4960.1.camel@cargosoft.ru>

Malte,

As the guys have already noticed, you need to make sure that your *service* is proxy-aware, i.e. it has to be configured to recognize https://service.x.org as a legitimate external address. If your service is deployed to JBoss/Wildfly, you should do the following on the target server (not Keycloak):

    ...
    ...

Just FYI, for Tomcat/TomEE this is done like that:

    ....

Also make sure that on the HAProxy side forwarding of X-Forwarded-* headers is turned on.

Regards,
Dmitry

From psilva at redhat.com Tue Nov 28 10:18:01 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 28 Nov 2017 13:18:01 -0200
Subject: [keycloak-user] AuthzClient.create() for Spring Boot usage
In-Reply-To: <9C7DDA3C-4739-478A-9F8C-16DB43006E4C@n-k.de>
References: <9C7DDA3C-4739-478A-9F8C-16DB43006E4C@n-k.de>

Hi,

I see no issue with your workaround, but yeah, we can make this simpler for SB. Could you please file a JIRA? If you already have an idea on how to address this, please send us a PR and I'll review ...

Thanks.
Pedro Igor

On Mon, Nov 27, 2017 at 4:06 PM, Niko Köbler wrote:
> Hi,
>
> the "keycloak-authz-client" package provides the AuthzClient class, which can be created by calling "AuthzClient.create()".
> This automatically detects a "keycloak.json" file and reads values for the "Configuration" object.
> This is all good.
>
> But when it comes to Spring Boot apps using the Spring Boot Adapter, there is no "keycloak.json" file and instead the values are provided via the "application.properties" (or .yml, or else).
> I would appreciate that "AuthzClient.create()"
would also be possible to > detect the Spring Boot Property configuration and use it from there. > > Was this already discussed? Is it planned? Should I create a ticket for it? > If you already have any ideas, share them with me, I could do a PR for it. > > Currently, I?m using a workaround like this: https://gist.github.com/ > dasniko/2c64393da0bca89434670908141914c4 2c64393da0bca89434670908141914c4> > So I can inject the AuthzClient everywhere I like and the > KeycloakSpringBootProperties object is injected in the Bean definition. > It?s not a nice way, although it works. > > The classes ?Configuration? and ?KeycloakSpringBootProperties? both extend > ?AdapterConfig?. Perhaps AuthzClient could also use AdapterConfig, instead > of only Configuration!? > > Regards, > - Niko > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From noircc at gmail.com Tue Nov 28 10:25:58 2017 From: noircc at gmail.com (SW) Date: Tue, 28 Nov 2017 08:25:58 -0700 (MST) Subject: [keycloak-user] KC-SERVICES0047: my-registration-action (test.extension.MyRegistrationFormActionFactory) is implementing the internal SPI form-action. This SPI is internal and may chang e without notice ---> Should I be concerned? Message-ID: <1511882758065-0.post@n6.nabble.com> I created my own KeycloakRegistrationAction and it gives me this warning. Should I be concerned when upgrading to newer versions in the future? 
-- Sent from: http://keycloak-user.88327.x6.nabble.com/ From mitya at cargosoft.ru Tue Nov 28 10:39:44 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Tue, 28 Nov 2017 18:39:44 +0300 Subject: [keycloak-user] Keycloak plugin using keycloak-services In-Reply-To: <2E33742E-30EF-4C5B-9A0C-C059D07589AF@cimenviro.com> References: <2E33742E-30EF-4C5B-9A0C-C059D07589AF@cimenviro.com> Message-ID: <1511883584.4960.3.camel@cargosoft.ru> Hi Anton, Please mind that in order to run the domainextension example under KC >= 3.2.0, first you'll need to manually add the "admin" role to the "admin-cli" client scope, see my previous posting here. Other answers inline. ? Mon, 27/11/2017 ? 09:30 +1100, Anton Mazkovoi ?????: > Hi, > > I have a small plugin that adds a simple REST service to keycloak, > which I would like to restrict access to members of the admin role. > > I am following the example: > https://github.com/keycloak/keycloak/blob/3.2.1.Final/examples/provid > ers/domain- > extension/src/main/java/org/keycloak/examples/domainextension/rest/Ex > ampleRestResource.java > > I am deploying the plugin by copying into the > "standalone/deployments? directory. > > The plugin errors out with: > java.lang.NoClassDefFoundError: > org/keycloak/services/managers/AppAuthManager > > How do I declare the dependency on "keycloak-services?? If you're intended to deploy via standalone/deployments, you'll need to define your deps in META-INF/jboss-deployment-structure.xml, like here: https://github.com/dteleguin/beercloak/blob/14da8578310f2d257bdc1b059a8 d355343174180/src/main/resources/META-INF/jboss-deployment- structure.xml You should know that if your plugin contains an EntityProvider and custom JPA entities, you won't be able to hot (re)deploy your code (that means, onto a running Keycloak instance), see KEYCLOAK-5782 for more info. Another option is to deploy your provider as a JBoss module, exactly as described in the README for domain-extension example. 
In this case, you won't need META-INF/jboss-deployment-structure.xml.

> Or is there a simpler way to restrict access to a REST service to
> admin role members?

I'm afraid not. I myself would be happy to see some declarative way to secure custom REST endpoints, but that would be possible only upon the introduction of the hypothetical Admin REST Resource SPI, which is unfortunately not going to happen anytime soon.

In the meantime, I suggest that you take a look at BeerCloak: https://github.com/dteleguin/beercloak

The domain-extension example is limited in a way that it doesn't support multiple realms; try adding a non-master realm, tweak invoke-authenticated.sh accordingly, and you'll get 401 everywhere. In BeerCloak, there's no such limitation, however the implementation is a bit more complex. I'd recommend that you use beercloak.resources.AbstractAdminResource as a base class for your resource.

Additionally, BeerCloak uses EAR packaging, something that I would also strongly recommend - this allows you to package your provider together with dependencies, which frees you from deploying dependencies separately.

Don't hesitate to write me if you have further questions.

Cheers,
Dmitry

> Cheers,
> Anton

From jfherouard.almerys at gmail.com Tue Nov 28 10:52:02 2017
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD)
Date: Tue, 28 Nov 2017 16:52:02 +0100
Subject: [keycloak-user] Token exchange in java client
Message-ID:

Hi,

I am using the token exchange feature of Keycloak 3.4, which is really great and useful in my REST backoffice (before, the only way I found was to do a lot of 302s in the browser to get the needed access tokens). Everything is documented for server configuration, but in the java client is there a new function to exchange a token?
I wrote some code extending the current AuthzClient if anybody is looking for the same thing:

    // Exchanges an access token issued by the identity provider "bearerIdpName"
    // for a token of this client, using the OAuth token-exchange grant.
    public AccessTokenResponse exchangeAccessToken(String bearer, String bearerIdpName) {
        return this.http.post(authzClient.getServerConfiguration().getTokenEndpoint())
                .authentication()
                .client()
                .param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
                .param("subject_token", bearer)
                .param("subject_issuer", bearerIdpName)
                .param("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
                .param("audience", authzClient.getConfiguration().getResource())
                .response()
                .json(AccessTokenResponse.class)
                .execute();
    }

Thanks

From mitya at cargosoft.ru Tue Nov 28 11:00:48 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Tue, 28 Nov 2017 19:00:48 +0300
Subject: [keycloak-user] domain-extension example not working OOTB, need admin-cli scope tweaking
In-Reply-To: <1511830469.17675.3.camel@cargosoft.ru>
References: <1511830469.17675.3.camel@cargosoft.ru>
Message-ID: <1511884848.4960.4.camel@cargosoft.ru>

https://issues.jboss.org/browse/KEYCLOAK-5927

From moon3854 at gmail.com Tue Nov 28 12:47:26 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Tue, 28 Nov 2017 20:47:26 +0300
Subject: [keycloak-user] Operations through keycloak-spring-security-adapter produce status 500 when token is expired
Message-ID:

Hello,

We're facing a problem with operations performed through a gateway (using keycloak spring-security-adapter 3.4.0.Final). They result in "org.keycloak.exceptions.TokenNotActiveException: Token is not active" if attempted with an expired token. Unlike the "token is almost expired" error, which correctly returns 401, this one throws NullPointerException and as a result produces a 500 status code, not 401:

Caused by: java.lang.NullPointerException: null
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)

This is observed even when accessing keycloak's own endpoints (/users).
I've seen an issue on JIRA https://issues.jboss.org/browse/KEYCLOAK-5195 which looks like it describes exactly our problem, but it's supposed to be fixed in 3.4.0.Final.

Here's the relevant part of our http security config (requestMatcher filters some requests bound for the IdP itself) from the gateway:

    @Override
    @Bean
    @Primary
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(),
                new NeedValidateJwtTokenRequestMatcher(gatewayRoute));
    }

    @Bean
    public HttpSecurityConfigurer getHttpSecurityConfigurer() {
        return httpSecurity -> {
            httpSecurity.authorizeRequests()
                    .anyRequest().permitAll();
            httpSecurity.addFilterBefore(traceMethodFilter, CorsFilter.class);
            httpSecurity.addFilterBefore(corsFilter, KeycloakAuthenticationProcessingFilter.class);
        };
    }

Is it something with how we use the adapter in the gateway, or is the fix from KEYCLOAK-5195 missing from 3.4.0.Final (or maybe it is not even relevant in this case)?

Best regards,
Dmitry

From Bodo.Teichmann at brandad-systems.de Tue Nov 28 13:15:51 2017
From: Bodo.Teichmann at brandad-systems.de (Bodo Teichmann)
Date: Tue, 28 Nov 2017 18:15:51 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
In-Reply-To:
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de> <133DBDB9-433B-496C-B965-97A8D4FDC9A3@brandad-systems.de>
Message-ID: <4F79653E-7692-40E9-A34B-90F0A6332D5E@brandad-systems.de>

Started keycloak demo server (before starting the app-profile-jee-vanilla aquillian - tests) with
./standalone.sh -Djboss.socket.binding.port-offset=100
Just as it's described in the "getting started"
and because when I would omit the "-Djboss.socket.binding.port-offset=100", then the

mvn clean install -Pwildfly-managed -Denforcer.skip=true

will give me another error of course:

org.jboss.arquillian.container.spi.client.container.LifecycleException: The port 9990 is already in use. It means that either the server might be already running or there is another process using port 9990. Managed containers do not support connecting to running server instances due to the possible harmful effect of connecting to the wrong server.

Is that what you are asking about?

Bodo

On 26.11.2017 at 20:13, Bruno Oliveira wrote:

In which host/port you have WildFly and Keycloak started?

Looking at this exception:

Caused by: java.net.ConnectException: Connection refused (Connection refused)
at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.

Seems like ArquillianProfileJeeVanillaTest could not connect.

On Sun, Nov 26, 2017, 4:38 PM Bodo Teichmann wrote:

No, with

mvn clean install -Pwildfly-managed -Denforcer.skip=true

I got this same error:

…
18:52:16,546 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
18:52:16,547 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) started in 4322ms - Started 332 of 578 services (393 services are lazy, passive or on-demand)
Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 7.055 sec <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 7.054 sec <<< ERROR!
java.lang.ExceptionInInitializerError
at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.(ArquillianProfileJeeVanillaTest.java:81)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.(ArquillianProfileJeeVanillaTest.java:81)

org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 7.055 sec <<< ERROR!
java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.quickstart.ArquillianProfileJeeVanillaTest

Nov 26, 2017 6:52:17 PM org.jboss.arquillian.core.impl.ObserverImpl resolveArguments
WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null. It won't be invoked.
18:52:17,956 INFO [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0236: Suspending server with no timeout.
…

Looks to me that somehow Arquillian can not log into the managed wildfly it just started, but I'm not good with Arquillian though…
Although the wildfly seemed to have started without any issues.

Bodo

On 25.11.2017 at 21:42, Sebastien Blanc wrote:

Run with:
mvn clean install -Pwildfly-managed -Denforcer.skip=true

On Sat, 25 Nov 2017 at 16:02, Bodo Teichmann wrote:

I just followed the "Getting Started" documentation 3.4.
Everything ok until it comes to:
Chapter 4.3.:
after git-clone and
cd keycloak-quickstarts/app-profile-jee-vanilla
I tried:
mvn clean wildfly:deploy
but got the error:

-------------------------------------------------------------------------------
Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
-------------------------------------------------------------------------------
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE!
org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 0.907 sec <<< ERROR!
java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166)
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103)
at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52)
at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162)
... 15 more
Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss
at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85)
at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265)
at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74)
at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.(EventTestRunnerAdaptor.java:63)
... 20 more
Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified
at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
at org.jboss.arquillian.container.impl.ContainerImpl.(ContainerImpl.java:71)
at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
... 44 more

until I tried
mvn clean wildfly:deploy -DskipTests
which worked.

Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started"?

bodo

From orivat at janua.fr Tue Nov 28 13:20:19 2017
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 28 Nov 2017 19:20:19 +0100
Subject: [keycloak-user] Issue with RH-SSO 7.1 domain clustered mode example deployment (Cannot authenticate)
Message-ID: <5f234afb-9fb3-23d4-79e5-d22b5034195b@janua.fr>

Hi,

I have an issue authenticating against the RH-SSO installed in domain cluster mode.
I am using RH-SSO server 7.1, and have just deployed a fresh new install of the rh-sso ZIP file.
I am following step-by-step
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/server_installation_and_configuration_guide/operating-mode#domain-mode

1)
I have first created master and slaves in the domain

~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-master.xml
~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-slave.xml

2) I have added the admin user running add-user.sh

~/redhat/cluster_rh_7.1/rh-sso-7.1/bin$ ./add-user.sh
Quel type d'utilisateur souhaitez-vous ajouter ?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a):
Saisir les informations sur le nouvel utilisateur
Utiliser le domaine 'ManagementRealm' selon les fichiers de propriétés existants.
Nom d'utilisateur : admin
Le nom d'utilisateur 'admin' est facile à deviner
Êtes-vous certain de vouloir ajouter l'utilisateur 'admin' oui/non ? oui
Les recommandations de mot de passe sont énumérés ci-dessous. Pour modifier ces restrictions, modifier le fichier de configuration add-user.properties.
 - Le mot de passe doit être différent du nom d'utilisateur
 - Le mot de passe doit correspondre à une des valeurs limitées suivantes {root, admin, administrator}
 - Le mot de passe doit contenir au moins 8 caractères, 1 caractère(s) alphabétique(s), 1 chiffre (s), 1 symbole(s) non alpha-numériques
Mot de passe :
Saisir mot de passe à nouveau :
Quels groupes souhaitez-vous impartir à cet utilisateur ? (Veuillez saisir une liste séparée par des virgules, ou laisser vide)[ ]:
L'utilisateur 'admin' va être ajouté pour le domaine 'ManagementRealm'
Est-ce correct ? oui/non? oui
Utilisateur 'admin' ajouté au fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-users.properties'
Utilisateur 'admin' ajouté au fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-users.properties'
Utilisateur 'admin' ajouté aux groupes dans le fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-groups.properties'
Utilisateur 'admin' ajouté aux groupes
dans le fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-groups.properties'
Est-ce que ce nouvel utilisateur va être utilisé pour qu'un processus AS puisse se connecter à un autre processus AS, comme par exemple pour qu'un contrôleur d'hôte esclave se connecte au master ou pour une connexion distante de serveur à serveur pour les appels EJB.
oui/non ? oui
Pour représenter l'utilisateur, ajouter ce qui suit à la définition des identités du serveur

3) I have added to host-slave.xml

4) I have restarted both servers

5) The issue:
When I connect to http://localhost:8080/auth with admin and the password, I obtain the message

[Server:server-one] 18:41:37,959 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=c66df7c9-1bba-47f4-b7ff-280905d53185, username=admin

6) Further troubleshooting:
The only thing missing is that I have not found where to grab keycloak-server.json to copy it to server-one/configuration/keycloak-server.json (as described in RH-SSO 7.1). But is it really needed? I am a little bit confused.
If it is really missing and the reason why I am failing on this example, where can it be found, as it is not described in the RH-SSO 7.1 where to grab it?

(I have also found the following POST: http://blog.keycloak.org/2016/09/keycloak-serverjson-rip.html

>>>>>>>>>>>>>>>>>>>>>>>
We have moved configuration of the Keycloak server from keycloak-server.json to standalone.xml, standalone-ha.xml, or domain.xml. Which xml file you use will depend on how you run your server. I'll reference standalone.xml from here on out, but configuration is the same for each file.

As of version 2.2.0, keycloak-server.json will no longer be shipped with Keycloak. We do provide a conversion tool to help you make the switch.
So now, you can configure the entire server from a single xml file. Keycloak server configuration is done in the same file where you configure data sources, socket bindings, logging, and clustering. But there are other advantages...
>>>>>>>>>>>>>>>>>>>>>>>

7) So, from all what I have described, how is it possible to overcome this?
Is it a mistake of mine? Is it due to something not being clearly documented? Or other?

Waiting for your comments and suggestions,

Regards,
Olivier Rivat

From Bodo.Teichmann at brandad-systems.de Tue Nov 28 13:42:05 2017
From: Bodo.Teichmann at brandad-systems.de (Bodo Teichmann)
Date: Tue, 28 Nov 2017 18:42:05 +0000
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
In-Reply-To: <4F79653E-7692-40E9-A34B-90F0A6332D5E@brandad-systems.de>
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de> <133DBDB9-433B-496C-B965-97A8D4FDC9A3@brandad-systems.de> <4F79653E-7692-40E9-A34B-90F0A6332D5E@brandad-systems.de>
Message-ID: <2FFF4234-CE56-4A32-AFA2-A49559CAC739@brandad-systems.de>

I mean, actually the maven-arquillian should start its own managed wildfly, which it does, according to the logs.
This wildfly is starting ok on the default ports for wildfly.
But to me it looks like the arquillian-test can not connect to this running wildfly for some reason I don't understand.
As far as I do understand, when running the maven build/test no other wildfly or keycloak server should be necessary to start before, right?
The maven build should be self-contained, shouldn't it?

Bodo

From sblanc at redhat.com Tue Nov 28 13:45:50 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 28 Nov 2017 19:45:50 +0100
Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
In-Reply-To: <2FFF4234-CE56-4A32-AFA2-A49559CAC739@brandad-systems.de>
References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de> <133DBDB9-433B-496C-B965-97A8D4FDC9A3@brandad-systems.de> <4F79653E-7692-40E9-A34B-90F0A6332D5E@brandad-systems.de> <2FFF4234-CE56-4A32-AFA2-A49559CAC739@brandad-systems.de>
Message-ID:

On Tue, Nov 28, 2017 at 7:42 PM, Bodo Teichmann <Bodo.Teichmann at brandad-systems.de> wrote:
> I mean, actually the maven-arquillian should start its own managed wildfly,
> which it does, according to the logs.
> This wildlfy is starting ok on the default ports for wildfly. > But to me it looks like the arquillian-test can not connect to this > running wildly for some reason, I don?t understand. > As far as I do understand when running the maven build/test no other > wildfly or keycloak server should be necessary to start before , right ? > The maven build should be self-contained, shouldn?t it? > Right, are you sure you have nothing else running on port 9990 ? > Bodo > > Am 28.11.2017 um 19:15 schrieb Bodo.Teichmann at brandad-systems.de: > > Started keycloak demo server (before starting the app-profile-jee-vanilla > aquillian - tests) with > ./standalone.sh -Djboss.socket.binding.port-offset=100 > Just as its described in the ?getting started? and > because when I would omit the "-Djboss.socket.binding.port-offset=100", > then the > > mvn clean install -Pwildfly-managed -Denforcer.skip=true > > Will give me another error of course : > org.jboss.arquillian.container.spi.client.container.LifecycleException: > The port 9990 is already in use. It means that either the server might be > already running or there is another process using port 9990. > Managed containers do not support connecting to running server instances > due to the possible harmful effect of connecting to the wrong server. > > Is that what you are asking about ? > > Bodo > > Am 26.11.2017 um 20:13 schrieb Bruno Oliveira bruno at abstractj.org >>: > > In which host/port you have WildFly and Keycloak started? > > Looking at this exception: > > Caused by: java.net.ConnectException: Connection refused (Connection > refused) > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest. > > Seems like ArquillianProfileJeeVanillaTest, could not connect. > > On Sun, Nov 26, 2017, 4:38 PM Bodo Teichmann systems.de >> wrote: > No, with > > mvn clean install -Pwildfly-managed -Denforcer.skip=true > > I got this same Error: > > ?. 
> 18:52:16,546 INFO [org.jboss.as] (Controller Boot > Thread) WFLYSRV0051: Admin console listening on > http://127.0.0.1:9990 > 18:52:16,547 INFO [org.jboss.as] (Controller Boot > Thread) WFLYSRV0025: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) > started in 4322ms - Started 332 of 578 services (393 services are lazy, > passive or on-demand) > Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 7.055 sec > <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: > 7.054 sec <<< ERROR! > java.lang.ExceptionInInitializerError > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.( > ArquillianProfileJeeVanillaTest.java:81) > Caused by: java.net.ConnectException: Connection refused (Connection > refused) > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.( > ArquillianProfileJeeVanillaTest.java:81) > > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: > 7.055 sec <<< ERROR! > java.lang.NoClassDefFoundError: Could not initialize class > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > > Nov 26, 2017 6:52:17 PM org.jboss.arquillian.core.impl.ObserverImpl > resolveArguments > WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null. It > won't be invoked. > 18:52:17,956 INFO [org.jboss.as.server] (management-handler-thread - 2) > WFLYSRV0236: Suspending server with no timeout. > … > > Looks to me that somehow the Arquillian can not log into the managed > wildfly it just started, but I'm not good with Arquillian though… > Although the wildfly seemed to have started without any issues. > > Bodo > > On 25.11.2017 at 21:42, Sebastien Blanc sblanc at redhat.com wrote: > > Run with : > mvn clean install -Pwildfly-managed -Denforcer.skip=true > > On Sat. 25 Nov. 2017 at
16:02, Bodo Teichmann Teichmann at brandad-systems.de wrote: > I just followed the "Getting Started" Documentation 3.4. > Everything ok until it comes to : > Chapter 4.3.: > after git-clone and > > cd keycloak-quickstarts/app-profile-jee-vanilla > > I tried: > > mvn clean wildfly:deploy > > but got the error: > > ------------------------------------------------------------ > ------------------- > Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > ------------------------------------------------------------ > ------------------- > Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec > <<< FAILURE! > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: > 0.907 sec <<< ERROR! > java.lang.RuntimeException: Could not create new instance of class > org.jboss.arquillian.test.impl.EventTestRunnerAdaptor > at org.jboss.arquillian.test.spi.SecurityActions.newInstance( > SecurityActions.java:166) > at org.jboss.arquillian.test.spi.SecurityActions.newInstance( > SecurityActions.java:103) > at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build( > TestRunnerAdaptorBuilder.java:52) > at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) > at org.apache.maven.surefire.junit4.JUnit4Provider.execute( > JUnit4Provider.java:252) > at org.apache.maven.surefire.junit4.JUnit4Provider.
> executeTestSet(JUnit4Provider.java:141) > at org.apache.maven.surefire.junit4.JUnit4Provider.invoke( > JUnit4Provider.java:112) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray( > ReflectionUtils.java:189) > at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke( > ProviderFactory.java:165) > at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider( > ProviderFactory.java:85) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess( > ForkedBooter.java:115) > at org.apache.maven.surefire.booter.ForkedBooter.main( > ForkedBooter.java:75) > Caused by: java.lang.reflect.InvocationTargetException > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance( > NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance( > DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.jboss.arquillian.test.spi.SecurityActions.newInstance( > SecurityActions.java:162) > ... 15 more > Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: > Could not create Container jboss > at org.jboss.arquillian.container.impl.LocalContainerRegistry.create( > LocalContainerRegistry.java:85) > at org.jboss.arquillian.container.impl.client.container. 
> ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.arquillian.core.impl.ObserverImpl.invoke( > ObserverImpl.java:96) > at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers( > EventContextImpl.java:99) > at org.jboss.arquillian.core.impl.EventContextImpl.proceed( > EventContextImpl.java:81) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) > at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire( > ManagerImpl.java:265) > at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74) > at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar. > loadConfiguration(ConfigurationRegistrar.java:73) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.arquillian.core.impl.ObserverImpl.invoke( > ObserverImpl.java:96) > at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers( > EventContextImpl.java:99) > at org.jboss.arquillian.core.impl.EventContextImpl.proceed( > EventContextImpl.java:81) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) > at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290) > at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.< > init>(EventTestRunnerAdaptor.java:63) > ... 
20 more > Caused by: java.lang.IllegalArgumentException: DeployableContainer must > be specified > at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44) > at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71) > at org.jboss.arquillian.container.impl.LocalContainerRegistry.create( > LocalContainerRegistry.java:80) > ... 44 more > > > until I tried > > mvn clean wildfly:deploy -DskipTests > > > which worked. > > Do I need any other prerequisites in order to run the arquillian tests > other than those described in the "Getting Started"? > > bodo > > > From vikrant02.work at gmail.com Tue Nov 28 14:32:02 2017 From: vikrant02.work at gmail.com (Vikrant Singh) Date: Wed, 29 Nov 2017 01:02:02 +0530 Subject: [keycloak-user] Keycloak 3.4.0 cross datacenter issue with external Infinispan Message-ID: Hi All, We are running a cross-DC setup with 2 data centers. In this setup we are using external infinispan server 9.1.2.Final. Each DC has its own external infinispan cluster, and the cross-DC infinispan cluster is formed using the RELAY2 protocol. We haven't faced any issues till 3.2.1.Final.
When trying to upgrade Keycloak to 3.4.0.Final we are facing the following issue: Keycloak in the first data center starts up fine, but Keycloak in the second data center fails to start with the error below 16:18:58,473 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (pool-13-thread-1) ISPN004005: Error received from the server: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] 2017-11-28 16:18:58,473 DEBG 'Keycloak' stdout output: 16:18:58,473 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (pool-13-thread-1) ISPN004005: Error received from the server: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] 16:18:58,474 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer] (ServerService Thread Pool -- 57) ExecutionException when computed future.
Errors: 1: java.util.concurrent.ExecutionException: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=23 returned server error (status=0x85): java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at java.util.concurrent.FutureTask.report(Unknown Source) at java.util.concurrent.FutureTask.get(Unknown Source) at org.infinispan.commons.util.concurrent.NotifyingFutureImpl.get(NotifyingFutureImpl.java:88) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart.getResult(DefaultExecutorService.java:1083) at org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.innerGet(DefaultExecutorService.java:868) at org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.get(DefaultExecutorService.java:848) at org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoading(InfinispanCacheInitializer.java:102) at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:41) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:273) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:263) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:255) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$200(InfinispanUserSessionProviderFactory.java:62) at 
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:110) at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68) at org.keycloak.services.resources.KeycloakApplication$2.run(KeycloakApplication.java:165) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:158) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:265) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) at 
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=23 returned server error (status=0x85): java.lang.ClassNotFoundException: 
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:350) at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:139) at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:125) at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56) at org.infinispan.client.hotrod.impl.operations.ExecuteOperation.executeOperation(ExecuteOperation.java:48) at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:54) at org.infinispan.client.hotrod.impl.RemoteCacheImpl.execute(RemoteCacheImpl.java:724) at org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader.loadSessions(RemoteCacheSessionsLoader.java:109) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34) at org.infinispan.commands.read.DistributedExecuteCommand.perform(DistributedExecuteCommand.java:107) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.doLocalInvoke(DefaultExecutorService.java:1112) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.call(DefaultExecutorService.java:1102) at java.util.concurrent.FutureTask.run(Unknown Source) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) At the same time we are getting the following in the external Infinispan 2017-11-28 16:51:37,357 DEBUG [org.infinispan.server.hotrod.HotRodExceptionHandler] (HotRod-ServerWorker-9-3) Exception caught: org.infinispan.commons.CacheException: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at org.infinispan.commons.dataconversion.MarshallerEncoder.fromStorage(MarshallerEncoder.java:36) at org.infinispan.cache.impl.EncoderEntryMapper.decode(EncoderEntryMapper.java:43) at org.infinispan.cache.impl.EncoderEntryMapper.apply(EncoderEntryMapper.java:57) at org.infinispan.cache.impl.EncoderEntryMapper.apply(EncoderEntryMapper.java:23) at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) at java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1812) at org.infinispan.commons.util.Closeables$SpliteratorAsCloseableSpliterator.tryAdvance(Closeables.java:143) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) at org.infinispan.stream.impl.local.LocalCacheStream.collect(LocalCacheStream.java:258) at org.infinispan.util.AbstractDelegatingCacheStream.collect(AbstractDelegatingCacheStream.java:273) at
jdk.nashorn.internal.scripts.Script$Recompilation$1$58$\^eval\_.loadSessions(:5) at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(:22) at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637) at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494) at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:421) at jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73) at jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:514) at javax.script.CompiledScript.eval(CompiledScript.java:92) at org.infinispan.scripting.impl.ScriptingManagerImpl.execute(ScriptingManagerImpl.java:239) at org.infinispan.scripting.impl.LocalRunner.runScript(LocalRunner.java:19) at org.infinispan.scripting.impl.ScriptingManagerImpl.runScript(ScriptingManagerImpl.java:222) at org.infinispan.scripting.impl.ScriptingTaskEngine.runTask(ScriptingTaskEngine.java:44) at org.infinispan.tasks.impl.TaskManagerImpl.runTask(TaskManagerImpl.java:99) at org.infinispan.server.hotrod.ContextHandler.realRead(ContextHandler.java:120) at org.infinispan.server.hotrod.ContextHandler.lambda$channelRead0$0(ContextHandler.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at 
org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.jboss.marshalling.AbstractClassResolver.loadClass(AbstractClassResolver.java:131) at org.jboss.marshalling.AbstractClassResolver.resolveClass(AbstractClassResolver.java:112) at org.jboss.marshalling.river.RiverUnmarshaller.doReadClassDescriptor(RiverUnmarshaller.java:1087) at org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1354) at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:275) at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:208) at org.jboss.marshalling.AbstractObjectInput.readObject(AbstractObjectInput.java:41) at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromObjectStream(AbstractJBossMarshaller.java:134) at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromByteBuffer(AbstractJBossMarshaller.java:112) at org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82) at org.infinispan.commons.dataconversion.MarshallerEncoder.fromStorage(MarshallerEncoder.java:34) ... 35 more I believe the error might be due to the latest code addition for supporting cross dc. Any help on this issue is appreciated. Thanks, Vikrant From bruno at abstractj.org Wed Nov 29 02:14:12 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 29 Nov 2017 05:14:12 -0200 Subject: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests? 
In-Reply-To: <9AA7D336-4481-4AE6-B254-BE94FC1BFA5B@brandad-systems.de> References: <97E07FA4-E8CF-4A6D-A942-67C191C3B54A@brandad-systems.de> <9AA7D336-4481-4AE6-B254-BE94FC1BFA5B@brandad-systems.de> Message-ID: <20171129071412.GA3621@abstractj.org> There are some possibilities that I can think of for "Connection refused": 1. Not having services-jaxrs deployed, or deployed on the incorrect port. Most of the quickstarts require this service. 2. Trying to follow the instructions to deploy the quickstarts without -DskipTests. This was already fixed in this PR https://github.com/keycloak/keycloak-quickstarts/pull/70/files The reason why you *must* use -DskipTests for deployment is because Arquillian will run integration tests and deploy on the same port. If you don't like it, there are two options: change the Arquillian port or start WildFly on a different port. On 2017-11-25, Bodo Teichmann wrote: > -Pwildfly-managed didn't work either, just got other errors: > > … > Started 332 of 578 services (393 services are lazy, passive or on-demand) > Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 6.892 sec <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 6.891 sec <<< ERROR! > java.lang.ExceptionInInitializerError > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.(ArquillianProfileJeeVanillaTest.java:81) > Caused by: java.net.ConnectException: Connection refused (Connection refused) > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.(ArquillianProfileJeeVanillaTest.java:81) > > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 6.892 sec <<< ERROR! > java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > > Nov 25, 2017 7:06:11 PM org.jboss.arquillian.core.impl.ObserverImpl resolveArguments > WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null.
It won't be invoked. > 19:06:11,395 INFO [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0236: Suspending server with no timeout. > 19:06:11,402 INFO [org.jboss.as.server] (Management Triggered Shutdown) WFLYSRV0241: Shutting down in response to management operation 'shutdown' > 19:06:11,429 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] > 19:06:11,431 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0019: Host default-host stopping > 19:06:11,432 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending > 19:06:11,436 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 127.0.0.1:8443 > 19:06:11,441 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0019: Stopped Driver service with driver-name = h2 > 19:06:11,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspending > 19:06:11,443 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 127.0.0.1:8080 > 19:06:11,443 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0004: Undertow 1.4.0.Final stopping > 19:06:11,533 INFO [org.jboss.as] (MSC service thread 1-5) WFLYSRV0050: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) stopped in 118ms > > Results : > > Tests in error: > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > Run 1: ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest » ExceptionInInitializer > Run 2: ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest »
NoClassDefFound > > > Tests run: 1, Failures: 0, Errors: 1, Skipped: 0 > > [INFO] ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > [INFO] ------------------------------------------------------------------------ > > > On 25.11.2017 at 18:55, Bruno Oliveira wrote: > > > Try to pass -Pwildfly-managed, it should work. We have some jiras to fix the docs. > > On Sat, Nov 25, 2017, 12:59 PM Bodo Teichmann > wrote: > I just followed the "Getting Started" Documentation 3.4. > Everything ok until it comes to : > Chapter 4.3.: > after git-clone and > >cd keycloak-quickstarts/app-profile-jee-vanilla > I tried: > >mvn clean wildfly:deploy > but got the error: > > ------------------------------------------------------------------------------- > Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > ------------------------------------------------------------------------------- > Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE! > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 0.907 sec <<< ERROR!
> java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor > at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166) > at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103) > at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52) > at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) > at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) > at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) > at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) > at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) > at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) > Caused by: java.lang.reflect.InvocationTargetException > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162) > ... 
15 more > Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss > at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85) > at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) > at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) > at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) > at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265) > at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74) > at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) > at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) > at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) > at 
org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) > at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290) > at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.(EventTestRunnerAdaptor.java:63) > ... 20 more > Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified > at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44) > at org.jboss.arquillian.container.impl.ContainerImpl.(ContainerImpl.java:71) > at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80) > ... 44 more > > > until I tried > > >mvn clean wildfly:deploy -DskipTests > > which worked. > > Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started"? > > bodo > -- abstractj From hylton.peimer at datos-health.com Wed Nov 29 03:49:45 2017 From: hylton.peimer at datos-health.com (Hylton Peimer) Date: Wed, 29 Nov 2017 08:49:45 +0000 Subject: [keycloak-user] Convert Keycloak tokens to "cookies" for a Spring-boot app Message-ID: I have a backend server secured using the Keycloak Spring web security adapter. The UI uses the cookies to store the session reference. Now another website would like to implement "SSO" - have a link in their page to connect directly into my application. This other website is able to obtain access/refresh tokens directly from the Keycloak. How can I "convert" the access token to a cookie, which will be recognized by my Spring backend?
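Bruno's reply above on the quickstart failures lists the causes seen in this thread: a missing container adapter when the `-Pwildfly-managed` profile is not used, a port already taken by another server, and a "Connection refused" when `services-jaxrs` is not deployed on the expected port or when the quickstart is deployed without `-DskipTests`. The following is an added example, not code from the keycloak-quickstarts project or from anyone in the thread: a small Python triage helper that scans Maven/Arquillian output for those three signatures and prints the cause each reply points to. The names `SIGNATURES`, `normalize` and `triage` are the example's own, and the sample log is constructed from the output quoted in this thread.

```python
"""Triage helper for the Maven/Arquillian failures quoted in this thread.

Added example; not code from the keycloak-quickstarts project or from any
poster.  It encodes only the cause/fix pairs the replies give, and the
sample log below is constructed from the quoted output.
"""
import re
from typing import Dict, List, Optional

# (regex over the normalised log, finding label, cause/fix as stated in the thread)
SIGNATURES = [
    (re.compile(r"DeployableContainer must be specified"),
     "no-container-adapter",
     "Arquillian found no container adapter: run with -Pwildfly-managed "
     "(Sebastien's reply) or deploy with -DskipTests."),
    (re.compile(r"port (\d+) is already in use"),
     "port-in-use",
     "A managed container will not attach to an already running server: stop "
     "the process listening on that port, or start the other server with "
     "-Djboss.socket.binding.port-offset."),
    (re.compile(r"java\.net\.ConnectException: Connection refused"),
     "connection-refused",
     "The test could not reach a dependency: check that services-jaxrs is "
     "deployed on the expected port, and deploy with -DskipTests so that "
     "Arquillian and the deployment do not compete for the same port "
     "(Bruno's reply)."),
]


def normalize(log_text: str) -> str:
    """Drop mail-quote prefixes ('> ') and rejoin wrapped lines, so that a
    signature split across two quoted lines still matches."""
    stripped = [re.sub(r"^(\s*>)+\s*", "", line) for line in log_text.splitlines()]
    return re.sub(r"\s+", " ", " ".join(stripped)).strip()


def triage(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per matched signature, ordered by where the
    signature first appears in the log.  Each finding carries the label,
    the cause text and, for the port conflict, the port number taken from
    the message."""
    text = normalize(log_text)
    hits = []
    for pattern, label, cause in SIGNATURES:
        match = pattern.search(text)
        if match:
            port = match.group(1) if pattern.groups else None
            hits.append((match.start(), {"label": label, "cause": cause, "port": port}))
    return [finding for _, finding in sorted(hits, key=lambda h: h[0])]


# Constructed sample: fragments of the surefire/WildFly output quoted above.
SAMPLE_LOG = """\
> org.jboss.arquillian.container.spi.client.container.LifecycleException:
> The port 9990 is already in use. It means that either the server might be
> already running or there is another process using port 9990.
Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 7.055 sec <<< FAILURE!
java.lang.ExceptionInInitializerError
Caused by: java.net.ConnectException: Connection refused (Connection
refused)
Caused by: java.lang.IllegalArgumentException: DeployableContainer must
be specified
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['label']}] {finding['cause']}")
```

Feed it the surefire report or the console output (quoted mail text works too, since `normalize` strips the `>` prefixes and rejoins wrapped lines); a clean build produces no findings.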
From mikolaj.buda at contractors.roche.com Wed Nov 29 04:31:54 2017
From: mikolaj.buda at contractors.roche.com (Buda, Mikolaj)
Date: Wed, 29 Nov 2017 10:31:54 +0100
Subject: [keycloak-user] Importing big realms
Message-ID:

Hi,

I've just created a tool that prepares a full backup of a realm in json (the same as during export at standalone startup). Sometimes it is 60MB of data (many users). The import process takes a long time. Do you have any ideas how to speed up this process?

From sthorger at redhat.com Wed Nov 29 05:00:07 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Nov 2017 11:00:07 +0100
Subject: [keycloak-user] Importing big realms
In-Reply-To:
References:
Message-ID:

How many users and how long does it take?

With a large amount of users you should split the users into separate files, see http://www.keycloak.org/docs/latest/server_admin/index.html#_export_import for more details.

On 29 November 2017 at 10:31, Buda, Mikolaj <mikolaj.buda at contractors.roche.com> wrote:

> Hi,
>
> I've just created a tool that prepares a full backup of a realm in json (the
> same as during export at standalone startup). Sometimes it is 60MB of data
> (many users). The import process takes a long time. Do you have any ideas how
> to speed up this process?
>

From sthorger at redhat.com Wed Nov 29 06:17:51 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Nov 2017 12:17:51 +0100
Subject: [keycloak-user] Issue with RH-SSO 7.1 domain clustered mode example deployment (Cannot authenticate)
In-Reply-To: <5f234afb-9fb3-23d4-79e5-d22b5034195b@janua.fr>
References: <5f234afb-9fb3-23d4-79e5-d22b5034195b@janua.fr>
Message-ID:

For RH-SSO issues I'd recommend creating a support ticket through the correct channels

On 28 November 2017 at 19:20, Olivier Rivat wrote:

> Hi,
>
>
> I have an issue authenticating against the RH-SSO installed in domain
> cluster mode.
> I am using RH-SSO server 7.1, and have just deployed a fresh new
> install of the rh-sso ZIP file
>
>
> I am following step-by-step
> https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/server_installation_and_configuration_guide/operating-mode#domain-mode
>
>
> 1) I have first created master and slaves in the domain
>
> ~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-master.xml
>
> ~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-slave.xml
>
> 2) I have added the admin user running add-user.sh
>
> ~/redhat/cluster_rh_7.1/rh-sso-7.1/bin$ ./add-user.sh
>
> Quel type d'utilisateur souhaitez-vous ajouter ?
>  a) Management User (mgmt-users.properties)
>  b) Application User (application-users.properties)
> (a):
>
> Saisir les informations sur le nouvel utilisateur
> Utiliser le domaine 'ManagementRealm' selon les fichiers de propriétés
> existants.
> Nom d'utilisateur : admin
> Le nom d'utilisateur 'admin' est facile à deviner
> Êtes-vous certain de vouloir ajouter l'utilisateur 'admin' oui/non ?
oui
> Les recommandations de mot de passe sont énumérés ci-dessous. Pour
> modifier ces restrictions, modifier le fichier de configuration
> add-user.properties.
>  - Le mot de passe doit être différent du nom d'utilisateur
>  - Le mot de passe doit correspondre à une des valeurs limitées
> suivantes {root, admin, administrator}
>  - Le mot de passe doit contenir au moins 8 caractères, 1 caractère(s)
> alphabétique(s), 1 chiffre (s), 1 symbole(s) non alpha-numériques
> Mot de passe :
> Saisir mot de passe à nouveau :
> Quels groupes souhaitez-vous impartir à cet utilisateur ? (Veuillez
> saisir une liste séparée par des virgules, ou laisser vide)[ ]:
> L'utilisateur 'admin' va être ajouté pour le domaine 'ManagementRealm'
> Est-ce correct ? oui/non? oui
> Utilisateur 'admin' ajouté au fichier
> '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-users.properties'
> Utilisateur 'admin' ajouté au fichier
> '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-users.properties'
> Utilisateur 'admin' ajouté aux groupes dans le fichier
> '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-groups.properties'
> Utilisateur 'admin' ajouté aux groupes dans le fichier
> '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-groups.properties'
> Est-ce que ce nouvel utilisateur va être utilisé pour qu'un processus AS
> puisse se connecter à un autre processus AS, comme par exemple
> pour qu'un contrôleur d'hôte esclave se connecte au master ou pour une
> connexion distante de serveur à serveur pour les appels EJB.
> oui/non ? oui
> Pour représenter l'utilisateur, ajouter ce qui suit à la définition des
> identités du serveur
>
> 3) I have added to host-slave.xml
>
> 4) I have restarted both servers
>
> 5) The issue:
> When I connect to http://localhost:8080/auth with admin and the
> password, I obtain the message
>
> [Server:server-one] 18:41:37,959 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=c66df7c9-1bba-47f4-b7ff-280905d53185, username=admin
>
>
> 6) Further troubleshooting:
> The only thing missing is that I have not found where to grab
> keycloak-server.json to copy it to
> server-one/configuration/keycloak-server.json (as described in RH-SSO 7.1).
> But is it really needed? I am a little bit confused.
> If it is really missing and the reason why I am failing on this example,
> where can it be found, as it is not described in the RH-SSO 7.1 where to
> grab it?
>
>
>
> (I have also found the following POST:
> http://blog.keycloak.org/2016/09/keycloak-serverjson-rip.html
>
> >>>>>>>>>>>>>>>>>>>>>>>
> We have moved configuration of the Keycloak server from
> keycloak-server.json to standalone.xml, standalone-ha.xml, or
> domain.xml. Which xml file you use will depend on how you run your
> server. I'll reference standalone.xml from here on out, but
> configuration is the same for each file.
>
> As of version 2.2.0, keycloak-server.json will no longer be shipped with
> Keycloak. We do provide a conversion tool to help you make the switch.
>
> So now, you can configure the entire server from a single xml file.
> Keycloak server configuration is done in the same file where you
> configure data sources, socket bindings, logging, and clustering.
>
> But there are other advantages...
> >>>>>>>>>>>>>>>>>>>>>>>
>
> 7) So, from all that I have described, how is it possible to overcome this?
> Is it a mistake of mine?
> Is it due to something not being clearly documented?
> or other?
>
> Waiting for your comments and suggestions,
>
> Regards,
> Olivier Rivat
>

From mikolaj.buda at contractors.roche.com Wed Nov 29 06:30:48 2017
From: mikolaj.buda at contractors.roche.com (Buda, Mikolaj)
Date: Wed, 29 Nov 2017 12:30:48 +0100
Subject: [keycloak-user] Importing big realms
In-Reply-To:
References:
Message-ID:

I managed to fix the problem by exporting users to separate files of 5000 each and then performing a partialImport on the imported realm.

On Wed, Nov 29, 2017 at 12:16 PM, Stian Thorgersen wrote:

> Please don't drop the mailing list
>
> On 29 November 2017 at 11:08, Buda, Mikolaj <mikolaj.buda at contractors.roche.com> wrote:
>
>> The problem is, we cannot use this Export/Import functionality as it
>> requires restarting Keycloak. I managed to build the same json file
>> using many GET requests and now I would like to upload it on another
>> instance without restarting the application.
>>
>> On Wed, Nov 29, 2017 at 11:00 AM, Stian Thorgersen wrote:
>>
>>> How many users and how long does it take?
>>>
>>> With a large amount of users you should split the users into separate
>>> files, see http://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>>> for more details.
>>>
>>> On 29 November 2017 at 10:31, Buda, Mikolaj <mikolaj.buda at contractors.roche.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I've just created a tool that prepares a full backup of a realm in json (the
>>>> same as during export at standalone startup). Sometimes it is 60MB of data
>>>> (many users). The import process takes a long time. Do you have any ideas how
>>>> to speed up this process?
>>>>
>>>
>>>
>>
>

From sthorger at redhat.com Wed Nov 29 06:51:48 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Nov 2017 12:51:48 +0100
Subject: [keycloak-user] Importing big realms
In-Reply-To:
References:
Message-ID:

That's a nice approach

On 29 November 2017 at 12:30, Buda, Mikolaj <mikolaj.buda at contractors.roche.com> wrote:

> I managed to fix the problem by exporting users to separate files of
> 5000 each and then performing a partialImport on the imported realm.
>
> On Wed, Nov 29, 2017 at 12:16 PM, Stian Thorgersen wrote:
>
>> Please don't drop the mailing list
>>
>> On 29 November 2017 at 11:08, Buda, Mikolaj <mikolaj.buda at contractors.roche.com> wrote:
>>
>>> The problem is, we cannot use this Export/Import functionality as it
>>> requires restarting Keycloak. I managed to build the same json file
>>> using many GET requests and now I would like to upload it on another
>>> instance without restarting the application.
>>>
>>> On Wed, Nov 29, 2017 at 11:00 AM, Stian Thorgersen wrote:
>>>
>>>> How many users and how long does it take?
>>>>
>>>> With a large amount of users you should split the users into separate
>>>> files, see http://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>>>> for more details.
>>>>
>>>> On 29 November 2017 at 10:31, Buda, Mikolaj <mikolaj.buda at contractors.roche.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I've just created a tool that prepares a full backup of a realm in json (the
>>>>> same as during export at standalone startup). Sometimes it is 60MB of data
>>>>> (many users). The import process takes a long time. Do you have any ideas how
>>>>> to speed up this process?
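The chunked import that Mikolaj describes in this thread (import the realm first, then feed the users to partialImport in files of 5000 each), written out as an added example; this is not code from the thread or from the Keycloak project. It assumes the export layout Keycloak produces (realm settings with a top-level "users" array) and the partialImport request body used by the admin REST endpoint POST {base}/admin/realms/{realm}/partialImport (an ifResourceExists policy of FAIL, SKIP or OVERWRITE plus the resource arrays). The sample export, server URL, realm name and token are constructed placeholders.

```python
"""Split a Keycloak realm export into one realm import plus user chunks.

Constructed example (not Keycloak project code). Assumes the export JSON has
a top-level "users" array and that chunks go to the admin REST endpoint
POST {base}/admin/realms/{realm}/partialImport with a body of the form
{"ifResourceExists": "FAIL"|"SKIP"|"OVERWRITE", "users": [...]}.
"""
import json
import tempfile
import urllib.request
from pathlib import Path
from typing import Dict, List

IF_EXISTS_POLICIES = ("FAIL", "SKIP", "OVERWRITE")

# Constructed sample export: 12 users carrying placeholder password hashes.
SAMPLE_EXPORT: Dict = {
    "realm": "demo",
    "enabled": True,
    "roles": {"realm": [{"name": "user"}]},
    "clients": [{"clientId": "app", "publicClient": True}],
    "users": [
        {
            "username": f"user{i}",
            "enabled": True,
            "realmRoles": ["user"],
            "credentials": [{"type": "password", "algorithm": "pbkdf2-sha256",
                             "hashedSaltedValue": "CONSTRUCTED-HASH-PLACEHOLDER"}],
        }
        for i in range(12)
    ],
}


def realm_without_users(realm: Dict) -> Dict:
    """Realm settings, roles and clients for the first full import; users removed."""
    return {key: value for key, value in realm.items() if key != "users"}


def chunk_users(realm: Dict, chunk_size: int) -> List[List[Dict]]:
    """Cut the users array into consecutive slices of at most chunk_size users."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    users = realm.get("users", [])
    return [users[i:i + chunk_size] for i in range(0, len(users), chunk_size)]


def partial_import_payloads(realm: Dict, chunk_size: int, if_exists: str = "SKIP") -> List[Dict]:
    """One partialImport request body per chunk. SKIP keeps users that already
    exist on the target instead of failing the whole chunk, so a chunk can be
    re-sent after a timeout without manual cleanup."""
    if if_exists not in IF_EXISTS_POLICIES:
        raise ValueError(f"if_exists must be one of {IF_EXISTS_POLICIES}")
    return [{"ifResourceExists": if_exists, "users": chunk}
            for chunk in chunk_users(realm, chunk_size)]


def contains_credentials(realm: Dict) -> bool:
    """True when any exported user carries credential material (hashes, salts)."""
    return any(user.get("credentials") for user in realm.get("users", []))


def write_split(realm: Dict, out_dir: Path, chunk_size: int) -> List[Path]:
    """Write realm.json plus users-N.json; files are owner-only (0600)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    documents = [("realm.json", realm_without_users(realm))]
    documents += [(f"users-{i}.json", payload)
                  for i, payload in enumerate(partial_import_payloads(realm, chunk_size))]
    written = []
    for name, document in documents:
        path = out_dir / name
        path.write_text(json.dumps(document, indent=2), encoding="utf-8")
        path.chmod(0o600)  # exported users include password hashes
        written.append(path)
    return written


def partial_import_request(base_url: str, realm_name: str, token: str,
                           payload: Dict) -> urllib.request.Request:
    """Prepared (not sent) POST for one chunk; token is an admin bearer token."""
    url = f"{base_url.rstrip('/')}/admin/realms/{realm_name}/partialImport"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def demo_split(chunk_size: int) -> List[str]:
    """Dry run of write_split into a temporary directory; returns the file names."""
    with tempfile.TemporaryDirectory() as tmp:
        return [path.name for path in write_split(SAMPLE_EXPORT, Path(tmp), chunk_size)]


if __name__ == "__main__":
    print(demo_split(5))  # constructed sample: realm.json plus three user chunks
```

The realm file goes through the normal realm import once; each users-N.json is then posted to partialImport with the admin token. The chunk files are written owner-only because an export of users is a copy of every password hash and salt in the realm, and SKIP is the default policy so that a chunk that timed out server-side can simply be re-sent.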
From rahul.pharande at gi-de.com Wed Nov 29 07:35:00 2017
From: rahul.pharande at gi-de.com (Pharande Rahul)
Date: Wed, 29 Nov 2017 12:35:00 +0000
Subject: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
Message-ID:

Hi,

While using "keycloak-spring-boot-starter v3.4.0.Final" with "spring-boot-starter-security V1.5.8.RELEASE", I'm getting a NullPointerException as described below.
Please let me know if anyone has a suggestion on this, OR whether this is really a defect in the keycloak adapter.

Precondition:

- Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig in Example section (A).
- Disable keycloak in spring boot's application properties as "keycloak.enabled = false"

Expected Result:

- When Keycloak is disabled, spring security should handle authentication OR should not perform authentication.

Actual Result:

java.lang.NullPointerException: null
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]

What can be done here:

- Ideal Option: Keycloak adapter classes like "KeycloakWebSecurityConfigurerAdapter" should avoid registering their filters when the "keycloak.enabled" property is false.
- Temporary Option: we can handle this at application config level by defining on the SecurityConfig class
  - @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")

Example Section A:

    import org.keycloak.adapters.KeycloakConfigResolver;
    import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
    import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
    import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
    import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
    import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
    import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    @KeycloakConfiguration
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        // Registers the Keycloak authentication provider; SimpleAuthorityMapper
        // maps Keycloak roles to Spring authorities (ROLE_ prefix).
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
            keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
            auth.authenticationProvider(keyCloakAuthProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // super.configure installs the Keycloak filters, including
            // KeycloakPreAuthActionsFilter seen in the stack trace above.
            super.configure(http);
            http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
                .authorizeRequests()
                .antMatchers("/test*").hasRole("ADMIN")
                .anyRequest().permitAll();
        }

        // Stateless bearer-token setup: no HTTP session is kept for authenticated users.
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new NullAuthenticatedSessionStrategy();
        }

        // Resolves the adapter configuration from the keycloak.* properties in
        // application.properties instead of a keycloak.json file.
        @Bean
        public KeycloakConfigResolver KeyCloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }
    }

Thanks and Regards.
Rahul Pharande

From mposolda at redhat.com Wed Nov 29 08:36:55 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 29 Nov 2017 14:36:55 +0100
Subject: [keycloak-user] IDP initiated login redirect loop
In-Reply-To: <2018116155.30802441.1511794380248.JavaMail.zimbra@xsb.com>
References: <2018116155.30802441.1511794380248.JavaMail.zimbra@xsb.com>
Message-ID: <6d4c63bd-4067-3534-30f4-18e7d47eea5d@redhat.com>

I think it's going to be fixed in the 3.4.1 release. You can try with the latest Keycloak master, I think it's already fixed there (not 100% sure).

Marek

On 27/11/17 15:53, Drew Weirshousky wrote:
> Hi,
>
> I'm having issues trying to get IDP initiated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP.
> Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am currently working with 2.5.5.
>
> Thanks
> Drew
>

From d.weirshousky at xsb.com Wed Nov 29 08:58:11 2017
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Wed, 29 Nov 2017 07:58:11 -0600 (CST)
Subject: [keycloak-user] IDP initiated login redirect loop
In-Reply-To:
References: <2018116155.30802441.1511794380248.JavaMail.zimbra@xsb.com> <6d4c63bd-4067-3534-30f4-18e7d47eea5d@redhat.com>
Message-ID: <1360391929.32928671.1511963891266.JavaMail.zimbra@xsb.com>

Hi Marek,

Thanks, I was just looking at the commits and see some fixes for issues I have run into. Is there a timeline for a 3.4.1 release yet?

Drew

----- Original Message -----
From: "Marek Posolda"
To: "Drew Weirshousky", "keycloak-user"
Sent: Wednesday, November 29, 2017 8:36:55 AM
Subject: Re: [keycloak-user] IDP initiated login redirect loop

I think it's going to be fixed in the 3.4.1 release. You can try with the latest Keycloak master, I think it's already fixed there (not 100% sure).

Marek

On 27/11/17 15:53, Drew Weirshousky wrote:
> Hi,
>
> I'm having issues trying to get IDP initiated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am currently working with 2.5.5.
>
> Thanks
> Drew
>

From sinan.mustafov619 at gmail.com Wed Nov 29 09:05:43 2017
From: sinan.mustafov619 at gmail.com (Sinan Mustafov)
Date: Wed, 29 Nov 2017 16:05:43 +0200
Subject: [keycloak-user] Migration to Keycloak from WSO2 IS
Message-ID:

Hi,

Has anyone migrated from WSO2 IS to Keycloak? If yes, what actions did you take to migrate tenants, users, groups and authentication?

I'd like to know if anyone has done this or has some experience, and whether some major issues arose which introduced a lot of difficulties and even stopped them from migrating to Keycloak.

Any advice and feedback would be very appreciated.

Regards,
Sinan.

From mposolda at redhat.com Wed Nov 29 09:10:22 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 29 Nov 2017 15:10:22 +0100
Subject: [keycloak-user] IDP initiated login redirect loop
In-Reply-To: <1360391929.32928671.1511963891266.JavaMail.zimbra@xsb.com>
References: <2018116155.30802441.1511794380248.JavaMail.zimbra@xsb.com> <6d4c63bd-4067-3534-30f4-18e7d47eea5d@redhat.com> <1360391929.32928671.1511963891266.JavaMail.zimbra@xsb.com>
Message-ID:

On 29/11/17 14:58, Drew Weirshousky wrote:
> Hi Marek,
> Thanks, I was just looking at the commits and see some fixes for issues I have run into. Is there a timeline for a 3.4.1 release yet?
Hopefully it will be later this week.

Marek

>
> Drew
>
> ----- Original Message -----
> From: "Marek Posolda"
> To: "Drew Weirshousky", "keycloak-user"
> Sent: Wednesday, November 29, 2017 8:36:55 AM
> Subject: Re: [keycloak-user] IDP initiated login redirect loop
>
> I think it's going to be fixed in the 3.4.1 release. You can try with the latest
> Keycloak master, I think it's already fixed there (not 100% sure).
>
> Marek
>
> On 27/11/17 15:53, Drew Weirshousky wrote:
>> Hi,
>>
>> I'm having issues trying to get IDP initiated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am currently working with 2.5.5.
>>
>> Thanks
>> Drew
>

From sblanc at redhat.com Wed Nov 29 10:02:27 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 29 Nov 2017 16:02:27 +0100
Subject: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
In-Reply-To:
References:
Message-ID:

The keycloak.enabled property only works for the Spring Boot Adapter, not for the Spring Security Adapter. There is already a ticket opened to align the feature.

On Wed, Nov 29, 2017 at 1:35 PM, Pharande Rahul wrote:

> Hi,
>
> While using "keycloak-spring-boot-starter v3.4.0.Final" with
> "spring-boot-starter-security V1.5.8.RELEASE", I'm getting a
> NullPointerException as described below.
> Please let me know if anyone has a suggestion on this, OR whether this is really
> a defect in the keycloak adapter.
>
> Precondition:
>
> - Application configured to use spring-security with
> KeycloakWebSecurityConfigurerAdapter,
> as shown below in class SecurityConfig
> in Example section (A).
>
> - Disable keycloak in spring boot's application properties as
> "keycloak.enabled = false"
>
> Expected Result:
>
> - When Keycloak is disabled, spring security should handle
> authentication OR should not perform authentication.
>
> Actual Result:
>
> java.lang.NullPointerException: null
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
>     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]
>
> What can be done here:
>
> - Ideal Option: Keycloak adapter classes like
> "KeycloakWebSecurityConfigurerAdapter" should avoid registering their
> filters when the "keycloak.enabled" property is false.
>
> - Temporary Option: we can handle this at application config level
> by defining on the SecurityConfig class
>
>   - @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")
>
> Example Section A:
>
>     @KeycloakConfiguration
>     public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
>         @Autowired
>         public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>             KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
>             keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
>
>             auth.authenticationProvider(keyCloakAuthProvider);
>         }
>
>         @Override
>         protected void configure(HttpSecurity http) throws Exception {
>             super.configure(http);
>             http
>                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>                 .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
>                 .and()
>                 .authorizeRequests()
>                 .antMatchers("/test*").hasRole("ADMIN")
>                 .anyRequest().permitAll();
>         }
>
>         @Override
>         protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>             return new NullAuthenticatedSessionStrategy();
>         }
>
>         @Bean
>         public KeycloakConfigResolver KeyCloakConfigResolver() {
>             return new KeycloakSpringBootConfigResolver();
>         }
>     }
>
> Thanks and Regards.
> Rahul Pharande
>

From to_sud at yahoo.com Wed Nov 29 11:13:56 2017
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Wed, 29 Nov 2017 11:13:56 -0500
Subject: [keycloak-user] automatic node registration on startup
In-Reply-To:
References:
Message-ID:

Hi,

On reading this documentation it appears that the application clustering capabilities only work with applications deployed on JBoss EAP, WildFly and JBoss AS.
http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/application-clustering.html

We have a Spring Boot application (using embedded Tomcat) and I was specifically interested in the automatic node registration on startup. I dug into the code a little bit to see if I could identify what dependencies there might be on these specific application servers and I do not see any calls to the NodesRegistrationManagement.tryRefresh() method nor any obvious dependencies on these specific application servers.

I just wanted to confirm that indeed the Application Clustering functionality documented on the above page is limited to applications deployed on this limited set of application servers.

Thanks
-sud

From to_sud at yahoo.com Wed Nov 29 11:58:27 2017
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Wed, 29 Nov 2017 11:58:27 -0500
Subject: [keycloak-user] automatic node registration on startup
In-Reply-To:
References:
Message-ID:

I realized I didn't look far enough. The NodesRegistrationManagement.tryRefresh() is indeed invoked from the Undertow, JBoss, Tomcat and Servlet adapters. I don't see it for the Spring Security adapter though. We use the Spring Security adapter in a Spring Boot application. Is there a way to configure node registration for such a setup?
-sud On November 29, 2017 at 11:14:06 AM, Sud Ramasamy (to_sud at yahoo.com) wrote: Hi, On reading this documentation it appears that the application clustering capabilities only work with applications deployed on JBoss EAP, WildFly and JBoss AS. http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/application-clustering.html We have a Spring Boot application (using embedded Tomcat) and I was specifically interested in the automatic node registration on startup. I dug into the code a little bit to see if I could identity what dependencies there might be on these specific application servers and I do not see any calls to the NodesRegistrationManagement.tryRefresh() method nor any obvious dependencies on these specific application servers. I just wanted to confirm that indeed the Application Clustering functionality documented on the above page is limited to applications deployed on this limited set of application servers. Thanks -sud? From diegodiez.ddr at gmail.com Wed Nov 29 12:24:57 2017 From: diegodiez.ddr at gmail.com (Diego Diez) Date: Wed, 29 Nov 2017 18:24:57 +0100 Subject: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final Message-ID: Hi Keycloak Community, After successfully upgrade our servers from keycloak 2.5.4.Final to 3.4.0.Final, we have notice that the impersonation feature isn't working anymore. We have tested other versions with a vanilla install and the first version with this problem is 3.2.0.Final. Are you experiencing this problem? Impersonation is a quite useful feature to us, so any workaround until next release would be great. Regards, Diego D?ez From jeremy.michael7373 at gmail.com Wed Nov 29 12:46:02 2017 From: jeremy.michael7373 at gmail.com (Jeremy Michael) Date: Wed, 29 Nov 2017 12:46:02 -0500 Subject: [keycloak-user] kc_idp_hint parameter is being ignored Message-ID: Hello all, I?m trying to do something that looks like it should be very easy, but is not working for me. 
Hopefully someone can help me figure out what I?m doing wrong. We have an application secured by Keycloak and have two Identity Providers set up. Clicking the buttons on the standard Keycloak login screen works fine for both Identity Providers. We can also set up either provider as a default (in the browser Authentication flow) to bypass the login screen, and that works fine. However, in some cases, we want to bypass the login screen and use Identity Provider 1, and in others we want to bypass the login screen and use Identity Provider 2. It looks like we should be able to achieve what we want by using the kc_idp_hint parameter. But, when I try to test it out, the kc_idp_hint seems to be ignored. I tried the following, where the URL is the address of my app secured by Keycloak, and idp1alias is the alias of the Identity Provider I want to use: https://www.myapp.com?kc_idp_hint=idp1alias However, instead of bypassing the login screen and automatically beginning the authentication process with Identity Provider 1, I am landing on the standard Keycloak login screen. As another test, I tried just going to the built in, ?/auth/realms//account? with the "kc_idp_hint" parameter added and I got the same behavior (i.e., I saw the Keycloak login screen): https://mykeycloakurl.com/auth/realms/myrealm/account?kc_idp_hint=idp1alias. I?m clearly missing something, or misunderstanding how this should work. Can someone help get me pointed in the right direction? Thanks! Jeremy From sthorger at redhat.com Wed Nov 29 15:32:13 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 29 Nov 2017 21:32:13 +0100 Subject: [keycloak-user] kc_idp_hint parameter is being ignored In-Reply-To: References: Message-ID: The kc_idp_hint param isn't set on your app, but rather it's a query param that needs to be included when the app is doing the login. What adapter are you using? 
On 29 November 2017 at 18:46, Jeremy Michael wrote: > Hello all, > > I?m trying to do something that looks like it should be very easy, but is > not working for me. Hopefully someone can help me figure out what I?m doing > wrong. > > We have an application secured by Keycloak and have two Identity Providers > set up. Clicking the buttons on the standard Keycloak login screen works > fine for both Identity Providers. We can also set up either provider as a > default (in the browser Authentication flow) to bypass the login screen, > and that works fine. However, in some cases, we want to bypass the login > screen and use Identity Provider 1, and in others we want to bypass the > login screen and use Identity Provider 2. > > It looks like we should be able to achieve what we want by using the > kc_idp_hint parameter. But, when I try to test it out, the > kc_idp_hint seems to be ignored. > > I tried the following, where the URL is the address of my app secured by > Keycloak, and idp1alias is the alias of the Identity Provider I want to > use: > https://www.myapp.com?kc_idp_hint=idp1alias > > > However, instead of bypassing the login screen and automatically beginning > the authentication process with Identity Provider 1, I am landing on the > standard Keycloak login screen. > > As another test, I tried just going to the built in, > ?/auth/realms//account? with the "kc_idp_hint" parameter added and I > got the same behavior (i.e., I saw the Keycloak login screen): > https://mykeycloakurl.com/auth/realms/myrealm/account? > kc_idp_hint=idp1alias. > > I?m clearly missing something, or misunderstanding how this should work. > Can someone help get me pointed in the right direction? > > Thanks! 
> Jeremy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Nov 29 15:33:40 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Nov 2017 21:33:40 +0100
Subject: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final
In-Reply-To:
References:
Message-ID:

Just tried it here and works just fine for me.

On 29 November 2017 at 18:24, Diego Diez wrote:
> Hi Keycloak Community,
>
> After successfully upgrading our servers from keycloak 2.5.4.Final to 3.4.0.Final, we have noticed that the impersonation feature isn't working anymore.
>
> We have tested other versions with a vanilla install and the first version with this problem is 3.2.0.Final.
>
> Are you experiencing this problem? Impersonation is a quite useful feature to us, so any workaround until next release would be great.
>
> Regards,
>
> Diego Díez
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Nov 29 15:33:50 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Nov 2017 21:33:50 +0100
Subject: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final
In-Reply-To:
References:
Message-ID:

Oh and we do have tests as well for it ;)

On 29 November 2017 at 21:33, Stian Thorgersen wrote:
> Just tried it here and works just fine for me.
>
> On 29 November 2017 at 18:24, Diego Diez wrote:
>
>> Hi Keycloak Community,
>>
>> After successfully upgrading our servers from keycloak 2.5.4.Final to 3.4.0.Final, we have noticed that the impersonation feature isn't working anymore.
>>
>> We have tested other versions with a vanilla install and the first version with this problem is 3.2.0.Final.
>>
>> Are you experiencing this problem? Impersonation is a quite useful feature to us, so any workaround until next release would be great.
>>
>> Regards,
>>
>> Diego Díez
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From diegodiez.ddr at gmail.com Wed Nov 29 16:13:37 2017
From: diegodiez.ddr at gmail.com (Diego Diez)
Date: Wed, 29 Nov 2017 22:13:37 +0100
Subject: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final
In-Reply-To:
References:
Message-ID:

After clicking the button I can see the account of the impersonated user, but the SSO doesn't seem to work. When I go to another app, the login form is prompted again instead of a new redirect with the user logged in to the app automatically.

That's the issue I meant in the first place. Sorry for the lack of details.

PD: the app I used to reproduce the problem was secured using the spring security adapter for spring boot

On 29 Nov 2017 9:33 p.m., "Stian Thorgersen" wrote:

Oh and we do have tests as well for it ;)

On 29 November 2017 at 21:33, Stian Thorgersen wrote:
> Just tried it here and works just fine for me.
>
> On 29 November 2017 at 18:24, Diego Diez wrote:
>
>> Hi Keycloak Community,
>>
>> After successfully upgrading our servers from keycloak 2.5.4.Final to 3.4.0.Final, we have noticed that the impersonation feature isn't working anymore.
>>
>> We have tested other versions with a vanilla install and the first version with this problem is 3.2.0.Final.
>>
>> Are you experiencing this problem? Impersonation is a quite useful feature to us, so any workaround until next release would be great.
>>
>> Regards,
>>
>> Diego Díez
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From orefalo at yahoo.com Wed Nov 29 17:47:00 2017
From: orefalo at yahoo.com (Olivier Refalo)
Date: Wed, 29 Nov 2017 17:47:00 -0500
Subject: [keycloak-user] nodejs keycloak connect
Message-ID: <1A83AE89-19F9-480A-A4BC-00EC4D2E93E5@yahoo.com>

Hi everyone,

I am playing with KeyCloak in order to protect my nodeJS API. Looking at the node connector, there are areas which I don't understand....

First and foremost, why does the connector create a SessionStore??? I mean it makes perfect sense when it's a web application, but for a stateless API (protected by a BearerToken), it sounds overkill to think in terms of "session".

Directly related, I see a BearerStore, which I don't know how to use.. Should I use it as the store to protect an API?

Last but not least, and this is a broader question, how would you protect a GraphQL Schema? FYI, a typical GraphQL API only has one endpoint. Authorization would be defined in the data schema itself, using some @directives.

Thanks for the help,

Sincerely,
Olivier

From rahul.pharande at gi-de.com Thu Nov 30 00:01:51 2017
From: rahul.pharande at gi-de.com (Pharande Rahul)
Date: Thu, 30 Nov 2017 05:01:51 +0000
Subject: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
In-Reply-To:
References:
Message-ID:

I believe I'm using Spring-boot Adapter here "keycloak-spring-boot-starter v3.4.0.Final" so as per your comment "keycloak.enabled" property should work out of the box here.

Did I misunderstand something here ..
-Rahul

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Wednesday, November 29, 2017 8:32 PM
To: Pharande Rahul
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties

keycloak.enable property only works for the Spring Boot Adapter, not for the Spring Security Adapter. There is already a ticket opened to align the feature.

On Wed, Nov 29, 2017 at 1:35 PM, Pharande Rahul wrote:

Hi,

While using "keycloak-spring-boot-starter v3.4.0.Final" with "spring-boot-starter-security V1.5.8.RELEASE", I'm getting a NullPointerException as described below. Please let me know if anyone has a suggestion on this, OR this is really a defect in the keycloak adapter.

Precondition:
- Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig in Example section (A).
- Disable keycloak in spring boot's Application property as "keycloak.enabled = false"

Expected Result:
- When Keycloak is disabled, spring security should handle authentication OR should not perform authentication.

Actual Result:
java.lang.NullPointerException: null
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]

What can be done here:
- Ideal Option: Keycloak adapter classes like "KeycloakWebSecurityConfigurerAdapter" should avoid registering their filters when the "keycloak.enabled" property is false.
- Temporary Option: we can handle this at application config level by defining on the SecurityConfig class
  o @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")

Example Section A:

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keyCloakAuthProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .authorizeRequests()
            .antMatchers("/test*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    public KeycloakConfigResolver KeyCloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

Thanks and Regards.
Rahul Pharande
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Thu Nov 30 01:29:56 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 30 Nov 2017 07:29:56 +0100
Subject: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
In-Reply-To:
References:
Message-ID:

The Spring Boot Starter bundles Spring Boot Adapter and Spring Security Adapter. I admit it can be confusing but we will fix this soon.
On Thu, Nov 30, 2017 at 6:01 AM, Pharande Rahul wrote:
> I believe I'm using Spring-boot Adapter here "keycloak-spring-boot-starter v3.4.0.Final" so as per your comment "keycloak.enabled" property should work out of the box here.
>
> Did I misunderstand something here ..
>
> -Rahul
>
> From: Sebastien Blanc [mailto:sblanc at redhat.com]
> Sent: Wednesday, November 29, 2017 8:32 PM
> To: Pharande Rahul
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
>
> keycloak.enable property only works for the Spring Boot Adapter, not for the Spring Security Adapter. There is already a ticket opened to align the feature.
>
> On Wed, Nov 29, 2017 at 1:35 PM, Pharande Rahul wrote:
>
> Hi,
>
> While using "keycloak-spring-boot-starter v3.4.0.Final" with "spring-boot-starter-security V1.5.8.RELEASE", I'm getting a NullPointerException as described below.
> Please let me know if anyone has a suggestion on this, OR this is really a defect in the keycloak adapter.
>
> Precondition:
> - Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig in Example section (A).
> - Disable keycloak in spring boot's Application property as "keycloak.enabled = false"
>
> Expected Result:
> - When Keycloak is disabled, spring security should handle authentication OR should not perform authentication.
>
> Actual Result:
> java.lang.NullPointerException: null
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
>     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]
>
> What can be done here:
> - Ideal Option: Keycloak adapter classes like "KeycloakWebSecurityConfigurerAdapter" should avoid registering their filters when the "keycloak.enabled" property is false.
> - Temporary Option: we can handle this at application config level by defining on the SecurityConfig class
>   o @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")
>
> Example Section A:
>
> @KeycloakConfiguration
> public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
>     @Autowired
>     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>         KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
>         keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
>         auth.authenticationProvider(keyCloakAuthProvider);
>     }
>
>     @Override
>     protected void configure(HttpSecurity http) throws Exception {
>         super.configure(http);
>         http
>             .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>             .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
>             .and()
>             .authorizeRequests()
>             .antMatchers("/test*").hasRole("ADMIN")
>             .anyRequest().permitAll();
>     }
>
>     @Override
>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>         return new NullAuthenticatedSessionStrategy();
>     }
>
>     @Bean
>     public KeycloakConfigResolver KeyCloakConfigResolver() {
>         return new KeycloakSpringBootConfigResolver();
>     }
> }
>
> Thanks and Regards.
> Rahul Pharande
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From khirschmann at huebinet.de Thu Nov 30 04:13:45 2017
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Thu, 30 Nov 2017 09:13:45 +0000
Subject: [keycloak-user] Notify application about
Message-ID: <96ef490b2edc4ef89f0070fa620dbb93@huebinet.de>

Hello,

when having a user federation with an active directory server I would like to trigger some logic in my application if a periodic synch has completed. I hoped I could use the Event Listener SPI to do so.
I have taken the example "sysout" to check if there is an event fired but I could only see an event for manually starting a user synch.

What is the recommended approach here? Have I missed something?

Thx

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG
Phone: +49 (0) 261 / 5 00 86 - 17
Fax: +49 (0) 261 / 5 00 86 - 29
E-Mail: kevin.hirschmann at huebinet.de
Internet: www.huebinet.de

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz

Registered office and registry court: Koblenz HRA 5329
Personally liable partner of the KG: HUEBINET GmbH; registered office and registry court: Koblenz HRB 6857
Management: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz

------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The exchange of messages with HUEBINET Informationsmanagement GmbH & Co. KG, Koblenz via e-mail serves information purposes only. Legally binding declarations cannot be exchanged via this medium, since the manipulation of e-mails by third parties cannot be ruled out.

Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From philippe.ventrillon at actility.com Thu Nov 30 05:47:22 2017
From: philippe.ventrillon at actility.com (philippe ventrillon)
Date: Thu, 30 Nov 2017 11:47:22 +0100
Subject: [keycloak-user] wildfly-adapter install over wildfly 9
Message-ID: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com>

Hello every one,

I am new to keycloak and I may have missed an obvious point but, as I don't see any other search to perform, I am going to ask.

I am simply trying to make a keycloak quickstart j2ee vanilla equivalent for wildfly 9.

I have been able to make the keycloak provided quickstart work on top of WF10.

But I don't manage with WF 9.

Following section 2.1.2 of "Securing Apps" I have:

- installed a brand new wildfly 9
- unzipped keycloak-wildfly-adapter-dist-3.4.0.Final.zip into the WF9 install directory
- executed the offline cli from the WF9\bin directory

C:\java\wildfly-9.0.2.Final-withKC\bin>.\jboss-cli.bat --file=adapter-install-offline.cli
{"outcome" => "success"}
{"outcome" => "success"}
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0158: Operation handler failed: org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main",
    "rolled-back" => true
}
Press any key to continue . . .

Is there something I am missing? Please point me to the piece of information I am lacking.

Thanks in advance for help and advice.

--
Philippe Ventrillon / Software architect
Actility
---

From rahul.pharande at gi-de.com Thu Nov 30 06:16:22 2017
From: rahul.pharande at gi-de.com (Pharande Rahul)
Date: Thu, 30 Nov 2017 11:16:22 +0000
Subject: [keycloak-user] keycloak-spring-security-adapter : KeycloakAuthenticationProcessingFilter doesn't skip user authentication if it's already authenticated
Message-ID: <45b9806d99d34f4380401c2d09c296e3@gi-de.com>

Hi,

While evaluating the keycloak spring security adapter for one of my requirements (as below) I realized KeycloakAuthenticationProcessingFilter doesn't skip authentication if the user is already authenticated in other/previous filters.

Requirement I've:
- Service-to-service authentication.
- Support multiple authentication schemes in fallback
  o OAuth (Using keycloak)
  o Basic (Application maintains username/password)

Problems I see:
- KeycloakAuthenticationProcessingFilter doesn't have a mechanism to skip authentication if the user is already authenticated. Like:
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
        if (existingAuth == null || !existingAuth.isAuthenticated()) {
            return true;
        }
        return false;
    }

Please suggest me if there is any configuration in keycloak to support it?

Thanks,
Rahul Pharande

From rahul.pharande at gi-de.com Thu Nov 30 06:19:40 2017
From: rahul.pharande at gi-de.com (Pharande Rahul)
Date: Thu, 30 Nov 2017 11:19:40 +0000
Subject: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
In-Reply-To:
References:
Message-ID:

As you said there is a ticket open for the same, could you please point me to the respective ticket so that I can refer to it for further tracking.

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Thursday, November 30, 2017 12:00 PM
To: Pharande Rahul
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties

The Spring Boot Starter bundles Spring Boot Adapter and Spring Security Adapter. I admit it can be confusing but we will fix this soon.

On Thu, Nov 30, 2017 at 6:01 AM, Pharande Rahul wrote:

I believe I'm using Spring-boot Adapter here "keycloak-spring-boot-starter v3.4.0.Final" so as per your comment "keycloak.enabled" property should work out of the box here.

Did I misunderstand something here ..

-Rahul

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Wednesday, November 29, 2017 8:32 PM
To: Pharande Rahul
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties

keycloak.enable property only works for the Spring Boot Adapter, not for the Spring Security Adapter. There is already a ticket opened to align the feature.

On Wed, Nov 29, 2017 at 1:35 PM, Pharande Rahul wrote:

Hi,

While using "keycloak-spring-boot-starter v3.4.0.Final" with "spring-boot-starter-security V1.5.8.RELEASE", I'm getting a NullPointerException as described below. Please let me know if anyone has a suggestion on this, OR this is really a defect in the keycloak adapter.

Precondition:
- Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig in Example section (A).
- Disable keycloak in spring boot's Application property as "keycloak.enabled = false"

Expected Result:
- When Keycloak is disabled, spring security should handle authentication OR should not perform authentication.

Actual Result:
java.lang.NullPointerException: null
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]

What can be done here:
- Ideal Option: Keycloak adapter classes like "KeycloakWebSecurityConfigurerAdapter" should avoid registering their filters when the "keycloak.enabled" property is false.
- Temporary Option: we can handle this at application config level by defining on the SecurityConfig class
  o @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")

Example Section A:

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keyCloakAuthProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .authorizeRequests()
            .antMatchers("/test*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    public KeycloakConfigResolver KeyCloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

Thanks and Regards.
Rahul Pharande

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Thu Nov 30 06:21:44 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 30 Nov 2017 12:21:44 +0100
Subject: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
In-Reply-To:
References:
Message-ID:

https://issues.jboss.org/browse/KEYCLOAK-5736

On Thu, Nov 30, 2017 at 12:19 PM, Pharande Rahul wrote:
> As you said there is a ticket open for the same, could you please point me to the respective ticket so that I can refer to it for further tracking.
>
> From: Sebastien Blanc [mailto:sblanc at redhat.com]
> Sent: Thursday, November 30, 2017 12:00 PM
> To: Pharande Rahul
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false" in spring boot application.properties
>
> The Spring Boot Starter bundles Spring Boot Adapter and Spring Security Adapter. I admit it can be confusing but we will fix this soon.
>
> On Thu, Nov 30, 2017 at 6:01 AM, Pharande Rahul wrote:
>
> I believe I'm using Spring-boot Adapter here "keycloak-spring-boot-starter v3.4.0.Final" so as per your comment "keycloak.enabled" property should work out of the box here.
>
> Did I misunderstand something here ..
>
> -Rahul
>
> From: Sebastien Blanc [mailto:sblanc at redhat.com]
> Sent: Wednesday, November 29, 2017 8:32 PM
> To: Pharande Rahul
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Using keycloak-spring-boot-starter throws NullPointerException when "keycloak.enabled = false"
> in spring boot application.properties
>
> keycloak.enable property only works for the Spring Boot Adapter, not for the Spring Security Adapter. There is already a ticket opened to align the feature.
>
> On Wed, Nov 29, 2017 at 1:35 PM, Pharande Rahul wrote:
>
> Hi,
>
> While using "keycloak-spring-boot-starter v3.4.0.Final" with "spring-boot-starter-security V1.5.8.RELEASE", I'm getting a NullPointerException as described below.
> Please let me know if anyone has a suggestion on this, OR this is really a defect in the keycloak adapter.
>
> Precondition:
> - Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig in Example section (A).
> - Disable keycloak in spring boot's Application property as "keycloak.enabled = false"
>
> Expected Result:
> - When Keycloak is disabled, spring security should handle authentication OR should not perform authentication.
>
> Actual Result:
> java.lang.NullPointerException: null
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
>     at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
>     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]
>
> What can be done here:
> - Ideal Option: Keycloak adapter classes like "KeycloakWebSecurityConfigurerAdapter" should avoid registering their filters when the "keycloak.enabled" property is false.
> - Temporary Option: we can handle this at application config level by defining on the SecurityConfig class
>   o @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")
>
> Example Section A:
>
> @KeycloakConfiguration
> public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
>     @Autowired
>     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>         KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
>         keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
>         auth.authenticationProvider(keyCloakAuthProvider);
>     }
>
>     @Override
>     protected void configure(HttpSecurity http) throws Exception {
>         super.configure(http);
>         http
>             .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>             .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
>             .and()
>             .authorizeRequests()
>             .antMatchers("/test*").hasRole("ADMIN")
>             .anyRequest().permitAll();
>     }
>
>     @Override
>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>         return new NullAuthenticatedSessionStrategy();
>     }
>
>     @Bean
>     public KeycloakConfigResolver KeyCloakConfigResolver() {
>         return new KeycloakSpringBootConfigResolver();
>     }
> }
>
> Thanks and Regards.
> Rahul Pharande > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From gavtheman1 at gmail.com Thu Nov 30 06:24:54 2017 From: gavtheman1 at gmail.com (Gavin Howard) Date: Thu, 30 Nov 2017 11:24:54 +0000 Subject: [keycloak-user] Setting up KC 3.1.0 in a HA cluster Message-ID: KC group, I am currently in the process of deploying Keycloak (KC) at my firm in a highly available cluster and I have been following your documentation here: http://www.keycloak.org/docs/3.1/server_installation/topics/clustering.html My setup is that I am using HAproxy (HAP) to provide the reverse proxy and balancing component and two KC nodes behind it connecting to an Oracle database. Previously I had KC working correctly as a single standalone node. I have followed your documentation to ensure the client IP address is forwarded correctly from HAP to my backend servers and confirmed this by following the steps mentioned under "Verify Connection" here: http://www.keycloak.org/docs/3.1/server_installation/topics/clustering/load-balancer.html and also that the domain is correctly rendered in my equivalent of : https://acme.com/auth/realms/master/.well-known/openid-configuration Upon testing my cluster get some quite strange behavior upon entering valid login credentials that I get either a message that either my session has been restarted as I was taking too long to login or I get passed around a redirect loop. Either way the setup is not working as I expected. The documentation goes on to describe multicast settings: http://www.keycloak.org/docs/3.1/server_installation/topics/clustering/multicast.html but it is not quite clear if this is needed in my setup. Is it a requirement of ALL of the possible clustering configurations that multicast is set and working between the nodes? 
Or is it possible to set up the KC nodes as their own instances, without knowledge of the other nodes, and have the load balancer stick the user session to an individual node whilst authentication takes place? If so, how can this be achieved?

Many thanks,
Gavin

From psilva at redhat.com Thu Nov 30 06:33:54 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Nov 2017 09:33:54 -0200
Subject: [keycloak-user] wildfly-adapter install over wildfly 9
In-Reply-To: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com>
References: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com>
Message-ID:

Could you try to change *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml* to mark *org.wildfly.security.elytron* dependency as optional. After your changes the dependency should look like this:

<module name="org.wildfly.security.elytron" optional="true"/>

Regards.
Pedro Igor

On Thu, Nov 30, 2017 at 8:47 AM, philippe ventrillon <philippe.ventrillon at actility.com> wrote:

> Hello every one,
>
> I am new to keycloak and I may have missed an obvious point but, as I
> don't see any other search to perform, I am going to ask.
>
> I am simply trying to make a keycloak quickstart j2ee vanilla
> equivalent for wildfly 9.
>
> I have been able to make the keycloak provided quickstart work on top of
> WF10.
>
> But I don't manage with WF 9.
>
> Following section 2.1.2 of "Securing Apps" I have:
>
> - installed a brand new wildfly 9
> - unzipped keycloak-wildfly-adapter-dist-3.4.0.Final.zip into WF9 install directory
> - Executed the offline cli from WF9\bin directory
>
> C:\java\wildfly-9.0.2.Final-withKC\bin>.\jboss-cli.bat --file=adapter-install-offline.cli
> {"outcome" => "success"}
> {"outcome" => "success"}
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0158: Operation handler failed: org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main",
>     "rolled-back" => true
> }
> Press any key to continue . . .
>
> Is there something I am missing? Please point me to the piece of
> information I am lacking.
>
> Thanks in advance for help and advice.
>
> --
> Philippe Ventrillon / Software architect
> Actility
>
> ---
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Thu Nov 30 07:09:12 2017
From: betalb at gmail.com (Виталий Ищенко)
Date: Thu, 30 Nov 2017 12:09:12 +0000
Subject: [keycloak-user] Session state iframe doesn't work reliably
Message-ID:

Hello

I'm trying to set up a seamless logout flow for an SPA, but I am running into an issue in the following scenario:

- The user is logged in with a public client using the code grant and the check-login iframe enabled. I see that the KEYCLOAK_SESSION cookie is set during the code exchange phase, and later used in the iframe to validate the user session.
- The application refreshes the token using refresh_token when access_token is close to expiration.
- Now I log the user out from the application using the Keycloak admin app.

I do not expect that the user should be logged out immediately. But what I do expect is to get an error response from the token endpoint when I next try to refresh the token. The response returned by the OP doesn't have CORS headers, so the application can't access any information from the response that would allow distinguishing between a network error and CORS-related errors.

Another option may be to clear the cookie in response to the token endpoint call.

Any help will be appreciated

From jayblanc at gmail.com Thu Nov 30 07:23:20 2017
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Thu, 30 Nov 2017 12:23:20 +0000
Subject: [keycloak-user] nonce parameter not send when authorize with OIDC on Identity Provider
Message-ID:

Hi all,

I have configured an external IDP for my keycloak.
This IDP is using the openid connect protocol but when I try to identify through this IDP from the login form, the nonce parameter is not included in the request and the IDP rejects it.

According to this JIRA:
https://issues.jboss.org/browse/KEYCLOAK-5032?jql=project%20%3D%20KEYCLOAK%20AND%20text%20~%20nonce
I was thinking it would be fixed in 3.4.0.Final but I face the same problem.

Did I miss something or misconfigure?

Thanks for your support,
Best regards,
Jérôme

PS: the external IDP I try to use is 'France Connect'

From johannes.eickhold at bison-group.com Thu Nov 30 08:40:40 2017
From: johannes.eickhold at bison-group.com (Eickhold Johannes (e))
Date: Thu, 30 Nov 2017 13:40:40 +0000
Subject: [keycloak-user] How to register new users without using admin API
Message-ID: <16e9bd5d56494ffa85099acce3da989c@fenacocln78-03.main.corp.fenaco.com>

Does Keycloak provide a public REST API to create new users besides the admin API (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource)?

I know about the Keycloak registration form that is part of the OpenID Connect flow, but I don't want to use the redirects required during the OpenID Connect flows. We considered using OpenID Connect with the implicit flow and the "Resource Owner Password Credential Grant" from within an Angular SPA but do not see a possibility to let users create their own accounts in this scenario.

What would be the recommended way to let users register themselves here?

In the previously mentioned scenario, I know that it's possible to authenticate a user using the "authorization_endpoint" which can be retrieved from the following endpoint:
/auth/realms//.well-known/openid-configuration

Is there an equivalent endpoint to register, respectively to create, a new user?

Other question: How does Keycloak prevent attackers from excessively creating user accounts using the OpenID Connect flows if captchas are not activated?

Thanks in advance,
Johannes.
------------------------------------------------
Leading Business IT Solutions

Bison Schweiz AG
Allee 1A
CH-6210 Sursee
Phone direct +41 58 226 02 31
Phone +41 58 226 00 00
Fax +41 58 226 00 50
johannes.eickhold at bison-group.com
www.bison-group.com

From philippe.ventrillon at actility.com Thu Nov 30 08:52:00 2017
From: philippe.ventrillon at actility.com (philippe ventrillon)
Date: Thu, 30 Nov 2017 14:52:00 +0100
Subject: [keycloak-user] wildfly-adapter install over wildfly 9
In-Reply-To:
References: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com>
Message-ID:

Thank you for your help

I've set optional="true" as you suggested. It worked smoothly as long as adapter install was concerned.

Unfortunately when I try to deploy my war I get an exception:

Failed to define class org.keycloak.adapters.elytron.KeycloakConfigurationServletListener in Module "org.keycloak.keycloak-wildfly-elytron-oidc-adapter:main" from local module loader @45283ce2 (finder: local module finder @2077d4de (roots: C:\java\wildfly-9.0.2.Final-withKc\modules,C:\java\wildfly-9.0.2.Final-withKc\modules\system\layers\base,C:\java\wildfly-9.0.2.Final-withKc\modules\system\add-ons\keycloak)): org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main

Do you have more ideas?

Regards

On 30/11/2017 12:33, Pedro Igor Silva wrote:
> Could you try to change
> *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml*
> to mark *org.wildfly.security.elytron* dependency as optional. After
> your changes the dependency should look like this:
>
> <module name="org.wildfly.security.elytron" optional="true"/>
>
> --
> Philippe Ventrillon / Software architect
> Actility
>
> ---

From psilva at redhat.com Thu Nov 30 09:20:53 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Nov 2017 12:20:53 -0200
Subject: [keycloak-user] wildfly-adapter install over wildfly 9
In-Reply-To:
References: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com>
Message-ID:

You can do the same thing you did before but for *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml.*

I did some tests with WF9 and it seems this is the last thing you need to do ...

On Thu, Nov 30, 2017 at 11:52 AM, philippe ventrillon <philippe.ventrillon at actility.com> wrote:

> Thank you for your help
>
> I've set optional="true" as you suggested. It worked smoothly as long as
> adapter install was concerned.
>
> Unfortunately when I try to deploy my war I get an exception:
>
> Failed to define class org.keycloak.adapters.elytron.KeycloakConfigurationServletListener
> in Module "org.keycloak.keycloak-wildfly-elytron-oidc-adapter:main" from local module loader @45283ce2
> (finder: local module finder @2077d4de (roots: C:\java\wildfly-9.0.2.Final-withKc\modules,C:\java\wildfly-9.0.2.Final-withKc\modules\system\layers\base,C:\java\wildfly-9.0.2.Final-withKc\modules\system\add-ons\keycloak)):
> org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main
>
> Do you have more ideas?
>
> Regards
>
> On 30/11/2017 12:33, Pedro Igor Silva wrote:
>
> Could you try to change
> *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml*
> to mark *org.wildfly.security.elytron* dependency as optional. After your
> changes the dependency should look like this:
>
> <module name="org.wildfly.security.elytron" optional="true"/>
>
> --
> Philippe Ventrillon / Software architect
> Actility
> ---
From philippe.ventrillon at actility.com Thu Nov 30 09:55:28 2017
From: philippe.ventrillon at actility.com (philippe ventrillon)
Date: Thu, 30 Nov 2017 15:55:28 +0100
Subject: [keycloak-user] wildfly-adapter install over wildfly 9
In-Reply-To:
References: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com>
Message-ID: <2c18b869-475d-3d12-c202-94cccf3e1065@actility.com>

Many thanks!

It worked like a charm! My small app on wildfly 9 now authenticates me through keycloak.

Best regards
---
Philippe Ventrillon

On 30/11/2017 15:20, Pedro Igor Silva wrote:
> You can do the same thing you did before but for
> *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml.*
>
> I did some tests with WF9 and it seems this is the last thing you need
> to do ...
>
> On Thu, Nov 30, 2017 at 11:52 AM, philippe ventrillon
> <philippe.ventrillon at actility.com> wrote:
>
>     Thank you for your help
>
>     I've set optional="true" as you suggested. It worked smoothly as
>     long as adapter install was concerned.
>
>     Unfortunately when I try to deploy my war I get an exception:
>
>     Failed to define class
>     org.keycloak.adapters.elytron.KeycloakConfigurationServletListener
>     in Module
>     "org.keycloak.keycloak-wildfly-elytron-oidc-adapter:main" from
>     local module loader @45283ce2 (finder: local module finder
>     @2077d4de (roots:
>     C:\java\wildfly-9.0.2.Final-withKc\modules,C:\java\wildfly-9.0.2.Final-withKc\modules\system\layers\base,C:\java\wildfly-9.0.2.Final-withKc\modules\system\add-ons\keycloak)):
>     org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main
>
>     Do you have more ideas?
>
>     Regards
>
>     On 30/11/2017 12:33, Pedro Igor Silva wrote:
>>     Could you try to change
>>     *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml*
>>     to mark *org.wildfly.security.elytron* dependency as optional.
>>     After your changes the dependency should look like this:
>>
>>     <module name="org.wildfly.security.elytron" optional="true"/>
>>
>
>     --
>     Philippe Ventrillon / Software architect
>     Actility
>
>     ---
>

--
Philippe Ventrillon / Software architect
Actility
---

From psilva at redhat.com Thu Nov 30 10:02:47 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Nov 2017 13:02:47 -0200
Subject: [keycloak-user] wildfly-adapter install over wildfly 9
In-Reply-To: <2c18b869-475d-3d12-c202-94cccf3e1065@actility.com>
References: <64622aa6-a97d-0458-0522-5114a422f0bb@actility.com> <2c18b869-475d-3d12-c202-94cccf3e1065@actility.com>
Message-ID:

FYI, I've created https://issues.jboss.org/browse/KEYCLOAK-5953.

On Thu, Nov 30, 2017 at 12:55 PM, philippe ventrillon <philippe.ventrillon at actility.com> wrote:

> Many thanks!
>
> It worked like a charm! My small app on wildfly 9 now authenticates me
> through keycloak.
>
> Best regards
>
> ---
>
> Philippe Ventrillon
>
> On 30/11/2017 15:20, Pedro Igor Silva wrote:
>
> You can do the same thing you did before but for
> *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml.*
>
> I did some tests with WF9 and it seems this is the last thing you need to
> do ...
>
> On Thu, Nov 30, 2017 at 11:52 AM, philippe ventrillon <
> philippe.ventrillon at actility.com> wrote:
>
>> Thank you for your help
>>
>> I've set optional="true" as you suggested. It worked smoothly as long as
>> adapter install was concerned.
>>
>> Unfortunately when I try to deploy my war I get an exception:
>>
>> Failed to define class org.keycloak.adapters.elytron.
>> KeycloakConfigurationServletListener in Module
>> "org.keycloak.keycloak-wildfly-elytron-oidc-adapter:main" from local
>> module loader @45283ce2 (finder: local module finder @2077d4de (roots:
>> C:\java\wildfly-9.0.2.Final-withKc\modules,C:\java\wildfly-9.0.2.Final-withKc\modules\system\layers\base,C:\java\wildfly-9.0.2.Final-withKc\modules\system\add-ons\keycloak)):
>> org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main
>>
>> Do you have more ideas?
>>
>> Regards
>>
>> On 30/11/2017 12:33, Pedro Igor Silva wrote:
>>
>> Could you try to change
>> *${JBOSS_HOME}/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml*
>> to mark *org.wildfly.security.elytron* dependency as optional. After
>> your changes the dependency should look like this:
>>
>> <module name="org.wildfly.security.elytron" optional="true"/>
>>
>> --
>> Philippe Ventrillon / Software architect
>> Actility
>> ---
>
> --
> Philippe Ventrillon / Software architect
> Actility
> ---

From sthorger at redhat.com Thu Nov 30 13:25:46 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 30 Nov 2017 19:25:46 +0100
Subject: [keycloak-user] Keycloak 3.4.1.CR1 released
Message-ID:

We've just released Keycloak 3.4.1.CR1.

To download the release go to the Keycloak homepage.

Highlights

Cross DC
A lot of work has gone into finishing the Cross DC support and it should now be ready to use.

Database Replication
We're now testing database replication with MySQL Galera and Oracle RAC. This is related to Cross DC support which requires a master node in each DC.

Loads more..
- Loads and loads of fixes

The full list of resolved issues is available in JIRA.
Upgrading
Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed. Release candidates are not recommended in production and we do not support upgrading from release candidates.

From diegodiez.ddr at gmail.com Thu Nov 30 14:22:44 2017
From: diegodiez.ddr at gmail.com (Diego Diez)
Date: Thu, 30 Nov 2017 20:22:44 +0100
Subject: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final
In-Reply-To:
References:
Message-ID:

It has something to do with the cookies.

I can impersonate a user the first time I try (without any cookies yet for the browser session). If I try again after doing log out, the login form is always shown, even after impersonating another user.

The only way I found to impersonate a user again is clearing the cookies for the keycloak server.

I hope this info is useful in order to reproduce the problem.

On 29 Nov 2017 10:13 p.m., "Diego Diez" wrote:

> After clicking the button I can see the account of the impersonated user,
> but the SSO doesn't seem to work.
>
> When I go to another app, the login form is prompted again instead of a new
> redirect with the user logged in to the app automatically.
>
> That's the issue I meant in the first place. Sorry for the lack of details.
>
> PD: the app I used to reproduce the problem was secured using the spring
> security adapter for spring boot
>
> On 29 Nov 2017 9:33 p.m., "Stian Thorgersen"
> wrote:
>
> Oh and we do have tests as well for it ;)
>
> On 29 November 2017 at 21:33, Stian Thorgersen
> wrote:
>
>> Just tried it here and works just fine for me.
>>
>> On 29 November 2017 at 18:24, Diego Diez wrote:
>>
>>> Hi Keycloak Community,
>>>
>>>
>>> After successfully upgrading our servers from keycloak 2.5.4.Final to
>>> 3.4.0.Final, we have noticed that the impersonation feature isn't
>>> working anymore.
>>>
>>> We have tested other versions with a vanilla install and the first
>>> version with this problem is 3.2.0.Final.
>>>
>>> Are you experiencing this problem? Impersonation is a quite useful
>>> feature to us, so any workaround until the next release would be great.
>>>
>>>
>>> Regards,
>>>
>>> Diego Díez
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>

From jeremy.michael7373 at gmail.com Thu Nov 30 15:05:11 2017
From: jeremy.michael7373 at gmail.com (Jeremy Michael)
Date: Thu, 30 Nov 2017 15:05:11 -0500
Subject: [keycloak-user] kc_idp_hint parameter is being ignored
In-Reply-To:
References:
Message-ID:

We're using the keycloak.js adapter. I've tried a couple of things, but am still not able to get it to work.

Within our adapter, we're instantiating keycloak with the following (more or less):

keycloak = new Keycloak({
    url: "mykeycloak.com/auth/",
    realm: "myrealm",
    clientId: "myclient",
    checkLoginIframe: false
});

I tried to add the following immediately after the code block below:

keycloak.createLoginUrl({ idpHint: 'myIdP' });

But that generated an error:

Argument of type '{ idpHint: string; }' is not assignable to parameter of type 'LoginOptions'. Object literal may only specify known properties, and 'idpHint' does not exist in type 'LoginOptions'.

So, I tried adding the idpHint param on the initial block:

keycloak = new Keycloak({
    url: "mykeycloak.com/auth/",
    realm: "myrealm",
    clientId: "myclient",
    checkLoginIframe: false,
    idpHint: 'myIdP'
});

That didn't cause any errors, but it didn't seem to have any effect (I still landed on the login page).

Any ideas?

On Wed, Nov 29, 2017 at 3:32 PM, Stian Thorgersen wrote:

> The kc_idp_hint param isn't set on your app, but rather it's a query param
> that needs to be included when the app is doing the login. What adapter are
> you using?
>
> On 29 November 2017 at 18:46, Jeremy Michael
> wrote:
>
>> Hello all,
>>
>> I'm trying to do something that looks like it should be very easy, but is
>> not working for me. Hopefully someone can help me figure out what I'm
>> doing wrong.
>>
>> We have an application secured by Keycloak and have two Identity Providers
>> set up. Clicking the buttons on the standard Keycloak login screen works
>> fine for both Identity Providers. We can also set up either provider as a
>> default (in the browser Authentication flow) to bypass the login screen,
>> and that works fine. However, in some cases, we want to bypass the login
>> screen and use Identity Provider 1, and in others we want to bypass the
>> login screen and use Identity Provider 2.
>>
>> It looks like we should be able to achieve what we want by using the
>> kc_idp_hint parameter. But, when I try to test it out, the
>> kc_idp_hint seems to be ignored.
>>
>> I tried the following, where the URL is the address of my app secured by
>> Keycloak, and idp1alias is the alias of the Identity Provider I want to
>> use:
>> https://www.myapp.com?kc_idp_hint=idp1alias
>>
>> However, instead of bypassing the login screen and automatically beginning
>> the authentication process with Identity Provider 1, I am landing on the
>> standard Keycloak login screen.
>>
>> As another test, I tried just going to the built in
>> "/auth/realms//account" with the "kc_idp_hint" parameter added and I
>> got the same behavior (i.e., I saw the Keycloak login screen):
>> https://mykeycloakurl.com/auth/realms/myrealm/account?kc_idp_hint=idp1alias
>>
>> I'm clearly missing something, or misunderstanding how this should work.
>> Can someone help get me pointed in the right direction?
>>
>> Thanks!
>> Jeremy
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>