From mevans at aconex.com Fri Sep 1 00:31:02 2017
From: mevans at aconex.com (Matt Evans)
Date: Fri, 1 Sep 2017 04:31:02 +0000
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
Message-ID:

We're running keycloak clustered with standalone-ha.xml, and it's been working fine.

We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.

Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:

org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx

Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?

What can I do to address this so that I can add the node back into the cluster?

I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!

Thanks

Matt

From felix.straub at kaufland.com Fri Sep 1 09:23:20 2017
From: felix.straub at kaufland.com (felix.straub at kaufland.com)
Date: Fri, 1 Sep 2017 15:23:20 +0200
Subject: [keycloak-user] Keycloak LDAP User Validation
Message-ID:

Hello together,

I have the following issue: I added LDAP/AD User federation to my keycloak server version 3.2.0.Final. So far so good, everything is working: I can import all the users and then can validate the users against the LDAP. But the target is that no user gets imported to keycloak. That's working, too. Just switched off the import button.

If I try to login now with my LDAP-credentials an error comes up. The error on the keycloak login page says: "Unexpected error when handling authentication request to identity provider". In the keycloak log it throws a "ReadOnlyException".
But if I look into the sessions there is an active session with the user I tried to login. Did I miss any settings so that keycloak can authenticate the user against LDAP/AD without importing all the users?

Thank you for your help.

Kind regards
Felix Straub
+49 7132 94 920297
Kaufland Informationssysteme GmbH & Co. KG
Postfach 12 53 - 74172 Neckarsulm
Limited partnership, registered office: Neckarsulm
Register court: Stuttgart HRA 104163

From kuntalakrishna at gmail.com Fri Sep 1 09:26:32 2017
From: kuntalakrishna at gmail.com (Krishna Kuntala)
Date: Fri, 1 Sep 2017 14:26:32 +0100
Subject: [keycloak-user] User defined password policies
Message-ID:

We have the following requirements w.r.t. password policies. I am not sure whether we would be able to add custom password policies. If yes, how to define custom policies?

1. Password max length should be 16
2. Only allow 2 repeating characters
3. Satisfy 3 out of 4 password criteria mentioned in "Authentication->Password Policy"
4. Lock account for 1 hour after 3 failed login attempts

Please let me know whether these requirements can be configured from the UI or do I need to implement some code to achieve this?

Thanks and Regards,
Krishna Kuntala

From Thomas.Kuestermann at sabre.com Fri Sep 1 10:08:14 2017
From: Thomas.Kuestermann at sabre.com (Kuestermann, Thomas)
Date: Fri, 1 Sep 2017 14:08:14 +0000
Subject: [keycloak-user] Spring Security Adapter & Filter Bean Registration
Message-ID:

Keycloak experts,

We've got a working Spring Boot application that integrates with Keycloak via the Spring Security adapter. Works great so far!

I read the documentation (http://www.keycloak.org/docs/3.3/securing_apps/topics/oidc/java/spring-security-adapter.html), section "Avoid double Filter bean registration", and it states that "it may be necessary to add two FilterRegistrationBeans to your security configuration to prevent the Keycloak filters from being registered twice".
Under which circumstances do we need to add the mentioned FilterRegistrationBeans to the configuration, as I cannot see filters being registered twice? Blindly adding the filters results in no filter being applied at all. I'd like to be clear about this as I'm relatively new to the technology involved.

Thanks for shedding some light on it!

--
Thomas

From msakho at redhat.com Fri Sep 1 10:53:35 2017
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Fri, 1 Sep 2017 16:53:35 +0200
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To:
References:
Message-ID:

Matt,
How did you add your new node?
Have you defined the jboss.node.name property in your new node?
Meissa

On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:
> We're running keycloak clustered with standalone-ha.xml, and it's been
> working fine.
>
> We changed the 'owners' of the distributed caches for session,
> loginFailures etc to 2 so that it will distribute those caches across the 2
> nodes in the cluster.
>
> Now, when I remove a node and add a new node, the new node fails to start
> some of the services, due to:
>
> org.infinispan.commons.CacheException: Initial state transfer timed out
> for cache sessions on xxxx
>
> Is this because it's actually taking too long to fetch the initial cache
> data from the other node? Is it due to the size of the cache, or some other
> issue?
>
> What can I do to address this so that I can add the node back into the
> cluster?
>
> I'm not experienced at all in infinispan or jgroups, so any pointers on
> how to query the servers to see what's in the caches, and how to see what's
> actually happening will be appreciated!
>
> Thanks
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From thomas.darimont at googlemail.com Fri Sep 1 16:59:45 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 1 Sep 2017 22:59:45 +0200
Subject: [keycloak-user] Transparent login for legacy web applications without direct Keycloak integration
Message-ID:

Hello,

Sorry for the long email...

A while ago I experimented with a Keycloak extension that would support converting access_tokens, retrieved via a Direct Access Grant, to a 307 redirect response with the KEYCLOAK_IDENTITY, KEYCLOAK_SESSION cookies set to transparently authenticate a user.

The use case was to allow users to transparently authenticate via the login pages of a legacy-app (a portal, which I cannot change) without requiring users to use the Keycloak login pages. Next to the legacy application there are other newer apps which are fully integrated with Keycloak. Users who login to the legacy-app first should be able to access the other applications without an additional login step. The users of all applications are stored in Keycloak.

This and similar topics have come up quite often on this mailing list in the past, so I wanted to discuss a potential solution, which uses Direct Access Grants, a new hypothetical "token2cookies" endpoint in Keycloak, as well as redirects.

It would work like this:

1) legacy-app sends a POST with client_credentials + user_credentials + a generated nonce to Keycloak to retrieve an access_token via Direct Access Grant. The nonce is stored with the client session in Keycloak. The purpose of the nonce is to prevent attackers from issuing cookies for an access_token that was issued for a different client or at a different time.

2) legacy-app extracts session_state from the access_token, generates the "token2cookies" URL and sends a 307 redirect to the user's browser.
This URL contains the session_state, the nonce and the client_id to redirect to as parameters. E.g.:

Location: https://sso.acme.local/auth/realms/transparent-login/protocol/openid-connect/token/introspect/t2c?redirect_to_client_id=legacy-app&session_state=680e5ba3-6f9f-4c79-9c74-a24347a06f63&nonce=b98cd9a7-c834-4942-bef7-aba90061582d

3) The browser follows the redirect. The endpoint verifies the session_state by comparing the previously stored nonce with the one given as URL parameter. If the session is verified & active, the endpoint performs some checks on the user associated with the session (present, disabled, etc.). If the user is valid then:

AuthenticationManager.createLoginCookie(session, realm, user, userSession, uriInfo, clientConnection);

is called, which generates and injects the KEYCLOAK_IDENTITY, KEYCLOAK_SESSION cookies into the response, which is then returned as a 307 redirect to the base_url configured for the client referred to by the redirect_to_client_id parameter. The redirect points to the org.keycloak.services.resources.RealmsResource#getRedirect endpoint, which eventually redirects to the base path of the target application. This redirect URL looks like:

https://sso.acme.local/auth/realms/transparent-login/clients/legacy-app/redirect

The user is now returned to the legacy-app. He can now transparently go to other applications, e.g. new-app, without having to login again since the Keycloak session cookies are now present for sso.acme.local. The new-app will transparently renew the sso session.

I think this approach could be applied in many legacy integration scenarios where users are used to accessing a centralized application which, for whatever reason, cannot be changed that much or fronted with Keycloak.

Looking forward to hearing your opinions about this approach.
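An in-memory model of the three steps above, added here as an illustration (it is not part of the post and not Keycloak code): a stand-in server issues the Direct Access Grant, stores the nonce with the session, and the hypothetical token2cookies endpoint refuses to set cookies unless session_state, client and nonce all match and the user is still enabled. Two details are this example's own assumptions rather than the proposal's: the nonce is consumed on first use so the same URL cannot be replayed, and the cookie values are random placeholders instead of Keycloak's signed tokens.

```python
"""Model of the proposed Direct Access Grant + 'token2cookies' flow (illustration only)."""
import secrets
import uuid
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

REALM_URL = "https://sso.acme.local/auth/realms/transparent-login"
T2C_PATH = "/protocol/openid-connect/token/introspect/t2c"  # hypothetical endpoint from the proposal


@dataclass
class UserSession:
    user: str
    client_id: str         # client the Direct Access Grant was issued to
    nonce: Optional[str]   # stored with the client session; None once consumed (assumption)
    active: bool = True


class MockKeycloak:
    """Constructed stand-in for the server; not Keycloak's implementation."""

    def __init__(self):
        self.users = {}      # username -> {"password": str, "enabled": bool}
        self.clients = {}    # client_id -> {"secret": str}
        self.sessions = {}   # session_state -> UserSession

    def direct_access_grant(self, client_id, client_secret, username, password, nonce):
        """Step 1: client + user credentials + nonce -> access token claims, or None."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        user = self.users.get(username)
        if (user is None or not user["enabled"]
                or not secrets.compare_digest(user["password"], password)):
            return None
        session_state = str(uuid.uuid4())
        self.sessions[session_state] = UserSession(username, client_id, nonce)
        # Only the claims this flow needs are modelled.
        return {"session_state": session_state, "azp": client_id, "sub": username}

    def token2cookies(self, query):
        """Step 3: verify the redirect parameters and, if valid, answer 307 with cookies.
        Returns (status, headers); headers carry Set-Cookie and Location on success."""
        params = {k: v[0] for k, v in parse_qs(query).items()}
        session = self.sessions.get(params.get("session_state", ""))
        if session is None or not session.active:
            return 400, {}
        target = params.get("redirect_to_client_id", "")
        presented = params.get("nonce", "")
        # The nonce must still be unused, belong to this client, and match exactly.
        if (session.nonce is None or session.client_id != target
                or not secrets.compare_digest(session.nonce, presented)):
            return 403, {}
        user = self.users.get(session.user)
        if user is None or not user["enabled"]:
            return 403, {}
        session.nonce = None  # single use (assumption): the same URL cannot be replayed
        attrs = "; Path=/auth/realms/transparent-login; Secure; HttpOnly"
        headers = {
            "Set-Cookie": [
                "KEYCLOAK_IDENTITY=" + secrets.token_urlsafe(32) + attrs,  # placeholder value
                "KEYCLOAK_SESSION=" + secrets.token_urlsafe(32) + attrs,   # placeholder value
            ],
            "Location": f"{REALM_URL}/clients/{target}/redirect",
        }
        return 307, headers


def build_t2c_redirect(token, nonce, client_id):
    """Step 2 (legacy-app side): take session_state from the token, build the Location."""
    query = urlencode({"redirect_to_client_id": client_id,
                       "session_state": token["session_state"], "nonce": nonce})
    return f"{REALM_URL}{T2C_PATH}?{query}"


def run_flow(kc, username, password, nonce=None):
    """Whole flow for one user; returns (status, headers) of the t2c response."""
    nonce = nonce or str(uuid.uuid4())
    token = kc.direct_access_grant("legacy-app", "legacy-secret", username, password, nonce)
    if token is None:
        return 401, {}
    location = build_t2c_redirect(token, nonce, "legacy-app")
    return kc.token2cookies(location.split("?", 1)[1])


def demo_server():
    """Constructed sample realm: one confidential client, one enabled and one disabled user."""
    kc = MockKeycloak()
    kc.clients["legacy-app"] = {"secret": "legacy-secret"}
    kc.users["alice"] = {"password": "correct horse", "enabled": True}
    kc.users["mallory"] = {"password": "pw", "enabled": False}
    return kc


if __name__ == "__main__":
    status, headers = run_flow(demo_server(), "alice", "correct horse")
    print(status, headers.get("Location"))
```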
Cheers,
Thomas

From mevans at aconex.com Fri Sep 1 17:47:03 2017
From: mevans at aconex.com (Matt Evans)
Date: Fri, 1 Sep 2017 21:47:03 +0000
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To:
References: ,
Message-ID:

No, I just start up keycloak and run standalone ha. There's no mention of that property in the keycloak docs about clustering

Matt

________________________________
From: Meissa M'baye Sakho
Sent: Saturday, September 2, 2017 12:53:35 AM
To: Matt Evans
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out

Matt,
How did you add your new node?
Have you defined the jboss.node.name property in your new node?
Meissa

On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:

We're running keycloak clustered with standalone-ha.xml, and it's been working fine.

We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.

Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:

org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx

Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?

What can I do to address this so that I can add the node back into the cluster?

I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!
Thanks

Matt
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From imteyaz.ahmad at clairvoyantsoft.com Sat Sep 2 22:57:48 2017
From: imteyaz.ahmad at clairvoyantsoft.com (Imteyaz Ahmad)
Date: Sun, 3 Sep 2017 08:27:48 +0530
Subject: [keycloak-user] Redirection based on button clicked
Message-ID:

Hi All,

I am new to Keycloak. It looks very promising so far. I am intending to use it in one of our projects.

We have different landing pages for the first time user and the returning user. For example:

Once the first time user clicks the "register" button after filling up his/her details, the application redirects to a page, let's say "http://localhost:8080/abc". While in case of a returning user, once the user clicks on the "login" button, it redirects to a different page, let's say "http://localhost:8080/def".

Can this be achieved with the configurations available? Or I'll have to do this in my client application??

Thanks,
Imteyaz Ahmad

From amaeztu at tesicnor.com Sun Sep 3 09:15:44 2017
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Sun, 03 Sep 2017 15:15:44 +0200
Subject: [keycloak-user] Redirection based on button clicked
In-Reply-To:
References:
Message-ID:

When your application redirects to the keycloak server, there is a redirectUrl param specified. However, for your case you don't know the url to redirect to in that moment, so you need to redirect to a point where your application will decide whether the user has been logged in or not.

Sent from my Sony Xperia phone

---- Imteyaz Ahmad wrote ----

>Hi All,
>
>I am new to Keycloak. It looks very promising so far. I am intending to
>use it in one of our projects.
>
>We have different landing page for first time user and the returning user.
>for example:
>
>Once the first time user clicks of "register" button after filling up
>his/her details, application redirects to a page let's say "
>http://localhost:8080/abc". While in case of returning user, once the user
>click on "login" button, it redirects to a different page let's say "
>http://localhost:8080/def"
>
>
>Can this be achieved with the configurations available? Or I'll have to do
>this in my client application??
>
>
>Thanks,
>Imteyaz Ahmad
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user

From mevans at aconex.com Sun Sep 3 22:40:11 2017
From: mevans at aconex.com (Matt Evans)
Date: Mon, 4 Sep 2017 02:40:11 +0000
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To:
References: ,
Message-ID:

Strangely, it seems to have fixed itself over the weekend. I came to look at it this morning and the new node successfully retrieved the initial state data. I've not made any changes to configuration etc.

I'd still like to know why it was happening and how to prevent it though.

Matt

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Matt Evans
Sent: Saturday, 2 September 2017 7:47 AM
To: Meissa M'baye Sakho
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out

No, I just start up keycloak and run standalone ha. There's no mention of that property in the keycloak docs about clustering

Matt

________________________________
From: Meissa M'baye Sakho
Sent: Saturday, September 2, 2017 12:53:35 AM
To: Matt Evans
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out

Matt,
How did you add your new node?
Have you defined the jboss.node.name property in your new node?
Meissa

On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:

We're running keycloak clustered with standalone-ha.xml, and it's been working fine.

We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.

Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:

org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx

Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?

What can I do to address this so that I can add the node back into the cluster?

I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!

Thanks

Matt
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Mon Sep 4 04:23:05 2017
From: lists at merit.unu.edu (mj)
Date: Mon, 4 Sep 2017 10:23:05 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To: <94134b6f-14c2-4c55-fb30-4b123ef374c2@redhat.com>
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu> <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com> <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu> <94134b6f-14c2-4c55-fb30-4b123ef374c2@redhat.com>
Message-ID:

Hi Marek, list,

Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password updates" has now been postponed until 4.x, I'd like to know if it's possible to display some additional text
on the keycloak password change page.

We would like to outline the password requirements, so at least our users would understand WHY the password change did not succeed.

Something like: "Please mix upper- and lowercase, numbers and special characters, and make it longer than 8 characters"

I have looked at the templates, but can't see where to add/edit this.

MJ

On 08/23/2017 01:49 PM, Marek Posolda wrote:
> Ah, I see your point now.
>
> I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I am
> likely not going to look into that due to other priorities. But maybe
> someone else will.
>
> BTW. The error you mentioned is the known issue for Samba AD. We have
> mapper (MSADUserAccountControlStorageMapper ), which is able to
> translate the error message from MSAD during password update and
> recognize if update failed due to password policy or other reason.
> However this works just for MSAD, but doesn't work for Samba. It seems
> that Samba has bit different error messages and hence it fails. The
> solution might be to implement another mapper just for Samba AD
> (hopefully subclass of MSADUserAccountControlStorageMapper, so it
> doesn't need to be completely rewritten). If you want to contribute
> that, it will be nice. We're not going to support Samba AD in near
> future and hence we won't do it on our own. At least not now.
>
> Marek
>
>
> On 22/08/17 10:38, lists wrote:
>> Hi Marek,
>>
>> But I am under the impression that KEYCLOAK-4052 would not allow the
>> user to provide a password that does not meet the complexity
>> requirements configured in keycloak?
>>
>> And if I would configure keycloak to require complexer passwords than
>> MSAD does, the user password change would succeed?
>>
>> Because currently keycloak accepts 'abc' as a password, and samba
>> doesn't. If keycloak would require the user to provide a GOOD
>> password, samba would also accept it.
>>
>> (because the basic password-change-functionality works fine)
>>
>> I would only like keycloak to NOT accept '123' as a valid password,
>> but take into account its own configured password complexity when
>> changing the MSAD password.
>>
>> Is that not what KEYCLOAK-4052 is about?
>>
>> MJ
>>
>> On 22-8-2017 8:43, Marek Posolda wrote:
>>> KEYCLOAK-4052 will help with the case when you want to enforce
>>> Keycloak password policies when updating the password of Keycloak
>>> user, who is mapped to LDAP provider. However LDAP password policies
>>> will be applied too. And in your case, MSAD policies are applied
>>> already. In other words, KEYCLOAK-4052 won't help you with the error
>>> "Could not modify attribute for DN
>>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>>
>>> The case you mentioned should be already supported, but it works
>>> just for MSAD. AFAIK it doesn't work for some others like Samba AD.
>>> Also you need to have MSAD User Account Controls mapper enabled.
>>>
>>> Marek
>>>
>>>
>

From sajid at theinnovationinc.co Mon Sep 4 04:46:59 2017
From: sajid at theinnovationinc.co (Sajid Chauhan)
Date: Mon, 4 Sep 2017 14:16:59 +0530
Subject: [keycloak-user] OTP validation
Message-ID:

Hi,

Is there a REST api which validates the OTP?

--
Thanks and regards,
Sajid

From mposolda at redhat.com Mon Sep 4 05:49:13 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Sep 2017 11:49:13 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To:
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu> <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com> <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu> <94134b6f-14c2-4c55-fb30-4b123ef374c2@redhat.com>
Message-ID:

Yes, that should work at least as a workaround :/

AFAIK there is a "themes" directory as a subdirectory of the main keycloak directory of the keycloak-server distribution. AFAIK if you change it there, it should be used.
There is a messages_en.properties file for the account theme (that's the one you need for the account management) and also for the login theme (that's the one you need for the user's self-registration or updatePassword required action).

We have docs for "Theme", so you can take a look there.

Marek

On 04/09/17 10:23, mj wrote:
> Hi Marek, list,
>
> Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password
> updates" has now been postponed until 4.x, I'd like to know if it's
> possible to display some additional text on the keycloak password
> change page.
>
> We would like to outline the password requirements, so at least our
> users would understand WHY the password change did not succeed.
>
> Something like: "Please mix upper- and lowercase, numbers and special
> characters, and make it longer than 8 characters"
>
> I have looked at the templates, but can't see where to add/edit this.
>
> MJ
>
> On 08/23/2017 01:49 PM, Marek Posolda wrote:
>> Ah, I see your point now.
>>
>> I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I
>> am likely not going to look into that due to other priorities. But
>> maybe someone else will.
>>
>> BTW. The error you mentioned is the known issue for Samba AD. We have
>> mapper (MSADUserAccountControlStorageMapper ), which is able to
>> translate the error message from MSAD during password update and
>> recognize if update failed due to password policy or other reason.
>> However this works just for MSAD, but doesn't work for Samba. It
>> seems that Samba has bit different error messages and hence it fails.
>> The solution might be to implement another mapper just for Samba AD
>> (hopefully subclass of MSADUserAccountControlStorageMapper, so it
>> doesn't need to be completely rewritten). If you want to contribute
>> that, it will be nice. We're not going to support Samba AD in near
>> future and hence we won't do it on our own. At least not now.
>>
>> Marek
>>
>>
>> On 22/08/17 10:38, lists wrote:
>>> Hi Marek,
>>>
>>> But I am under the impression that KEYCLOAK-4052 would not allow the
>>> user to provide a password that does not meet the complexity
>>> requirements configured in keycloak?
>>>
>>> And if I would configure keycloak to require complexer passwords
>>> than MSAD does, the user password change would succeed?
>>>
>>> Because currently keycloak accepts 'abc' as a password, and samba
>>> doesn't. If keycloak would require the user to provide a GOOD
>>> password, samba would also accept it.
>>>
>>> (because the basic password-change-functionality works fine)
>>>
>>> I would only like keycloak to NOT accept '123' as a valid password,
>>> but take into account its own configured password complexity when
>>> changing the MSAD password.
>>>
>>> Is that not what KEYCLOAK-4052 is about?
>>>
>>> MJ
>>>
>>> On 22-8-2017 8:43, Marek Posolda wrote:
>>>> KEYCLOAK-4052 will help with the case when you want to enforce
>>>> Keycloak password policies when updating the password of Keycloak
>>>> user, who is mapped to LDAP provider. However LDAP password
>>>> policies will be applied too. And in your case, MSAD policies are
>>>> applied already. In other words, KEYCLOAK-4052 won't help you with
>>>> the error "Could not modify attribute for DN
>>>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>>>
>>>> The case you mentioned should be already supported, but it works
>>>> just for MSAD. AFAIK it doesn't work for some others like Samba AD.
>>>> Also you need to have MSAD User Account Controls mapper enabled.
>>>>
>>>> Marek
>>>>
>>>>
>>

From james.mk.green at gmail.com Mon Sep 4 06:13:47 2017
From: james.mk.green at gmail.com (James Green)
Date: Mon, 4 Sep 2017 11:13:47 +0100
Subject: [keycloak-user] Java admin clients
Message-ID:

In the absence of a Swagger endpoint (which would be so useful!) I've been trying to use the admin-client in my client, but I cannot get even this to work.
It seems it requires an older version of Resteasy, which I downgrade to, then find I need to upgrade Jackson, then discover there are binary API changes preventing its use, presumably with keycloak-3.

So I switched to OpenFeign and hooked in the JAXRS contracts feature, but this blows up because various methods of the various interfaces lack HTTP methods, see UsersResource#get()

So all-in-all, I'm not having any luck with something that looks like an off-the-shelf dependency to just "use" :(

I've followed through a number of the example gists on Github but they all seem to pre-date Keycloak-3 and don't work.

The keycloak-admin-client doesn't seem to have any tests to confirm it actually works, either. So does anyone have a way forward without me having to re-implement the interfaces?

What I'd *really* like to see is a Swagger endpoint that I can point swagger-codegen at, as we've had success through this means with other software in the past, but I can't find anything other than requests for Swagger in past emails to this list.

Yours rather frustrated,

James

From christianlutz at inovel.de Mon Sep 4 06:34:57 2017
From: christianlutz at inovel.de (christian lutz)
Date: Mon, 4 Sep 2017 10:34:57 +0000
Subject: [keycloak-user] Java admin clients
In-Reply-To:
References:
Message-ID: <000605A0.59AD485D@mail.ino.local>

Hello James,

please see this pom file.
https://github.com/ChristianLutz/keycloak-cxf-admin-client/blob/master/pom.xml
We created our own cxf-admin-client because we rely on cxf.

So just ignore our cxf dependencies and replace them with the resteasy dependency. And you should be fine for compiling.
And these are the runtime dependencies. Maybe one or another isn't necessary anymore.
The keycloak adapter core stuff
http-whiteboard
mvn:org.bouncycastle/bcprov-jdk15on/1.52
mvn:org.bouncycastle/bcpkix-jdk15on/1.52
mvn:com.fasterxml.jackson.core/jackson-core/${jackson-version}
mvn:com.fasterxml.jackson.core/jackson-annotations/${jackson-version}
mvn:com.fasterxml.jackson.core/jackson-databind/${jackson-version}
mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/${jackson-version}
mvn:org.jboss.logging/jboss-logging/3.3.0.Final
mvn:org.keycloak/keycloak-osgi-thirdparty/${keycloak.version}
mvn:org.keycloak/keycloak-common/${keycloak.version}
mvn:org.keycloak/keycloak-core/${keycloak.version}
mvn:org.keycloak/keycloak-cxf-admin-client/${keycloak.version} //replace it with your default resteasy dependency.
mvn:org.keycloak/keycloak-authz-client/${keycloak.version}
mvn:org.keycloak/keycloak-adapter-spi/${keycloak.version}
mvn:org.keycloak/keycloak-adapter-core/${keycloak.version}
mvn:org.keycloak/keycloak-osgi-adapter/${keycloak.version}
Hope this may help a bit.
Kind regards.
Christian

-------- Original Message --------
Subject: [keycloak-user] Java admin clients (4. September 2017, 12:13)
From: James Green
To: christianlutz at inovel.de

> In the absence of a Swagger endpoint (which would be so useful!) I've been
> trying to use the admin-client in my client, but I cannot get even this to
> work.
>
> It seems it requires an older version of Resteasy, which I downgrade to,
> then find I need to upgrade Jackson, then discover there are binary API
> changes preventing it's use presumably with keycloak-3.
>
> So I switched to OpenFeign and hooked in the JAXRS contracts feature, but
> this blows up because various methods of the various interfaces lack HTTP
> methods see UsersResource#get()
>
> So all-in-all, I'm not having any luck with something that looks like an
> off-the-shelf dependency to just "use" :(
>
> I've followed through a number of the example gists on Github but they all
> seem to pre-date Keycloak-3 and don't work.
>
> The keycloak-admin-client doesn't seem to have any tests to confirm it
> actually works, either. So does anyone have a way forward without me having
> to re-implement the interfaces?
>
> What I'd *really* like to see is a Swagger endpoint that I can point
> swagger-codegen at as we've had success though this means with other
> software in the past, but I can't find anything other than requests for
> Swagger in past emails to this list.
>
> Yours rather frustrated,
>
> James
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

To: james.mk.green at gmail.com
keycloak-user at lists.jboss.org

From gaetancollaud at gmail.com Mon Sep 4 07:27:30 2017
From: gaetancollaud at gmail.com (Gaétan Collaud)
Date: Mon, 04 Sep 2017 11:27:30 +0000
Subject: [keycloak-user] Java admin clients
In-Reply-To: <000605A0.59AD485D@mail.ino.local>
References: <000605A0.59AD485D@mail.ino.local>
Message-ID:

I successfully use the admin-client with this in my pom :

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-admin-client</artifactId>
    <version>3.2.1.Final</version>
</dependency>
<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jaxrs</artifactId>
    <version>3.1.4.Final</version>
</dependency>
<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-client</artifactId>
    <version>3.1.4.Final</version>
</dependency>
<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jackson2-provider</artifactId>
    <version>3.1.4.Final</version>
</dependency>

On Mon, 4 Sep 2017 at 12:37, christian lutz wrote:

> Hello James,
>
> please see this pom file.
> https://github.com/ChristianLutz/keycloak-cxf-admin-client/blob/master/pom.xml
> We created our own cxf-admin-client because we rely on cxf.
>
> So just ignore our cxf dependencies and replace them with the resteasy
> dependency. And you should be fine for compiling.
> And these are the runtime dependency. Maybe one or another isn't necessary
> anymore.
>
>
>
The keycloak adapter core stuff
> http-whiteboard > mvn:org.bouncycastle/bcprov-jdk15on/1.52 > mvn:org.bouncycastle/bcpkix-jdk15on/1.52 > > mvn:com.fasterxml.jackson.core/jackson-core/${jackson-version} > > mvn:com.fasterxml.jackson.core/jackson-annotations/${jackson-version} > > mvn:com.fasterxml.jackson.core/jackson-databind/${jackson-version} > > mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/${jackson-version} > > mvn:org.jboss.logging/jboss-logging/3.3.0.Final > > mvn:org.keycloak/keycloak-osgi-thirdparty/${keycloak.version} > > mvn:org.keycloak/keycloak-common/${keycloak.version} > > mvn:org.keycloak/keycloak-core/${keycloak.version} > > mvn:org.keycloak/keycloak-cxf-admin-client/${keycloak.version} > //replace it with your default resteasy dependency. > > mvn:org.keycloak/keycloak-authz-client/${keycloak.version} > > mvn:org.keycloak/keycloak-adapter-spi/${keycloak.version} > > mvn:org.keycloak/keycloak-adapter-core/${keycloak.version} > > mvn:org.keycloak/keycloak-osgi-adapter/${keycloak.version} >
> > Hope this may help a bit. > Kind regards. > Christian > > > > > > -------- Original Message -------- > Subject: [keycloak-user] Java admin clients (4. September 2017, 12:13) > From: James Green > To: christianlutz at inovel.de > > > In the absence of a Swagger endpoint (which would be so useful!) I've > been > > trying to use the admin-client in my client, but I cannot get even this > to > > work. > > > > It seems it requires an older version of Resteasy, which I downgrade to, > > then find I need to upgrade Jackson, then discover there are binary API > > changes preventing it's use presumably with keycloak-3. > > > > So I switched to OpenFeign and hooked in the JAXRS contracts feature, but > > this blows up because various methods of the various interfaces lack HTTP > > methods see UsersResource#get() > > > > So all-in-all, I'm not having any luck with something that looks like an > > off-the-shelf dependency to just "use" :( > > > > I've followed through a number of the example gists on Github but they > all > > seem to pre-date Keycloak-3 and don't work. > > > > The keycloak-admin-client doesn't seem to have any tests to confirm it > > actually works, either. So does anyone have a way forward without me > having > > to re-implement the interfaces? > > > > What I'd *really* like to see is a Swagger endpoint that I can point > > swagger-codegen at as we've had success though this means with other > > software in the past, but I can't find anything other than requests for > > Swagger in past emails to this list. 
> > Yours rather frustrated,
> >
> > James
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> To: james.mk.green at gmail.com
> keycloak-user at lists.jboss.org
>

From thomas.darimont at googlemail.com Mon Sep 4 07:48:33 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 4 Sep 2017 13:48:33 +0200
Subject: [keycloak-user] Java admin clients
In-Reply-To:
References: <000605A0.59AD485D@mail.ino.local>
Message-ID:

Did you see this Keycloak Blog-Post [0] about using Swagger to generate Docs for Keycloak's REST API?

Btw. another way I found to generate Swagger API documentation was using jax-rs analyzer [1] which can analyze the bytecode of keycloak-services-xxx.jar to generate the API docs.

Cheers,
Thomas

[0] http://blog.keycloak.org/2015/09/having-fun-with-rest-api-documentation.html
[1] https://github.com/sdaschner/jaxrs-analyzer

2017-09-04 13:27 GMT+02:00 Gaëtan Collaud :
> I successfully use the admin-client with this in my pom :
>
> <dependency>
>   <groupId>org.keycloak</groupId>
>   <artifactId>keycloak-admin-client</artifactId>
>   <version>3.2.1.Final</version>
> </dependency>
> <dependency>
>   <groupId>org.jboss.resteasy</groupId>
>   <artifactId>resteasy-jaxrs</artifactId>
>   <version>3.1.4.Final</version>
> </dependency>
> <dependency>
>   <groupId>org.jboss.resteasy</groupId>
>   <artifactId>resteasy-client</artifactId>
>   <version>3.1.4.Final</version>
> </dependency>
> <dependency>
>   <groupId>org.jboss.resteasy</groupId>
>   <artifactId>resteasy-jackson2-provider</artifactId>
>   <version>3.1.4.Final</version>
> </dependency>
>
> On Mon, 4 Sept 2017 at 12:37, christian lutz wrote:
>
> > Hello James,
> >
> > please see this pom file.
> > https://github.com/ChristianLutz/keycloak-cxf-admin-client/blob/master/pom.xml
> > We created our own cxf-admin-client because we rely on cxf.
> >
> > So just ignore our cxf dependencies and replace them with the resteasy
> > dependency. And you should be fine for compiling.
> > And these are the runtime dependencies.
> > Maybe one or another isn't necessary anymore.
> >
> > The keycloak adapter core stuff
> > http-whiteboard
> > mvn:org.bouncycastle/bcprov-jdk15on/1.52
> > mvn:org.bouncycastle/bcpkix-jdk15on/1.52
> > mvn:com.fasterxml.jackson.core/jackson-core/${jackson-version}
> > mvn:com.fasterxml.jackson.core/jackson-annotations/${jackson-version}
> > mvn:com.fasterxml.jackson.core/jackson-databind/${jackson-version}
> > mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/${jackson-version}
> > mvn:org.jboss.logging/jboss-logging/3.3.0.Final
> > mvn:org.keycloak/keycloak-osgi-thirdparty/${keycloak.version}
> > mvn:org.keycloak/keycloak-common/${keycloak.version}
> > mvn:org.keycloak/keycloak-core/${keycloak.version}
> > mvn:org.keycloak/keycloak-cxf-admin-client/${keycloak.version}  // replace it with your default resteasy dependency.
> > mvn:org.keycloak/keycloak-authz-client/${keycloak.version}
> > mvn:org.keycloak/keycloak-adapter-spi/${keycloak.version}
> > mvn:org.keycloak/keycloak-adapter-core/${keycloak.version}
> > mvn:org.keycloak/keycloak-osgi-adapter/${keycloak.version}
> >
> > Hope this may help a bit.
> > Kind regards.
> > Christian
> >
> > -------- Original Message --------
> > Subject: [keycloak-user] Java admin clients (4. September 2017, 12:13)
> > From: James Green
> > To: christianlutz at inovel.de
> >
> > > In the absence of a Swagger endpoint (which would be so useful!) I've been
> > > trying to use the admin-client in my client, but I cannot get even this to
> > > work.
> > >
> > > It seems it requires an older version of Resteasy, which I downgrade to,
> > > then find I need to upgrade Jackson, then discover there are binary API
> > > changes preventing its use presumably with keycloak-3.
> > >
> > > So I switched to OpenFeign and hooked in the JAXRS contracts feature, but
> > > this blows up because various methods of the various interfaces lack HTTP
> > > methods, see UsersResource#get()
> > >
> > > So all-in-all, I'm not having any luck with something that looks like an
> > > off-the-shelf dependency to just "use" :(
> > >
> > > I've followed through a number of the example gists on Github but they all
> > > seem to pre-date Keycloak-3 and don't work.
> > >
> > > The keycloak-admin-client doesn't seem to have any tests to confirm it
> > > actually works, either. So does anyone have a way forward without me having
> > > to re-implement the interfaces?
> > >
> > > What I'd *really* like to see is a Swagger endpoint that I can point
> > > swagger-codegen at as we've had success through this means with other
> > > software in the past, but I can't find anything other than requests for
> > > Swagger in past emails to this list.
> > > Yours rather frustrated,
> > >
> > > James
> >
> > To: james.mk.green at gmail.com
> > keycloak-user at lists.jboss.org
> >

From remi_cc at hotmail.com Mon Sep 4 10:28:00 2017
From: remi_cc at hotmail.com (Remi CASSAM CHENAI)
Date: Mon, 4 Sep 2017 14:28:00 +0000
Subject: [keycloak-user] Customize consent UI
Message-ID:

Hi,

I would like to customize the user consent screen when OIDC is used.

After the login screen, keycloak shows the user a consent screen containing the resources (scope) needed by the RP (client).

In this screen, the client is identified by its name (e.g. "My-app"), given in the admin console (configure/clients/settings/name).

I would like to identify the client in the consent screen by its redirect uri (e.g. "www.my-app.com/callback"). Or, even better, the main domain of the redirect uri (e.g. "www.my-app.com").

I guess I need to change something in the theme directory but could you help me with that please?

Many thanks,
Rémi

From mposolda at redhat.com Mon Sep 4 10:53:33 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Sep 2017 16:53:33 +0200
Subject: [keycloak-user] Service account user attributes
In-Reply-To:
References: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com>
Message-ID: <933cd1af-7b92-5d31-0273-533db0491e3c@redhat.com>

I can confirm that UserModel.serviceAccountClientLink is available just for service-account users.
Marek

On 31/08/17 10:38, Daniel Storey wrote:
>
> Thanks Phillip. I need a custom mapper to transform my user/service
> account attribute into a complex object claim value (not a primitive
> claim value). So, unfortunately, it's not simply a case of mapping a
> role name to a claim, which is what I think you are suggesting?
>
> Assuming a custom mapper is necessary, it seems to make sense to fold
> the user/service account conditional logic into the mapper.
>
> *From:* Phillip Fleischer [mailto:pcfleischer at outlook.com]
> *Sent:* 30 August 2017 21:49
> *To:* Daniel Storey
> *Cc:* Marek Posolda ; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Service account user attributes
>
> I'm not a contributor just an avid user. So "best" is relative.
>
> Seems like your solution will work just also seems like a service
> account role mapping would also work without any code. Both should be
> capable of controlling through the admin UI, so I guess not much
> difference.
>
> ------------------------------------------------------------------------
>
> *From:* Daniel Storey
> *Sent:* Wednesday, August 30, 2017 10:54:45 AM
> *To:* Phillip Fleischer
> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
> *Subject:* RE: [keycloak-user] Service account user attributes
>
> Hi Phillip
>
> Thanks very much for your suggestion.
>
> To give a bit more context, I have a requirement to convert a custom
> attribute associated with the resource owner (user or service account)
> into a complex type OIDC claim for all token requests. I have achieved
> this for requests associated with a user account by implementing an
> OIDC protocol mapper similar to the "User Attribute" mapper. I have
> attempted to do the same for service account requests by adding
> functionality similar to the "Hardcoded Claim" mapper.
> My mapper checks the UserModel associated with the request, then executes either
> User Attribute mapper-esque logic, where the value to convert to a
> claim comes from a user attribute, or Hardcoded Claim mapper-esque
> logic, where the value to convert comes from the ProtocolMapperModel.
> The hardcoded claim part essentially allows me to define service
> account-specific claims via the admin UI.
>
> It seems UserModel.serviceAccountClientLink is only set on service
> account token requests (null on user requests), so I'm driving my
> mapper logic off the presence of this property. If this is not
> advisable, I will define a service account role and check this
> instead, as you suggest.
>
> Given my requirement, does this sound like a reasonable solution?
>
>
> -----Original Message-----
> From: Phillip Fleischer [mailto:pcfleischer at outlook.com]
> Sent: 30 August 2017 13:11
> To: Daniel Storey
> Cc: Marek Posolda; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Service account user attributes
>
> Is there a reason you're not using service account roles?
>
> This is what we use for this. Ideally you'd create realm and client
> roles that determine the access level for whatever actions you want
> the service account to be authorized to do, or you could just make a
> role "service_account" which will show in the realm role access in the
> token or some combination of roles that do both. If you then want this
> to be a "claim" instead of a "role" in the token then you could use
> the "User Realm Role" protocol mapper (assuming OIDC protocol)
>
> It'd probably be cool too to be able to actually mess with the user
> entity in the admin too to do some attributes that are a claim... but
> there's probably a bunch of good reasons not to allow that either
> (e.g. there's a bunch of stuff you can't do like impersonate or delete
> that would need to be blocked from the UI).
> It might be possible to
> edit the user via the rest api too if you really really need it to be
> an attribute, but that's likely a hack.
>
> > On Aug 30, 2017, at 2:54 AM, Daniel Storey wrote:
> >
> > Thanks Marek. What would you suggest is the most reliable way to
> > detect a service account login from a protocol mapper? Is there a
> > service account flag in UserModel, or would I need to check for the
> > existence of known service account field(s), such as client notes?
> >
> > Are there any plans to make service account users viewable/editable
> > in the same way as 'normal' users (via the Keycloak admin UI) in a
> > future release?
> >
> > Many thanks
> > Dan
> >
> > -----Original Message-----
> > From: Marek Posolda [mailto:mposolda at redhat.com]
> > Sent: 25 August 2017 21:15
> > To: Daniel Storey; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Service account user attributes
> >
> > On 25/08/17 15:11, Daniel Storey wrote:
> >> Hello
> >>
> >> I would like to use service accounts to allow my OIDC clients to
> >> obtain access tokens using the client credentials grant. Furthermore,
> >> I'm trying to find a way to define additional attributes for each
> >> service account client so that I can map them to custom claims via a
> >> protocol mapper.
> >>
> >> I notice that Keycloak creates an internal user for each service
> >> account in its database, but the user is not visible/editable through
> >> the admin UI. Therefore, I am unable to create attributes for the
> >> service account user as I can for 'normal' users.
> >>
> >> I think I can define custom claims for a service account using a
> >> protocol mapper (something like the "hardcoded claim" mapper),
> >> assuming I can distinguish service account requests from user requests
> >> in the mapper. If this approach is not recommended, I would be very
> >> grateful if you could suggest an alternative.
> > That's possible if you plan to implement your own protocol mapper.
> > You can detect if login is service-account for example by checking if
> > UserModel corresponds to service-account user. There are also some
> > client notes, which are available just for service-account logins.
> >
> > Marek
> >>
> >> Kind regards
> >> Dan

From kevin.berendsen at pharmapartners.nl Mon Sep 4 11:00:10 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Mon, 4 Sep 2017 15:00:10 +0000
Subject: [keycloak-user] 1 realm multiple ldap providers with username collisions
In-Reply-To:
References:
Message-ID: <3914b6e5e5ce4e3abdd3be912d56e945@PHINEAS.ppg.lan>

Hi Wim,

One solution that used to work for us in the past as a POC was to create the following items:

* User storage provider extending the internal LDAP user storage provider to add a prefix to the username upon synchronization. It's not pretty but it works.
* Authenticator that'd generate a list of providers upon login. The user would then need to fill in the username, password and select the provider. The authenticator will prepend the prefix to the username based on the selected provider from the login page and attempt to authenticate the user then.

We had no trouble synchronizing users and authentication went smoothly BUT the use of internal Keycloak API may wreck your custom modules. So I'd recommend to stick to two realms. IF it's possible, I'd merge the two LDAPs.
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Wim Vandenhaute
> Sent: Thursday, 31 August 2017 16:35
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] 1 realm multiple ldap providers with username collisions
>
> Hello list,
>
> What would be the advisable way of handling the following use case:
>
> 1 application authn using keycloak with a realm with > 1 ldap configurations
> But in 2 or more of those ldap's there are equal usernames.
> How can we for user1 make sure ldap1 is used and for user2 ldap2?
>
> I.e. for example where we could provide a login form with the
> username/password but with an additional dropdown that has the
> configured ldap providers in it.
>
> What would be the advisable way of handling such a situation?
> Is there any support for this that I am missing?
> Would having 2 realms be the only way to handle this right now?
>
> p.s.
> We are developing against keycloak 2.5.5 at the moment
>
> Kind regards,
> Wim.

From mposolda at redhat.com Mon Sep 4 11:27:32 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Sep 2017 17:27:32 +0200
Subject: [keycloak-user] User defined password policies
In-Reply-To:
References:
Message-ID:

AFAIK 4 can be done through the BruteForce protector. See the admin console brute force settings (it's in a different place than password policies).

For 1, 2, 3 you would need to implement custom password policies. PasswordPolicy is an SPI, so you can add new providers to the existing ones. See our documentation for SPI and providers and also the keycloak-examples distribution and especially the directory "providers".

Marek

On 01/09/17 15:26, Krishna Kuntala wrote:
> We have the following requirements w.r.t. password policies.
> I am not sure whether we would be able to add custom password policies. If yes, how to
> define custom policies?
>
> 1. Password max length should be 16
> 2. Only allow 2 repeating characters
> 3. Satisfy 3 out of 4 password criteria mentioned in
> "Authentication->Password Policy"
> 4. Lock account for 1 hour after 3 failed login attempts
>
> Please let me know whether these requirements can be configured from the UI
> or do I need to implement some code to achieve this?
>
> Thanks and Regards,
> Krishna Kuntala

From mposolda at redhat.com Mon Sep 4 11:38:36 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Sep 2017 17:38:36 +0200
Subject: [keycloak-user] Keycloak LDAP User Validation
In-Reply-To:
References:
Message-ID: <5e0ae8d9-c2b1-2740-6ad7-82908fd02e30@redhat.com>

Just to understand, did you already combine both things together? I mean a scenario like:

1) You set up LDAP with import on
2) Then you log in some LDAP user "joe" and import him
3) Then you switch import off
4) Then log in again as the LDAP user "joe" and see the error?

If yes, I suspect this won't work. I think you need to decide from the beginning if you want import or not. If you don't want import, it will likely be good to start from a clean DB, so the scenario will be like:

1) You set up LDAP with import off
2) You log in as "joe" and it will work.

Marek

On 01/09/17 15:23, felix.straub at kaufland.com wrote:
>
> Hello together,
>
> I have the following issue:
>
> I added LDAP/AD User federation to my keycloak server version 3.2.0.Final.
> So far so good, everything is working: I can import all the users and then
> can validate the users against the LDAP.
>
> But the target is that no user gets imported to keycloak. That's working,
> too. Just switched off the import button.
> If I try to log in now with my LDAP credentials an error comes up. The error
> on the keycloak login page says: "Unexpected error when handling
> authentication request to identity provider".
> In the keycloak log it throws a "ReadOnlyException".
> But if I look into the sessions there is an active session with the user I
> tried to log in.
>
> Did I miss any settings so that keycloak can authenticate the user against
> LDAP/AD without importing all the users?
>
> Thank you for your help.
>
> Kind regards
> Felix Straub
>
> +49 7132 94 920297
>
> Kaufland Informationssysteme GmbH & Co. KG
> Postfach 12 53 - 74172 Neckarsulm
> Limited partnership (Kommanditgesellschaft)
> Registered office: Neckarsulm
> Court of registration: Stuttgart HRA 104163

From mposolda at redhat.com Mon Sep 4 11:44:03 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Sep 2017 17:44:03 +0200
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To:
References:
Message-ID: <2cfabc6a-6075-62e4-150e-7aad645068b0@redhat.com>

I think that you were right. Your cache is too big, it likely contains many user sessions. So the initial state transfer took quite a long time. Maybe during the weekend most people were logged out, hence the state transfer was able to finish in time...

It's possible to increase the timeout for the state transfer (I think it's 240 seconds by default, but not 100% sure). It will be good to check the infinispan documentation and the documentation about the wildfly infinispan subsystem, which should provide more details.

Marek

On 04/09/17 04:40, Matt Evans wrote:
> Strangely, it seems to have fixed itself over the weekend. I came to look at it this morning and the new node successfully retrieved the initial state data. I've not made any changes to configuration etc.
>
> I'd still like to know why it was happening and how to prevent it though.
>
> Matt
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Matt Evans
> Sent: Saturday, 2 September 2017 7:47 AM
> To: Meissa M'baye Sakho
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>
> No, I just start up keycloak and run standalone ha. There's no mention of that property in the keycloak docs about clustering
>
> Matt
>
> ________________________________
> From: Meissa M'baye Sakho
> Sent: Saturday, September 2, 2017 12:53:35 AM
> To: Matt Evans
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>
> Matt,
> How did you add your new node?
> Have you defined the jboss.node.name property in your new node?
> Meissa
>
> On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:
> We're running keycloak clustered with standalone-ha.xml, and it's been working fine.
>
> We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.
>
> Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:
>
> org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx
>
> Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?
>
> What can I do to address this so that I can add the node back into the cluster?
>
> I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!
>
> Thanks
>
> Matt

From mevans at aconex.com Mon Sep 4 19:48:38 2017
From: mevans at aconex.com (Matt Evans)
Date: Mon, 4 Sep 2017 23:48:38 +0000
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To: <2cfabc6a-6075-62e4-150e-7aad645068b0@redhat.com>
References: <2cfabc6a-6075-62e4-150e-7aad645068b0@redhat.com>
Message-ID:

Yes I've been digging into the infinispan docs :) You're right, from what I gather, the default timeout for the initial state transfer is 4 minutes. I would have thought that would have to be a lot of sessions to transfer for it to take longer than 4 mins. Now looking at how to view statistics on the caches to monitor this stuff.

I was wondering why the standalone-ha caches are using distributed caches and are configured with 1 owner. Is this because it assumes session affinity for connections from the load balancer? Does it make more sense, if the load balancers are not using session affinity, for the caches to be replicated caches rather than distributed caches?

Matt

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, 5 September 2017 1:44 AM
To: Matt Evans ; Meissa M'baye Sakho
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out

I think that you were right. Your cache is too big, it likely contains many user sessions.
So the initial state transfer took quite a long time. Maybe during the weekend most people were logged out, hence the state transfer was able to finish in time...

It's possible to increase the timeout for the state transfer (I think it's 240 seconds by default, but not 100% sure). It will be good to check the infinispan documentation and the documentation about the wildfly infinispan subsystem, which should provide more details.

Marek

On 04/09/17 04:40, Matt Evans wrote:
> Strangely, it seems to have fixed itself over the weekend. I came to look at it this morning and the new node successfully retrieved the initial state data. I've not made any changes to configuration etc.
>
> I'd still like to know why it was happening and how to prevent it though.
>
> Matt
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Matt Evans
> Sent: Saturday, 2 September 2017 7:47 AM
> To: Meissa M'baye Sakho
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>
> No, I just start up keycloak and run standalone ha. There's no mention of that property in the keycloak docs about clustering
>
> Matt
>
> ________________________________
> From: Meissa M'baye Sakho
> Sent: Saturday, September 2, 2017 12:53:35 AM
> To: Matt Evans
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>
> Matt,
> How did you add your new node?
> Have you defined the jboss.node.name property in your new node?
> Meissa
>
> On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:
> We're running keycloak clustered with standalone-ha.xml, and it's been working fine.
>
> We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.
>
> Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:
>
> org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx
>
> Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?
>
> What can I do to address this so that I can add the node back into the cluster?
>
> I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!
>
> Thanks
>
> Matt

From mposolda at redhat.com Tue Sep 5 02:20:09 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 5 Sep 2017 08:20:09 +0200
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To:
References: <2cfabc6a-6075-62e4-150e-7aad645068b0@redhat.com>
Message-ID: <18e214af-3517-51c0-11ea-99b9fb0443c1@redhat.com>

On 05/09/17 01:48, Matt Evans wrote:
> Yes I've been digging into the infinispan docs :) You're right, from what I gather, the default timeout for the initial state transfer is 4 minutes. I would have thought that would have to be a lot of sessions to transfer for it to take longer than 4 mins. Now looking at how to view statistics on the caches to monitor this stuff.

There is something available through JMX.
You can connect with jconsole and see some statistics. Maybe statistics need to be enabled for the infinispan caches (again, see the docs for details). There may be other ways to monitor this, but this one is likely the easiest for a start.

>
> I was wondering why the standalone-ha caches are using distributed caches and are configured with 1 owner. Is this because it assumes session affinity for connections from the load balancer? Does it make more sense, if the load balancers are not using session affinity, for the caches to be replicated caches rather than distributed caches?

Distributed with 1 owner is here to save memory. And yes, there is some session affinity support in latest master.

You can try to add 2 or more owners or use a replicated cache if you need failover (e.g. after some node is killed or restarted, its user sessions are lost and users need to re-authenticate if you have just 1 owner). However, state transfer will probably take even more time if you increase the number of owners or re-configure the cache to be replicated. You can try and see.

Marek

>
> Matt
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, 5 September 2017 1:44 AM
> To: Matt Evans ; Meissa M'baye Sakho
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>
> I think that you were right. Your cache is too big, it likely contains many user sessions. So the initial state transfer took quite a long time. Maybe during the weekend most people were logged out, hence the state transfer was able to finish in time...
>
> It's possible to increase the timeout for the state transfer (I think it's 240 seconds by default, but not 100% sure). It will be good to check the infinispan documentation and the documentation about the wildfly infinispan subsystem, which should provide more details.
>
> Marek
>
> On 04/09/17 04:40, Matt Evans wrote:
>> Strangely, it seems to have fixed itself over the weekend. I came to look at it this morning and the new node successfully retrieved the initial state data. I've not made any changes to configuration etc.
>>
>> I'd still like to know why it was happening and how to prevent it though.
>>
>> Matt
>>
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Matt Evans
>> Sent: Saturday, 2 September 2017 7:47 AM
>> To: Meissa M'baye Sakho
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>>
>> No, I just start up keycloak and run standalone ha. There's no mention of that property in the keycloak docs about clustering
>>
>> Matt
>>
>> ________________________________
>> From: Meissa M'baye Sakho
>> Sent: Saturday, September 2, 2017 12:53:35 AM
>> To: Matt Evans
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>>
>> Matt,
>> How did you add your new node?
>> Have you defined the jboss.node.name property in your new node?
>> Meissa
>>
>> On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:
>> We're running keycloak clustered with standalone-ha.xml, and it's been working fine.
>>
>> We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.
>>
>> Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:
>>
>> org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx
>>
>> Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?
>>
>> What can I do to address this so that I can add the node back into the cluster?
>>
>> I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches,  and how to see what's actually happening will be appreciated!
>>
>> Thanks
>>
>> Matt
>

From mevans at aconex.com Tue Sep 5 03:20:30 2017
From: mevans at aconex.com (Matt Evans)
Date: Tue, 5 Sep 2017 07:20:30 +0000
Subject: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
In-Reply-To: <18e214af-3517-51c0-11ea-99b9fb0443c1@redhat.com>
References: <2cfabc6a-6075-62e4-150e-7aad645068b0@redhat.com> <18e214af-3517-51c0-11ea-99b9fb0443c1@redhat.com>
Message-ID:

Thanks Marek,

I think I'm really working on two issues here. Like you say, the initial state transfer grows and, for example, if I was to add a new node to the cluster to scale for load, then it needs to be able to copy the state. I'm definitely looking at monitoring the caches. I found that I can use jboss-cli to read info about each cache (and turn statistics on and off, although the docs say that statistics adversely affect performance, so shouldn't be on all the time). One thing I did notice is that since we had the problem and I found the jboss-cli command, each time I've called it to check it seems that the number of entries is 0 for the session cache.
Admittedly it's only been a few times that I've checked it, but I would have thought there would be some entries. I'll look at JMX also, as the jboss-cli output isn't a standard output, which makes it less than straightforward to parse.

The second issue is that we have 3 nodes in the cluster and without setting the owners to at least 2 we were getting all sorts of strange things happen: the session expiry page kept appearing, as well as the expected session missing because the request comes in to the other server. Which was why I was thinking that the replicated cache might be the way to go, so that each node has all the session info etc. What I wasn't sure of was if there was a reason it was specifically a distributed cache, and if I could/should change it. I'll have a go at changing it and see what happens! :)

Matt

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, 5 September 2017 4:20 PM
To: Matt Evans ; Meissa M'baye Sakho
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out

On 05/09/17 01:48, Matt Evans wrote:
> Yes I've been digging into the infinispan docs :) You're right, from what I gather, the default timeout for the initial state transfer is 4 minutes. I would have thought that would have to be a lot of sessions to transfer for it to take longer than 4 mins. Now looking at how to view statistics on the caches to monitor this stuff.
There is something available through JMX. You can connect with jconsole and see some statistics. Maybe statistics need to be enabled for infinispan caches (again see docs for details). There may be other ways to monitor this, but this one is likely the easiest for the start.
>
> I was wondering why the standalone-ha caches are using distributed caches and are configured with 1 owner, is this because it assumes session affinity for connections from the load balancer?
> Does it make more sense if the load balancers are not using session affinity for the caches to be replicated caches rather than distributed caches?
Distributed with 1 owner is here to save memory. And yes, there is some session affinity support in latest master.

You can try to add 2 or more owners or use a replicated cache if you need failover (e.g. after some node is killed or restarted, its user sessions are lost and users need to re-authenticate if you have just 1 owner). However, state transfer will probably take even more time if you increase the number of owners or re-configure the cache to be replicated. You can try and see.

Marek

>
> Matt
>
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, 5 September 2017 1:44 AM
> To: Matt Evans ; Meissa M'baye Sakho
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>
> I think that you were right. Your cache is too big, it likely contains many user sessions. So the initial state transfer took quite a long time. Maybe during the weekend most people were logged out, hence the state transfer was able to finish in time...
>
> It's possible to increase the timeout for the state transfer (I think it's 240 seconds by default, but not 100% sure). It will be good to check the infinispan documentation and the documentation about the wildfly infinispan subsystem, which should provide more details.
>
> Marek
>
> On 04/09/17 04:40, Matt Evans wrote:
>> Strangely, it seems to have fixed itself over the weekend. I came to look at it this morning and the new node successfully retrieved the initial state data. I've not made any changes to configuration etc.
>>
>> I'd still like to know why it was happening and how to prevent it though.
>>
>> Matt
>>
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Matt Evans
>> Sent: Saturday, 2 September 2017 7:47 AM
>> To: Meissa M'baye Sakho
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>>
>> No, I just start up keycloak and run standalone ha. There's no mention of that property in the keycloak docs about clustering
>>
>> Matt
>>
>> ________________________________
>> From: Meissa M'baye Sakho
>> Sent: Saturday, September 2, 2017 12:53:35 AM
>> To: Matt Evans
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Keycloak node cannot join cluster, initial state transfer timed out
>>
>> Matt,
>> How did you add your new node?
>> Have you defined the jboss.node.name property in your new node?
>> Meissa
>>
>> On Fri, Sep 1, 2017 at 6:31 AM, Matt Evans wrote:
>> We're running keycloak clustered with standalone-ha.xml, and it's been working fine.
>>
>> We changed the 'owners' of the distributed caches for session, loginFailures etc to 2 so that it will distribute those caches across the 2 nodes in the cluster.
>>
>> Now, when I remove a node and add a new node, the new node fails to start some of the services, due to:
>>
>> org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on xxxx
>>
>> Is this because it's actually taking too long to fetch the initial cache data from the other node? Is it due to the size of the cache, or some other issue?
>>
>> What can I do to address this so that I can add the node back into the cluster?
>>
>> I'm not experienced at all in infinispan or jgroups, so any pointers on how to query the servers to see what's in the caches, and how to see what's actually happening will be appreciated!
>>
>> Thanks
>>
>> Matt
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lists at merit.unu.edu Tue Sep 5 03:32:11 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 5 Sep 2017 09:32:11 +0200
Subject: [keycloak-user] extra password policy, interesting?
Message-ID:

Hi,

Recently we were under attack of a botnet, trying out passwords for our accounts, and we learned a lot from it. :-)

We learned the kinds of passwords and variations that were tried, and how they were composed. Therefore, I would like to suggest an extra password policy: a list of forbidden words (like an expression blacklist)

We noticed that the botnet actually took often-occurring words from our website, and tried those for passwords, often adding things like: a year, or a part (subdomain or domain) of our email addresses. (username at subdomain.domain.com)

So, now we know what passwords are tried, but we have no way of prohibiting those passwords/terms. We can only ask our users not to use those words in their passwords.

If we could define blacklisted words, that would help (us) a lot.

(and perhaps others too?)

MJ

From thomas.darimont at googlemail.com Tue Sep 5 03:35:31 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 5 Sep 2017 09:35:31 +0200
Subject: [keycloak-user] extra password policy, interesting?
In-Reply-To:
References:
Message-ID:

Hello,

there is already a PR for that :)
https://github.com/keycloak/keycloak/pull/4370

Cheers,
Thomas

2017-09-05 9:32 GMT+02:00 lists :
> Hi,
>
> Recently we were under attack of a botnet, trying out passwords for our accounts, and we learned a lot from it. :-)
>
> We learned the kinds of passwords and variations that were tried, and how they were composed. Therefore, I would like to suggest an extra password policy: a list of forbidden words (like an expression blacklist)
>
> We noticed that the botnet actually took often-occurring words from our website, and tried those for passwords, often adding things like: a year, or a part (subdomain or domain) of our email addresses. (username at subdomain.domain.com)
>
> So, now we know what passwords are tried, but we have no way of prohibiting those passwords/terms. We can only ask our users not to use those words in their passwords.
>
> If we could define blacklisted words, that would help (us) a lot.
>
> (and perhaps others too?)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lists at merit.unu.edu Tue Sep 5 03:51:07 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 5 Sep 2017 09:51:07 +0200
Subject: [keycloak-user] extra password policy, interesting?
In-Reply-To:
References:
Message-ID: <8e27aec7-c022-9aee-979f-62f2c0f60fe0@merit.unu.edu>

Haha super!

So we were not alone with our sudden interest in that feature :-)

Thanks!

MJ

On 5-9-2017 9:35, Thomas Darimont wrote:
> Hello,
>
> there is already a PR for that :)
> https://github.com/keycloak/keycloak/pull/4370
>
> Cheers,
> Thomas
>
> 2017-09-05 9:32 GMT+02:00 lists :
>
> Hi,
>
> Recently we were under attack of a botnet, trying out passwords for our accounts, and we learned a lot from it.
> :-)
>
> We learned the kinds of passwords and variations that were tried, and how they were composed. Therefore, I would like to suggest an extra password policy: a list of forbidden words (like an expression blacklist)
>
> We noticed that the botnet actually took often-occurring words from our website, and tried those for passwords, often adding things like: a year, or a part (subdomain or domain) of our email addresses. (username at subdomain.domain.com)
>
> So, now we know what passwords are tried, but we have no way of prohibiting those passwords/terms. We can only ask our users not to use those words in their passwords.
>
> If we could define blacklisted words, that would help (us) a lot.
>
> (and perhaps others too?)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From thomas.darimont at googlemail.com Tue Sep 5 04:01:52 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 5 Sep 2017 10:01:52 +0200
Subject: [keycloak-user] extra password policy, interesting?
In-Reply-To: <8e27aec7-c022-9aee-979f-62f2c0f60fe0@merit.unu.edu>
References: <8e27aec7-c022-9aee-979f-62f2c0f60fe0@merit.unu.edu>
Message-ID:

Would you mind giving it a try? Looking for feedback :)

Cheers,
Thomas

2017-09-05 9:51 GMT+02:00 lists :
> Haha super!
>
> So we were not alone with our sudden interest in that feature :-)
>
> Thanks!
>
> MJ
>
> On 5-9-2017 9:35, Thomas Darimont wrote:
>
>> Hello,
>>
>> there is already a PR for that :)
>> https://github.com/keycloak/keycloak/pull/4370
>>
>> Cheers,
>> Thomas
>>
>> 2017-09-05 9:32 GMT+02:00 lists <lists at merit.unu.edu>:
>>
>> Hi,
>>
>> Recently we were under attack of a botnet, trying out passwords for our accounts, and we learned a lot from it. :-)
>>
>> We learned the kinds of passwords and variations that were tried, and how they were composed.
>> Therefore, I would like to suggest an extra password policy: a list of forbidden words (like an expression blacklist)
>>
>> We noticed that the botnet actually took often-occurring words from our website, and tried those for passwords, often adding things like: a year, or a part (subdomain or domain) of our email addresses. (username at subdomain.domain.com)
>>
>> So, now we know what passwords are tried, but we have no way of prohibiting those passwords/terms. We can only ask our users not to use those words in their passwords.
>>
>> If we could define blacklisted words, that would help (us) a lot.
>>
>> (and perhaps others too?)
>>
>> MJ
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From james.mk.green at gmail.com Tue Sep 5 04:13:05 2017
From: james.mk.green at gmail.com (James Green)
Date: Tue, 5 Sep 2017 09:13:05 +0100
Subject: [keycloak-user] Export who has what access
Message-ID:

This is coming up from an ISO 27000 audit point - who exists and what do they have access to, and can we verify this.

I see an export button but this does not include users or what they are given.

Perhaps this could be done via the API somehow?

Thanks,

James

From ionut.culda at lola.tech Tue Sep 5 09:50:48 2017
From: ionut.culda at lola.tech (Ionut Culda)
Date: Tue, 5 Sep 2017 16:50:48 +0300
Subject: [keycloak-user] keycloack -2fa with sssd
Message-ID: <8799F4EE-DE58-405E-8DC3-217F1FC4E578@lola.tech>

Hello

I have tried to configure keycloak for IPA users, which worked fine, but when I tried to enable two factor authentication it is not working (it says that users are readonly). Any workarounds?
Thank you

From chris.savory at edlogics.com Tue Sep 5 11:17:35 2017
From: chris.savory at edlogics.com (Chris Savory)
Date: Tue, 5 Sep 2017 15:17:35 +0000
Subject: [keycloak-user] Upgrading from Red Hat SSO 7.0 to Keycloak 3.1
In-Reply-To:
References:
Message-ID: <97E5A5D6-086C-47D1-B6DE-0EB674C3A1EB@edlogics.com>

I never saw a response to this question. Is it possible to migrate from RH SSO 7.0 to Keycloak 1.9.8 and then up to Keycloak 3.2?

--
Christopher Savory

On 6/19/17, 12:53 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Marcelo Nardelli" wrote:

    Hi,

    At work, we have an installation of Red Hat SSO 7.0 and we were going to upgrade it to version 7.1. However, I was told that our Red Hat subscription won't be renewed, so now we want to upgrade to the latest Keycloak version. Is this (upgrade from SSO 7.0 to Keycloak 3.1) supported?

    I've been trying to follow the instructions in the documentation (https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html), but it's not working.

    Specifically, when I try to run the migration script (after copying the old standalone.xml and the keycloak-server.json file)

    jboss-cli.sh --file=migrate-standalone.cli

    I get this error:

    Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

    I suppose the Keycloak version used in SSO 7.0 is too old and I will have to do some manual work here, but I wanted to know if there is some specific advice for this case...
    Thanks,
    Marcelo Nardelli

    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user

From okianl at yahoo.com Tue Sep 5 14:19:36 2017
From: okianl at yahoo.com (Lucian Ochian)
Date: Tue, 5 Sep 2017 18:19:36 +0000 (UTC)
Subject: [keycloak-user] Realm configuration under Version Control
In-Reply-To:
References:
Message-ID: <752010342.3307973.1504635576297@mail.yahoo.com>

You can also have a script (with admin client) that recreates it when you run it. (Java or Groovy maybe?!)

On Tuesday, August 22, 2017 4:24 AM, Christian Schneider wrote:

Hi,

we want to have our Keycloak-Realm configuration under Version Control. The goal is that every stage (Development, Integration, Testing and Production) should have its own configuration file for the realm (without users of course, they should stay over time). When we want to change something, it should be done over the configuration file.

My initial idea was to use the migration import and export parameters for that. First export the current configuration on every stage, commit it, and then import it on startup. But the problem is that the realm is first dropped (including the users) and then imported. After that, all existing users are removed :(.

What is your strategy to have the keycloak configuration under version control? So that every change is transparent and documented?

Best Regards,
Christian.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From snehalata.nagaje at harbingergroup.com Tue Sep 5 16:33:54 2017
From: snehalata.nagaje at harbingergroup.com (Snehalata Nagaje)
Date: Wed, 6 Sep 2017 02:03:54 +0530 (IST)
Subject: [keycloak-user] two factor authentication using email on trusted devices
In-Reply-To:
References:
Message-ID: <1886534980.13137280.1504643634191.JavaMail.zimbra@harbingergroup.com>

Hi All,

We have a requirement of two factor authentication using email, such as below.

When a user attempts to login to the system, the system should check for a cookie to confirm the device has been authorized. If the cookie is not found or is expired, the system will send an authentication email to the user's email address and ask the user to check their email which is associated with their account. When the user clicks on a designated link in the email, their account will be allowed to access the system. The authentication will expire after a time period which needs to be configurable through the UI.

Can you please help with this? Do we have this feature implemented in place?

Thanks,
Snehalata

From postmaster at lists.jboss.org Wed Sep 6 00:26:35 2017
From: postmaster at lists.jboss.org (Post Office)
Date: Wed, 6 Sep 2017 09:56:35 +0530
Subject: [keycloak-user] Keycloak-user@lists.jboss.org
Message-ID: <201709060426.v864Qb4I031098@lists01.dmz-a.mwc.hst.phx2.redhat.com>
From: Min Han Lee (the envelope and header of this message are not preserved in the archive; sender, date and subject are taken from the reply by Hynek Mlnarik that quotes it)
Date: Wed, 6 Sep 2017
Subject: [keycloak-user] Keycloak as LDAP Identity Provider

Hello all,

I was wondering if Keycloak is available as a default LDAP Identity Provider? I got a requirement that we need to retire all of the LDAP and use Keycloak only.

Can we, therefore, connect to Keycloak's built-in LDAP (realm native users) by using ldap://keycloakhostaddress? We tried that, but it doesn't work because we don't have the Keycloak's directory attribute information....

Please, if anyone can point me in the right direction

Thanks for help guys!

Kind Regards

From kevin.vandenelshout at inbo.be Wed Sep 6 03:20:12 2017
From: kevin.vandenelshout at inbo.be (Kevin VAN DEN ELSHOUT)
Date: Wed, 06 Sep 2017 07:20:12 +0000
Subject: [keycloak-user] Fwd: LDAP Registration user sync
In-Reply-To:
References:
Message-ID:

Hi,

I have an ldap user federation configured with sync registrations ON.

Now when I register a new user, this user is synced to ldap but not saved into local DB (synced back from ldap).

[org.keycloak.storage.ldap.LDAPStorageProvider] (default task-21) LDAP User invalid. ID doesn't match. ID from LDAP [test at mailinator.com], LDAP ID from local DB: [ ]

Any idea what I am doing wrong?
CODE_TO_TOKEN_ERROR
Error user_not_found
Details
grant_type authorization_code
code_id 7ac8c3c7-c9d3-413a-bb83-401047925b92
client_auth_method client-secret

LOGIN
auth_method openid-connect
auth_type code
redirect_uri ***/sso/login
consent no_consent_required
code_id 7ac8c3c7-c9d3-413a-bb83-401047925b92
username ***

REGISTER
auth_method openid-connect
auth_type code
register_method form
redirect_uri ***/sso/login
code_id 7ac8c3c7-c9d3-413a-bb83-401047925b92
email ***
username ***

From hmlnarik at redhat.com Wed Sep 6 03:32:42 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 6 Sep 2017 09:32:42 +0200
Subject: [keycloak-user] Keycloak as LDAP Identity Provider
In-Reply-To:
References:
Message-ID:

No, there is no built-in LDAP server in Keycloak. Keycloak can only act as LDAP client.

On Wed, Sep 6, 2017 at 8:47 AM, Min Han Lee wrote:
> Hello all,
>
> I was wondering if Keycloak is available as a default LDAP Identity Provider? I got a requirement which we need to retire all of the LDAP and use Keycloak only.
>
> Can we, therefore, connect to Keycloak's built-in LDAP (realm native users) by using ldap://keycloakhostaddress? We tried that, but it doesn't work because we don't have the Keycloak's directory attribute information....
>
> Please, if anyone can point me in the right direction
>
> Thanks for help guys!
>
> Kind Regards
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From kurrent93 at gmail.com Wed Sep 6 03:47:33 2017
From: kurrent93 at gmail.com (Anton)
Date: Wed, 6 Sep 2017 14:47:33 +0700
Subject: [keycloak-user] Java admin clients
In-Reply-To:
References: <000605A0.59AD485D@mail.ino.local>
Message-ID:

> > In the absence of a Swagger endpoint (which would be so useful!)
Please vote on https://issues.jboss.org/browse/KEYCLOAK-4474

Googling keycloak and swagger will show many results - many people also looking for this. It's surprising KC doesn't already have this.

On 4 September 2017 at 18:27, Gaëtan Collaud wrote:
> I successfully use the admin-client with this in my pom :
>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-admin-client</artifactId>
>     <version>3.2.1.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.jboss.resteasy</groupId>
>     <artifactId>resteasy-jaxrs</artifactId>
>     <version>3.1.4.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.jboss.resteasy</groupId>
>     <artifactId>resteasy-client</artifactId>
>     <version>3.1.4.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.jboss.resteasy</groupId>
>     <artifactId>resteasy-jackson2-provider</artifactId>
>     <version>3.1.4.Final</version>
> </dependency>
>
> Le lun. 4 sept. 2017 à 12:37, christian lutz a écrit :
>
> > Hello James,
> >
> > please see this pom file.
> > https://github.com/ChristianLutz/keycloak-cxf-admin-client/blob/master/pom.xml
> > We created our own cxf-admin-client because we rely on cxf.
> >
> > So just ignore our cxf dependencies and replace them with the resteasy dependency. And you should be fine for compiling.
> > And these are the runtime dependencies. Maybe one or another isn't necessary anymore.
> >
> > <!-- The keycloak adapter core stuff -->
> > <feature>http-whiteboard</feature>
> > <bundle>mvn:org.bouncycastle/bcprov-jdk15on/1.52</bundle>
> > <bundle>mvn:org.bouncycastle/bcpkix-jdk15on/1.52</bundle>
> > <bundle>mvn:com.fasterxml.jackson.core/jackson-core/${jackson-version}</bundle>
> > <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/${jackson-version}</bundle>
> > <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/${jackson-version}</bundle>
> > <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/${jackson-version}</bundle>
> > <bundle>mvn:org.jboss.logging/jboss-logging/3.3.0.Final</bundle>
> > <bundle>mvn:org.keycloak/keycloak-osgi-thirdparty/${keycloak.version}</bundle>
> > <bundle>mvn:org.keycloak/keycloak-common/${keycloak.version}</bundle>
> > <bundle>mvn:org.keycloak/keycloak-core/${keycloak.version}</bundle>
> > <bundle>mvn:org.keycloak/keycloak-cxf-admin-client/${keycloak.version}</bundle> //replace it with your default resteasy dependency.
> > <bundle>mvn:org.keycloak/keycloak-authz-client/${keycloak.version}</bundle>
> > <bundle>mvn:org.keycloak/keycloak-adapter-spi/${keycloak.version}</bundle>
> > <bundle>mvn:org.keycloak/keycloak-adapter-core/${keycloak.version}</bundle>
> > <bundle>mvn:org.keycloak/keycloak-osgi-adapter/${keycloak.version}</bundle>
> >
> >
> > Hope this may help a bit.
> > Kind regards.
> > Christian
> >
> >
> > -------- Original Message --------
> > Subject: [keycloak-user] Java admin clients (4. September 2017, 12:13)
> > From: James Green
> > To: christianlutz at inovel.de
> >
> > > In the absence of a Swagger endpoint (which would be so useful!) I've been trying to use the admin-client in my client, but I cannot get even this to work.
> > >
> > > It seems it requires an older version of Resteasy, which I downgrade to, then find I need to upgrade Jackson, then discover there are binary API changes preventing its use presumably with keycloak-3.
> > >
> > > So I switched to OpenFeign and hooked in the JAXRS contracts feature, but this blows up because various methods of the various interfaces lack HTTP methods, see UsersResource#get()
> > >
> > > So all-in-all, I'm not having any luck with something that looks like an off-the-shelf dependency to just "use" :(
> > >
> > > I've followed through a number of the example gists on Github but they all seem to pre-date Keycloak-3 and don't work.
> > >
> > > The keycloak-admin-client doesn't seem to have any tests to confirm it actually works, either. So does anyone have a way forward without me having to re-implement the interfaces?
> > >
> > > What I'd *really* like to see is a Swagger endpoint that I can point swagger-codegen at, as we've had success through this means with other software in the past, but I can't find anything other than requests for Swagger in past emails to this list.
> > >
> > > Yours rather frustrated,
> > >
> > > James
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > To: james.mk.green at gmail.com
> > keycloak-user at lists.jboss.org
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From pinguwien at gmail.com Wed Sep 6 07:02:29 2017
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 6 Sep 2017 13:02:29 +0200
Subject: [keycloak-user] Why does KeycloakRestTemplate Bean needs to be Prototype scoped?
Message-ID: <66f7bae7-1e4a-2f9a-6ad2-c6d205ceb6c4@gmail.com>

Hi all,

I hope I am right here. I am doing a blog series in German about Keycloak (3.2.1 Final) and its integration in Spring Boot and Spring Security. Everything is good so far, but there's one thing that bothers me. As the subject states: Why does the KeycloakRestTemplate bean need to be Prototype scoped?

The docs say in 4.2.1.8:

"To simplify communication between clients, Keycloak provides an extension of Spring's RestTemplate that handles bearer token authentication for you. To enable this feature your security configuration must add the KeycloakRestTemplate bean. Note that it must be scoped as a prototype to function correctly."

So, I don't just want to give my readers something they could read out of the docs, so I looked for the standard scope of RestTemplate, which seems to be Singleton, for RestTemplate seems to be threadsafe and creation of RestTemplates is somewhat costly (source: https://stackoverflow.com/questions/22989500/is-resttemplate-thread-safe and links/comments)

I hope someone could give me more insights here.

Best regards,
Dominik

From mposolda at redhat.com Wed Sep 6 09:46:17 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 6 Sep 2017 15:46:17 +0200
Subject: [keycloak-user] Fwd: LDAP Registration user sync
In-Reply-To:
References:
Message-ID:

Which LDAP vendor are you using? I guess that you need to configure the correct LDAP UUID Attribute in the Keycloak admin console. Unfortunately almost all LDAP vendors have something special here.

Marek

On 06/09/17 09:20, Kevin VAN DEN ELSHOUT wrote:
> Hi,
>
> I have an ldap user federation configured with sync registrations ON.
>
> Now when I register a new user, this user is synced to ldap but not saved into local DB (synced back from ldap).
>
> [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-21) LDAP User invalid. ID doesn't match. ID from LDAP [test at mailinator.com], LDAP ID from local DB: [ ]
>
> Any idea what I am doing wrong?
>
> CODE_TO_TOKEN_ERROR
> Error user_not_found
> Details
> grant_type authorization_code
> code_id 7ac8c3c7-c9d3-413a-bb83-401047925b92
> client_auth_method client-secret
>
> LOGIN
> auth_method openid-connect
> auth_type code
> redirect_uri ***/sso/login
> consent no_consent_required
> code_id 7ac8c3c7-c9d3-413a-bb83-401047925b92
> username ***
>
> REGISTER
> auth_method openid-connect
> auth_type code
> register_method form
> redirect_uri ***/sso/login
> code_id 7ac8c3c7-c9d3-413a-bb83-401047925b92
> email ***
> username ***
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kevin.vandenelshout at inbo.be Wed Sep 6 09:49:34 2017
From: kevin.vandenelshout at inbo.be (Kevin VAN DEN ELSHOUT)
Date: Wed, 06 Sep 2017 13:49:34 +0000
Subject: [keycloak-user] Fwd: LDAP Registration user sync

Hi,

We are using Active Directory. Strange thing is that if I login afterwards everything works as expected.

Kind regards,
Kevin

On Wed, Sep 6, 2017 at 3:46 PM Marek Posolda wrote:
> Which LDAP vendor are you using? I guess that you need to configure correct LDAP UUID Attribute in Keycloak admin console. Unfortunately almost all LDAP vendors have something special here.
>
> Marek

From fabian.eriksson at gi-de.com Wed Sep 6 10:06:06 2017
From: fabian.eriksson at gi-de.com (Eriksson Fabian)
Date: Wed, 6 Sep 2017 14:06:06 +0000
Subject: [keycloak-user] Release of version 3.3.0.Final
Message-ID: <361eac5986bb4e5ca2036c8eae769c9b@gi-de.com>

Hello!

We are in dire need of a bugfix that is included in the 3.3.0.Final version of Keycloak, could you give me a "guesstimation" of when this will be released? :)

BR
Fabian Eriksson

From john.d.ament at gmail.com Wed Sep 6 19:24:24 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 06 Sep 2017 23:24:24 +0000
Subject: [keycloak-user] Overriding Cookie Paths

Hi,

I noticed in OAuthRequestAuthenticator that the cookie path being set is null. From what I can tell, this means in most containers that if my first request is to /foo/bar/baz/bar, the path saved to the cookie is "/foo/bar/baz". This is typically not an issue, however I have a legacy app I'm trying to integrate with Keycloak, so the cookie state is very important. By setting the path to a low level, when I later access /foo/home.xhtml the cookie does not get populated (which causes a 400 bad request later on).

I'm wondering, does it make sense to add something to KeycloakDeployment that lists the cookie path, defaulting to null if it's not set?

John

From thomas.darimont at googlemail.com Thu Sep 7 05:09:26 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 7 Sep 2017 11:09:26 +0200
Subject: [keycloak-user] Failed account updates via REST API due to StaleStateException

Hello,

in the log [0] of our Keycloak [1] instances we see sporadic exceptions indicating that an account update operation (e.g. reset-password) failed, presumably due to an optimistic locking failure. The Keycloak server returns an HTTP 500 internal server error when that occurs. Looks like it is similar to KEYCLOAK-3296 [2].

The user did not do anything besides logging in and trying to change the password in the account application. Is this an indicator that our Infinispan clustering configuration is wrong?

We plan to upgrade to KC 3.3.0.Final once it is released, any chance that this will get rid of those exceptions?

Cheers,
Thomas

[1] 2.5.5.Final, standalone-ha, 2 instances behind load-balancer, clustering works fine for now
[2] https://issues.jboss.org/browse/KEYCLOAK-3296
[0] Log:

UT005023: Exception handling request to /auth/admin/realms/acme/users/xxxxxx-xxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxx/reset-password
StackTrace Exception:
org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
Caused by: org.keycloak.models.ModelException: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
Caused by: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
    at org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67)
    24 lines skipped for [org.hibernate, com.arjuna]
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
    at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:126)
    at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
    9 lines skipped for [javax.servlet, org.jboss]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

From sthorger at redhat.com Thu Sep 7 05:22:16 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Sep 2017 11:22:16 +0200
Subject: [keycloak-user] Release of version 3.3.0.Final
In-Reply-To: <361eac5986bb4e5ca2036c8eae769c9b@gi-de.com>
References: <361eac5986bb4e5ca2036c8eae769c9b@gi-de.com>

Whenever WildFly 11 Final is released

On 6 September 2017 at 16:06, Eriksson Fabian wrote:
> Hello!
>
> We are in dire need of a bugfix that is included in the 3.3.0.Final version of Keycloak, could you give me a "guesstimation" of when this will be released? :)
>
> BR
> Fabian Eriksson

From kuntalakrishna at gmail.com Thu Sep 7 06:03:29 2017
From: kuntalakrishna at gmail.com (Krishna Kuntala)
Date: Thu, 7 Sep 2017 11:03:29 +0100
Subject: [keycloak-user] User defined password policies

Thanks Marek for your inputs. I have successfully implemented #1, 2 & 4 now. I am not sure how I should proceed with the #3 requirement.

Thanks in advance.

Thanks and Regards,
Krishna Kuntala
Mob: +447550323307

On Mon, Sep 4, 2017 at 4:27 PM, Marek Posolda wrote:
> AFAIK 4 can be done through BruteForce protector. See the admin console brute force settings (it's in a different place than password policies).
>
> For 1,2,3 you would need to implement custom password policies. PasswordPolicy is an SPI, so you can add new providers to existing ones. See our documentation for SPI and providers and also the keycloak-examples distribution and especially the directory "providers".
>
> Marek
>
> On 01/09/17 15:26, Krishna Kuntala wrote:
>> We have following requirements w.r.t. password policies. I am not sure whether we would be able to add custom password policies. If yes, how to define custom policies?
>>
>> 1. Password max length should be 16
>> 2. Only allow 2 repeating characters
>> 3. Satisfy 3 out of 4 password criteria mentioned in "Authentication->Password Policy"
>> 4. Lock account for 1 hour after 3 failed login attempts
>>
>> Please let me know whether these requirements can be configured from the UI or do I need to implement some code to achieve this?
>>
>> Thanks and Regards,
>> Krishna Kuntala

From salaboy at gmail.com Thu Sep 7 06:14:19 2017
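As an added illustration (not Keycloak's code and not part of this thread), the three checks Krishna lists that Marek says need custom PasswordPolicy providers, modelled in Python: max length 16, no more than 2 consecutive repeats of a character (one reading of "only allow 2 repeating characters"; the thread does not define it), and the 3-of-4 composite over the four character-class policies assumed to be the ones under Authentication->Password Policy (uppercase, lowercase, digits, special characters). Keycloak's real SPI is Java; this models only the validation logic, each policy returning an error message or None in the spirit of a PolicyError.

```python
import re
from typing import Callable, List, Optional

# Each policy mirrors the shape of a password policy provider check:
# it returns an error message when the password violates the policy, else None.
Policy = Callable[[str], Optional[str]]


def max_length(limit: int) -> Policy:
    """Requirement #1: reject passwords longer than `limit` characters."""
    def check(password: str) -> Optional[str]:
        if len(password) > limit:
            return f"invalidPasswordMaxLength: at most {limit} characters allowed"
        return None
    return check


def max_repeating(limit: int) -> Policy:
    """Requirement #2, read as: no character may appear more than `limit`
    times in a row (assumption; "repeating" is not defined in the thread)."""
    def check(password: str) -> Optional[str]:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > limit:
                return f"invalidPasswordRepeating: '{cur}' repeats more than {limit} times in a row"
        return None
    return check


def _at_least(pattern: str, n: int, name: str) -> Policy:
    """Shared body of the four character-class policies."""
    regex = re.compile(pattern)
    def check(password: str) -> Optional[str]:
        if len(regex.findall(password)) < n:
            return f"invalidPassword{name}: at least {n} required"
        return None
    return check


# Assumed to correspond to the four built-in character-class policies.
def upper_case(n: int = 1) -> Policy:
    return _at_least(r"[A-Z]", n, "MinUpperCaseChars")

def lower_case(n: int = 1) -> Policy:
    return _at_least(r"[a-z]", n, "MinLowerCaseChars")

def digits(n: int = 1) -> Policy:
    return _at_least(r"[0-9]", n, "MinDigits")

def special_chars(n: int = 1) -> Policy:
    return _at_least(r"[^A-Za-z0-9]", n, "MinSpecialChars")


def n_of_m(required: int, policies: List[Policy]) -> Policy:
    """Requirement #3: accept when at least `required` of `policies` pass."""
    def check(password: str) -> Optional[str]:
        failures = [err for err in (p(password) for p in policies) if err]
        passed = len(policies) - len(failures)
        if passed < required:
            return (f"invalidPasswordComplexity: only {passed} of {len(policies)} "
                    f"character classes present, {required} required")
        return None
    return check


def validate(password: str, policies: List[Policy]) -> List[str]:
    """Run every configured policy; an empty list means the password is accepted."""
    return [err for err in (p(password) for p in policies) if err]


# The realm policy set the thread asks for (hypothetical configuration).
REALM_POLICIES: List[Policy] = [
    max_length(16),
    max_repeating(2),
    n_of_m(3, [upper_case(), lower_case(), digits(), special_chars()]),
]

if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "Passw0rd", "aaa1Bcd!", "abcdefghijklmnopq", "lowercase1only"):
        print(pw, "->", validate(pw, REALM_POLICIES) or "accepted")
```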
From: salaboy at gmail.com (Mauricio Salatino)
Date: Thu, 7 Sep 2017 11:14:19 +0100
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Hi everyone,

We are using Keycloak behind a gateway (Zuul) and we are having issues with Keycloak adapters not being able to validate the JWT token issued on behalf of an external client. Our gateway is forwarding all the X-FORWARDED-* headers correctly so the token is issued correctly, but the problem is that our adapters (in our services) contain the following configuration:

keycloak.auth-server-url=*:/auth*

Now the problem that we are facing is that the token will not be able to be validated by the adapter, because it was issued for the external IP and the adapter is pointing to the local IP, so the token validation fails.

I've seen several threads and JIRA issues about this problem without a clear solution and it sounds like the adapter's code can be easily extended to support this scenario. Now the question is where that information should live:
1) It can be set in the realm configuration so the adapter picks that up on start up and then uses that information for the token validation
2) It can be picked up by the service that is getting the external IP in the X-FORWARDED-* headers (this might cause a security issue ???)

We can provide the code for the solution but before we start coding we want to know what your opinions on the matter are and if this has been solved before.

Cheers
Mauricio

--
- MyJourney @ http://salaboy.com
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -

From salaboy at gmail.com Thu Sep 7 06:35:49 2017
From: salaboy at gmail.com (Mauricio Salatino)
Date: Thu, 7 Sep 2017 11:35:49 +0100
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Because I failed to mention that I'm using the Spring Boot Adapter, I'm wondering now if we need something like this: "auth-server-url-for-backend-requests"

-> https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-server-url-for-backend-requests&type=

Or if it was deprecated or not recommended to use.

On Thu, Sep 7, 2017 at 11:14 AM, Mauricio Salatino wrote:
> Hi everyone,
> We are using Keycloak behind a gateway (Zuul) and we are having issues with Keycloak adapters not being able to validate the JWT token issued on behalf of an external client. Our gateway is forwarding all the X-FORWARDED-* headers correctly so the token is issued correctly, but the problem is that our adapters (in our services) contain the following configuration:
>
> keycloak.auth-server-url=*:/auth*
>
> Now the problem that we are facing is that the token will not be able to be validated by the adapter, because it was issued for the external IP and the adapter is pointing to the local IP, so the token validation fails.
>
> I've seen several threads and JIRA issues about this problem without a clear solution and it sounds like the adapter's code can be easily extended to support this scenario. Now the question is where that information should live:
> 1) It can be set in the realm configuration so the adapter picks that up on start up and then uses that information for the token validation
> 2) It can be picked up by the service that is getting the external IP in the X-FORWARDED-* headers (this might cause a security issue ???)
>
> We can provide the code for the solution but before we start coding we want to know what your opinions on the matter are and if this has been solved before.
>
> Cheers
> Mauricio

--
- MyJourney @ http://salaboy.com
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -

From sblanc at redhat.com Thu Sep 7 08:42:26 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 7 Sep 2017 14:42:26 +0200
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Here is the discussion on why "auth-server-url-for-backend-requests" was removed: http://lists.jboss.org/pipermail/keycloak-dev/2016-March/006783.html

Can't you use a Reverse Proxy? TBH I don't master this subject enough and would like to hear the opinions from the community on this subject.

On Thu, Sep 7, 2017 at 12:35 PM, Mauricio Salatino wrote:
> Because I failed to mention that I'm using the Spring Boot Adapter, I'm wondering now if we need something like this: "auth-server-url-for-backend-requests"
>
> -> https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-server-url-for-backend-requests&type=
>
> Or if it was deprecated or not recommended to use.

From salaboy at gmail.com Thu Sep 7 09:53:19 2017
From: salaboy at gmail.com (Mauricio Salatino)
Date: Thu, 7 Sep 2017 14:53:19 +0100
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Sebastien, thanks a lot for the answer, regarding the discussion about removing "auth-server-url-for-backend-requests" I do understand why that was made.

The main problem that we are facing right now is that solving those issues with DNS will work for most of the cases but not for environments such as docker compose and minikube, where the token verification is done comparing Strings and those strings contain hosts and ports all together.

A good idea might be to add more flexibility to that verification, where we can compare that the host is the same but ports might be different. DNS resolution will work out the names but not the ports.

Regarding a Reverse proxy, we are looking into it.

On Thu, Sep 7, 2017 at 1:42 PM, Sebastien Blanc wrote:
> Here is the discussion on why "auth-server-url-for-backend-requests" was removed: http://lists.jboss.org/pipermail/keycloak-dev/2016-March/006783.html
>
> Can't you use a Reverse Proxy? TBH I don't master this subject enough and would like to hear the opinions from the community on this subject.

--
- MyJourney @ http://salaboy.com
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -

From salaboy at gmail.com Thu Sep 7 10:21:07 2017
From: salaboy at gmail.com (Mauricio Salatino)
Date: Thu, 7 Sep 2017 15:21:07 +0100
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

We are using a Reverse Proxy already.. I was checking that.. do we need something specifically from it? I want to understand what Keycloak is expecting from that reverse proxy.

Cheers

On Thu, Sep 7, 2017 at 2:53 PM, Mauricio Salatino wrote:
> Sebastien, thanks a lot for the answer, regarding the discussion about removing "auth-server-url-for-backend-requests" I do understand why that was made.
> The main problem that we are facing right now is that solving those issues with DNS will work for most of the cases but not for environments such as docker compose and minikube, where the token verification is done comparing Strings and those strings contain hosts and ports all together.
>
> A good idea might be to add more flexibility to that verification, where we can compare that the host is the same but ports might be different. DNS resolution will work out the names but not the ports.
>
> Regarding a Reverse proxy, we are looking into it.

--
- MyJourney @ http://salaboy.com
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -

From jimtyrrell at yahoo.com Thu Sep 7 19:38:25 2017
From: jimtyrrell at yahoo.com (Jim Tyrrell)
Date: Thu, 7 Sep 2017 23:38:25 +0000 (UTC)
Subject: [keycloak-user] Fought with and have a working .json file for tomcat, how do I use this to connect via java code
References: <9303087.5039144.1504827505333.ref@mail.yahoo.com>
Message-ID: <9303087.5039144.1504827505333@mail.yahoo.com>

Team,

None of the examples I have found show a way to init the Keycloak classes via the hard fought and created JSON file to be able to create users as documented at the attached link, is this really the way? Duplicate the configuration?

Some Keycloak client examples

Jim

From thomas_connolly at yahoo.com Thu Sep 7 20:17:09 2017
From: thomas_connolly at yahoo.com (Thomas Connolly)
Date: Fri, 8 Sep 2017 00:17:09 +0000 (UTC)
Subject: [keycloak-user] KC upgrade of Infinispan to 9.1.0?
References: <244512053.5094922.1504829829959.ref@mail.yahoo.com>
Message-ID: <244512053.5094922.1504829829959@mail.yahoo.com>

Hi All

Is there a plan to upgrade KC 3.X.X to Infinispan 9.1.x in the near future?

We're currently running a large KC cluster in a production environment. I would really like to add Infinispan health checks as outlined in the following article, initially to ensure that all servers are participating in the cluster.

    // org.infinispan.health.ClusterHealth, reached through the cache manager's Health API
    ClusterHealth clusterHealth = embeddedCacheManager.getHealth().getClusterHealth();
    clusterHealth.getNumberOfNodes();   // Those two methods allow to control if
    clusterHealth.getNodeNames();       // proper number of nodes joined the cluster

Example here: http://blog.infinispan.org/2017/03/checking-infinispan-cluster-health-and.html

We've had production issues, i.e. split brain, with the default UDP multicast due to running across multiple VLANs (sys admin errors).

Regards
Tom.

From kurrent93 at gmail.com Fri Sep 8 02:05:28 2017
From: kurrent93 at gmail.com (Anton)
Date: Fri, 8 Sep 2017 13:05:28 +0700
Subject: [keycloak-user] Examples of server that implements OIDC Protocol? Questions about Linking accounts

Hello

I'm looking to build an application (identity provider) that will have user accounts. Users should then be able to link their account to a parent account, and I would like to use Keycloak for this.

I have been reading http://www.keycloak.org/docs/3.1/server_development/topics/identity-brokering/account-linking.html and see that this is possible. I have a few questions. On the docs it says:

> The application must already be logged in as an existing user via the OIDC protocol

How does an application login as a user? Does this mean the user must be logged into the Identity provider application? Am I correct in assuming the Identity Provider application needs to implement the OIDC Protocol? Is this something Keycloak can do? Are there any examples of this?

Thanks and regards
Anton

From salaboy at gmail.com Fri Sep 8 04:00:00 2017
From: salaboy at gmail.com (Mauricio Salatino)
Date: Fri, 8 Sep 2017 09:00:00 +0100
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

After spending another day thinking about how this should work, I decided to post some other questions that might help us to get the conversation forward:

@Sebastien I will appreciate your feedback, I'm a complete newbie on this as well so no judgments will be emitted ;)

In the case that someone uses a gateway / reverse proxy in front of Keycloak:

a) Do we expect the token to be issued for the internal (DNS internal name) services only?

The only problem that we are facing when we do this is the Keycloak UI forms that point to the internal IP instead of the external. In order to fix this we will try to only forward the X-Forwarded-* headers when we call the UI forms. But all the token verification will be done with the internal host DNS name.

b) Or should the token be issued for the external issuer by using X-Forwarded-* headers?

For covering this case the problem is the configuration in the adapters, and I think that to solve that the "auth-server-url-for-backend-requests" was added and then removed.

While I understand how we can solve some of those issues with internal/external DNS name resolution, the token verification is too strict and it does a simple string comparison of the whole ISS which includes several things: http/s (protocol) + host (internal/external) + port (might be different internal/external). So even though we manage to resolve the host via DNS, the port and the protocol might still be a problem.

Also notice that because of this there are two unrelated things coupled together:
1) token verification
2) how to contact the Keycloak server

At least in my head this is calling for some extra flexibility on the configuration side.

I think that I've summarised most of the problems that everyone will have while trying to use a reverse proxy (like Zuul) and Keycloak, I might be missing something big here, so please advise.

On Thu, Sep 7, 2017 at 3:21 PM, Mauricio Salatino wrote:
> We are using a Reverse Proxy already.. I was checking that.. do we need something specifically from it? I want to understand what Keycloak is expecting from that reverse proxy.
>
> Cheers

--
- MyJourney @ http://salaboy.com
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -

From pcfleischer at outlook.com Fri Sep 8 05:00:27 2017
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Fri, 8 Sep 2017 09:00:27 +0000
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces
In-Reply-To:
References:
Message-ID:

One option would be to use a multi tenant setup so your applications can trust multiple issuer urls, in your case internal and external.

http://www.keycloak.org/docs/2.3/securing_apps_guide/topics/oidc/java/multi-tenancy.html

We're not using zuul but we do have multiple services behind load balancers and reverse proxies. In our situation we set up proxy address forwarding as below. All of the micro services use the public issuer URL as their authority and as token service for service accounts.

http://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html

Not sure if this helps.
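Mauricio's point above that the adapter compares the whole `iss` string (scheme, host and port together) and Phillip's suggestion of letting a service trust several issuer URLs, as an added example in Python that is not Keycloak's or the adapter's own code. It signs tokens with HS256 and a constructed shared secret instead of the realm's RS256 key so it runs offline; the issuer URLs, the secret and the function names (`mint_token`, `verify_token`, `check`) are all constructed.

```python
"""Exact-issuer check of an OIDC bearer-token adapter behind a reverse proxy.

Constructed example, not Keycloak's code. Tokens are HS256-signed with a
shared secret so everything runs offline; Keycloak signs with RS256 and the
adapter verifies against the realm's public key, but the issuer logic is the
same: `iss` is compared as a whole string against what the adapter expects.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"  # stands in for the realm signing key

# Issuer URLs as an adapter derives them from auth-server-url + realm (constructed).
INTERNAL_ISSUER = "http://keycloak:8080/auth/realms/demo"     # in-cluster DNS name
EXTERNAL_ISSUER = "https://sso.example.com/auth/realms/demo"  # as seen through the gateway


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str = "alice", ttl: int = 300, now=None) -> str:
    """Sign a minimal access token for the given issuer, as the realm would."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, trusted_issuers, now=None) -> dict:
    """Check signature and expiry, then require an exact `iss` match.

    `trusted_issuers` is static adapter configuration (one entry per
    auth-server-url the services may see, e.g. internal and external). It is
    deliberately not derived from the request's X-Forwarded-* headers: a
    caller-controlled header must never decide which issuer is trusted.
    Raises ValueError with the rejection reason.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")  # claims are untrusted before this point
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Whole-string comparison: scheme, host and port all have to agree.
    if claims.get("iss") not in set(trusted_issuers):
        raise ValueError(f"untrusted issuer {claims.get('iss')!r}")
    return claims


def check(token: str, trusted_issuers, now=None):
    """Return (accepted, reason) so the outcomes can be compared side by side."""
    try:
        verify_token(token, trusted_issuers, now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    external = mint_token(EXTERNAL_ISSUER, now=now)  # issued through the gateway
    internal = mint_token(INTERNAL_ISSUER, now=now)  # issued on the internal name
    both = [INTERNAL_ISSUER, EXTERNAL_ISSUER]

    # Single auth-server-url (the failing setup in the thread): only the internal issuer is trusted.
    print("single issuer, external token:", check(external, [INTERNAL_ISSUER], now))
    # Multi-tenant style configuration: the same service accepts both issuers.
    print("both issuers, external token: ", check(external, both, now))
    print("both issuers, internal token: ", check(internal, both, now))
    # Same host, different port: still rejected, which is the point made above.
    print("port differs:                 ", check(
        mint_token("http://keycloak:8443/auth/realms/demo", now=now), both, now))
    # Re-labelling the issuer without re-signing fails before `iss` is even looked at.
    head, _, sig = external.split(".")
    print("issuer claim swapped:         ", check(
        f"{head}.{internal.split('.')[1]}.{sig}", both, now))
```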

From eramondino at astrotel.biz Fri Sep 8 06:11:08 2017
From: eramondino at astrotel.biz (Elvira Ramondino)
Date: Fri, 8 Sep 2017 12:11:08 +0200
Subject: [keycloak-user] Configure fine-grained authorization with SAML.
Message-ID: <02c201d3288a$cc350120$649f0360$@astrotel.biz>

Hi,

I'm working on Keycloak 3.2 to realize an authentication and authorization system for client applications that use SAML.

I need to enable fine-grained authorization for a client application that uses the SAML protocol, but I have found this feature only with OIDC.

How can I configure and use fine-grained permissions also with SAML in Keycloak?

Thanks in advance.

From psilva at redhat.com Fri Sep 8 08:35:03 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 8 Sep 2017 09:35:03 -0300
Subject: [keycloak-user] Configure fine-grained authorization with SAML.
In-Reply-To: <02c201d3288a$cc350120$649f0360$@astrotel.biz>
References: <02c201d3288a$cc350120$649f0360$@astrotel.biz>
Message-ID:

Hello,

Right now only OIDC clients are supposed to use authorization services. But we are working to add support for SAML assertions in the future. Don't have a date when this will happen, initial scope is to get UMA 2.0 changes.

Regards.
Pedro Igor

From thomas.darimont at googlemail.com Fri Sep 8 08:48:00 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 8 Sep 2017 14:48:00 +0200
Subject: [keycloak-user] Blog post about cross-datacenter replication in Keycloak 3.3.CR1
Message-ID:

Hello,

in case you missed it (as I did...), there is an interesting blog post about cross-datacenter replication in Keycloak 3.3.CR1:
http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html

@keycloak-Team Would be great if you could drop a mail to the mailing list for articles like this :)

Cheers,
Thomas

From kuntalakrishna at gmail.com Fri Sep 8 11:44:12 2017
From: kuntalakrishna at gmail.com (Krishna Kuntala)
Date: Fri, 8 Sep 2017 16:44:12 +0100
Subject: [keycloak-user] Unable to update user account
Message-ID:

In realm settings, I have enabled email as username and registered a user. However, on the "/auth/realms/master/account" page, when I am trying to update any details of the user it's throwing an error "Please specify username."

Please note this is not displaying the username field on the page when I enable email as username. Is it some kind of a bug in keycloak 3.2.1?

Thanks and Regards,
Krishna Kuntala

From felix.straub at kaufland.com Fri Sep 8 11:47:59 2017
From: felix.straub at kaufland.com (felix.straub at kaufland.com)
Date: Fri, 8 Sep 2017 17:47:59 +0200
Subject: [keycloak-user] Question: Resource Owner Password Credentials Flow and Kerberos
Message-ID:

Hello together,

my question is whether there is a possibility to use the Kerberos config from keycloak while using the ROPC-Flow. Because in this flow you just send the credentials to keycloak and keycloak is validating them or authenticates them against an LDAP federation. So here keycloak can't use kerberos when the client is already sending his credentials, right?

Thank you for your answers.

Felix

Kind regards
Felix Straub
KIS-Ausbildung

From salaboy at gmail.com Sat Sep 9 04:47:30 2017
From: salaboy at gmail.com (Mauricio Salatino)
Date: Sat, 9 Sep 2017 09:47:30 +0100
Subject: [keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces
In-Reply-To:
References:
Message-ID:

Hi Phillip,

Yes I think it does. We discarded the idea of having Keycloak behind Zuul (Gateway); getting all the flows working in such a scenario was not simple, and it is maybe on purpose. Having the SSO server outside of the gateway definitely fixes our environment set up and simplifies a lot of things. This setup is currently working with Docker Compose, MiniKube and Kubernetes, so we are happy with that.

Thanks for all the input.

From cube_00 at hotmail.com Sun Sep 10 15:02:26 2017
From: cube_00 at hotmail.com (James .)
Date: Sun, 10 Sep 2017 19:02:26 +0000
Subject: [keycloak-user] Getting complete SAML assertion without using private modules
Message-ID:

Hello,

I'm using JBoss EAP 7.0.0 and I'm trying to access the complete SAML assertion XML.

I used org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil and org.keycloak.dom.saml.v2.assertion.AssertionType, however the classes were not being found so I had to create a jboss-deployment-structure.xml with modules org.keycloak.keycloak-saml-core-public and org.keycloak.keycloak-saml-core.

Full source is in https://github.com/TownCube/keycloak/blob/towncube-adfs/examples/saml/redirect-with-signature-adfs/src/main/webapp/index.jsp

However, in doing this I now have two warnings when I start the application:

WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.saml-redirect-signatures-adfs.war" is using a private module ("org.keycloak.keycloak-saml-core-public:main") which may be changed or removed in future versions without notice.
WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.saml-redirect-signatures-adfs.war" is using a private module ("org.keycloak.keycloak-saml-core:main") which may be changed or removed in future versions without notice.

Is there a better way to get the full assertion which doesn't require the use of private modules?

Thanks,
James.

From kdevouassoux at leadformance.com Sun Sep 10 16:08:46 2017
From: kdevouassoux at leadformance.com (Kilian DEVOUASSOUX)
Date: Sun, 10 Sep 2017 22:08:46 +0200
Subject: [keycloak-user] Adding properties during token generation
Message-ID:

Hello,

We are using Keycloak (v2.1.0.Final) in our micro-service architecture. We are currently facing a problem: we imagined adding dynamic properties on the go, into the JWT token, during its generation.

We already use mappers to put user attributes into the token for non dynamic properties. But we would like to avoid putting those dynamic properties into user attributes, or other cold data in Keycloak data models. We really want to avoid duplicating them in Keycloak. Those data are exposed by one of our APIs, and can be retrieved via a REST call.

Is there any mechanism which will allow us to do that?

Thanks in advance for any response.

Kilian D

From pieter at thehyve.nl Mon Sep 11 03:42:20 2017
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Mon, 11 Sep 2017 09:42:20 +0200
Subject: [keycloak-user] I disabled "master" realm...now I'm stuck
Message-ID:

I disabled "master" realm...now I'm stuck. I can't find any documentation that helps me out of this.

I already tried to enable it again, but because it is disabled it won't allow me to enable it again (!?):

running:

./kcadm.sh update realms/master -s enabled=true --user admin --password=admin --realm master

results in:

Logging into http://localhost:8080/auth as user admin of realm master
Realm not enabled [access_denied]

www.thehyve.nl
E pieter at thehyve.nl
T +31(0)30 700 9713
M +31(0)6 28 18 9540
Skype pieter.lukasse

We empower scientists by building on open source software

From thomas.darimont at googlemail.com Mon Sep 11 04:00:22 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 11 Sep 2017 10:00:22 +0200
Subject: [keycloak-user] I disabled "master" realm...now I'm stuck
In-Reply-To:
References:
Message-ID:

Hello,

if you have access to your database, you can enable the realm by setting the "enabled" value in the "realm" table to "true".

Cheers,
Thomas

From pieter at thehyve.nl Mon Sep 11 04:09:24 2017
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Mon, 11 Sep 2017 10:09:24 +0200
Subject: [keycloak-user] I disabled "master" realm...now I'm stuck
In-Reply-To:
References:
Message-ID:

Thanks Thomas. I'm afraid I'm a bit too new to keycloak, so I have some extra questions: which table should I look for? How can I connect to the DB (default H2 in my case)? Maybe some documentation I can start with? The current documentation is quite hard to search through...google will only direct to old pages (before it moved) and the documentation site does not have a good search option...

Thanks,

Pieter

PS: I had logged a ticket for this but it got closed...not sure why: https://issues.jboss.org/browse/KEYCLOAK-5436. I would argue that allowing one to disable the master realm in the admin pages is a bug since it can only be undone by changing things directly in the DB.

From jonathan.scheinmann at dxc.com Mon Sep 11 04:26:37 2017
From: jonathan.scheinmann at dxc.com (Scheinmann, Jonathan)
Date: Mon, 11 Sep 2017 08:26:37 +0000
Subject: [keycloak-user] invalid_code when redirecting back from identity provider
Message-ID:

When setting up a second keycloak as identity provider I am forwarded correctly to the identity provider and back to the initial keycloak instance. So far so good, but as soon as I am forwarded back to the initial instance I receive an error page with the following log entry:

06:42:40,715 WARN [org.keycloak.events] (default task-25) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=, clientId=null, userId=null, ipAddress=, error=invalid_code

It is not really clear what the error is in this case. It seems that the second keycloak instance (the id. provider) generates a wrong authorization code, which is not accepted by the first keycloak instance. But as a user I do not really see how I could change that behaviour. It is not really clear what to do with this error. Whatever is causing this error (which is obviously just a warning?), it has to be clearer.

I attached the screenshots of the first keycloak instance id. provider configuration and the client configuration in the second keycloak instance.

When using direct grant for the identity provider instance I can successfully fetch an access token. It is therefore no authorization issue itself (as I was successfully authenticated) but maybe rather related to the generation or parsing of the authorization code.

Environment:
Official docker image jboss/keycloak 3.3.0.CR1 for both instances

Steps to reproduce:
1. setup 2 keycloak instances whereas one instance acts as identity provider (with the options set similar to the screenshots attached)
1.1 Use /auth/realms/myrealm/.well-known/openid-configuration to export the client config of the identity provider to import it as identity provider configuration
2. create a user in the identity provider instance
3. call /auth/realms//protocol/openid-connect/auth?client_id=token-exchange&login=true&redirect_uri=&response_type=token&nonce=123 in the first keycloak instance and click on the identity provider button.
4. login with the user created

From thomas.darimont at googlemail.com Mon Sep 11 04:30:46 2017
From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 11 Sep 2017 10:30:46 +0200 Subject: [keycloak-user] I disabled "master" realm...now I'm stuck In-Reply-To: References: Message-ID: Hello Pieter, Note that it is (AFAIK) not recommended to use the h2 database in production. I'd recommend to use a dedicated postgresql database for storing keycloak configuration. However, here is what you can do to change the realm configuration stored in a h2 database: cd into your KEYCLOAK_HOME (e.g. /home/tom/dev/playground/keycloak/keycloak-3.3.0.CR1) Find the location of your h2 database files by looking into the configuration files, via: grep 'connection-url.*keycloak' standalone/configuration/*.xml You might see: jdbc:h2:${jboss.server.data.dir}/keycloak; This means that the h2 database is in a file in $KEYCLOAK_HOME/standalone/data, e.g. standalone/data/keycloak.mv.db Open a h2 database console: java -jar modules/system/layers/base/com/h2database/h2/main/h2-*.jar Browse to: http://127.0.1.1:8082 Use this as the jdbc URL: JDBC Url: jdbc:h2:/home/tom/dev/playground/keycloak/keycloak-3.3.0.CR1/standalone/data/keycloak User: sa Password: sa Click "connect". You should be able to update the realm table as described before. Note that you might need to stop keycloak before you can update the database. Cheers, Thomas 2017-09-11 10:09 GMT+02:00 Pieter Lukasse : > Thanks Thomas. I'm afraid I'm a bit too new to keycloak, so I have some > extra questions: which table should I look for? How can I connect to the DB > (default H2 in my case)? Maybe some documentation I can start with? The > current documentation is quite hard to search through...google will only > direct to old pages (before it moved) and the documentation site does not > have a good search option... > > Thanks, > > Pieter > > PS: I had logged a ticket for this but it got closed...not sure why: > https://issues.jboss.org/browse/KEYCLOAK-5436. 
I would argue that > allowing one to disable master realm in admin pages is a bug since it can > only be undone by changing things directly in DB. > > www.thehyve.nl > E pieter at thehyve.nl > T +31(0)30 700 9713 > M +31(0)6 28 18 9540 > Skype pieter.lukasse > > > We empower scientists by building on open source software > > 2017-09-11 10:00 GMT+02:00 Thomas Darimont >: > >> Hello, >> >> if you have access to your database, you can enable the realm >> by setting the "enabled" value in the "realm" table to "true". >> >> Cheers, >> Thomas >> >> 2017-09-11 9:42 GMT+02:00 Pieter Lukasse : >> >>> I disabled "master" realm...now I'm stuck. I can't find any documentation >>> that helps me out of this. >>> >>> I already tried to enable it again, but because it is disabled it won't >>> allow me to enable it again(!?): >>> >>> running: >>> >>> ./kcadm.sh update realms/master -s enabled=true --user admin >>> --password=admin --realm master >>> >>> results in: >>> >>> Logging into http://localhost:8080/auth as user admin of realm master >>> Realm not enabled [access_denied] >>> >>> >>> >>> >>> >>> >>> www.thehyve.nl >>> E pieter at thehyve.nl >>> T +31(0)30 700 9713 >>> M +31(0)6 28 18 9540 >>> Skype pieter.lukasse >>> >>> >>> We empower scientists by building on open source software >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From mposolda at redhat.com Mon Sep 11 04:39:25 2017 
From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Sep 2017 10:39:25 +0200 Subject: [keycloak-user] KC upgrade of Infinispan to 9.1.0? In-Reply-To: <244512053.5094922.1504829829959@mail.yahoo.com> References: <244512053.5094922.1504829829959.ref@mail.yahoo.com> <244512053.5094922.1504829829959@mail.yahoo.com> Message-ID: <5cefa061-50b7-e95f-2aed-d9bca790e69c@redhat.com> I'm afraid that we are tied to the infinispan version used by underlying Wildfly. Which is 8.2.8.Final in the Wildfly 11, currently used in latest Keycloak master. I think that you can monitor it with the usage of JMX at least. You can also add custom REST endpoints to Keycloak and do some health checks on your own according to what you need. Marek On 08/09/17 02:17, Thomas Connolly wrote: > Hi All > Is there a plan to upgrade KC 3.X.X to infinispan 9.1.x in the near future? > We're currently running a large KC cluster in a production environment. > I would really like to add infinispan health checks as outlined in the following article, initially to ensure that all servers are participating in the cluster. > embeddedCacheManager .getHealth() .getClusterHealth() .getNumberOfNodes() // Those two methods allow to control if .getNodeNames() // proper number of nodes joined the cluster > Example here...http://blog.infinispan.org/2017/03/checking-infinispan-cluster-health-and.html > We've had production issues, i.e. split brain, with the default udp multicast due to running across multiple vlans (sys admin errors). > Regards Tom. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Sep 11 04:41:28 2017 
From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Sep 2017 10:41:28 +0200 Subject: [keycloak-user] Blog post about cross-datacenter replication in Keycloak 3.3.CR1 In-Reply-To: References: Message-ID: <3ad96320-2bb8-9f52-e068-aec0517e6f6b@redhat.com> Yes maybe for a bit more important blog posts it makes sense to write an email too. Sorry for not doing it. Will try to be better next time :) Marek On 08/09/17 14:48, Thomas Darimont wrote: > Hello, > > in case you missed it (as I did...), there is an interesting blog post about > cross-datacenter replication in Keycloak 3.3.CR1 > http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html > > @keycloak-Team > Would be great if you could drop a mail to the mailing list for articles > like this :) > > Cheers, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Sep 11 04:58:49 2017 
From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Sep 2017 10:58:49 +0200 Subject: [keycloak-user] Question: Resource Owner Password Credentials Flow and Kerberos In-Reply-To: References: Message-ID: I have a JIRA opened for longer time to support Kerberos for Direct grants (Resource Owner Password Credentials) too. I think that it will need some helper code on client side to generate the value for "Authorization: Negotiate" HTTP header, which will need to be sent to Keycloak (browser is normally doing it in browser-based flows). Then separate Authenticator on server-side to handle the ticket. Note that we have Authentication SPI and you can set/reconfigure the authenticator for Direct Grant. So in theory nothing prevents you from already implementing this on your own (and possibly contributing to Keycloak :) Marek On 08/09/17 17:47, felix.straub at kaufland.com wrote: > > Hello together, > > my question is, if there is a possibility to use the Kerberos config from > keycloak while using the ROPC-Flow. > Because in this flow you just send the credentials to keycloak and keycloak > is validating them or authenticates them against an LDAP federation. > So here keycloak can't use kerberos when the client is already sending his > credentials right? > > Thank you for your answers. > > Felix > > Mit freundlichen Grüßen > Felix Straub > > KIS-Ausbildung > +49 7132 94 920297 > > Kaufland Informationssysteme GmbH & Co. KG > Postfach 12 53 - 74172 Neckarsulm > Kommanditgesellschaft > Sitz: Neckarsulm > Registergericht: Stuttgart HRA 104163 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From pieter at thehyve.nl Mon Sep 11 07:55:10 2017 
From: pieter at thehyve.nl (Pieter Lukasse) Date: Mon, 11 Sep 2017 13:55:10 +0200 Subject: [keycloak-user] I disabled "master" realm...now I'm stuck In-Reply-To: References: Message-ID: Thanks Thomas! Much appreciated. www.thehyve.nl E pieter at thehyve.nl T +31(0)30 700 9713 M +31(0)6 28 18 9540 Skype pieter.lukasse We empower scientists by building on open source software 2017-09-11 10:30 GMT+02:00 Thomas Darimont : > Hello Pieter, > > Note that it is (AFAIK) not recommended to use the h2 database in production. > I'd recommend to use a dedicated postgresql database for storing keycloak > configuration. > > However, here is what you can do to change the realm configuration > stored in a h2 database: > > cd into your KEYCLOAK_HOME (e.g. /home/tom/dev/playground/ > keycloak/keycloak-3.3.0.CR1) > > Find the location of your h2 database files by looking > into the configuration files, via: > grep 'connection-url.*keycloak' standalone/configuration/*.xml > > You might see: > jdbc:h2:${jboss.server.data.dir}/keycloak; > > This means that the h2 database is in a file in > $KEYCLOAK_HOME/standalone/data, e.g. standalone/data/keycloak.mv.db > > Open a h2 database console: > java -jar modules/system/layers/base/com/h2database/h2/main/h2-*.jar > Browse to: http://127.0.1.1:8082 > > Use this as the jdbc URL: > JDBC Url: jdbc:h2:/home/tom/dev/playground/keycloak/keycloak- > 3.3.0.CR1/standalone/data/keycloak > User: sa > Password: sa > > Click "connect". > > You should be able to update the realm table as described before. > Note that you might need to stop keycloak before you can update the > database. > > Cheers, > Thomas > > 2017-09-11 10:09 GMT+02:00 Pieter Lukasse : > >> Thanks Thomas. I'm afraid I'm a bit too new to keycloak, so I have some >> extra questions: which table should I look for? How can I connect to the DB >> (default H2 in my case)? Maybe some documentation I can start with? 
The >> current documentation is quite hard to search through...google will only >> direct to old pages (before it moved) and the documentation site does not >> have a good search option... >> >> Thanks, >> >> Pieter >> >> PS: I had logged a ticket for this but it got closed...not sure why: >> https://issues.jboss.org/browse/KEYCLOAK-5436. I would argue that >> allowing one to disable master realm in admin pages is a bug since it can >> only be undone by changing things directly in DB. >> >> www.thehyve.nl >> E pieter at thehyve.nl >> T +31(0)30 700 9713 >> M +31(0)6 28 18 9540 >> Skype pieter.lukasse >> >> >> We empower scientists by building on open source software >> >> 2017-09-11 10:00 GMT+02:00 Thomas Darimont > m>: >> >>> Hello, >>> >>> if you have access to your database, you can enable the realm >>> by setting the "enabled" value in the "realm" table to "true". >>> >>> Cheers, >>> Thomas >>> >>> 2017-09-11 9:42 GMT+02:00 Pieter Lukasse : >>> >>>> I disabled "master" realm...now I'm stuck. I can't find any >>>> documentation >>>> that helps me out of this. >>>> >>>> I already tried to enable it again, but because it is disabled it won't >>>> allow me to enable it again(!?): >>>> >>>> running: >>>> >>>> ./kcadm.sh update realms/master -s enabled=true --user admin >>>> --password=admin --realm master >>>> >>>> results in: >>>> >>>> Logging into http://localhost:8080/auth as user admin of realm master >>>> Realm not enabled [access_denied] >>>> >>>> >>>> >>>> >>>> >>>> >>>> www.thehyve.nl >>>> E pieter at thehyve.nl >>>> T +31(0)30 700 9713 >>>> M +31(0)6 28 18 9540 >>>> Skype pieter.lukasse >>>> >>>> >>>> We empower scientists by building on open source software >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From jdennis at redhat.com Mon Sep 11 10:38:31 2017 
From: jdennis at redhat.com (John Dennis) Date: Mon, 11 Sep 2017 10:38:31 -0400 Subject: [keycloak-user] Getting complete SAML assertion without using private modules In-Reply-To: References: Message-ID: <28175e03-0c68-6d09-0481-a26895ea7de4@redhat.com> On 09/10/2017 03:02 PM, James . wrote: > I'm using JBoss EAP 7.0.0 and I'm trying to access the complete SAML assertion XML. Why not use any one of the many SAML browser add-on's to view the assertion? You'll need to disable encryption if enabled. Plugins are available for Firefox and Chrome. This doc shows you how: https://jdennis.fedorapeople.org/doc/mellon-doc/mellon.html#inspect_saml_messages -- John From robert.parker at weareact.com Mon Sep 11 10:51:05 2017 
From: robert.parker at weareact.com (Robert Parker) Date: Mon, 11 Sep 2017 14:51:05 +0000 Subject: [keycloak-user] Nodejs adapter - session object not persisting redirect_uri Message-ID: Hi, I am trying to use the nodejs adapter with my express application and I am encountering issues when the adapter tries to exchange my user's authorization code for an access token. I have been debugging the calls made from the adapter library, and can see after the user has been authorised, an obtainFromCode function is invoked in the grant-manager module (keycloak-auth-utils\lib\grant-manager.js) and in particular there is the following line of code present: redirect_uri: request.session ? request.session.auth_redirect_uri : {} Adding a breakpoint to this, I can see a session object is present on the request object, but there is no auth_redirect_uri property present. This ends up sending an empty redirect_uri param in the POST request being made to my keycloak server, and I get back an invalid_code error. I can replicate the same behaviour if I make the requests using Postman, and can fix and get an access token back if I set to the correct redirect_uri as configured against my client in the keycloak admin portal. I can see in the initial request sent out when first authorising the user that this contains a redirect_uri query string param also. I have my node express application using a mongoDB session store (using express-session), so am using the same store when configuring keycloak with my express app instance. I followed the example in the keycloak-nodejs-connect library here Can anyone suggest what may be going on for me here, why this redirect_uri is not being set on the session object so it can be read in the nodejs adapter library? 
Thanks * Rob ________________________________ Robert Parker - Front End Developer Applied Card Technologies Ltd Cardiff Office 14 St Andrews Crescent Caerdydd Cardiff CF10 3DD +44 (0) 2922 331860 Robert.Parker at weareACT.com www.weareACT.com Registered in England : 04476799 ________________________________ The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales). The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd. The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary. [http://www.weareact.com/media/11610/email_footer_tree.gif]Please consider the environment before printing this email. ________________________________ From pablo.fernandez at cscs.ch Mon Sep 11 11:54:16 2017 
From: pablo.fernandez at cscs.ch (Pablo Fernandez) Date: Mon, 11 Sep 2017 17:54:16 +0200 Subject: [keycloak-user] Getting complete SAML assertion without using private modules In-Reply-To: <28175e03-0c68-6d09-0481-a26895ea7de4@redhat.com> References: <28175e03-0c68-6d09-0481-a26895ea7de4@redhat.com> Message-ID: <980f24e6-e09b-ab92-bf2c-da7d0a37e81b@cscs.ch> If you don't want to trust your private keys to some webpage or firefox module, you can try this command: $ xmlsec1 --decrypt --privkey-pem $KEYFILE $SAMLFILE | xmllint --format - Hope it helps! BR/Pablo On 11/09/17 16:38, John Dennis wrote: > On 09/10/2017 03:02 PM, James . wrote: >> I'm using JBoss EAP 7.0.0 and I'm trying to access the complete SAML assertion XML. > Why not use any one of the many SAML browser add-on's to view the > assertion? You'll need to disable encryption if enabled. Plugins are > available for Firefox and Chrome. This doc shows you how: > > https://jdennis.fedorapeople.org/doc/mellon-doc/mellon.html#inspect_saml_messages > From cube_00 at hotmail.com Mon Sep 11 12:05:31 2017 From: cube_00 at hotmail.com (James .) Date: Mon, 11 Sep 2017 16:05:31 +0000 Subject: [keycloak-user] Getting complete SAML assertion without using private modules In-Reply-To: <28175e03-0c68-6d09-0481-a26895ea7de4@redhat.com> References: , <28175e03-0c68-6d09-0481-a26895ea7de4@redhat.com> Message-ID: Hi John, Thanks for the reply. I was thinking about using a common audience and passing the token on to call additional services so I'm looking for access to the assertion within the application itself. James. ________________________________ 
From: John Dennis Sent: Tuesday, 12 September 2017 12:38 AM To: James .; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Getting complete SAML assertion without using private modules On 09/10/2017 03:02 PM, James . wrote: > I'm using JBoss EAP 7.0.0 and I'm trying to access the complete SAML assertion XML. Why not use any one of the many SAML browser add-on's to view the assertion? You'll need to disable encryption if enabled. Plugins are available for Firefox and Chrome. This doc shows you how: https://jdennis.fedorapeople.org/doc/mellon-doc/mellon.html#inspect_saml_messages -- John From llivezking at gmail.com Mon Sep 11 22:20:32 2017 From: llivezking at gmail.com (Ilya Korol) Date: Tue, 12 Sep 2017 12:20:32 +1000 Subject: [keycloak-user] DataBase connectivity requirements Message-ID: Hi. Recently we were trying to move Keycloak storage from H2 to Oracle on our test environment and faced some troubles. Our test DB instance is situated in a different office and is available over a VPN connection with ping about 200-400 ms. We made some preliminary actions (create schema, populate it with keycloak-update.sql ...). So during startup everything was ok except quite long db data initiation (master realm etc.). I successfully logged in as master realm admin. UI works with little freezes. The problem was when I tried to create a new realm. The page in the browser was showing loading, then the UI showed a timeout-error popup. A few seconds later I tried to create a new realm again and then got an Exception in the logs (something related to "transaction was rolled back"). It seems that that's all because of ping delays during DB requests. The "New REALM operation" is not a single composite DB request but is a sequence of small requests created by Hibernate. Am I right? So the question is: Are there any strong requirements on DB connectivity for Keycloak? Or maybe we can do some customization for adapting to this case? From llivezking at gmail.com Mon Sep 11 22:43:37 2017 
From: llivezking at gmail.com (Ilya Korol) Date: Tue, 12 Sep 2017 12:43:37 +1000 Subject: [keycloak-user] Password related features for federated users Message-ID: <541ff100-3b00-5e40-0e63-c984b89e2196@gmail.com> Hi. I've got some questions about enabling password-related features (policies, OTP ...) for users that come from UserStorageProviders. Currently we integrated a custom UserStorageProvider: - read-only - ability to update password via implementing CredentialUpdater - existing realm roles population to user during extraction from federated storage I've dug into keycloak sources and found out that some policies (password history for example) rely on a special SPI which holds persistent data for the mentioned features. So the question is: Is it possible to somehow utilize these features for federated users? Are there any examples? What about OTP for federated users? From forums.akurathi at gmail.com Mon Sep 11 23:28:31 2017 From: forums.akurathi at gmail.com (Eswara Akurathi) Date: Mon, 11 Sep 2017 23:28:31 -0400 Subject: [keycloak-user] OTP Policy updates not reflects at Google Authenticator Message-ID: Dear all, We are running into a weird problem i.e., updates to OTP policy do not reflect at the google authenticator app. We wonder if there are any special instructions needed to get this working. A sequence of steps : 1) create realm, create user 2) enable OTP 3) login with the newly created user 4) system asks you to configure OTP 5) update OTP policy such as number of digits from 6 to 8 6) try login again 7) system asks you to enter OTP but authentication fails We expect the system should route the user to the configure OTP page rather than prompting to enter OTP which anyway fails. Your response is highly appreciated !!! Thanks in advance Regards Krishna Kumar Akurathi From psilva at redhat.com Tue Sep 12 12:04:44 2017 
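The OTP policy thread above (digits changed from 6 to 8, existing authenticator enrolments then fail) is explained by how TOTP works: the authenticator app was enrolled with digits=6 baked into its otpauth URI, while the server now verifies against digits=8, so the two sides truncate the same HMAC to different codes. The following is an added example written for this archive, not code from Keycloak or from the posters; it implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library, checks it against the RFC 6238 SHA-1 test vector (secret "12345678901234567890", time 59), and shows the policy mismatch as a failed verification. The function and variable names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret (ASCII); real deployments use a random per-user secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, period: int = 30,
         at: Optional[int] = None, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // period."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // period, digits, algorithm)


def verify(code: str, secret: bytes, digits: int = 6, period: int = 30,
           look_around: int = 1, at: Optional[int] = None, algorithm: str = "sha1") -> bool:
    """Server-side check the way an OTP policy drives it: digits, period, algorithm and the
    allowed clock drift (look_around periods either side) all come from the policy, not from
    the submitted code. A code of the wrong length is rejected before any HMAC is computed."""
    if len(code) != digits or not code.isdigit():
        return False
    now = int(time.time()) if at is None else at
    counter = now // period
    for c in range(counter - look_around, counter + look_around + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


def policy_change_outcome(secret: bytes, at: int) -> dict:
    """Reproduces the thread's scenario: the app was enrolled with digits=6, the server policy
    is later changed to digits=8. Returns what the app shows and whether the server accepts it,
    before and after the user re-enrols (i.e. the app is reconfigured with the new policy)."""
    app_code_old_enrolment = totp(secret, digits=6, at=at)
    app_code_after_reenrol = totp(secret, digits=8, at=at)
    return {
        "app_shows": app_code_old_enrolment,
        "accepted_under_8_digit_policy": verify(app_code_old_enrolment, secret, digits=8, at=at),
        "accepted_after_reenrol": verify(app_code_after_reenrol, secret, digits=8, at=at),
    }


if __name__ == "__main__":
    print(policy_change_outcome(RFC_SECRET, at=59))
```

The verifier rejects the 6-digit code outright because the policy says 8 digits; it does not try to "upgrade" the code, which is why the user in the thread sees a plain authentication failure rather than a re-configuration prompt. Operationally, a digits or algorithm change in the OTP policy therefore requires existing OTP credentials to be re-enrolled.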
From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 12 Sep 2017 13:04:44 -0300 Subject: [keycloak-user] Please suggest [keycloak help] In-Reply-To: References: Message-ID: Marek is probably the best person to answer your questions :) On Tue, Sep 12, 2017 at 11:24 AM, Priyadarshan Cindula < priyadarshan.cindula at qolsys.com> wrote: > > Hi Silva, > > > Please suggest us how to do session replication or failover mechanism for > our domain cluster setup of keycloak. > > > Its highly urgent. > > > Please help. > > > Also for the users forum: > > > Anyone let us know the following things: > > > > 1) We have domain cluster setup - master and slaves - all sharing a > master DB postgresql > > 2) Can we have session replication strategies that will work if any slave > is down and session continuation shall happen > > 3) Can we know about how to handle session management dynamically > > > > Thanks and Regards, > > > Priyadarshan > From jasonspittel at yahoo.com Tue Sep 12 16:34:08 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Tue, 12 Sep 2017 20:34:08 +0000 (UTC) Subject: [keycloak-user] Keycloak as an Identity Broker Encrypting SAML Assertions References: <1181929836.693960.1505248448687.ref@mail.yahoo.com> Message-ID: <1181929836.693960.1505248448687@mail.yahoo.com> Hello, I'm trying to integrate with InCommon federation, using Keycloak as an Identity Broker. Workflow is JEE app <--> Keycloak Broker <--> InCommon IdP. The problem is that InCommon requires SAML Assertion Encrypting. As far as I can see, in the Keycloak IdP setup, I can only set the signing for document. Looking at this SPSSODescriptor from Keycloak: ? ?? ? ? ? ASDFASDFASDF? ? ? ? ?? ? ? ? ? ? ? qwerqwerqwer? ? ? ? ? ? ........ The KeyDescriptor is not for 'signing' and not for 'encrypting'. How do I set that flag? Thanks, Jason From hari.mailvaganam at ubc.ca Tue Sep 12 18:09:17 2017 
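Jason's question above turns on the `use` attribute of `md:KeyDescriptor` in the SP metadata Keycloak exports. Per the SAML 2.0 metadata specification the attribute is optional, and a KeyDescriptor without it advertises the key for both signing and encryption, so a descriptor with no `use` is not by itself a reason for a partner IdP to refuse encryption, but some federations expect an explicit `use="encryption"` entry (optionally with `md:EncryptionMethod` children). The following is an added example for this archive, not Keycloak code, that parses SP metadata with the standard library and reports what each KeyDescriptor advertises; the two metadata documents are constructed here, with placeholder certificate values modelled on the ones in the post.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed SP metadata with a single KeyDescriptor and no "use" attribute
# (the shape described in the post; certificate content is a placeholder).
SP_METADATA_IMPLICIT = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ASDFASDFASDF</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata with separate, explicitly labelled signing and encryption keys.
SP_METADATA_EXPLICIT = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ASDFASDFASDF</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>qwerqwerqwer</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptors(metadata_xml: str) -> List[Dict[str, object]]:
    """Return one record per md:KeyDescriptor: its declared use (None = both, per the
    metadata spec), the certificate text, and any EncryptionMethod algorithms."""
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS}}}X509Certificate")
        records.append({
            "use": kd.get("use"),
            "cert": (cert.text or "").strip() if cert is not None else None,
            "encryption_methods": [em.get("Algorithm") for em in kd.findall(f"{{{MD}}}EncryptionMethod")],
        })
    return records


def can_receive_encrypted_assertions(metadata_xml: str) -> bool:
    """True if some key is usable for encryption: use="encryption" or no use attribute at all."""
    return any(r["use"] in (None, "encryption") and r["cert"] for r in key_descriptors(metadata_xml))


def has_explicit_encryption_key(metadata_xml: str) -> bool:
    """True only when a KeyDescriptor is explicitly labelled use="encryption" (what some
    federations require to see before they will encrypt assertions to the SP)."""
    return any(r["use"] == "encryption" for r in key_descriptors(metadata_xml))


def encryption_cert(metadata_xml: str) -> Optional[str]:
    """The certificate an IdP would encrypt to, preferring an explicit encryption key."""
    records = key_descriptors(metadata_xml)
    for r in records:
        if r["use"] == "encryption":
            return r["cert"]
    for r in records:
        if r["use"] is None:
            return r["cert"]
    return None
```

Run against the metadata an SP actually publishes, `has_explicit_encryption_key` is the check to make before registering with a federation that insists on a labelled encryption key, and `encryption_cert` confirms which certificate (and so which private key on the SP side) the IdP will use.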
From: hari.mailvaganam at ubc.ca (Mailvaganam, Hari) Date: Tue, 12 Sep 2017 22:09:17 +0000 Subject: [keycloak-user] Consent Page -- OIDC/OAuth2 Message-ID: <9894ACE8-D23D-4CB4-97A5-8A3A9B887BDA@mail.ubc.ca> Hi List: Have a bit of flow question --- hopefully succinctly described below. Workflow: Triggered by 3rd party application (Service Provider) --- User will be authenticating via KeyCloak ---- and consent page displayed with list of attributes to be released to Service Provider (however, the data is served by API on another application --- MuleSoft). Question: Can KeyCloak generate consent page --- with list of attributes ? based on APIs that the Service Provider has access on MuleSoft (APIs protected by KeyCloak's OAuth2)? Best regards, Hari From thorsten315 at gmx.de Tue Sep 12 18:21:09 2017 From: thorsten315 at gmx.de (Thorsten) Date: Wed, 13 Sep 2017 00:21:09 +0200 Subject: [keycloak-user] Externally triggered impersonation Message-ID: Hi there, I have an application (Angular 4 UI + Spring Boot Backend) where I would like to implement user impersonation without going through the Keycloak console. Ideally the power user with the proper impersonation permissions can click a button in the app and then a new windows is being opened in the same application but with the user to impersonate logged in. Is there any example on how to do this or can somebody outline how this would be possible? Thanks, Thorsten From ylevine20 at gmail.com Tue Sep 12 20:59:26 2017 From: ylevine20 at gmail.com (Y Levine) Date: Tue, 12 Sep 2017 17:59:26 -0700 Subject: [keycloak-user] KeyCloak as an OIDC Message-ID: I have read http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/oidc-overview.html I may have misread as it appears to list connectors to KeyCloak's OIDC ....but how do we configure KeyCloak to be the OIDC IdP? From sthorger at redhat.com Tue Sep 12 23:41:03 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 12 Sep 2017 20:41:03 -0700 Subject: [keycloak-user] KeyCloak as an OIDC In-Reply-To: References: Message-ID: What are you actually trying to do? Keycloak is an OIDC IDP On 12 September 2017 at 17:59, Y Levine wrote: > I have read > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/ > oidc-overview.html > > I may have misread as it appears to list connectors to KeyCloak's OIDC > ....but how do we configure KeyCloak to be the OIDC IdP? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From marian.rainer-harbach at apa.at Wed Sep 13 03:36:06 2017 
From: marian.rainer-harbach at apa.at (Rainer-Harbach Marian) Date: Wed, 13 Sep 2017 09:36:06 +0200 Subject: [keycloak-user] Creating a federated user via REST API creates an incorrect entry in the CREDENTIAL table Message-ID: <864f962d-0bb5-4f07-066b-36ff22f89d1e@apa.at> Hi everyone, about two weeks ago I stumbled upon a phenomenon which I believe to be a bug in Keycloak. The error occurs when creating a new user via the REST API in a realm configured with LDAP user federation: The user is created in LDAP, but without a password -- instead, Keycloak creates an entry for the user in its internal CREDENTIAL database table. When the user later changes their password, Keycloak writes the new password to LDAP, but keeps the old entry in the CREDENTIAL table. The user can then still only login with the old password. I created a Jira ticket for this problem: https://issues.jboss.org/browse/KEYCLOAK-5383 It would be very helpful to us if someone could check if they can reproduce the problem (maybe we are doing something wrong?) and if it's indeed a bug in Keycloak to give an estimate when it might be fixed. The bug is a blocker in our project to deploy Keycloak for about 100k users. Thanks, Marian From jfherouard.almerys at gmail.com Wed Sep 13 05:01:37 2017 
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD) Date: Wed, 13 Sep 2017 11:01:37 +0200 Subject: [keycloak-user] Adding an attribute "context" to org.keycloak.representations.idm.authorization.Permission Message-ID: Hi, I'm quite new to keycloak and not sure if it is a keycloak-user or keycloak-dev question, please route to the right place if somebody knows. It is about the authz part of Keycloak. Our security policy includes a concept of "context" for a permission scope. It is a String that should be evaluated by the resource owner application, it can be a time restriction, or a rule applying on a business bean (eg invoice.amount < 1000), or some other global situation (eg env.emergency == true). Current implementation uses a SpringEL expression to evaluate the permission context. It allows to model quite complex security policies using few rules. Somewhat in an ABAC way, but Keycloak is only responsible to distribute user permission with allowed resource and scope, resource owner is responsible to evaluate the context of the scope to allow the user to do an action. I have a Keycloak server plugin that adds a PolicyProviderFactory and PolicyProvider, and stores the context for the scopes. I have an extended keycloak-spring-security-adapter which can evaluate SpringEL contexts when SpringSecurity evaluates permissions. The problem is how the context string can be sent from my policy plugin to the keycloak authz client ? Without modifying too much Keycloak code, the Permission class is used in many different places, but currently I see no other way. Any ideas ? Thanks. From pieter at thehyve.nl Wed Sep 13 07:32:24 2017 
From: pieter at thehyve.nl (Pieter Lukasse) Date: Wed, 13 Sep 2017 13:32:24 +0200 Subject: [keycloak-user] Logout error ("Success" + HTTP 500!?) Message-ID: Hi, I am currently getting a strange error when trying to logout from my application. The logout request is as follows (HTTP 200 code): <*saml2p:LogoutRequest* xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8081/auth/realms/test/protocol/saml" ID="a370b54ee2i7g6j9275jbg40185b154" IssueInstant="2017-09-13T11:22:04.100Z" Version="2.0" > cbioportal nKZrPGrsLZeR6xSgg0+xQ3dCg90= .... .... pieter at thehyve.nl 2ce54b83-67c1-40fd-850d-947b29c721be Which is replied with (HTTP 500 code!?): http://localhost:8081/auth/realms/test HMgEFe5f6mGdIlCwg8BRHif4JW8k7MLs+5V8j9BUwuE= ... Yp3AF_Lz-EdxjwDdCJGk3dmvU9ZsWQE3SfV8pdT9OOQ ... ... ... So the reply states "Success" while at the same time it returns HTTP 500 (Internal Server Error). Is this a known bug? Or am I doing something wrong? This is the log on the server side: 13:21:19,378 WARN [org.keycloak.protocol.saml.SamlService] (default task-13) Unknown saml response. 13:21:19,380 WARN [org.keycloak.events] (default task-13) type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token 13:22:04,205 WARN [org.keycloak.protocol.saml.SamlService] (default task-20) Unknown saml response. 13:22:04,206 WARN [org.keycloak.events] (default task-20) type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token Thanks, Pieter www.thehyve.nl We empower scientists by building on open source software From pieter at thehyve.nl Wed Sep 13 07:50:24 2017 
From: pieter at thehyve.nl (Pieter Lukasse) Date: Wed, 13 Sep 2017 13:50:24 +0200 Subject: [keycloak-user] Logout error ("Success" + HTTP 500!?) In-Reply-To: References: Message-ID: Found a solution by setting the Logout Service POST Binding URL ( to http://localhost:8080/cbioportal/saml/logout in my case): [image: image] www.thehyve.nl E pieter at thehyve.nl T +31(0)30 700 9713 M +31(0)6 28 18 9540 Skype pieter.lukasse We empower scientists by building on open source software 2017-09-13 13:32 GMT+02:00 Pieter Lukasse : > Hi, > > I am currently getting a strange error when trying logout from my > application. The logout request is as follows (HTTP 200 code): > > <*saml2p:LogoutRequest* xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > Destination="http://localhost:8081/auth/realms/test/protocol/saml" > ID="a370b54ee2i7g6j9275jbg40185b154" > IssueInstant="2017-09-13T11:22:04.100Z" > Version="2.0" > > > cbioportal > > > > > > > > > > > nKZrPGrsLZeR6xSgg0+xQ3dCg90= > > > .... > > .... > > > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" > >pieter at thehyve.nl > 2ce54b83-67c1-40fd-850d-947b29c721be > > > > Which is replied with (HTTP 500 code!?): > > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" > Destination="http://localhost:8081/auth/realms/test/protocol/saml" > ID="ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98" > InResponseTo="a370b54ee2i7g6j9275jbg40185b154" > IssueInstant="2017-09-13T11:22:04.156Z" > Version="2.0" > > > http://localhost:8081/auth/realms/test > > > > > > > > > > > HMgEFe5f6mGdIlCwg8BRHif4JW8k7MLs+5V8j9BUwuE= > > > ... > > Yp3AF_Lz-EdxjwDdCJGk3dmvU9ZsWQE3SfV8pdT9OOQ > > ... > > > > ... > ... > > > > > > > > > So the reply states "Success" while at the same time it returns HTTP 500 (Internal Server Error). Is this a known bug? Or am I doing something wrong? > > This is the log on the server side: > > > 13:21:19,378 WARN [org.keycloak.protocol.saml.SamlService] (default task-13) Unknown saml response. 
> 13:21:19,380 WARN [org.keycloak.events] (default task-13) type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token > 13:22:04,205 WARN [org.keycloak.protocol.saml.SamlService] (default task-20) Unknown saml response. > 13:22:04,206 WARN [org.keycloak.events] (default task-20) type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token > > > Thanks, > > PIeter > > www.thehyve.nl > > > > We empower scientists by building on open source software > From gaetancollaud at gmail.com Wed Sep 13 07:53:56 2017 
From: gaetancollaud at gmail.com (Gaétan Collaud) Date: Wed, 13 Sep 2017 11:53:56 +0000 Subject: [keycloak-user] Issue with public client and javascript adapter Message-ID: Hi, I'm unable to connect to my public client using the javascript adapter. I configured a public client (access-type=public). I used the customer-app-js demo template. When I try to use my public client, I'm redirected to the login page, nothing wrong with that. Then when I'm back to the js app I receive an HTTP 400 bad request on this call: /auth/realms/PortalRealm/protocol/openid-connect/token. The content is: {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"} In the logs I can see: vpdev-keycloak | 11:50:00,767 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-60) AUTHENTICATE CLIENT vpdev-keycloak | 11:50:00,767 TRACE [org.keycloak.authentication.ClientAuthenticationFlow] (default task-60) Using executions for client authentication: [424c67b0-60b3-4063-a1b7-7ae7cbd4c90a, 6ec7a8eb-6fa2-4307-8f70-fbc845205210] vpdev-keycloak | 11:50:00,767 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-60) client authenticator: client-secret vpdev-keycloak | 11:50:00,767 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-60) client authenticator: client-jwt vpdev-keycloak | 11:50:00,768 WARN [org.keycloak.events] (default task-60) type=CODE_TO_TOKEN_ERROR, realmId=ea8dbfe4-21c1-4af5-8ec0-488317b62ccf, clientId=morphean-public, userId=null, ipAddress=172.19.0.4, error=invalid_client_credentials, grant_type=authorization_code I searched for this CODE_TO_TOKEN_ERROR message on the web but no luck so far. Has somebody experienced the same issue? Am I missing something? I use Keycloak 3.2.1-FINAL.
Best regards, Gaetan PS: I tried with a confidential client and it works, but it says everywhere that the secret should be kept hidden (this is why I wanted to use a public client). From psilva at redhat.com Wed Sep 13 08:08:00 2017
From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 13 Sep 2017 09:08:00 -0300 Subject: [keycloak-user] Adding an attribute "context" to org.keycloak.representations.idm.authorization.Permission In-Reply-To: References: Message-ID: Hello, So, what you did was create a new policy provider that can be used to specify some attribute that must be satisfied and checked by the adapter when enforcing permissions granted by this policy? I guess we'll need to push this information somehow to the permission. Maybe we can change the SPI to allow developers to push additional data to permissions after evaluating and granting a permission. On Wed, Sep 13, 2017 at 6:01 AM, Jean-François HEROUARD < jfherouard.almerys at gmail.com> wrote: > Hi, > > I'm quite new to keycloak and not sure if it is a keycloak-user or > keycloak-dev question, please route to the right place if somebody knows. > It is about the authz part of Keycloak. > > Our security policy includes a concept of "context" for a permission scope. > It is a String that should be evaluated by the resource owner application, > it can be a time restriction, or a rule applying on a business bean (eg > invoice.amount < 1000), or some other global situation (eg env.emergency == > true). Current implementation uses a SpringEL expression to evaluate the > permission context. It allows modelling quite complex security policies > using few rules. Somewhat in an ABAC way, but Keycloak is only responsible > to distribute user permission with allowed resource and scope, resource > owner is responsible to evaluate the context of the scope to allow the user > to do an action. > > I have a Keycloak server plugin that adds a PolicyProviderFactory and > PolicyProvider, and stores the context for the scopes. > > I have an extended keycloak-spring-security-adapter which can evaluate > SpringEL contexts when SpringSecurity evaluates permissions.
> > The problem is how the context string can be sent from my policy plugin to > the keycloak authz client? Without modifying too much Keycloak code, the > Permission class is used in many different places, but currently I see no > other way. Any ideas? > > Thanks. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From glavoie at gmail.com Wed Sep 13 09:59:44 2017
From: glavoie at gmail.com (Gabriel Lavoie) Date: Wed, 13 Sep 2017 09:59:44 -0400 Subject: [keycloak-user] Externally triggered impersonation In-Reply-To: References: Message-ID: Hi Thorsten, Does your application internally have identifiers/information about its users? Can you list them through it? We've implemented this using a custom Spring Authentication object (called SwitchUserAuthentication) in which we keep the original Authentication object of the Spring security context, then we replace the Authentication object of the security context with it. That way, the application knows that a user is authenticated in an impersonated way and we can log actions accordingly. This doesn't work though if you need to do remote API calls using impersonated OAuth2 access tokens. I haven't seen anything yet allowing this in Keycloak. Gabriel 2017-09-12 18:21 GMT-04:00 Thorsten : > Hi there, > > I have an application (Angular 4 UI + Spring Boot Backend) where I would > like to implement user impersonation without going through the Keycloak > console. > > Ideally the power user with the proper impersonation permissions can click > a button in the app and then a new windows is being opened in the same > application but with the user to impersonate logged in. > > Is there any example on how to do this or can somebody outline how this > would be possible? > > Thanks, > > Thorsten > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Gabriel Lavoie glavoie at gmail.com From bburke at redhat.com Wed Sep 13 10:58:39 2017
From: bburke at redhat.com (Bill Burke) Date: Wed, 13 Sep 2017 10:58:39 -0400 Subject: [keycloak-user] Externally triggered impersonation In-Reply-To: References: Message-ID: You mean you want to be able to obtain a token for a different user. We don't support this, although I'm considering doing this now with the token exchange work I'm doing. On Tue, Sep 12, 2017 at 6:21 PM, Thorsten wrote: > Hi there, > > I have an application (Angular 4 UI + Spring Boot Backend) where I would > like to implement user impersonation without going through the Keycloak > console. > > Ideally the power user with the proper impersonation permissions can click > a button in the app and then a new windows is being opened in the same > application but with the user to impersonate logged in. > > Is there any example on how to do this or can somebody outline how this > would be possible? > > Thanks, > > Thorsten > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke Red Hat From thorsten315 at gmx.de Wed Sep 13 12:15:30 2017
From: thorsten315 at gmx.de (Thorsten) Date: Wed, 13 Sep 2017 18:15:30 +0200 Subject: [keycloak-user] Externally triggered impersonation In-Reply-To: References: Message-ID: Yes, the goal would be to replace the current flow of impersonation that requires a user to actually go to the Keycloak console and press the "Impersonate" button. Doing this will open a new account management window where the user - now impersonating the target user - can click on an app link to use the app as the impersonated user. So this is a very common requirement for most apps I have worked on and its great that KC provides an out of the box solution for this. But it would be really awesome if the same goal - an impersonated token - could be done without the need to hit the KC console at all. Bonus points if the impersonated token contains information that would indicate that this is an impersonated token. If that would be possible with the token exchange you are working on then perfect! Thanks 2017-09-13 16:58 GMT+02:00 Bill Burke : > You mean you want to be able to obtain a token for a different user. > We don't support this, although I'm considering do this now with the > token exchange work I'm doing. > > On Tue, Sep 12, 2017 at 6:21 PM, Thorsten wrote: > > Hi there, > > > > I have an application (Angular 4 UI + Spring Boot Backend) where I would > > like to implement user impersonation without going through the Keycloak > > console. > > > > Ideally the power user with the proper impersonation permissions can > click > > a button in the app and then a new windows is being opened in the same > > application but with the user to impersonate logged in. > > > > Is there any example on how to do this or can somebody outline how this > > would be possible? 
> > > > Thanks, > > > > Thorsten > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > Red Hat > From jasonspittel at yahoo.com Wed Sep 13 13:13:50 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Wed, 13 Sep 2017 17:13:50 +0000 (UTC) Subject: [keycloak-user] Quickstart for SAML JEE JSP with EJBs? References: <2105282229.1389054.1505322830701.ref@mail.yahoo.com> Message-ID: <2105282229.1389054.1505322830701@mail.yahoo.com> Hi All, There doesn't seem to be a quickstart for JEE JSP with EJBs. I made one, would that be useful to make a pull request for? It's basically just the app-profile-saml-jee-jsp one but with an EJB added with all the dependencies needed on the pom.xml. Is this something that the keycloak team would actually want? Jason From kurrent93 at gmail.com Wed Sep 13 18:15:14 2017
From: kurrent93 at gmail.com (Anton) Date: Thu, 14 Sep 2017 10:15:14 +1200 Subject: [keycloak-user] KeyCloak as an OIDC In-Reply-To: References: Message-ID: I'm also interested in this. If I understand the OP's question correctly, he wants to know how to be an Identity Provider that supports the OIDC Protocol. For example - in the section on User initiated linked accounts - the example is that the user links their Facebook account. How to create an equivalent, OIDC-ly speaking, of Facebook? On 13 September 2017 at 15:41, Stian Thorgersen wrote: > What are you actually trying to do? Keycloak is an OIDC IDP > > On 12 September 2017 at 17:59, Y Levine wrote: > > > I have read > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/ > > oidc-overview.html > > > > I may have misread as it appears to list connectors to KeyCloak's OIDC > > ....but how do we configure KeyCloak to be the OIDC IdP? > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From klchan.kalam at gmail.com Wed Sep 13 22:37:10 2017
From: klchan.kalam at gmail.com (Ka Lam Chan) Date: Thu, 14 Sep 2017 10:37:10 +0800 Subject: [keycloak-user] Keycloak - Token access for external customer server Message-ID: Hi all I am new to Keycloak SSO, and have been trying to setup a POC for a simple microservice environment: user -> public client 1 -> service 1 user -> public client 2 -> service 1 public client 1, 2 and service 1 are all Keycloak clients, service 1 is bearer only. They are all spring boot with Keycloak-spring-boot-starter and all user info, attributes and roles/auth comes from Keycloak and spring use these roles/auth to perform @PreAuthorize and path access control. Now I want to introduce a new path, public client 3, for non browser API access by my customers: customer server -> public client 3 -> service 1 My questions: - Should customer server get token from Keycloak with client_credentials grant, then access public client 3 with token? ie customer server is a client on Keycloak. - if no: Is Keycloak the right technology to use here, for granting token of API access? what are the alternatives? - if yes: I find Keycloak will create a temporary user, called 'service-account-public client 3' and email 'service-account-public client 3 at placeholder.org'. This user is deleted after session expired. As I use email address for spring jpa audit, is there a way to change these default attributes? Regards KL From sblanc at redhat.com Thu Sep 14 05:16:46 2017 
From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 14 Sep 2017 11:16:46 +0200 Subject: [keycloak-user] KeyCloak as an OIDC In-Reply-To: References: Message-ID: As Stian said , KC is already a OIDC Idp, nothing to do here. Once your realm has been created, you can see the OIDC endpoints here : /auth/realms/your_realm/.well-known/openid-configuration Or was this not the question ? Sebi On Thu, Sep 14, 2017 at 12:15 AM, Anton wrote: > I'm also interested in this. > If I understand OPs question correctly, he wants to know how to be an > Identity Provider that supports OIDC Protocol. > > For example - in the section on User initiated linked accounts - the > example is that the user links their Facebook account. How to create an > equivalent, OIDC-ly speaking, of Facebook? > > On 13 September 2017 at 15:41, Stian Thorgersen > wrote: > > > What are you actually trying to do? Keycloak is an OIDC IDP > > > > On 12 September 2017 at 17:59, Y Levine wrote: > > > > > I have read > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/ > > > oidc-overview.html > > > > > > I may have misread as it appears to list connectors to KeyCloak's OIDC > > > ....but how do we configure KeyCloak to be the OIDC IdP? > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From simonpayne58 at gmail.com Thu Sep 14 05:29:38 2017 
From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 14 Sep 2017 10:29:38 +0100 Subject: [keycloak-user] KeyCloak as an OIDC In-Reply-To: References: Message-ID: I think the OP is referring to identity brokering where keycloak is used to broker other identity providers which follow the OIDC protocol. One of these brokered identity provider can be another keycloak server. On Thu, Sep 14, 2017 at 10:16 AM, Sebastien Blanc wrote: > As Stian said , KC is already a OIDC Idp, nothing to do here. Once your > realm has been created, you can see the OIDC endpoints here : > > /auth/realms/your_realm/.well-known/openid-configuration > > Or was this not the question ? > > Sebi > > On Thu, Sep 14, 2017 at 12:15 AM, Anton wrote: > > > I'm also interested in this. > > If I understand OPs question correctly, he wants to know how to be an > > Identity Provider that supports OIDC Protocol. > > > > For example - in the section on User initiated linked accounts - the > > example is that the user links their Facebook account. How to create an > > equivalent, OIDC-ly speaking, of Facebook? > > > > On 13 September 2017 at 15:41, Stian Thorgersen > > wrote: > > > > > What are you actually trying to do? Keycloak is an OIDC IDP > > > > > > On 12 September 2017 at 17:59, Y Levine wrote: > > > > > > > I have read > > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/ > > > > oidc-overview.html > > > > > > > > I may have misread as it appears to list connectors to KeyCloak's > OIDC > > > > ....but how do we configure KeyCloak to be the OIDC IdP? 
> > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jnmlme at outlook.com Thu Sep 14 05:34:37 2017 
From: jnmlme at outlook.com (_ JnMlMe _) Date: Thu, 14 Sep 2017 09:34:37 +0000 Subject: [keycloak-user] Impossible to create/assign a user to a group Message-ID: When using the admin API (through curl) to initialize via puppet the settings of my realms, I didn't manage to both create a user and assign him to a group. The expected user is indeed created but not joined to the expected group. The API produces no errors in logs. It seems that the groups attribute is just ignored. Tests done on a 3.3.0.CR2 vanilla. $ curl -X POST -uadmin:admin http://localhost:8080/auth/admin/realms/master/groups -H "Content-Type: application/json" -H "Authorization: bearer $(curl -s -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | sed 's/.*access_token":"//g' | sed 's/".*//g')" -d @group.json $ curl -X POST -uadmin:admin http://localhost:8080/auth/admin/realms/master/users -H "Content-Type: application/json" -H "Authorization: bearer $(curl -s -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | sed 's/.*access_token":"//g' | sed 's/".*//g')" -d @user.json Thks From jnmlme at outlook.com Thu Sep 14 05:47:09 2017
From: jnmlme at outlook.com (_ JnMlMe _) Date: Thu, 14 Sep 2017 09:47:09 +0000 Subject: [keycloak-user] Impossible to create/assign a user to a group In-Reply-To: References: Message-ID: Adding the missing JSON content. group.json: { "name": "THIS-IS-A-SIMPLE-TESTING-GROUP", "path": "/THIS-IS-A-SIMPLE-TESTING-GROUP" } user.json: { "username": "THIS-IS-A-SIMPLE-TESTING-USER", "firstName": "firstName", "lastName": "lastName", "email": "firstName.lastName at noreply.fr", "enabled" : true, "groups": [ "/THIS-IS-A-SIMPLE-TESTING-GROUP" ], "credentials": [ { "type": "password", "value": "aaaaaaaa" } ] } ________________________________ From : keycloak-user-bounces at lists.jboss.org on behalf of _ JnMlMe _ Sent : Thursday, 14 September 2017 11:34 To : keycloak-user at lists.jboss.org Subject : [keycloak-user] Impossible to create/assign a user to a group When using the admin API (through curl) to initialize via puppet the settings of my realms, I didn't manage to both create a user and assign him to a group. The expected user is indeed created but not joined to the expected group. The API produces no errors in logs. It seems that the groups attribute is just ignored. Tests done on a 3.3.0.CR2 vanilla.
$ curl -X POST -uadmin:admin http://localhost:8080/auth/admin/realms/master/groups -H "Content-Type: application/json" -H "Authorization: bearer $(curl -s -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | sed 's/.*access_token":"//g' | sed 's/".*//g')" -d @group.json $ curl -X POST -uadmin:admin http://localhost:8080/auth/admin/realms/master/users -H "Content-Type: application/json" -H "Authorization: bearer $(curl -s -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | sed 's/.*access_token":"//g' | sed 's/".*//g')" -d @user.json Thks From kurrent93 at gmail.com Thu Sep 14 06:04:30 2017
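The provisioning procedure from this post, reworked as an added example that is not code from the thread: as Marko Strukelj's reply further down explains, the "groups" and "credentials" fields of the POST /users body do not do the job, so group membership and the password are done as separate Admin REST calls after the user exists. It assumes a Keycloak server at KC_BASE (default http://localhost:8080/auth) with the built-in admin-cli client; the admin password comes from the environment instead of the command line, and the JSON used in the test is constructed.

```python
"""Create a group and a user, then join the group and set the password as the
separate Admin REST API calls the thread describes.  Added example, not code
from the thread; server location and credentials are assumptions read from the
environment (KC_BASE, KC_ADMIN_USER, KC_ADMIN_PASS, KC_USER_PASS)."""
import json
import os
import urllib.parse
import urllib.request


def admin_token(base, username, password, realm="master"):
    """Password grant against admin-cli (what the thread's inner curl did)."""
    form = urllib.parse.urlencode({
        "client_id": "admin-cli", "grant_type": "password",
        "username": username, "password": password,
    }).encode()
    url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(url, data=form) as resp:
        return json.load(resp)["access_token"]


def admin_call(token, method, url, body=None):
    """One Admin REST call; returns (status, Location header, decoded JSON or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, resp.headers.get("Location"), (json.loads(raw) if raw else None)


def id_from_location(location):
    """POST /groups and POST /users answer 201 with a Location header ending in the new id."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def find_group_id(groups, path):
    """Depth-first search of a GroupRepresentation list (nested subGroups) by full path."""
    for group in groups:
        if group.get("path") == path:
            return group["id"]
        found = find_group_id(group.get("subGroups", []), path)
        if found is not None:
            return found
    return None


def follow_up_calls(base, realm, user_id, group_id, password, temporary=True):
    """The two requests the thread's single POST /users body was expected to cover:
    join the group, then set the password.  temporary=True forces a change at first
    login, a safer default for accounts provisioned with a known initial password."""
    user_url = f"{base}/admin/realms/{realm}/users/{user_id}"
    return [
        ("PUT", f"{user_url}/groups/{group_id}", None),
        ("PUT", f"{user_url}/reset-password",
         {"type": "password", "value": password, "temporary": temporary}),
    ]


def provision(base, realm, token, group_name, username, password):
    """Ensure the group exists, create the user, run the follow-up calls; returns the user id."""
    admin = f"{base}/admin/realms/{realm}"
    group_path = "/" + group_name
    _, _, groups = admin_call(token, "GET", f"{admin}/groups")
    group_id = find_group_id(groups, group_path)
    if group_id is None:  # POST /groups would answer 409 for an existing name
        _, location, _ = admin_call(token, "POST", f"{admin}/groups",
                                    {"name": group_name, "path": group_path})
        group_id = id_from_location(location)
    # "groups" and "credentials" are deliberately left out of this body: per the
    # thread they are not applied on create, so they are separate calls below.
    _, location, _ = admin_call(token, "POST", f"{admin}/users",
                                {"username": username, "enabled": True})
    user_id = id_from_location(location)
    for method, url, body in follow_up_calls(base, realm, user_id, group_id, password):
        status, _, _ = admin_call(token, method, url, body)
        if status != 204:
            raise RuntimeError(f"{method} {url} answered {status}")
    return user_id


if __name__ == "__main__":
    base = os.environ.get("KC_BASE", "http://localhost:8080/auth")  # assumed local server
    token = admin_token(base, os.environ.get("KC_ADMIN_USER", "admin"),
                        os.environ["KC_ADMIN_PASS"])
    print(provision(base, "master", token, "THIS-IS-A-SIMPLE-TESTING-GROUP",
                    "THIS-IS-A-SIMPLE-TESTING-USER", os.environ["KC_USER_PASS"]))
```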
From: kurrent93 at gmail.com (Anton) Date: Thu, 14 Sep 2017 22:04:30 +1200 Subject: [keycloak-user] KeyCloak as an OIDC In-Reply-To: References: Message-ID: I can't speak for the OP, but it sounds like a question I asked a while ago: I'm looking to build an application (identity provider) that will have user accounts. So, whereas the typical example is a user links their Facebook, or LinkedIn account to a Keycloak account, I'm interested in making an Identity Provider - comparable to Facebook, LinkedIn - in terms of supporting the OIDC protocol - so that users can link these accounts. Users should then be able to link their account to a parent account. I have been reading http://www.keycloak.org/docs/3.1/server_development/topics/identity-brokering/account-linking.html and see that this is possible. I have a few questions. On the docs it says: > The application must already be logged in as an existing user via the OIDC > protocol > How does an application log in as a user? Does this mean the user must be logged into the Identity provider application? Am I correct in assuming the Identity Provider application needs to implement the OIDC Protocol? Is this something Keycloak can do? Are there any examples of this? On 14 September 2017 at 21:29, Simon Payne wrote: > I think the OP is referring to identity brokering where keycloak is used to > broker other identity providers which follow the OIDC protocol. One of > these brokered identity provider can be another keycloak server. > > On Thu, Sep 14, 2017 at 10:16 AM, Sebastien Blanc > wrote: > > > As Stian said , KC is already a OIDC Idp, nothing to do here. Once your > > realm has been created, you can see the OIDC endpoints here : > > > > /auth/realms/your_realm/.well-known/openid-configuration > > > > Or was this not the question ? > > > > Sebi > > > > On Thu, Sep 14, 2017 at 12:15 AM, Anton wrote: > > > > > I'm also interested in this.
> > > If I understand OPs question correctly, he wants to know how to be an > > > Identity Provider that supports OIDC Protocol. > > > > > > For example - in the section on User initiated linked accounts - the > > > example is that the user links their Facebook account. How to create an > > > equivalent, OIDC-ly speaking, of Facebook? > > > > > > On 13 September 2017 at 15:41, Stian Thorgersen > > > wrote: > > > > > > > What are you actually trying to do? Keycloak is an OIDC IDP > > > > > > > > On 12 September 2017 at 17:59, Y Levine wrote: > > > > > > > > > I have read > > > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/ > > > > > oidc-overview.html > > > > > > > > > > I may have misread as it appears to list connectors to KeyCloak's > > OIDC > > > > > ....but how do we configure KeyCloak to be the OIDC IdP? > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jyoti.tech90 at gmail.com Thu Sep 14 06:32:25 2017 
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh) Date: Thu, 14 Sep 2017 16:02:25 +0530 Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance Message-ID: Hi Team, I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS instances. I am running two ECS instances in a cluster setup and also I have set up Keycloak in a clustered mode. To achieve this, I am using the "/standalone/configuration/standalone-ha.xml" file while building the docker image. Shared MySQL DB and Load Balancer setup are also in place. But when I checked Keycloak logs I am not seeing clustered nodes related information in logs. I am seeing nodes are not able to see each other. But the same settings are working fine in the DCOS Marathon platform. Interestingly if I run two Keycloak instances in one AWS ECS instance on different ports, I could see clustering related logs in Keycloak. Are there any standard guidelines which I can follow to achieve HA in an AWS ECS instance? I followed the below discussion thread but it didn't help me to fix the issue. #Link: http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html -- With Regards, Jyoti Kumar Singh From hmlnarik at redhat.com Thu Sep 14 07:05:00 2017
From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Thu, 14 Sep 2017 13:05:00 +0200 Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance In-Reply-To: References: Message-ID: In AWS, UDP multicast (default discovery method in the standalone-ha.xml config) is not possible [1]. You need to use S3PING or some other method for node discovery. [2] [1] https://aws.amazon.com/vpc/faqs/#Routing_&_Topology [2] https://developer.jboss.org/message/849585#849585 On Thu, Sep 14, 2017 at 12:32 PM, Jyoti Kumar Singh wrote: > Hi Team, > > I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS > instances. > > I am running two ECS instances in a cluster setup and also I have > setup Keycloak > in a clustered mode. To achieve this, I am using " > */standalone/configuration/standalone-ha.xml *" file while building the > docker image. Shared MySQL DB and Load Balancer setup are also in place. > > But when I checked Keycloak logs I am not seeing clustered nodes related > information in logs. I am seeing nodes are not able to see each other. But > same settings are working fine in DCOS Marathon platform. > > Interestingly if I run two Keycloak instances in one AWS ECS instance on > different ports, I could see clustering related logs in Keycloak. > > Is there any standard guidelines which I can follow to achieve HA in AWS > ECS instance ?? I followed the below discussion thread but it didn't help > me to fix the issue. > > #Link: > http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html > > -- > > *With Regards, Jyoti Kumar Singh* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From lkrzyzan at redhat.com Thu Sep 14 07:58:23 2017 
From: lkrzyzan at redhat.com (Libor Krzyzanek) Date: Thu, 14 Sep 2017 13:58:23 +0200 Subject: [keycloak-user] CLI for adding modules configuration in standalone.xml Message-ID: <1884D7EB-F020-43E0-AF7C-381E2AC707A4@redhat.com> Hi there, I cannot figure out how to write a CLI for adding modules configuration within element in standalone.xml as described here: http://www.keycloak.org/docs/3.3/server_development/topics/themes.html It would be cool to have this CLI in the docs. Thanks for the help, Libor Krzyžanek Principal Software Engineer Middleware Engineering Services From mstrukel at redhat.com Thu Sep 14 08:17:12 2017
From: mstrukel at redhat.com (Marko Strukelj) Date: Thu, 14 Sep 2017 14:17:12 +0200 Subject: [keycloak-user] Impossible to create/assign a user to a group In-Reply-To: References: Message-ID: It's a separate operation you need to perform in order to add a user to a group, and a separate operation again to set the user's password. Search for it in the archives, it's been asked many times. Also, consider using the Admin CLI (http://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html), which makes it all much easier. On Thu, Sep 14, 2017 at 11:47 AM, _ JnMlMe _ wrote: > Adding the missing JSON content. > > > group.json: > > { > "name": "THIS-IS-A-SIMPLE-TESTING-GROUP", > "path": "/THIS-IS-A-SIMPLE-TESTING-GROUP" > } > > > > user.json: > > { > "username": "THIS-IS-A-SIMPLE-TESTING-USER", > "firstName": "firstName", > "lastName": "lastName", > "email": "firstName.lastName at noreply.fr", > "enabled" : true, > "groups": [ > "/THIS-IS-A-SIMPLE-TESTING-GROUP" > ], > "credentials": [ > { > "type": "password", > "value": "aaaaaaaa" > } > ] > } > > > > > > ________________________________ > From : keycloak-user-bounces at lists.jboss.org jboss.org> on behalf of _ JnMlMe _ > Sent : Thursday, 14 September 2017 11:34 > To : keycloak-user at lists.jboss.org > Subject : [keycloak-user] Impossible to create/assign a user to a group > > When using the admin API (through curl) to initialize via puppet the settings of > my realms, I didn't manage to both create a user and assign him to a > group. The expected user is indeed created but not joined to the expected > group. > The API produces no errors in logs. It seems that the groups attribute is > just ignored. > > Tests done on a 3.3.0.CR2 vanilla.
> > $ curl -X POST -uadmin:admin http://localhost:8080/auth/ > admin/realms/master/groups -H "Content-Type: application/json" -H > "Authorization: bearer $(curl -s -d "client_id=admin-cli" -d > "username=admin" -d "password=admin" -d "grant_type=password" " > http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | > sed 's/.*access_token":"//g' | sed 's/".*//g')" -d at group.json > > $ curl -X POST -uadmin:admin http://localhost:8080/auth/ > admin/realms/master/users -H "Content-Type: application/json" -H > "Authorization: bearer $(curl -s -d "client_id=admin-cli" -d > "username=admin" -d "password=admin" -d "grant_type=password" " > http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | > sed 's/.*access_token":"//g' | sed 's/".*//g')" -d at user.json > > Thks > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From john.bartko at drillinginfo.com Thu Sep 14 10:25:46 2017 From: john.bartko at drillinginfo.com (John Bartko) Date: Thu, 14 Sep 2017 14:25:46 +0000 Subject: [keycloak-user] CLI for adding modules configuration in in standalone.xml In-Reply-To: <1884D7EB-F020-43E0-AF7C-381E2AC707A4@redhat.com> References: <1884D7EB-F020-43E0-AF7C-381E2AC707A4@redhat.com> Message-ID: Libor, I believe something like: module add --name=org.example.custom-theme --resources=/path/to/custom-theme.zip /subsystem=keycloak-server/theme=defaults:write-attribute(name=modules,value=[org.example.custom-theme]) should do the trick. Hope that helps, -John Bartko ________________________________ 
From: keycloak-user-bounces at lists.jboss.org on behalf of Libor Krzyzanek Sent: Thursday, September 14, 2017 6:58:23 AM To: keycloak-user Subject: [keycloak-user] CLI for adding modules configuration in in standalone.xml Hi there, I cannot figure out how to write a CLI for adding modules configuration within element in standalone.xml as described here: http://www.keycloak.org/docs/3.3/server_development/topics/themes.html > It would be cool to have this CLI in docs. Thanks for help, Libor Krzy?anek Principal Software Engineer Middleware Engineering Services _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From marc.destefanis at easytrust.com Thu Sep 14 10:26:54 2017 From: marc.destefanis at easytrust.com (Marc Destefanis) Date: Thu, 14 Sep 2017 14:26:54 +0000 Subject: [keycloak-user] Secure automatically multiple deployments via Adapter Subsystem Message-ID: Hi, We would like to secure multiple deployments via Adapter Subsystem. Because the keycloak.json solution needs a re-build of our project each time we want to change the Keycloak server URL. The problem is that we don't want to add a secure-deployment to our Wildfly domain.xml each time we add a WAR to our application. Is there a solution ? Like a wildcard on the secure-deployment name to be able to secure different deployments according to our WAR names ? Example : server-*.war client-*.war Thanks and have a good day, Marc. From kuntalakrishna at gmail.com Thu Sep 14 11:49:43 2017 
From: kuntalakrishna at gmail.com (Krishna Kuntala)
Date: Thu, 14 Sep 2017 16:49:43 +0100
Subject: [keycloak-user] Way to add new pages in keycloak
Message-ID:

Hi,

I have a requirement of adding a new page in keycloak which will have a few links to client applications. For simplicity I will call it the dashboard page.

How easy or difficult is it to add a new page/path in keycloak? If yes, how can we do it? Please point me to any link or implementation.

Thanks and Regards,
Krishna Kuntala

From tonnis at autonomic.ai Thu Sep 14 12:30:14 2017
From: tonnis at autonomic.ai (Tonnis Wildeboer)
Date: Thu, 14 Sep 2017 09:30:14 -0700
Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance
In-Reply-To:
References:
Message-ID:

Jyoti,

I have been working on a similar goal and was finally successful yesterday. We are using postgres and kubernetes. Here are the key sources of information that enabled me to succeed:

The big key is here: https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql
Use the .xsl templates there to transform the standalone-ha.xml and you can see what is being done.

I suggest that you simply use JDBC_PING, since you already have a shared database.

I think it is instructive to understand what JDBC_PING (and JGroups in general) are doing:
http://jgroups.org/manual4/index.html
https://developer.jboss.org/wiki/JDBCPING

You may benefit from this also, specifically, the need to bind jgroups-tcp and jgroups-tcp-fd to the proper interface. Not sure about your situation.

--Tonnis
____________________
Tonnis Wildeboer
Autonomic.ai Engineering

On 09/14/2017 03:32 AM, Jyoti Kumar Singh wrote:
> Hi Team,
>
> I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS instances.
>
> I am running two ECS instances in a cluster setup and also I have set up Keycloak in a clustered mode. To achieve this, I am using the "/standalone/configuration/standalone-ha.xml" file while building the docker image. Shared MySQL DB and Load Balancer setup are also in place.
>
> But when I checked Keycloak logs I am not seeing clustered nodes related information in logs. I am seeing nodes are not able to see each other. But the same settings are working fine in the DCOS Marathon platform.
>
> Interestingly if I run two Keycloak instances in one AWS ECS instance on different ports, I could see clustering related logs in Keycloak.
>
> Are there any standard guidelines which I can follow to achieve HA in an AWS ECS instance?
> I followed the below discussion thread but it didn't help me to fix the issue.
>
> #Link: http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html

From ssilvert at redhat.com Thu Sep 14 13:10:37 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 14 Sep 2017 13:10:37 -0400
Subject: [keycloak-user] Way to add new pages in keycloak
In-Reply-To:
References:
Message-ID: <779429cd-112d-d055-aadd-4df290c31d59@redhat.com>

I assume you are talking about the account management console?

It's really easy to change an existing page. So you could, for instance, quickly add links to the Account page or the Sessions page, but it's not easy to add a brand new page.

The ability to add pages is a top requirement for the new version of the account management console. We are hoping to have a tech preview of this before long.

Stan

On 9/14/2017 11:49 AM, Krishna Kuntala wrote:
> Hi,
>
> I have a requirement of adding a new page in keycloak which will have a few links to client applications. For simplicity I will call it the dashboard page.
>
> How easy or difficult is it to add a new page/path in keycloak? If yes, how can we do it? Please point me to any link or implementation.
>
> Thanks and Regards,
> Krishna Kuntala

From nhoult51 at gmail.com Thu Sep 14 13:50:41 2017
From: nhoult51 at gmail.com (Nathan Hoult)
Date: Thu, 14 Sep 2017 17:50:41 +0000
Subject: [keycloak-user] Multi attribute authorization check
Message-ID:

I have a use case where I need to check if a (user)+(company) is authorized for a client resource.

Example:
user + companyA = resourceA granted
user + companyB = resourceA denied

The user may have multiple browser sessions logged into the same client, so I can't just set a KC user attribute "company=companyA". The service will know, based on a cookie or something, what the company ID is and can pass that information to KC, which can then return whether that resource is authorized.

I tried:
1) Scope per company: I got close but it seemed to be the wrong use of scope. I ran into some issues but if this was the way to do it I can look at it again.
2) Realm per company: then the user would have multiple accounts, clients would have to trust multiple Realms, adding/removing companies would require a Realm setup, and any client resource changes would require an update in each Realm. There is also the problem that a resource being controlled by multiple authorization servers seems wrong (https://github.com/pingidentity/mod_auth_openidc/issues/199).

I have thought about a hybrid approach but didn't think it was the right way to do it even if it worked: 1 client realm with all users and clients, that realm trusts multiple per-company realms, then a user logs into a company realm that the client converts to the client realm but puts in the token which realm the user came from.

I could write my own service, let the applications deal with their own resource permissions, or make a KC plugin that does what I want, but if KC can't do it by default does anyone know of another AuthZ implementation that could?

I could be thinking about the problem all wrong to begin with, so any input is appreciated.

Thanks,
- Nathan

From to_sud at yahoo.com Thu Sep 14 14:10:51 2017
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Thu, 14 Sep 2017 14:10:51 -0400
Subject: [keycloak-user] keycloak-user Digest, Vol 45, Issue 19
In-Reply-To:
References:
Message-ID:

Hi,

The KeycloakAuthenticationProcessingFilter.java which is part of the Keycloak Spring Security Adapter module does not let users of it override the login url and is instead hard-coded to /sso/login.

Our use case is to set up two separate Spring Security FilterChains with their different SSO login URLs. We can subclass the KeycloakAuthenticationProcessingFilter.java class and add the ability to override the login URL. But before embarking on this approach I'm perplexed as to why we would have the processing filter hardcoded to a particular URL without a way to override it.

Thanks for your insights.
-sud

From pkboucher801 at gmail.com Thu Sep 14 14:30:43 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Thu, 14 Sep 2017 14:30:43 -0400
Subject: [keycloak-user] Skip Broker First-Time Flow?
In-Reply-To:
References: <000001d31c40$e0271a20$a0754e60$@gmail.com> <000801d31da3$476c21e0$d64465a0$@gmail.com> <3c7e369e-74c2-e9ce-af49-5ce2b30ea6af@redhat.com>
Message-ID: <00da01d32d87$935e1dd0$ba1a5970$@gmail.com>

Has anyone made https://github.com/ohioit/keycloak-link-idp-with-user work with Keycloak 3.1.0.Final? It seems to have been designed for 1.9.0.Final

-----Original Message-----
From: Adam Keily [mailto:adam.keily at adelaide.edu.au]
Sent: Wednesday, August 30, 2017 12:27 AM
To: Marek Posolda ; Peter K. Boucher ; 'Phillip Fleischer' ; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Skip Broker First-Time Flow?

Check out https://github.com/ohioit/keycloak-link-idp-with-user

We use it to silently link users coming from another corporate IDP with our federated LDAP accounts.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Friday, 25 August 2017 10:59 PM
To: Peter K. Boucher ; 'Phillip Fleischer' ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Skip Broker First-Time Flow?

Yes.

Marek

On 25/08/17 15:08, Peter K. Boucher wrote:
> Not asking you to review/endorse this code, but does the approach seem reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, August 24, 2017 5:30 AM
> To: Phillip Fleischer ; Peter K. Boucher ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
>
> +1 to what Phillip mentioned.
>
> We were thinking about adding the authenticator OOTB, which will link accounts automatically. But we didn't add it in the end because of security. However you're not the first asking for it, so maybe it makes sense - as long as this authenticator won't be in the flow by default and the admin would need to edit the first-broker-login flow at his own risk. Feel free to create a JIRA (maybe it already exists, so you can add a comment like "I want it too" and add a vote :) )
>
> Marek
>
> On 24/08/17 10:38, Phillip Fleischer wrote:
>> Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want.
>>
>> As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own.
>>
>> ________________________________
>> From: keycloak-user-bounces at lists.jboss.org on behalf of Peter K. Boucher
>> Sent: Wednesday, August 23, 2017 2:51:48 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Skip Broker First-Time Flow?
>>
>> We have a need to pre-provision user accounts that are to be accessed with SAML from an outside IdP. These accounts are only ever to be used via SAML from this external IdP (i.e., we never want them to have to use a password to verify anything to Keycloak).
>>
>> Is there any way for the account-linking the first time the user comes in with SAML to happen automatically and silently?
>>
>> We understand that in some circumstances it would be a security hole to allow someone to connect via a brokered IdP to an existing account that has already been used, but these accounts are being created specifically to be accessed by this particular broker.
>>
>> Any help?
>>
>> Thanks!
>>
>> Regards,
>>
>> Peter K. Boucher

From ylevine20 at gmail.com Thu Sep 14 15:25:22 2017
From: ylevine20 at gmail.com (Y Levine)
Date: Thu, 14 Sep 2017 12:25:22 -0700
Subject: [keycloak-user] KeyCloak as an OIDC
In-Reply-To:
References:
Message-ID:

Yes --- looking for similar....

KeyCloak is the OIDC Identity Provider --- Applications integrate against KeyCloak via OIDC --- users would authenticate directly against the login page on KeyCloak - redirected back to SP.....ala Google login process to Stackoverflow (however in this case KeyCloak is the IDP for our organization's login/password).

If there are steps that can describe how the above can be configured it will be much appreciated.

On Thu, Sep 14, 2017 at 3:04 AM, Anton wrote:
> I can't speak for OP, but it sounds like a question I asked a while ago:
>
> I'm looking to build an application (identity provider) that will have user accounts. So, whereas the typical example is a user links their Facebook or LinkedIn account to a Keycloak account, I'm interested in making an Identity Provider - comparable to Facebook, LinkedIn - in terms of supporting the OIDC protocol - so that users can link these accounts.
>
> Users should then be able to link their account to a parent account.
>
> I have been reading http://www.keycloak.org/docs/3.1/server_development/topics/identity-brokering/account-linking.html and see that this is possible.
>
> I have a few questions. On the docs it says:
>
> > The application must already be logged in as an existing user via the OIDC protocol
>
> How does an application login as a user?
> Does this mean the user must be logged into the Identity provider application?
>
> Am I correct in assuming the Identity Provider application needs to implement the OIDC Protocol? Is this something Keycloak can do? Are there any examples of this?
>
> On 14 September 2017 at 21:29, Simon Payne wrote:
> > I think the OP is referring to identity brokering where keycloak is used to broker other identity providers which follow the OIDC protocol. One of these brokered identity providers can be another keycloak server.
> >
> > On Thu, Sep 14, 2017 at 10:16 AM, Sebastien Blanc wrote:
> > > As Stian said, KC is already an OIDC IdP, nothing to do here. Once your realm has been created, you can see the OIDC endpoints here:
> > >
> > > /auth/realms/your_realm/.well-known/openid-configuration
> > >
> > > Or was this not the question?
> > >
> > > Sebi
> > >
> > > On Thu, Sep 14, 2017 at 12:15 AM, Anton wrote:
> > > > I'm also interested in this.
> > > > If I understand OP's question correctly, he wants to know how to be an Identity Provider that supports the OIDC Protocol.
> > > >
> > > > For example - in the section on User initiated linked accounts - the example is that the user links their Facebook account. How to create an equivalent, OIDC-ly speaking, of Facebook?
> > > >
> > > > On 13 September 2017 at 15:41, Stian Thorgersen wrote:
> > > > > What are you actually trying to do? Keycloak is an OIDC IDP
> > > > >
> > > > > On 12 September 2017 at 17:59, Y Levine wrote:
> > > > > > I have read
> > > > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/oidc-overview.html
> > > > > >
> > > > > > I may have misread as it appears to list connectors to KeyCloak's OIDC ....but how do we configure KeyCloak to be the OIDC IdP?

From Sebastian.Schuster at bosch-si.com Fri Sep 15 02:46:54 2017
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1))
Date: Fri, 15 Sep 2017 06:46:54 +0000
Subject: [keycloak-user] Multi attribute authorization check
In-Reply-To:
References:
Message-ID: <4abe9c92d9c04046aeca1686ab4617f6@FE-MBX1028.de.bosch.com>

How about using different clients for different companies? You can control the scopes the clients may ask for.

Best regards,
Sebastian

Kind regards / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nathan Hoult
Sent: Thursday, 14 September 2017 19:51
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Multi attribute authorization check

From sthorger at redhat.com Fri Sep 15 03:30:40 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 15 Sep 2017 09:30:40 +0200
Subject: [keycloak-user] KeyCloak as an OIDC
In-Reply-To:
References:
Message-ID:

I'm not following.. What you want is to secure your applications with Keycloak using the OIDC protocol? If so just create a client for it in the realm and away you go..?

On 14 September 2017 at 21:25, Y Levine wrote:
> Yes --- looking for similar....
>
> KeyCloak is the OIDC Identity Provider --- Applications integrate against KeyCloak via OIDC --- users would authenticate directly against the login page on KeyCloak - redirected back to SP.....ala Google login process to Stackoverflow (however in this case KeyCloak is the IDP for our organization's login/password).
>
> If there are steps that can describe how the above can be configured it will be much appreciated.
>
> On Thu, Sep 14, 2017 at 3:04 AM, Anton wrote:

From kurrent93 at gmail.com Fri Sep 15 04:23:07 2017
From: kurrent93 at gmail.com (Anton) Date: Fri, 15 Sep 2017 20:23:07 +1200 Subject: [keycloak-user] KeyCloak as an OIDC In-Reply-To: References: Message-ID: Hi Stian Clearly you know more about this than I. But from my limited knowledge, an Identity Provider that supports the OIDC Protocol allows clients to "receive information about authenticated sessions and end-users." This would mean that the Identity Provider presumably needs to make user information available in a specific format or schema. Therefore, I am assuming there would be some specific data modeling requirements in the custom Identity Provider. The best example I could find of this is https://github.com/mitreid-connect/ldap-openid-connect-server On 15 September 2017 at 19:30, Stian Thorgersen wrote: > I'm not following.. What you want is secure your applications with > Keycloak using the OIDC protocol? If so just create a client for it in the > realm and away you go..? > > On 14 September 2017 at 21:25, Y Levine wrote: > >> Yes --- looking for similar.... >> >> KeyCloak is the OIDC Identity Provider --- Applications integrate against >> KeyCloak via OIDC --- users would authenticate directly against login page >> on KeyCloak - redirected back to SP.....ala Google login process to >> Stackoverflow (however in this case KeyCloak is the IDP for our >> organization's login/password). >> >> If there are steps that can describe how above can be configured will be >> much appreciated. >> >> >> On Thu, Sep 14, 2017 at 3:04 AM, Anton wrote: >> >> > I cant speak for OP, but it sounds like a question I asked a while ago: >> > >> > I'm looking to build an application ( identity provider) that will have >> > user accounts. So, where as the typical example is a user links their >> > Facebook, or LinkedIn account to a Keycloak account. Im interested in >> > making an Identity Provider - comparable to Facebook, LinkedIn - >> interns of >> > supporting the OIDC protocol - so that user can link these accounts. 
>> > >> > Users then should then be able to link their account to a parent >> account. >> > >> > I have been reading http://www.keycloak.org/docs/3.1/server_ >> > development/topics/identity-brokering/account-linking.html and see that >> > this is possible. >> > >> > I have a few questions. On the docs it says: >> > >> > > The application must already be logged in as an existing user via the >> > OIDC >> > > protocol >> > > >> > How does an application login as a user? >> > Does this mean the user must be logged into the Identity provider >> > application? >> > >> > Am I correct in assuming the Identity Provider application needs to >> > implement the OIDC Protocol? Is this something Keycloak can do? Are >> there >> > any examples of this? >> > >> > On 14 September 2017 at 21:29, Simon Payne >> wrote: >> > >> > > I think the OP is referring to identity brokering where keycloak is >> used >> > to >> > > broker other identity providers which follow the OIDC protocol. One >> of >> > > these brokered identity provider can be another keycloak server. >> > > >> > > On Thu, Sep 14, 2017 at 10:16 AM, Sebastien Blanc >> > > wrote: >> > > >> > > > As Stian said , KC is already a OIDC Idp, nothing to do here. Once >> your >> > > > realm has been created, you can see the OIDC endpoints here : >> > > > >> > > > /auth/realms/your_realm/.well-known/openid-configuration >> > > > >> > > > Or was this not the question ? >> > > > >> > > > Sebi >> > > > >> > > > On Thu, Sep 14, 2017 at 12:15 AM, Anton >> wrote: >> > > > >> > > > > I'm also interested in this. >> > > > > If I understand OPs question correctly, he wants to know how to >> be an >> > > > > Identity Provider that supports OIDC Protocol. >> > > > > >> > > > > For example - in the section on User initiated linked accounts - >> the >> > > > > example is that the user links their Facebook account. How to >> create >> > an >> > > > > equivalent, OIDC-ly speaking, of Facebook? 
>> > > > > >> > > > > On 13 September 2017 at 15:41, Stian Thorgersen < >> sthorger at redhat.com >> > > >> > > > > wrote: >> > > > > >> > > > > > What are you actually trying to do? Keycloak is an OIDC IDP >> > > > > > >> > > > > > On 12 September 2017 at 17:59, Y Levine >> > wrote: >> > > > > > >> > > > > > > I have read >> > > > > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/ >> > > > > > > oidc-overview.html >> > > > > > > >> > > > > > > I may have misread as it appears to list connectors to >> KeyCloak's >> > > > OIDC >> > > > > > > ....but how do we configure KeyCloak to be the OIDC IdP? >> > > > > > > _______________________________________________ >> > > > > > > keycloak-user mailing list >> > > > > > > keycloak-user at lists.jboss.org >> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > > > >> > > > > > _______________________________________________ >> > > > > > keycloak-user mailing list >> > > > > > keycloak-user at lists.jboss.org >> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > > >> > > > > _______________________________________________ >> > > > > keycloak-user mailing list >> > > > > keycloak-user at lists.jboss.org >> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > >> > > > _______________________________________________ >> > > > keycloak-user mailing list >> > > > keycloak-user at lists.jboss.org >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at 
lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From christianlutz at inovel.de Fri Sep 15 04:44:01 2017
From: christianlutz at inovel.de (christian lutz)
Date: Fri, 15 Sep 2017 08:44:01 +0000
Subject: [keycloak-user] Re-2: Multi attribute authorization check
In-Reply-To: <4abe9c92d9c04046aeca1686ab4617f6@FE-MBX1028.de.bosch.com>
References: <4abe9c92d9c04046aeca1686ab4617f6@FE-MBX1028.de.bosch.com>
Message-ID: <000608B1.59BBAEDC@mail.ino.local>

Hello,

Do you know the Keycloak photoz example?
https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz

Based on this idea we solved the same problem like this:

- For each company we create a new resource containing the company id within the type, like company:id:11
- Each user will be added to one company role.
- Each company role contains an attribute like companyId=11
- You need to add this attribute to your token (see mapper)
- We created a simple JavaScript policy. This policy checks if the requested resource and the logged-in user have the same company id.

Regards
Christian

-------- Original Message --------
Subject: Re: [keycloak-user] Multi attribute authorization check (15. September 2017, 08:46)
From: Schuster Sebastian (INST/ESY1)
To: christianlutz at inovel.de

> How about using different clients for different companies? You can control the scopes the clients may ask for.
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
> Dr.-Ing. Sebastian Schuster
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
> Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nathan Hoult
> Sent: Thursday, 14 September 2017 19:51
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Multi attribute authorization check
>
> I have a use case where I need to check if a (user)+(company) is authorized for a client resource. Example:
> user + companyA = resourceA granted
> user + companyB = resourceA denied
>
> The user may have multiple browser sessions logged into the same client, so I can't just set a KC user attribute "company=companyA". The service will know, based on a cookie or something, what the company ID is and can pass that information to KC, which can then return whether that resource is authorized.
>
> I tried:
> 1) Scope per company: I got close, but it seemed to be the wrong use of scope. I ran into some issues, but if this was the way to do it I can look at it again.
> 2) Realm per company: then the user would have multiple accounts, clients would have to trust multiple realms, adding/removing companies would require a realm setup, and any client resource changes would require an update in each realm. There is also the problem that a resource being controlled by multiple authorization servers seems wrong (https://github.com/pingidentity/mod_auth_openidc/issues/199).
>
> I have thought about a hybrid approach but didn't think it was the right way to do it even if it worked: 1 client realm with all users and clients; that realm trusts multiple per-company realms; then a user logs into a company realm that the client converts to the client realm, but puts in the token which realm the user came from.
>
> I could write my own service, let the applications deal with their own resource permissions, or make a KC plugin that does what I want, but if KC can't do it by default does anyone know of another AuthZ implementation that could?
>
> I could be thinking about the problem all wrong to begin with, so any input is appreciated.
>
> Thanks,
> - Nathan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From loic.rapp at reymann.com Fri Sep 15 06:02:20 2017
From: loic.rapp at reymann.com (Rapp Loïc)
Date: Fri, 15 Sep 2017 12:02:20 +0200
Subject: [keycloak-user] Keycloak SSO Nextcloud
Message-ID: <12EF9844-9D23-4F6C-AC21-34CE7E04AE2B@reymann.com>

Hi!

I've tried to connect Keycloak to Nextcloud with the user_saml plugin. Has someone already done that? Because I've already done that with LemonLDAP::NG (a French SSO server), and it's working, but not with Keycloak.

Thanks a lot!

Rapp Loïc
Technical Department
Network Technician
Direct line: +33 (0)3 69 22 67 18
--
Let's save paper. Print this e-mail only if necessary.

From vikrant02.work at gmail.com Fri Sep 15 06:32:23 2017
From: vikrant02.work at gmail.com (Vikrant Singh)
Date: Fri, 15 Sep 2017 16:02:23 +0530
Subject: [keycloak-user] Keycloak cross-dc standalone vs standalone-ha
Message-ID:

Hi,

Recently there was a blog on cross-DC support for Keycloak:
http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html

We have done something similar to that with one difference. In our deployment we have Keycloak in standalone mode rather than standalone-ha. All Keycloak instances are using the same DB. With this setup we are successfully able to achieve HA both within the same DC and cross-DC.

Is there any benefit of using standalone-ha over standalone, since all clustering requirements will be handled by the external Infinispan server?

Thanks!

From lkrzyzan at redhat.com Fri Sep 15 07:07:33 2017
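Back to Christian Lutz's reply in the "Multi attribute authorization check" thread above: his JavaScript policy, written out as an added example. This is not code from the list or from the photoz example. It keeps the conventions from his mail (resource type company:id:<n>, a companyId attribute mapped into the token); the `$evaluation` methods are the ones documented for Keycloak JavaScript policies, and the stand-in evaluation object at the bottom is a constructed mock of their shape, used only for testing outside Keycloak. Two points the mail does not spell out: deny is the default, and a missing or multi-valued companyId claim is denied rather than matched loosely.

```javascript
// Added example, not from the thread: "company id in the resource type must equal
// the companyId claim of the caller", as a Keycloak JavaScript policy.
// ES5 only, because Keycloak 3.x evaluates these policies with Nashorn.
var TYPE_PREFIX = 'company:id:';   // convention from Christian's mail
var ATTRIBUTE_NAME = 'companyId';  // role attribute exposed in the token by a mapper

// Extract the numeric company id from a resource type such as "company:id:11".
// Any other type yields null so that unrelated resources fall through to deny.
function companyIdFromType(type) {
  if (typeof type !== 'string' || type.indexOf(TYPE_PREFIX) !== 0) {
    return null;
  }
  var id = type.substring(TYPE_PREFIX.length);
  return /^[0-9]+$/.test(id) ? id : null;
}

// Read the companyId attribute from the caller's identity (the token claims).
// Missing or multi-valued: return null. An ambiguous identity must never
// match "some" company.
function companyIdFromIdentity(identity) {
  var entry = identity.getAttributes().getValue(ATTRIBUTE_NAME);
  if (entry === null || entry === undefined || entry.size() !== 1) {
    return null;
  }
  return entry.asString(0);
}

// The policy decision. Grants only when both ids are present and equal.
function decide(evaluation) {
  var resourceCompany = companyIdFromType(evaluation.getPermission().getResource().getType());
  var callerCompany = companyIdFromIdentity(evaluation.getContext().getIdentity());
  if (resourceCompany !== null && callerCompany !== null && resourceCompany === callerCompany) {
    evaluation.grant();
    return 'grant';
  }
  evaluation.deny();
  return 'deny';
}

// Entry point when pasted into a Keycloak JavaScript policy: Keycloak binds
// $evaluation. Under plain node it is undefined and nothing runs here.
if (typeof $evaluation !== 'undefined') {
  decide($evaluation);
}

// Constructed mock with the same method shape as $evaluation, for running the
// policy logic outside Keycloak. companyIds === null simulates a missing claim.
function fakeEvaluation(resourceType, companyIds) {
  var attributes = {
    getValue: function (name) {
      if (name !== ATTRIBUTE_NAME || companyIds === null) { return null; }
      return {
        size: function () { return companyIds.length; },
        asString: function (i) { return companyIds[i]; }
      };
    }
  };
  var identity = { getAttributes: function () { return attributes; } };
  var resource = { getType: function () { return resourceType; } };
  var decision = { result: null };
  return {
    decision: decision,
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    grant: function () { decision.result = 'grant'; },
    deny: function () { decision.result = 'deny'; }
  };
}
```

The policy is attached to the permission that covers the company resources; the mapper that copies companyId from the role attribute into the token is configured separately in the client, as Christian's fourth bullet says.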
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Fri, 15 Sep 2017 13:07:33 +0200
Subject: [keycloak-user] CLI for adding modules configuration in in standalone.xml
In-Reply-To:
References: <1884D7EB-F020-43E0-AF7C-381E2AC707A4@redhat.com>
Message-ID: <279FDD76-46FE-42EB-9369-87803EA80631@redhat.com>

Hi,
yep, it works.

Thanks a lot,

Libor Krzyžanek
Principal Software Engineer
Middleware Engineering Services

> On Sep 14, 2017, at 4:25 PM, John Bartko wrote:
>
> Libor,
>
> I believe something like:
>
> module add --name=org.example.custom-theme --resources=/path/to/custom-theme.zip
> /subsystem=keycloak-server/theme=defaults:write-attribute(name=modules,value=[org.example.custom-theme])
>
> should do the trick.
>
> Hope that helps,
> -John Bartko
>
> From: keycloak-user-bounces at lists.jboss.org on behalf of Libor Krzyzanek
> Sent: Thursday, September 14, 2017 6:58:23 AM
> To: keycloak-user
> Subject: [keycloak-user] CLI for adding modules configuration in in standalone.xml
>
> Hi there,
> I cannot figure out how to write a CLI for adding modules configuration within element in standalone.xml as described here:
> http://www.keycloak.org/docs/3.3/server_development/topics/themes.html
>
> It would be cool to have this CLI in docs.
>
> Thanks for help,
>
> Libor Krzyžanek
> Principal Software Engineer
> Middleware Engineering Services
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pieter at thehyve.nl Fri Sep 15 07:56:25 2017
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Fri, 15 Sep 2017 13:56:25 +0200
Subject: [keycloak-user] SAML Identity broker mode bypasses any authentication after logout
Message-ID:

Hi,

I have a spring-security based application that connects to Keycloak via SAML. Keycloak itself is configured to connect via SAML to another external identity provider (so Keycloak is just the identity broker in this case).

When I log out from my web application by going to https:///saml/logout?local=false, a LogoutRequest is sent to Keycloak, followed by a LogoutRequest to the external IdP. There is *no* LogoutResponse. Strangely, when I try to access my web application again, I am not asked to log in and can access it as if the session is still valid. No AuthnRequest is seen in this case.

What could be wrong? It seems that either the web application or Keycloak is caching the session and not invalidating it upon a LogoutRequest. Maybe someone can help shed some light on this.

Thanks,

Pieter

We empower scientists by building on open source software

From hmlnarik at redhat.com Fri Sep 15 08:27:48 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 15 Sep 2017 14:27:48 +0200
Subject: [keycloak-user] Keycloak cross-dc standalone vs standalone-ha
In-Reply-To:
References:
Message-ID:

Putting aside cross-DC, if you use the default settings of the caches in standalone.xml, the objects within the caches would not be shared in the cluster. That for example means that changes in realm settings would not propagate to other nodes and node states would thus become inconsistent, any node failure would lead to loss of state data stored at that node, etc.

In cross-DC, not all caches are shared between sites, e.g. the authentication session cache is usually local to the cluster, so using a cross-DC setup for the "single-node clusters" you describe would not cure all potential issues coming out of not using the standalone-ha profile.

On Fri, Sep 15, 2017 at 12:32 PM, Vikrant Singh wrote:
> Hi,
>
> Recently there was a blog on cross dc support for keycloak
> http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
>
> We have done something similar to that with one difference. In our deployment we have keycloak in standalone mode rather than standalone-ha. All keycloak instances are using same db. With this setup we are successfully able to achieve HA across same dc and cross dc both.
>
> Is there any benefit of using standalone-ha over standalone? since all clustering requirement will be handled by external infinispan server.
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From hmlnarik at redhat.com Fri Sep 15 08:34:44 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 15 Sep 2017 14:34:44 +0200
Subject: [keycloak-user] SAML Identity broker mode bypasses any authentication after logout
In-Reply-To:
References:
Message-ID:

Check why there is no LogoutResponse. This is a violation of the SAML protocol [1]. You would need to inspect the SAML message exchange by either using a browser extension like SAML Tracer, or increasing the Keycloak log level for SAML.

--Hynek

[1] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, l. 2631-2636

On Fri, Sep 15, 2017 at 1:56 PM, Pieter Lukasse wrote:
> Hi,
>
> I have a spring-security based application that connects to keycloak via SAML. Keycloak itself is configured to connect via SAML to another external identity provider (so Keycloak is just the identity broker in this case).
>
> When I logout from my web application by going to https:///saml/logout?local=false, a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the external IDP. There is *no* LogoutResponse. Strangely, when I try to access my web application again, I am not asked to login and can access it as if the session is still valid. No AuthnRequest is seen in this case.
>
> What could be wrong? It seems that either the web application or the Keycloak is caching the session and not invalidating it upon a LogoutRequest. Maybe someone can help shed some light on this.
>
> Thanks,
>
> Pieter
>
> We empower scientists by building on open source software
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From hmlnarik at redhat.com Fri Sep 15 09:06:54 2017
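Hynek's advice above is to capture the exchange and look at what is missing. The following is an added example (not from the thread) of the checks to run on such a capture: decode the HTTP-POST binding form fields (SAMLRequest and SAMLResponse are base64 of the XML), confirm a LogoutResponse exists, that its InResponseTo matches the ID of the LogoutRequest, and that its StatusCode is Success, which is exactly what [1] requires. The two sample messages are constructed for the example. For the HTTP-Redirect binding the value is additionally DEFLATE-compressed before base64, so inflate it first.

```javascript
// Added example, not from the thread: sanity checks on a captured SAML single
// logout exchange. Sample messages below are constructed, not real traffic.

// HTTP-POST binding: the form field is plain base64 of the XML document.
function decodePostBinding(fieldValue) {
  return Buffer.from(fieldValue, 'base64').toString('utf8');
}

// Pull one attribute off one element. Good enough for eyeballing a capture;
// this is not a SAML parser and must never drive a trust decision.
function attr(xml, element, name) {
  const re = new RegExp(`<(?:\\w+:)?${element}\\b[^>]*?\\s${name}="([^"]*)"`);
  const m = xml.match(re);
  return m ? m[1] : null;
}

// Reduce a logout message to the fields that matter for the exchange check.
function summarizeLogoutMessage(xml) {
  if (/<(?:\w+:)?LogoutRequest\b/.test(xml)) {
    const issuer = xml.match(/<(?:\w+:)?Issuer[^>]*>([^<]*)</);
    return { type: 'LogoutRequest', id: attr(xml, 'LogoutRequest', 'ID'),
             issuer: issuer ? issuer[1] : null };
  }
  if (/<(?:\w+:)?LogoutResponse\b/.test(xml)) {
    return { type: 'LogoutResponse', id: attr(xml, 'LogoutResponse', 'ID'),
             inResponseTo: attr(xml, 'LogoutResponse', 'InResponseTo'),
             status: attr(xml, 'StatusCode', 'Value') };
  }
  return { type: 'other' };
}

// Returns findings; an empty list means the exchange is complete and consistent.
// responseField is null when, as in Pieter's case, no LogoutResponse was seen.
function checkLogoutExchange(requestField, responseField) {
  const findings = [];
  const req = summarizeLogoutMessage(decodePostBinding(requestField));
  if (req.type !== 'LogoutRequest') findings.push('request is not a LogoutRequest');
  if (responseField === null || responseField === undefined) {
    findings.push('no LogoutResponse observed (SAML core requires one)');
    return findings;
  }
  const res = summarizeLogoutMessage(decodePostBinding(responseField));
  if (res.type !== 'LogoutResponse') {
    findings.push('response is not a LogoutResponse');
    return findings;
  }
  if (res.inResponseTo !== req.id) {
    findings.push(`InResponseTo ${res.inResponseTo} does not match request ID ${req.id}`);
  }
  if (res.status !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
    findings.push(`status is ${res.status}, not Success`);
  }
  return findings;
}

// Constructed sample exchange (hosts, IDs and session index are made up).
const SAMPLE_REQUEST_XML =
  '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" ' +
  'IssueInstant="2017-09-15T11:56:00Z" Destination="https://idp.example/saml/logout">' +
  '<saml:Issuer>https://sp.example</saml:Issuer><saml:NameID>alice</saml:NameID>' +
  '<samlp:SessionIndex>_sess1</samlp:SessionIndex></samlp:LogoutRequest>';
const SAMPLE_RESPONSE_XML =
  '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_res1" ' +
  'Version="2.0" IssueInstant="2017-09-15T11:56:01Z" InResponseTo="_req1">' +
  '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>' +
  '</samlp:Status></samlp:LogoutResponse>';
const SAMPLE_REQUEST = Buffer.from(SAMPLE_REQUEST_XML).toString('base64');
const SAMPLE_RESPONSE = Buffer.from(SAMPLE_RESPONSE_XML).toString('base64');
```

Run it against the SAMLRequest/SAMLResponse values copied out of SAML Tracer: an empty findings list for the SP-to-Keycloak leg but "no LogoutResponse observed" for the Keycloak-to-IdP leg points at the upstream IdP; the reverse points at Keycloak.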
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 15 Sep 2017 15:06:54 +0200
Subject: [keycloak-user] Keycloak as an Identity Broker Encrypting SAML Assertions
In-Reply-To: <1181929836.693960.1505248448687@mail.yahoo.com>
References: <1181929836.693960.1505248448687.ref@mail.yahoo.com> <1181929836.693960.1505248448687@mail.yahoo.com>
Message-ID:

This issue [1] should be fixed in 3.3.0.

[1] https://issues.jboss.org/browse/KEYCLOAK-4775

On Tue, Sep 12, 2017 at 10:34 PM, Jason Spittel wrote:
> Hello,
> I'm trying to integrate with InCommon federation, using Keycloak as an Identity Broker.
> Workflow is JEE app <--> Keycloak Broker <--> InCommon IdP.
> The problem is that InCommon requires SAML Assertion Encrypting. As far as I can see, in the Keycloak IdP setup, I can only set the signing for document.
> Looking at this SPSSODescriptor from Keycloak:
>
> ASDFASDFASDF qwerqwerqwer
> ........
>
> The KeyDescriptor is not for 'signing' and not for 'encrypting'. How do I set that flag?
> Thanks,
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From pkboucher801 at gmail.com Fri Sep 15 10:18:43 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Fri, 15 Sep 2017 10:18:43 -0400
Subject: [keycloak-user] Detect existing IdP session
In-Reply-To:
References:
Message-ID: <001101d32e2d$89663820$9c32a860$@gmail.com>

You could write intelligence into the login page that looks at things like existing sessions and who the referrer was, and decides to silently act as if the user clicked on the corresponding brokered IdP button on the login page, and do this without displaying anything on the page. This way, the login page will only actually display if it can't figure out to which brokered IdP to send the user.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Wednesday, August 30, 2017 2:35 AM
To: Adam Keily
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Detect existing IdP session

We don't support this at the moment, but it could possibly be added, at least for OIDC. OIDC has prompt=none, which allows checking if a user is authenticated without displaying the login form if they are not. Would need to be a community contribution though if you expect it to be added anytime soon.

On 30 August 2017 at 03:17, Adam Keily wrote:
> Hi,
>
> Forgive me if this is a dumb question. I'm just wondering if it's possible for keycloak to detect that a user has already authenticated to a configured IDP before being presented the login page. E.g.
>
> We have multiple IDP's configured in Keycloak. Facebook, Google, corporate ADFS. If they have an existing session, can that be detected e.g.
>
> 1. User is already authenticated to ADFS
> 2. They attempt to access a KC protected application.
> 3. Instead of having to click the IDP link on the KC login screen to be redirected to ADFS and back again, they are instead just authenticated using their existing ADFS session.
>
> I know about kc_idp_hint and default IdP but this is more a case where a user might be already authenticated to one of multiple IDP's. Something like "Detected ADFS session. Continue as ADFS userA?". I guess if you've authed to more than one IDP it could be a problem.
>
> Thanks
> Adam
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From pieter at thehyve.nl Fri Sep 15 10:54:16 2017
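The prompt=none check Stian refers to in the "Detect existing IdP session" thread above, written out from the relying party's side as an added example (not code from the thread or from Keycloak). It covers only the leg Keycloak itself answers, i.e. whether the browser already holds a Keycloak SSO session; as Stian says, Keycloak does not forward such a check to a brokered IdP, and the kc_idp_hint option included here only selects which broker an interactive login would go to, as Adam describes. Endpoint, client_id and redirect URI values are placeholders. The useful detail is on the callback side: the state is verified before anything else, and the four error codes OIDC Core allows for a UI-free request are mapped to "no session" rather than treated as failures.

```javascript
// Added example, not from the thread: an RP asking the OP "is this browser
// already logged in?" with prompt=none, and interpreting the answer.

// Error codes an OP may return to prompt=none (OIDC Core 3.1.2.6). Each means
// "cannot answer without user interaction", which for us is "not logged in".
const NO_SESSION_ERRORS = new Set([
  'login_required',
  'interaction_required',
  'consent_required',
  'account_selection_required',
]);

// Build the silent authorization request. state and nonce must come from a
// CSPRNG and be stored before the redirect; classifySilentCallback() rejects
// any response whose state we did not issue.
function buildSilentAuthRequest(opts) {
  for (const key of ['authorizationEndpoint', 'clientId', 'redirectUri', 'state', 'nonce']) {
    if (!opts[key]) throw new Error(`missing option: ${key}`);
  }
  const url = new URL(opts.authorizationEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('client_id', opts.clientId);
  url.searchParams.set('redirect_uri', opts.redirectUri);
  url.searchParams.set('state', opts.state);
  url.searchParams.set('nonce', opts.nonce);
  url.searchParams.set('prompt', 'none');
  // Keycloak-specific: pre-select one brokered identity provider.
  if (opts.idpHint) url.searchParams.set('kc_idp_hint', opts.idpHint);
  return url.toString();
}

// Classify the redirect that arrives at redirect_uri.
//   authenticated : a code was issued; continue with the token request
//   no_session    : fall back to the interactive login page
//   error         : anything else (misconfiguration, invalid_request, ...)
function classifySilentCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback does not belong to a request we sent');
  }
  const error = params.get('error');
  if (error === null) {
    const code = params.get('code');
    if (!code) throw new Error('callback carries neither code nor error');
    return { outcome: 'authenticated', code };
  }
  if (NO_SESSION_ERRORS.has(error)) return { outcome: 'no_session', error };
  return { outcome: 'error', error, description: params.get('error_description') || '' };
}
```

Typical use: send the browser to buildSilentAuthRequest(...) in a hidden iframe or as the first hop of the login flow; on "authenticated", exchange the code and validate the ID token nonce as usual; on "no_session", render the normal login page.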
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Fri, 15 Sep 2017 16:54:16 +0200
Subject: [keycloak-user] How to customize the timeout page?
Message-ID:

In Keycloak there is a nice option to set a custom "Theme" for the login page. But is there also a way to customize the timeout page? Or to let the timeout page redirect automatically to the login page?

Thanks,

Pieter

www.thehyve.nl
E pieter at thehyve.nl
T +31(0)30 700 9713
M +31(0)6 28 18 9540
Skype pieter.lukasse

We empower scientists by building on open source software

From pkboucher801 at gmail.com Fri Sep 15 14:11:52 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Fri, 15 Sep 2017 14:11:52 -0400
Subject: [keycloak-user] SSO session timeout with OIDC client and SAML client?
Message-ID: <002701d32e4e$1bc294a0$5347bde0$@gmail.com>

We have a realm with two clients, one is a Java web app with OIDC, and the other is a 3rd-party app with SAML.

If a user navigates to the SAML app and works there for 30 minutes or more (our realm's "SSO Session Idle" setting), then they get logged out of the OIDC app (we think because once you get in and start using the SAML app, no more authentications are requested and no refresh token requests are made).

Has anyone seen this? Is our theory correct? Do you know of a fix or workaround?

Thanks!

Regards,
Peter Boucher

From glavoie at gmail.com Fri Sep 15 14:17:23 2017
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Fri, 15 Sep 2017 14:17:23 -0400
Subject: [keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header
Message-ID:

Hi,
we have one use case where we want to use an access_token URL parameter rather than the Authorization: Bearer header, to allow SSO from a mobile app to Safari.

In KeycloakAuthenticationProcessingFilter.java (https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java), the authentication flow is different when using the query param vs the Authorization header. Any reason for this?

- Header: Upon successful authentication, the filter chain is processed to the requested page.
- Query param: Upon successful authentication, the default success handler is called and the user is redirected to a target page (/ by default) (first condition of KeycloakAuthenticationProcessingFilter.successfulAuthentication()):

    if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
        super.successfulAuthentication(request, response, chain, authResult);
        return;
    }

Thanks,

Gabriel
--
Gabriel Lavoie
glavoie at gmail.com

From rationull at gmail.com Fri Sep 15 23:54:56 2017
From: rationull at gmail.com (Jonathan Little)
Date: Fri, 15 Sep 2017 20:54:56 -0700
Subject: [keycloak-user] Disabling User Account Service
Message-ID:

Is there a way to disable access to the self-service user management page (covered here: http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? We have a use case where supposedly we don't want our users to be able to modify their own username, and password resets can be handled via the Forgot Password link on the login page.

Or is there at least a way to disable username editing?

I'd think if there were it would be pretty obvious in the admin UI, but I figured I'd ask..

Thanks!

From stephen at saasindustries.com Sat Sep 16 16:47:21 2017
From: stephen at saasindustries.com (Stephen Henrie)
Date: Sat, 16 Sep 2017 13:47:21 -0700
Subject: [keycloak-user] Disabling User Account Service
In-Reply-To:
References:
Message-ID:

Have you thought about removing the account-related user permissions or disabling the account client, which allows access to the account maintenance page?

On Fri, Sep 15, 2017 at 8:54 PM, Jonathan Little wrote:
> Is there a way to disable access to the self service user management page (covered here: http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? We have a use case where supposedly we don't want our users to be able to modify their own username, and password resets can be handled via the Forgot Password link on the login page.
>
> Or is there at least a way to disable username editing?
>
> I'd think if there were it would be pretty obvious in the admin UI but I figured I'd ask..
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rationull at gmail.com Sat Sep 16 20:54:03 2017
From: rationull at gmail.com (Jonathan Little)
Date: Sat, 16 Sep 2017 17:54:03 -0700
Subject: [keycloak-user] Disabling User Account Service
In-Reply-To:
References:
Message-ID:

No, I didn't realize that access was controlled by a dedicated client. I will look into that -- thanks!

On Sat, Sep 16, 2017 at 1:47 PM, Stephen Henrie wrote:
> Have you thought about removing the account related user permissions or disabling the account client which allow access to account maintenance page?
>
> On Fri, Sep 15, 2017 at 8:54 PM, Jonathan Little wrote:
> > Is there a way to disable access to the self service user management page (covered here: http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? We have a use case where supposedly we don't want our users to be able to modify their own username, and password resets can be handled via the Forgot Password link on the login page.
> >
> > Or is there at least a way to disable username editing?
> >
> > I'd think if there were it would be pretty obvious in the admin UI but I figured I'd ask..
> >
> > Thanks!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From llivezking at gmail.com Sun Sep 17 23:26:52 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Mon, 18 Sep 2017 13:26:52 +1000
Subject: [keycloak-user] Custom Account implementation and In-App Password changes
Message-ID:

Hi, is there any API for implementing a custom version of the User Account app? We are going to create a separate User Account app for our users where they could manage their data (names, telephones etc.), passwords and company-specific settings.

Almost all per-user management except OTP could be implemented via calls to the Admin REST API, but it seems a little hacky. So are there any suggestions or experience about creating a substitute for the out-of-the-box Account app?

From jonathan at beliantech.com Mon Sep 18 06:29:49 2017
From: jonathan at beliantech.com (Jonathan Lin)
Date: Mon, 18 Sep 2017 18:29:49 +0800
Subject: [keycloak-user] Keycloak security proxy: Access token in cookie support
Message-ID: <1D1A0173-98BE-4FB7-A53F-759FABF8D6AC@beliantech.com>

Hi all,

I have two clients, one for the API server (bearer-only), and another for the front end (public), both in the same realm.

I have set up the Security Proxy that comes with Keycloak (http://www.keycloak.org/docs/3.3/server_installation/topics/proxy.html) with the following config. I am using Golang, hence am unable to use an official adapter.

    {
      "target-url": "http://localhost:9090",
      "send-access-token": false,
      "bind-address": "localhost",
      "http-port": "8080",
      "applications": [
        {
          "base-path": "/",
          "adapter-config": {
            "realm": "demo-realm",
            "resource": "api-server",
            "auth-server-url": "http://auth.server/auth",
            "ssl-required": "external",
            "enable-cors": true,
            "cors-allowed-methods": "GET,POST",
            "cors-allowed-headers": "Authorization",
            "disable-trust-manager": true,
            "bearer-only": true,
            "token-store": "cookie"
          },
          "constraints": [
            { "pattern": "/*", "authenticate": true },
            { "pattern": "/bar", "permit": true }
          ]
        }
      ]
    }

This works fine with the Authorization: Bearer header, where the token was obtained by the front end public client. But I need authentication when using or src URL attributes as well. Hence I need to be able to send the access token via cookie. Putting "token-store": "cookie" doesn't seem to do anything for me.

Any pointers?

Thanks,
Jonathan

From glavoie at gmail.com Mon Sep 18 07:45:05 2017
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Mon, 18 Sep 2017 07:45:05 -0400
Subject: [keycloak-user] Disabling User Account Service
In-Reply-To:
References:
Message-ID:

Hi Jonathan,
disabling the "account" client will do the trick.

Gabriel

2017-09-16 20:54 GMT-04:00 Jonathan Little:
> No, I didn't realize that access was controlled by a dedicated client. I will look into that -- thanks!
>
> On Sat, Sep 16, 2017 at 1:47 PM, Stephen Henrie <stephen at saasindustries.com> wrote:
> > Have you thought about removing the account related user permissions or disabling the account client which allow access to account maintenance page?
> >
> > On Fri, Sep 15, 2017 at 8:54 PM, Jonathan Little wrote:
> > > Is there a way to disable access to the self service user management page (covered here: http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? We have a use case where supposedly we don't want our users to be able to modify their own username, and password resets can be handled via the Forgot Password link on the login page.
> > >
> > > Or is there at least a way to disable username editing?
> > >
> > > I'd think if there were it would be pretty obvious in the admin UI but I figured I'd ask..
> > >
> > > Thanks!
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Gabriel Lavoie
glavoie at gmail.com

From vikrant02.work at gmail.com Mon Sep 18 08:11:10 2017
From: vikrant02.work at gmail.com (Vikrant Singh)
Date: Mon, 18 Sep 2017 17:41:10 +0530
Subject: [keycloak-user] Keycloak cross-dc standalone vs standalone-ha
In-Reply-To:
References:
Message-ID:

Hi,

We have externalized all distributed/replicated caches mentioned in standalone-ha under the keycloak cache-container to an external Infinispan which is in a local and cross-DC cluster. The externalized caches are: work, sessions, authenticationSessions, offlineSessions, loginFailures, actionTokens. Below is Keycloak's infinispan configuration section:

[The quoted infinispan subsystem XML did not survive extraction: the element tags are missing and only attribute fragments remain. What is recoverable: a cache-container with module="org.keycloak.keycloak-model-infinispan" and jndi-name="infinispan/Keycloak"; six caches, each with a remote store declared fetch-state="false" passivation="false" preload="false" purge="false" shared="true", a property whose value is true (its name is lost) and the marshaller property org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory; followed by the stock cache-containers for module="org.wildfly.clustering.server", module="org.wildfly.clustering.web.infinispan", module="org.wildfly.clustering.ejb.infinispan" and module="org.hibernate.infinispan".]

Do you see any issue with the above config for a local+cross-DC cluster?

Thanks

On Fri, Sep 15, 2017 at 5:57 PM, Hynek Mlnarik wrote:
> Putting aside cross DC, if you use default settings of caches in standalone.xml, the objects within the caches would not be shared in the cluster. That for example means that changes in realm settings would not propagate to other nodes and node states would thus become inconsistent, any node failure would lead to loss of state data stored at that node, etc.
>
> In cross DC, not all caches are shared between sites, e.g. authentication session cache is usually local to the cluster, so using cross-DC setup for "single-node clusters" you describe would not cure all potential issues coming out of not using standalone-ha profile.
>
> On Fri, Sep 15, 2017 at 12:32 PM, Vikrant Singh wrote:
> > Hi,
> >
> > Recently there was a blog on cross dc support for keycloak
> > http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
> >
> > We have done something similar to that with one difference. In our deployment we have keycloak in standalone mode rather than standalone-ha. All keycloak instances are using same db. With this setup we are successfully able to achieve HA across same dc and cross dc both.
> >
> > Is there any benefit of using standalone-ha over standalone? since all clustering requirement will be handled by external infinispan server.
> >
> > Thanks!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> --Hynek

From pieter at thehyve.nl Mon Sep 18 08:15:10 2017
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Mon, 18 Sep 2017 14:15:10 +0200
Subject: [keycloak-user] How to customize the timeout page?
In-Reply-To:
References:
Message-ID:

A hack/workaround will also do if there are no settings for this. Anyone?

www.thehyve.nl
E pieter at thehyve.nl
T +31(0)30 700 9713
M +31(0)6 28 18 9540
Skype pieter.lukasse

We empower scientists by building on open source software

2017-09-15 16:54 GMT+02:00 Pieter Lukasse:
> In keycloak there is a nice option to set a custom "Theme" for the login page. But is there also a way to customize the timeout page? Or to let the timeout page redirect automatically to the login page?
>
> Thanks,
>
> Pieter
>
> www.thehyve.nl
> E pieter at thehyve.nl
> T +31(0)30 700 9713
> M +31(0)6 28 18 9540
> Skype pieter.lukasse
>
> We empower scientists by building on open source software

From glavoie at gmail.com Mon Sep 18 08:22:02 2017
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Mon, 18 Sep 2017 08:22:02 -0400
Subject: [keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header
In-Reply-To:
References:
Message-ID:

According to the tests added in https://github.com/keycloak/keycloak/commit/159b37197335cc56fbb2097086e96fc752da9e40, when the "access_token" parameter was added, I should be able to reach a REST endpoint directly using that query parameter. That does look like a bug with the Spring Security adapter.

2017-09-15 14:17 GMT-04:00 Gabriel Lavoie:
> Hi,
> we have one use case where we want to use an access_token URL parameter rather than the Authorization: Bearer header, to allow SSO from a mobile app to Safari.
>
> KeycloakAuthenticationProcessingFilter.java (https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java), the authentication flow is different when using the query param vs the Authorization header. Any reason for this?
>
> - Header: Upon successful authentication, the filter chain is processed to the requested page.
> - Query param: Upon successful authentication, default success handler is called and user is redirected to a target page (/ by default) (first condition of KeycloakAuthenticationProcessingFilter.successfulAuthentication()):
>
>     if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
>         super.successfulAuthentication(request, response, chain, authResult);
>         return;
>     }
>
> Thanks,
>
> Gabriel
> --
> Gabriel Lavoie
> glavoie at gmail.com

--
Gabriel Lavoie
glavoie at gmail.com

From java at neposoft.com Mon Sep 18 09:17:12 2017
From: java at neposoft.com (java_os)
Date: Mon, 18 Sep 2017 09:17:12 -0400
Subject: [keycloak-user] SAML Identity broker mode bypasses any authentication after logout
In-Reply-To:
References:
Message-ID: <24297bf6f7248825ed99e16922c65243.squirrel@neposoft.com>

I saw this while brokering with ADFS - the logout request goes nowhere, and dies with an NPE in Keycloak. Seems as if the SSO cookie is still active and not invalidated on the logout request. I've asked the group but got no answer - so you need to close the browser if your flow is browser SSO. Your best path is a Jira ticket.

> Hi,
>
> I have a spring-security based application that connects to keycloak via SAML. Keycloak itself is configured to connect via SAML to another external identity provider (so Keycloak is just the identity broker in this case).
>
> When I logout from my web application by going to https:///saml/logout?local=false, a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the external IDP. There is *no* LogoutResponse. Strangely, when I try to access my web application again, I am not asked to login and can access it as if the session is still valid. No AuthnRequest is seen in this case.
>
> What could be wrong? It seems that either the web application or the Keycloak is caching the session and not invalidating it upon a LogoutRequest. Maybe someone can help shed some light on this.
>
> Thanks,
>
> Pieter
>
> We empower scientists by building on open source software
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon Sep 18 09:32:33 2017
From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Sep 2017 15:32:33 +0200 Subject: [keycloak-user] Disabling User Account Service In-Reply-To: References: Message-ID: Users are not allowed to edit the username unless that option is enabled for a realm. On 18 September 2017 at 13:45, Gabriel Lavoie wrote: > Hi Jonathan, > disabling the "account" client will do the trick. > > Gabriel > > 2017-09-16 20:54 GMT-04:00 Jonathan Little : > > > No, I didn't realize that access was controlled by a dedicated client. I > > will look into that -- thanks! > > > > On Sat, Sep 16, 2017 at 1:47 PM, Stephen Henrie < > > stephen at saasindustries.com> > > wrote: > > > > > Have you thought about removing the account related user permissions or > > > disabling the account client which allow access to account maintenance > > > page? > > > > > > > > > > > > On Fri, Sep 15, 2017 at 8:54 PM, Jonathan Little > > > wrote: > > > > > > > Is there a way to disable access to the self service user management > > page > > > > (covered here: > > > > http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? > > We > > > > have a use case where supposedly we don't want our users to be able > to > > > > modify their own username, and password resets can be handled via the > > > > Forgot Password link on the login page. > > > > > > > > Or is there at least a way to disable username editing? > > > > > > > > I'd think if there were it would be pretty obvious in the admin UI > but > > I > > > > figured I'd ask.. > > > > > > > > Thanks! 
From sblanc at redhat.com Mon Sep 18 09:50:31 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 18 Sep 2017 15:50:31 +0200
Subject: [keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header
In-Reply-To: References: Message-ID:

If you believe it's a bug, please open a detailed JIRA ticket, we will take a look at it.

On Mon, Sep 18, 2017 at 2:22 PM, Gabriel Lavoie wrote:
> According to the tests added in https://github.com/keycloak/keycloak/commit/159b37197335cc56fbb2097086e96fc752da9e40, when the "access_token" parameter was added, I should be able to reach directly a REST endpoint using that query parameter. That does look like a bug with the Spring Security adapter.
>
> 2017-09-15 14:17 GMT-04:00 Gabriel Lavoie :
>
> > Hi,
> > we have one use case where we want to use a access_token URL parameter rather than the Authorization: Bearer header, to allow SSO from a mobile app to Safari.
> >
> > KeycloakAuthenticationProcessingFilter.java (https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java), the authentication flow is different when using the query param vs the Authorization header. Any reason for this?
> >
> > - Header: Upon successful authentication, the filter chain is processed to the requested page.
> > - Query param: Upon successful authentication, default success handler is called and user is redirected to a target page (/ by default) (first condition of KeycloakAuthenticationProcessingFilter.successfulAuthentication():
> >
> >     if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
> >         super.successfulAuthentication(request, response, chain, authResult);
> >         return;
> >     }
> >
> > Thanks,
> >
> > Gabriel
> > --
> > Gabriel Lavoie
> > glavoie at gmail.com
>
> --
> Gabriel Lavoie
> glavoie at gmail.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From forums.akurathi at gmail.com Mon Sep 18 10:54:50 2017
From: forums.akurathi at gmail.com (Eswara Akurathi)
Date: Mon, 18 Sep 2017 10:54:50 -0400
Subject: [keycloak-user] OTP Policy updates not reflected at Google Authenticator
Message-ID:

Dear all,

We are running into a weird problem, i.e., updates to the OTP policy do not reflect in the Google Authenticator app. We wonder whether any special instructions are needed to get this working. A sequence of steps:

1) create realm, create user
2) enable OTP
3) login with the newly created user
4) system asks you to configure OTP
5) update OTP policy such as number of digits from 6 to 8
6) try login again
7) system asks you to enter OTP but authentication fails

We expect the system should route the user to the configure OTP page rather than prompting to enter an OTP which fails anyway.

Your response is highly appreciated !!!

Thanks in advance

Regards
Krishna Kumar Akurathi

From celso.agra at gmail.com Mon Sep 18 12:39:51 2017
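An added example, not code from the thread or from Keycloak, showing why step 7 of Eswara's sequence above fails once the policy's digit count no longer matches what the authenticator was enrolled with. It assumes the server validates a submitted code against the current policy's digit count, and uses the RFC 6238 test-vector secret and time as constructed sample input.

```python
"""Added example (not from the thread, not Keycloak code): why changing the
realm OTP policy from 6 to 8 digits after a user has enrolled makes every
login fail until the authenticator is re-provisioned.

TOTP arithmetic follows RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s step).
SAMPLE_SECRET and the time value 59 are the RFC 6238 test-vector inputs,
used here as constructed sample input only.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import quote

SAMPLE_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 secret
TIME_STEP = 30


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / TIME_STEP)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP, digits)


def verify(secret: bytes, code: str, digits: int, at: int, window: int = 1) -> bool:
    """Server-side check as a realm OTP policy applies it: the submitted
    code must have exactly `digits` characters and match one of the codes
    within +/- `window` time steps."""
    if len(code) != digits or not code.isdigit():
        return False  # a 6-digit code can never satisfy an 8-digit policy
    counter = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + skew, digits), code)
        for skew in range(-window, window + 1)
    )


def provisioning_uri(secret_b32: str, issuer: str, account: str, digits: int) -> str:
    """The otpauth:// URI behind the enrollment QR code fixes the digit
    count at enrollment time; the app never hears about a later change."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={digits}&period={TIME_STEP}")


def policy_change_outcome(secret: bytes, enrolled_digits: int,
                          policy_digits: int, at: int) -> Dict[str, object]:
    """The thread's scenario: the user enrolled under `enrolled_digits`,
    the realm policy now says `policy_digits`, the user types what the app shows."""
    submitted = totp(secret, enrolled_digits, at)
    return {
        "submitted": submitted,
        "accepted": verify(secret, submitted, policy_digits, at),
        "needs_reenrollment": enrolled_digits != policy_digits,
    }


if __name__ == "__main__":
    T = 59  # RFC 6238 test time: 94287082 with 8 digits, 287082 with 6
    print(policy_change_outcome(SAMPLE_SECRET, 6, 6, T))  # accepted
    print(policy_change_outcome(SAMPLE_SECRET, 6, 8, T))  # rejected, re-enroll needed
```

The `needs_reenrollment` flag is the condition under which a server would want to send the user back to the OTP configuration page, as the post asks for, instead of prompting for a code that cannot match.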
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 18 Sep 2017 13:39:51 -0300
Subject: [keycloak-user] How to change email and send a verification in the Keycloak Admin Client?
Message-ID:

Hi all,

I have a question about Keycloak Admin Client and email verification. I'd like to know if it would be possible to create a feature to change the email with a verification URL. So, I need to change the email, and then send a verification to complete this feature.

Does anyone know if Keycloak Admin Client has this feature?

Best Regards,
--
---
*Celso Agra*

From glavoie at gmail.com Mon Sep 18 13:19:54 2017
From: glavoie at gmail.com (Gabriel Lavoie) Date: Mon, 18 Sep 2017 13:19:54 -0400 Subject: [keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header In-Reply-To: References: Message-ID: Hi Sebastien, I will, when a PR is ready to submit. I must fix this for a new use case we have. Gabriel 2017-09-18 9:50 GMT-04:00 Sebastien Blanc : > If you believe it's a bug, please open a detailed JIRA ticket, we will > take a look at it. > > > On Mon, Sep 18, 2017 at 2:22 PM, Gabriel Lavoie wrote: > >> According to the tests added in >> https://github.com/keycloak/keycloak/commit/159b37197335cc56 >> fbb2097086e96fc752da9e40, >> when the "access_token" parameter was added, I should be able to reach >> directly a REST endpoint using that query parameter. That does look like a >> bug with the Spring Security adapter. >> >> 2017-09-15 14:17 GMT-04:00 Gabriel Lavoie : >> >> > Hi, >> > we have one use case where we want to use a access_token URL >> > parameter rather than the Authorization: Bearer header, to allow SSO >> from a >> > mobile app to Safari. >> > >> > KeycloakAuthenticationProcessingFilter.java ( >> https://github.com/keycloak/ >> > keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/ >> > spring-security/src/main/java/org/keycloak/adapters/springse >> curity/filter/ >> > KeycloakAuthenticationProcessingFilter.java), the authentication flow >> is >> > different when using the query param vs the Authorization header. Any >> > reason for this? >> > >> > - Header: Upon successful authentication, the filter chain is processed >> to >> > the requested page. >> > - Query param: Upon successful authentication, default success handler >> is >> > called and user is redirected to a target page (/ by default) (first >> > condition of KeycloakAuthenticationProcessingFilter. 
>> > successfulAuthentication():
>> >
>> >     if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
>> >         super.successfulAuthentication(request, response, chain, authResult);
>> >         return;
>> >     }
>> >
>> > Thanks,
>> >
>> > Gabriel
>> > --
>> > Gabriel Lavoie
>> > glavoie at gmail.com
>>
>> --
>> Gabriel Lavoie
>> glavoie at gmail.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Gabriel Lavoie
glavoie at gmail.com

From shimin_q at yahoo.com Mon Sep 18 14:33:36 2017
From: shimin_q at yahoo.com (shimin q)
Date: Mon, 18 Sep 2017 18:33:36 +0000 (UTC)
Subject: [keycloak-user] How to disable Tomcat JSESSIONID
References: <621322171.4355837.1505759616547.ref@mail.yahoo.com>
Message-ID: <621322171.4355837.1505759616547@mail.yahoo.com>

Hi,

I have several apps deployed in Tomcat 7, and use Keycloak to manage user login and logout of these apps. Clicking on the Logout link does not log the user out and redirect to Keycloak's login page. Then I found the JSESSIONID cookie is still present; once I deleted the JSESSIONID cookie, the logout link works as expected. So I tried to disable Tomcat's session by putting <%@ page session="false" %> in the header of my app's JSP page. Unfortunately, this still does not disable Tomcat's session.

I am wondering if anyone has a solution to this problem? I believe the presence of the Tomcat session interferes with Keycloak's SSO session, and causes the Keycloak logout link to not work. This has to be a common problem Keycloak users encounter, as Tomcat is so widely used for web apps. How does Keycloak resolve the issue when its session conflicts with the Tomcat session? Would appreciate any tips on how we should handle this!

From celso.agra at gmail.com Mon Sep 18 15:23:18 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 18 Sep 2017 16:23:18 -0300
Subject: [keycloak-user] How to implement "Forgot Password" using Keycloak Admin Client?
Message-ID:

Hi all,

I'm trying to create a feature to do the password recovery using Keycloak Admin Client. I looked for a solution in the documentation [www.keycloak.org/docs-api/2.5/rest-api/], but I did not find this specific result.

Does anyone know how to implement the "forgot password" feature using Keycloak Admin Client?

--
---
*Celso Agra*

From robert.parker at weareact.com Mon Sep 18 17:33:59 2017
From: robert.parker at weareact.com (Robert Parker)
Date: Mon, 18 Sep 2017 21:33:59 +0000
Subject: [keycloak-user] Determine users roles using the JavaScript adapter
Message-ID:

After authenticating a user using the JavaScript adapter, how can I determine what roles a user has?

Robert Parker - Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd Cardiff CF10 3DD
+44 (0) 2922 331860
robert.parker at weareact.com
www.weareACT.com
Registered in England : 04476799

From Aymeric.LAGIER at ext.imprimerienationale.fr Tue Sep 19 03:53:52 2017
From: Aymeric.LAGIER at ext.imprimerienationale.fr (LAGIER Aymeric)
Date: Tue, 19 Sep 2017 07:53:52 +0000
Subject: [keycloak-user] Extend Keycloak API
Message-ID: <1f3e1ed4a1c6469dbd1428649994743e@EXDVDRARIMP002.EQ1IMP.lan>

Hi,

I try to perform a custom user search based on custom attributes. In my example, I'm using the default storage (keycloak database) to store users.

I try to use the following example (https://github.com/keycloak/keycloak/tree/master/examples/providers/rest) and copy paste the content of the getUsers() method from org.keycloak.services.resources.admin.UsersResource

Code : https://pastebin.com/wbaEc8Pz

In my example, after deploying the new jar, I try to call the http://localhost:8080/auth/realms//hello endpoint with an authorization header containing a valid access_token. For the moment it returns a NullPointerException when trying to access the auth variable.

Am I on the right way?

Thanks in advance,

Regards
Aymeric

From pieter at thehyve.nl Tue Sep 19 06:43:20 2017
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Tue, 19 Sep 2017 12:43:20 +0200
Subject: [keycloak-user] import SAML keys via command line
Message-ID:

Hi,

I have a .jks file which I would like to import into keycloak using the command line instead of the "SAML keys" page (in SAML client config page).

I cannot find any command for this here http://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html

Is this just missing or is the documentation incomplete? Can someone help me on this one?

Thanks,

Pieter
www.thehyve.nl
E pieter at thehyve.nl
T +31(0)30 700 9713
M +31(0)6 28 18 9540
Skype pieter.lukasse

We empower scientists by building on open source software

From jonathan at beliantech.com Tue Sep 19 07:43:35 2017
From: jonathan at beliantech.com (Jonathan Lin)
Date: Tue, 19 Sep 2017 19:43:35 +0800
Subject: [keycloak-user] How to implement "Forgot Password" using Keycloak Admin Client?
Message-ID:

It's as simple as Realm Settings > Login > Forgot password

From jyoti.tech90 at gmail.com Tue Sep 19 10:19:09 2017
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Tue, 19 Sep 2017 19:49:09 +0530
Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance
In-Reply-To: References: Message-ID:

Hi,

I have tried the JDBC_PING option which Tonnis has mentioned: https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql

After that I could see node discovery is happening but the JOIN operation is getting timed out, which eventually does not form clustering between the two ECS instances. Is there any configuration I am missing here?

#Logs:-

2017-09-19 10:59:52,907 WARN [org.jgroups.protocols.UDP] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL JGRP000015: the receive buffer of socket ManagedMulticastSocketBinding was set to 25MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g. net.core.rmem_max on Linux)
2017-09-19 10:59:59,475 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 1
2017-09-19 11:00:02,490 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 2
2017-09-19 11:00:05,508 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 3
2017-09-19 11:00:08,527 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 4
2017-09-19 11:00:11,542 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 5
2017-09-19 11:00:14,558 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 6
2017-09-19 11:00:17,579 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 7
2017-09-19 11:00:20,596 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 8
2017-09-19 11:00:23,611 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 9
2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 10
2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: too many JOIN attempts (10): becoming singleton

On Thu, Sep 14, 2017 at 10:48 PM, Jyoti Kumar Singh wrote:
> Hi Tonnis,
>
> Thank you very much for sharing the valuable information. I am checking on this, hopefully I will also be able to achieve the HA.
>
> Thanks Again !
>
> On Sep 14, 2017 10:00 PM, "Tonnis Wildeboer" wrote:
>
>> Jyoti,
>>
>> I have been working on similar goal and was finally successful yesterday. We are using postgres and kubernetes.
>>
>> Here are the key sources of information that enabled me to succeed:
>>
>> The big key is here: https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql
>> Use the .xsl templates here to transform on the standalone-ha.xml and you can see what is being done.
>>
>> I suggest that you simply use JDBC_PING, since you already have a shared database.
>> I think it is instructive to understand what JDBC_PING (and JGroups in general) are doing:
>> http://jgroups.org/manual4/index.html
>> https://developer.jboss.org/wiki/JDBCPING
>>
>> You may benefit from this also, specifically, the need to bind jgroups-tcp and jgroups-tcp-fd to the proper interface. Not sure about your situation.
>>
>> --Tonnis
>>
>> ____________________
>> Tonnis Wildeboer
>> Autonomic.ai Engineering
>>
>> On 09/14/2017 03:32 AM, Jyoti Kumar Singh wrote:
>>
>>> Hi Team,
>>>
>>> I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS instances.
>>>
>>> I am running two ECS instances in a cluster setup and also I have setup Keycloak in a clustered mode. To achieve this, I am using "*/standalone/configuration/standalone-ha.xml *" file while building the docker image. Shared MySQL DB and Load Balancer setup are also in place.
>>>
>>> But when I checked Keycloak logs I am not seeing clustered nodes related information in logs. I am seeing nodes are not able to see each other. But same settings are working fine in DCOS Marathon platform.
>>>
>>> Interestingly if I run two Keycloak instances in one AWS ECS instance on different ports, I could see clustering related logs in Keycloak.
>>>
>>> Is there any standard guidelines which I can follow to achieve HA in AWS ECS instance ?? I followed the below discussion thread but it didn't help me to fix the issue.
>>>
>>> #Link: http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html
>>>
>>

--
*With Regards,
Jyoti Kumar Singh*

From jdennis at redhat.com Tue Sep 19 11:24:35 2017
From: jdennis at redhat.com (John Dennis)
Date: Tue, 19 Sep 2017 11:24:35 -0400
Subject: [keycloak-user] import SAML keys via command line
In-Reply-To: References: Message-ID:

On 09/19/2017 06:43 AM, Pieter Lukasse wrote:
> Hi,
>
> I have a .jks file which I would like to import into keycloak using the command line instead of the "SAML keys" page (in SAML client config page).
>
> I cannot find any command for this here http://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>
> Is this just missing or is the documentation incomplete? Can someone help me on this one?

You can import using the Java keytool utility, but the import format MUST be PKCS12.

Note: replace xxx, key.pem & cert.pem with appropriate values, hopefully it should be obvious which xxx matches in each command.

First create a .p12 PKCS12 file:

  % openssl pkcs12 -export -name xxx -passout pass:xxx -in cert.pem -inkey key.pem -out xxx.p12

Then import the .p12 PKCS12 file into the keystore:

  % keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 -srcstorepass xxx -destkeystore keycloak.jks -deststorepass xxx -alias xxx

--
John

From jdennis at redhat.com Tue Sep 19 13:04:47 2017
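An added example, not code from the thread: detection logic over the JGroups GMS warnings Jyoti posted above, which flags the node that exhausts its JOIN retries and "becomes singleton", the split that leaves sessions and login-failure counters on one node only. The embedded log lines are four of those from the thread; the patterns, thresholds and findings text are this example's own.

```python
"""Added example, not from the thread: parse the JGroups GMS warnings from
Jyoti's log into a cluster-health verdict, so a node that gives up joining
and runs as a singleton is caught by monitoring rather than discovered
later when a session exists on only one node.

SAMPLE_LOG repeats four lines from the thread (the other JOIN retries are
omitted); the regexes and findings wording are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the UDP buffer warning, JOIN tries 1 and 10, and the
# singleton line, copied from the thread.
SAMPLE_LOG = """\
2017-09-19 10:59:52,907 WARN [org.jgroups.protocols.UDP] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL JGRP000015: the receive buffer of socket ManagedMulticastSocketBinding was set to 25MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g. net.core.rmem_max on Linux)
2017-09-19 10:59:59,475 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 1
2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 10
2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: too many JOIN attempts (10): becoming singleton
"""

# Common prefix of the GMS warnings: timestamp, logger, then "<node>: ".
GMS_PREFIX = r"^(?P<ts>\S+ \S+) WARN \[org\.jgroups\.protocols\.pbcast\.GMS\].*?(?P<node>\S+): "
JOIN_TIMEOUT = re.compile(
    GMS_PREFIX + r"JOIN\((?P=node)\) sent to (?P<coord>\S+) timed out "
    r"\(after (?P<ms>\d+) ms\), on try (?P<attempt>\d+)$"
)
SINGLETON = re.compile(
    GMS_PREFIX + r"too many JOIN attempts \((?P<attempts>\d+)\): becoming singleton$"
)
# JGRP000015 is only logged when the UDP transport was actually started.
UDP_BUFFER = re.compile(r"WARN \[org\.jgroups\.protocols\.UDP\] .*JGRP000015")


@dataclass
class NodeJoinState:
    node: str
    coordinator: str = ""
    timeouts: List[int] = field(default_factory=list)  # "on try N" values seen
    became_singleton: bool = False
    singleton_at: str = ""


def parse_join_log(text: str) -> Dict[str, NodeJoinState]:
    """Collect JOIN timeouts and singleton transitions per joining node."""
    states: Dict[str, NodeJoinState] = {}
    for line in text.splitlines():
        m = JOIN_TIMEOUT.match(line)
        if m:
            st = states.setdefault(m["node"], NodeJoinState(m["node"]))
            st.coordinator = m["coord"]
            st.timeouts.append(int(m["attempt"]))
            continue
        m = SINGLETON.match(line)
        if m:
            st = states.setdefault(m["node"], NodeJoinState(m["node"]))
            st.became_singleton = True
            st.singleton_at = m["ts"]
    return states


def cluster_findings(text: str) -> List[str]:
    """Human-readable findings; an empty list means no join problem was seen."""
    findings: List[str] = []
    if UDP_BUFFER.search(text):
        findings.append("UDP transport started (JGRP000015 receive-buffer warning): "
                        "the UDP-related JGroups configuration is still enabled")
    for st in parse_join_log(text).values():
        if st.became_singleton:
            findings.append(
                f"{st.node} gave up joining coordinator {st.coordinator} after "
                f"{max(st.timeouts, default=0)} timed-out JOIN attempts at {st.singleton_at} "
                "and runs as a singleton: its session and loginFailures caches are not "
                "shared with the other node")
        elif st.timeouts:
            findings.append(f"{st.node}: {len(st.timeouts)} JOIN timeouts towards "
                            f"{st.coordinator}, still retrying")
    return findings


if __name__ == "__main__":
    for finding in cluster_findings(SAMPLE_LOG):
        print("-", finding)
```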
From: jdennis at redhat.com (John Dennis)
Date: Tue, 19 Sep 2017 13:04:47 -0400
Subject: [keycloak-user] import SAML keys via command line
In-Reply-To: References: Message-ID:

On 09/19/2017 11:24 AM, John Dennis wrote:
> On 09/19/2017 06:43 AM, Pieter Lukasse wrote:
>> Hi,
>>
>> I have a .jks file which I would like to import into keycloak using the command line instead of the "SAML keys" page (in SAML client config page).
>>
>> I cannot find any command for this here http://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>>
>> Is this just missing or is the documentation incomplete? Can someone help me on this one?
>
> You can import using the Java keytool utility, but the import format MUST be PKCS12.
>
> Note: replace xxx, key.pem & cert.pem with appropriate values, hopefully it should be obvious which xxx matches in each command.
>
> First create a .p12 PKCS12 file:
>
>   % openssl pkcs12 -export -name xxx -passout pass:xxx -in cert.pem -inkey key.pem -out xxx.p12
>
> Then import the .p12 PKCS12 file into the keystore:
>
>   % keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 -srcstorepass xxx -destkeystore keycloak.jks -deststorepass xxx -alias xxx

I may have misread your original question, I thought you were asking how to import a key. But if all you want to do is import the contents of another JAVA keystore then just use -importkeystore -srckeystore JKS. The keytool man page has keystore import examples, including both importing an entire keystore or just a specific key from the keystore. See the man page for details.

--
John

From betalb at gmail.com Tue Sep 19 13:59:50 2017
From: betalb at gmail.com (Виталий Ищенко)
Date: Tue, 19 Sep 2017 17:59:50 +0000
Subject: [keycloak-user] OIDC Client dynamic registration
Message-ID:

Hi

I was playing with the example from the openid-client nodejs package; it has examples with custom keys and key signing/encryption algorithms.

Some registration requests fail with an NPE exception like this:

Caused by: java.lang.NullPointerException
        at org.keycloak.util.JWKSUtils.getKeyForUse(JWKSUtils.java:49)
        at org.keycloak.services.clientregistration.oidc.DescriptionConverter.setPublicKey(DescriptionConverter.java:135)
        at org.keycloak.services.clientregistration.oidc.DescriptionConverter.toInternal(DescriptionConverter.java:102)
        at org.keycloak.services.clientregistration.oidc.OIDCClientRegistrationProvider.createOIDC(OIDCClientRegistrationProvider.java:74)

The registration request was the following:

{
  "post_logout_redirect_uris": [ "http://localhost:3000/" ],
  "redirect_uris": [ "http://localhost:3000/cb" ],
  "grant_types": [ "authorization_code" ],
  "response_types": [ "code" ],
  "userinfo_encrypted_response_alg": "ECDH-ES+A128KW",
  "jwks": {
    "keys": [
      {
        "kty": "EC",
        "kid": "pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw",
        "crv": "P-256",
        "x": "qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ",
        "y": "cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0"
      }
    ]
  }
}

I overcame this issue by patching the library and adding a use: sig attribute to the jwks key, but it seems that this attribute is not required by the spec https://tools.ietf.org/html/rfc7517#section-4.2, and even if it is required from the app perspective, the NPE should be replaced with something more meaningful.

Other issues that I've faced after bypassing the NPE -- registrations that use unsupported algorithms like the above don't fail; is that correct behaviour?

From glavoie at gmail.com Tue Sep 19 14:05:53 2017
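An added example, not part of the thread and not Keycloak's code, of how a registration endpoint could handle the request above: a key without the optional "use" member (RFC 7517 section 4.2) becomes a descriptive validation outcome instead of a NullPointerException, and a requested encryption algorithm the server cannot perform is rejected rather than silently accepted. SUPPORTED_ENC_ALGS and the selection policy are this example's own assumptions, not Keycloak's behaviour.

```python
"""Added example (not from the thread, not Keycloak code): validate an OIDC
dynamic client registration request so that a JWKS key lacking the optional
"use" member is handled with a clear error instead of a null dereference,
and unsupported algorithms are refused instead of accepted.

SAMPLE_REGISTRATION is the request body posted in the thread.
SUPPORTED_ENC_ALGS is a constructed placeholder, not Keycloak's real list.
"""
from typing import Dict, List, Optional

SAMPLE_REGISTRATION: Dict = {
    "post_logout_redirect_uris": ["http://localhost:3000/"],
    "redirect_uris": ["http://localhost:3000/cb"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "userinfo_encrypted_response_alg": "ECDH-ES+A128KW",
    "jwks": {"keys": [{
        "kty": "EC",
        "kid": "pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw",
        "crv": "P-256",
        "x": "qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ",
        "y": "cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0",
    }]},
}

# Placeholder for whatever the server can actually perform (constructed).
SUPPORTED_ENC_ALGS = {"RSA-OAEP", "RSA-OAEP-256"}
# Public-key members RFC 7518 requires for the key types this example accepts.
REQUIRED_MEMBERS = {"EC": ("crv", "x", "y"), "RSA": ("n", "e")}


class RegistrationError(ValueError):
    """Carries an RFC 7591 style error code plus a reason the client can act on."""

    def __init__(self, code: str, reason: str) -> None:
        super().__init__(f"{code}: {reason}")
        self.code, self.reason = code, reason


def select_key(jwks: Dict, use: str) -> Dict:
    """Pick the key for `use` ("sig" or "enc").

    Policy of this example: a key whose "use" matches wins; otherwise a
    single key carrying neither "use" nor "key_ops" is accepted as
    unrestricted (both members are optional in RFC 7517); anything else is
    rejected with a message that names the problem."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        raise RegistrationError("invalid_client_metadata", "jwks.keys must be a non-empty array")
    for key in keys:
        kty = key.get("kty")
        if kty not in REQUIRED_MEMBERS:
            raise RegistrationError("invalid_client_metadata", f"unsupported or missing kty {kty!r}")
        missing = [m for m in REQUIRED_MEMBERS[kty] if m not in key]
        if missing:
            raise RegistrationError("invalid_client_metadata", f"{kty} key is missing {missing}")
    explicit = [k for k in keys if k.get("use") == use]
    if explicit:
        return explicit[0]
    unrestricted = [k for k in keys if "use" not in k and "key_ops" not in k]
    if len(unrestricted) == 1:
        return unrestricted[0]
    raise RegistrationError(
        "invalid_client_metadata",
        f"no key with use={use!r} and {len(unrestricted)} unrestricted keys: cannot choose one",
    )


def validate_registration(request: Dict) -> Dict:
    """Return {"kid": selected signing kid or None, "problems": [...]};
    an empty problems list means the request would be accepted."""
    problems: List[str] = []
    kid: Optional[str] = None
    if "jwks" in request and "jwks_uri" in request:
        problems.append("jwks and jwks_uri must not be used together")
    if "jwks" in request:
        try:
            kid = select_key(request["jwks"], "sig").get("kid")
        except RegistrationError as exc:
            problems.append(exc.reason)
    for member in ("userinfo_encrypted_response_alg", "id_token_encrypted_response_alg"):
        alg = request.get(member)
        if alg is not None and alg not in SUPPORTED_ENC_ALGS:
            problems.append(f"{member}={alg} is not supported")  # refuse, do not silently accept
    return {"kid": kid, "problems": problems}


if __name__ == "__main__":
    print(validate_registration(SAMPLE_REGISTRATION))
```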
From: glavoie at gmail.com (Gabriel Lavoie) Date: Tue, 19 Sep 2017 14:05:53 -0400 Subject: [keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header In-Reply-To: References: Message-ID: https://issues.jboss.org/browse/KEYCLOAK-5499 and https://github.com/keycloak/keycloak/pull/4488 submitted. Gabriel 2017-09-18 13:19 GMT-04:00 Gabriel Lavoie : > Hi Sebastien, > I will, when a PR is ready to submit. I must fix this for a new use > case we have. > > Gabriel > > 2017-09-18 9:50 GMT-04:00 Sebastien Blanc : > >> If you believe it's a bug, please open a detailed JIRA ticket, we will >> take a look at it. >> >> >> On Mon, Sep 18, 2017 at 2:22 PM, Gabriel Lavoie >> wrote: >> >>> According to the tests added in >>> https://github.com/keycloak/keycloak/commit/159b37197335cc56 >>> fbb2097086e96fc752da9e40, >>> when the "access_token" parameter was added, I should be able to reach >>> directly a REST endpoint using that query parameter. That does look like >>> a >>> bug with the Spring Security adapter. >>> >>> 2017-09-15 14:17 GMT-04:00 Gabriel Lavoie : >>> >>> > Hi, >>> > we have one use case where we want to use a access_token URL >>> > parameter rather than the Authorization: Bearer header, to allow SSO >>> from a >>> > mobile app to Safari. >>> > >>> > KeycloakAuthenticationProcessingFilter.java ( >>> https://github.com/keycloak/ >>> > keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/ >>> > spring-security/src/main/java/org/keycloak/adapters/springse >>> curity/filter/ >>> > KeycloakAuthenticationProcessingFilter.java), the authentication flow >>> is >>> > different when using the query param vs the Authorization header. Any >>> > reason for this? >>> > >>> > - Header: Upon successful authentication, the filter chain is >>> processed to >>> > the requested page. 
>>> > - Query param: Upon successful authentication, default success handler >>> is >>> > called and user is redirected to a target page (/ by default) (first >>> > condition of KeycloakAuthenticationProcessingFilter. >>> > successfulAuthentication(): >>> > >>> > >>> > if (!(this.isBearerTokenRequest(request) || >>> this.isBasicAuthRequest(request))) >>> > { >>> > super.successfulAuthentication(request, response, chain, >>> authResult); >>> > return; >>> > } >>> > >>> > Thanks, >>> > >>> > Gabriel >>> > -- >>> > Gabriel Lavoie >>> > glavoie at gmail.com >>> > >>> >>> >>> >>> -- >>> Gabriel Lavoie >>> glavoie at gmail.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > Gabriel Lavoie > glavoie at gmail.com > -- Gabriel Lavoie glavoie at gmail.com From tonnis at autonomic.ai Tue Sep 19 14:28:48 2017 
From: tonnis at autonomic.ai (Tonnis Wildeboer) Date: Tue, 19 Sep 2017 11:28:48 -0700 Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance In-Reply-To: References: Message-ID: Have you disabled the UDP-related configurations? ____________________ Tonnis Wildeboer Autonomic.ai Engineering 650-204-0246 On 09/19/2017 07:19 AM, Jyoti Kumar Singh wrote: > Hi, > > I have tried the JDBC_PING option which Tonnis has mentioned :- > https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql > > > After that I could see node discovery is happening but JOIN operation > is getting timed out which eventually not forming clustering between > two ECS instances. Is there any configuration am I missing here ? > > > #Logs:- > > 2017-09-19 10:59:52,907 WARN [org.jgroups.protocols.UDP] (MSC service > thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL JGRP000015: the > receive buffer of socket ManagedMulticastSocketBinding was set to > 25MB, but the OS only allocated 212.99KB. This might lead to > performance problems. Please set your max receive buffer in the OS > correctly (e.g. 
net.core.rmem_max on Linux) > 2017-09-19 10:59:59,475 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 1 > 2017-09-19 11:00:02,490 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 2 > 2017-09-19 11:00:05,508 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 3 > 2017-09-19 11:00:08,527 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 4 > 2017-09-19 11:00:11,542 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 5 > 2017-09-19 11:00:14,558 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 6 > 2017-09-19 11:00:17,579 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 7 > 2017-09-19 11:00:20,596 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 8 > 2017-09-19 11:00:23,611 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > 
f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 9 > 2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after > 3000 ms), on try 10 > 2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL > f0be09280f90: too many JOIN attempts (10): becoming singleton > > On Thu, Sep 14, 2017 at 10:48 PM, Jyoti Kumar Singh > > wrote: > > Hi Tonnis, > > Thank you very much for sharing the valuable information. I am > checking on this, hopefully I will also be able to achieve the HA. > > Thanks Again ! > > On Sep 14, 2017 10:00 PM, "Tonnis Wildeboer" > wrote: > > Jyoti, > > I have been working on similar goal and was finally successful > yesterday. We are using postgres and kubernetes. > > Here are the key sources of information that enabled me to > succeed: > > The big key is here: > https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql > > Use the .xsl templates here to transform on the > standalone-ha.xml and you can see what is being done. > > I suggest that you simply use JDBC_PING, since you already > have a shared database. > I think it is instructive to understand what JDBC_PING (and > JGroups in general) are doing: > http://jgroups.org/manual4/index.html > > https://developer.jboss.org/wiki/JDBCPING > > > You may benefit from this also, specifically, the need to bind > jgroups-tcp and jgroups-tcp-fd to the proper interface. Not > sure about your situation. > > --Tonnis > > ____________________ > Tonnis Wildeboer > Autonomic.ai Engineering > > On 09/14/2017 03:32 AM, Jyoti Kumar Singh wrote: > > Hi Team, > > I am trying to enable high availability for Keycloak 3.1.0 > on AWS ECS > instances. 
> > I am running two ECS instances in a cluster setup and also > I have > setup Keycloak > in a clustered mode. To achieve this, I am using " > */standalone/configuration/standalone-ha.xml *" file while > building the > docker image. Shared MySQL DB and Load Balancer setup are > also in place. > > But when I checked Keycloak logs I am not seeing clustered > nodes related > information in logs. I am seeing nodes are not able to see > each other. But > same settings are working fine in DCOS Marathon platform. > > Interestingly if I run two Keycloak instances in one AWS > ECS instance on > different ports, I could see clustering related logs in > Keycloak. > > Is there any standard guidelines which I can follow to > achieve HA in AWS > ECS instance ?? I followed the below discussion thread but > it didn't help > me to fix the issue. > > #Link: > http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html > > > > > > > -- > *With Regards, > Jyoti Kumar Singh* From pinguwien at gmail.com Tue Sep 19 15:25:22 2017 From: pinguwien at gmail.com (Dominik Guhr) Date: Tue, 19 Sep 2017 21:25:22 +0200 Subject: [keycloak-user] How to set Identity Provider by Client Message-ID: <40b53184-3991-2565-07b2-68fd1139e98a@gmail.com> Hi there, maybe I am just blind, but reading the docs I see that identity providers are set on a per-realm-base. So now I'm asking myself if it is possible to use per-client-based identity providers, and if yes, how to do so. Eg. with the js adapter, Client A is being redirected to keycloaks login, and is allowed to use Google and Facebook as identity provider. But Client B only shows Twitter and/or Stackoverflow. Haven't found something about this and hope someone here could help me out! Thanks in advance, Dominik From sajid at theinnovationinc.co Wed Sep 20 01:45:01 2017 
From: sajid at theinnovationinc.co (Sajid Chauhan)
Date: Wed, 20 Sep 2017 11:15:01 +0530
Subject: [keycloak-user] REST APIs for OTP validation and realm creation
Message-ID:

Hi All,

I would appreciate if anyone would be able to help me out here...

1. Is there a REST api which validates the OTP?
2. Is there a REST api for creating a Realm?

Thanks and regards,
Sajid

From jyoti.tech90 at gmail.com Wed Sep 20 03:23:01 2017
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh) Date: Wed, 20 Sep 2017 12:53:01 +0530 Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance In-Reply-To: References: Message-ID: Hi Tonnis, No, I have not disabled the UDP-related configurations. Here is the standalone-ha.xml which I am using as part of my configurations. On Tue, Sep 19, 2017 at 11:58 PM, Tonnis Wildeboer wrote: > Have you disabled the UDP-related configurations? > > ____________________ > Tonnis Wildeboer > Autonomic.ai Engineering > 650-204-0246 > > On 09/19/2017 07:19 AM, Jyoti Kumar Singh wrote: > > Hi, > > I have tried the JDBC_PING option which Tonnis has mentioned :- > https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql > > After that I could see node discovery is happening but JOIN operation is > getting timed out, which eventually is not forming a cluster between the two ECS > instances. Is there any configuration I am missing here? > > > #Logs:- > > 2017-09-19 10:59:52,907 WARN [org.jgroups.protocols.UDP] (MSC service > thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL JGRP000015: the > receive buffer of socket ManagedMulticastSocketBinding was set to 25MB, but > the OS only allocated 212.99KB. This might lead to performance problems. > Please set your max receive buffer in the OS correctly (e.g.
> net.core.rmem_max on Linux) > 2017-09-19 10:59:59,475 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 1 > 2017-09-19 11:00:02,490 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 2 > 2017-09-19 11:00:05,508 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 3 > 2017-09-19 11:00:08,527 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 4 > 2017-09-19 11:00:11,542 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 5 > 2017-09-19 11:00:14,558 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 6 > 2017-09-19 11:00:17,579 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 7 > 2017-09-19 11:00:20,596 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 8 > 2017-09-19 11:00:23,611 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > 
JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 9 > 2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 10 > 2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC > service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: > too many JOIN attempts (10): becoming singleton > > On Thu, Sep 14, 2017 at 10:48 PM, Jyoti Kumar Singh < > jyoti.tech90 at gmail.com> wrote: > >> Hi Tonnis, >> >> Thank you very much for sharing the valuable information. I am checking >> on this, hopefully I will also be able to achieve the HA. >> >> Thanks again! >> >> On Sep 14, 2017 10:00 PM, "Tonnis Wildeboer" wrote: >> >>> Jyoti, >>> >>> I have been working on a similar goal and was finally successful >>> yesterday. We are using postgres and kubernetes. >>> >>> Here are the key sources of information that enabled me to succeed: >>> >>> The big key is here: >>> https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql >>> Use the .xsl templates here to transform the standalone-ha.xml and >>> you can see what is being done. >>> >>> I suggest that you simply use JDBC_PING, since you already have a shared >>> database. >>> I think it is instructive to understand what JDBC_PING (and JGroups in >>> general) are doing: >>> http://jgroups.org/manual4/index.html >>> https://developer.jboss.org/wiki/JDBCPING >>> >>> You may benefit from this also, specifically, the need to bind >>> jgroups-tcp and jgroups-tcp-fd to the proper interface. Not sure about your >>> situation. >>> >>> --Tonnis >>> >>> ____________________ >>> Tonnis Wildeboer >>> Autonomic.ai Engineering >>> >>> On 09/14/2017 03:32 AM, Jyoti Kumar Singh wrote: >>> >>>> Hi Team, >>>> >>>> I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS >>>> instances.
>>>> >>>> I am running two ECS instances in a cluster setup and also I have >>>> setup Keycloak >>>> in a clustered mode. To achieve this, I am using " >>>> */standalone/configuration/standalone-ha.xml *" file while building the >>>> docker image. Shared MySQL DB and Load Balancer setup are also in place. >>>> >>>> But when I checked Keycloak logs I am not seeing clustered nodes related >>>> information in logs. I am seeing nodes are not able to see each other. >>>> But >>>> same settings are working fine in DCOS Marathon platform. >>>> >>>> Interestingly if I run two Keycloak instances in one AWS ECS instance on >>>> different ports, I could see clustering related logs in Keycloak. >>>> >>>> Is there any standard guidelines which I can follow to achieve HA in AWS >>>> ECS instance ?? I followed the below discussion thread but it didn't >>>> help >>>> me to fix the issue. >>>> >>>> #Link: >>>> http://lists.jboss.org/pipermail/keycloak-user/2016-February >>>> /004940.html >>>> >>>> >>> > > > -- > > *With Regards, Jyoti Kumar Singh* > > > -- *With Regards, Jyoti Kumar Singh* From antoine.roux at esrf.fr Wed Sep 20 03:48:42 2017 
From: antoine.roux at esrf.fr (Antoine Roux) Date: Wed, 20 Sep 2017 09:48:42 +0200 Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance In-Reply-To: References: Message-ID: <7040cdb0-a3ac-b96f-2a40-001029ee122f@esrf.fr> Hi, You can drop/empty the JGROUPSPING table in your database to avoid joining the existing cluster, but it's not a reliable solution as the issue will occur again when you restart the cluster. Antoine On 20/09/2017 at 09:23, Jyoti Kumar Singh wrote: > Hi Tonnis, > > No, I have not disabled the UDP-related configurations. Here is the > standalone-ha.xml which I am using as part of my configurations. > > > On Tue, Sep 19, 2017 at 11:58 PM, Tonnis Wildeboer > wrote: > >> Have you disabled the UDP-related configurations? >> >> ____________________ >> Tonnis Wildeboer >> Autonomic.ai Engineering >> 650-204-0246 >> >> On 09/19/2017 07:19 AM, Jyoti Kumar Singh wrote: >> >> Hi, >> >> I have tried the JDBC_PING option which Tonnis has mentioned :- >> https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql >> >> After that I could see node discovery is happening but JOIN operation is >> getting timed out, which eventually is not forming a cluster between the two ECS >> instances. Is there any configuration I am missing here? >> >> >> #Logs:- >> >> 2017-09-19 10:59:52,907 WARN [org.jgroups.protocols.UDP] (MSC service >> thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL JGRP000015: the >> receive buffer of socket ManagedMulticastSocketBinding was set to 25MB, but >> the OS only allocated 212.99KB. This might lead to performance problems. >> Please set your max receive buffer in the OS correctly (e.g.
>> net.core.rmem_max on Linux) >> 2017-09-19 10:59:59,475 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 1 >> 2017-09-19 11:00:02,490 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 2 >> 2017-09-19 11:00:05,508 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 3 >> 2017-09-19 11:00:08,527 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 4 >> 2017-09-19 11:00:11,542 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 5 >> 2017-09-19 11:00:14,558 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 6 >> 2017-09-19 11:00:17,579 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 7 >> 2017-09-19 11:00:20,596 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 8 >> 2017-09-19 11:00:23,611 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 
3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 9 >> 2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 10 >> 2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC >> service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: >> too many JOIN attempts (10): becoming singleton >> >> On Thu, Sep 14, 2017 at 10:48 PM, Jyoti Kumar Singh < >> jyoti.tech90 at gmail.com> wrote: >> >>> Hi Tonnis, >>> >>> Thank you very much for sharing the valuable information. I am checking >>> on this, hopefully I will also be able to achieve the HA. >>> >>> Thanks again! >>> >>> On Sep 14, 2017 10:00 PM, "Tonnis Wildeboer" wrote: >>> >>>> Jyoti, >>>> >>>> I have been working on a similar goal and was finally successful >>>> yesterday. We are using postgres and kubernetes. >>>> >>>> Here are the key sources of information that enabled me to succeed: >>>> >>>> The big key is here: >>>> https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql >>>> Use the .xsl templates here to transform the standalone-ha.xml and >>>> you can see what is being done. >>>> >>>> I suggest that you simply use JDBC_PING, since you already have a shared >>>> database. >>>> I think it is instructive to understand what JDBC_PING (and JGroups in >>>> general) are doing: >>>> http://jgroups.org/manual4/index.html >>>> https://developer.jboss.org/wiki/JDBCPING >>>> >>>> You may benefit from this also, specifically, the need to bind >>>> jgroups-tcp and jgroups-tcp-fd to the proper interface. Not sure about your >>>> situation.
>>>> >>>> --Tonnis >>>> >>>> ____________________ >>>> Tonnis Wildeboer >>>> Autonomic.ai Engineering >>>> >>>> On 09/14/2017 03:32 AM, Jyoti Kumar Singh wrote: >>>> >>>>> Hi Team, >>>>> >>>>> I am trying to enable high availability for Keycloak 3.1.0 on AWS ECS >>>>> instances. >>>>> >>>>> I am running two ECS instances in a cluster setup and also I have >>>>> setup Keycloak >>>>> in a clustered mode. To achieve this, I am using " >>>>> */standalone/configuration/standalone-ha.xml *" file while building the >>>>> docker image. Shared MySQL DB and Load Balancer setup are also in place. >>>>> >>>>> But when I checked Keycloak logs I am not seeing clustered nodes related >>>>> information in logs. I am seeing nodes are not able to see each other. >>>>> But >>>>> same settings are working fine in DCOS Marathon platform. >>>>> >>>>> Interestingly if I run two Keycloak instances in one AWS ECS instance on >>>>> different ports, I could see clustering related logs in Keycloak. >>>>> >>>>> Is there any standard guidelines which I can follow to achieve HA in AWS >>>>> ECS instance ?? I followed the below discussion thread but it didn't >>>>> help >>>>> me to fix the issue. >>>>> >>>>> #Link: >>>>> http://lists.jboss.org/pipermail/keycloak-user/2016-February >>>>> /004940.html >>>>> >>>>> >>>> >> >> >> -- >> >> *With Regards, Jyoti Kumar Singh* >> >> >> > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Antoine Roux From K.Buler at adbglobal.com Wed Sep 20 04:10:46 2017
From: K.Buler at adbglobal.com (Karol Buler) Date: Wed, 20 Sep 2017 10:10:46 +0200 Subject: [keycloak-user] Resolution for 99% of CORS's problems Message-ID: Hi, after huge amounts of hours of investigations I found the resolution for almost all problems with CORS. I decided that maybe I am not alone with it, so here you go: 1. Go to admin console of Keycloak and set 'Web Origins' of your client to address of your application (or just * ). 2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know the name of this property in keycloak.json). 3. That's it! Only 2 steps resolve almost all my problems with CORS in our applications. Best regards, Karol adbglobal.com From adrianmatei at gmail.com Wed Sep 20 04:50:33 2017
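The two steps in Karol's post switch on the server-side origin check (Web Origins) and make the adapter answer CORS requests. The block below is an added example, not Keycloak's or the adapter's code, of the allow-list logic such a check applies: it shows why the match has to be exact on scheme, host and port, and why a `*` entry must never be combined with `Access-Control-Allow-Credentials`. The origin lists and request origins are constructed for illustration.

```python
"""Origin allow-list check of the kind an authorization server or adapter
performs against a client's configured Web Origins. Added example, not Keycloak
code: the origin lists and requests below are constructed for illustration."""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed stand-ins for a client's "Web Origins" setting.
WEB_ORIGINS_STRICT = ["https://app.example.com", "https://admin.example.com:8443"]
WEB_ORIGINS_WILDCARD = ["*"]


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port]; None if it is not one."""
    if not origin or origin == "null":  # "null" is what sandboxed frames send
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # a real Origin header never carries a path or query
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_origin: Optional[str], allowed: Iterable[str],
                 with_credentials: bool) -> Dict[str, str]:
    """Return the CORS response headers for a request, or {} to refuse it.

    Matching is exact on scheme, host and port, so https://app.example.com.evil.com
    does not match https://app.example.com. A "*" entry answers any origin, but
    never together with Access-Control-Allow-Credentials: browsers reject that
    combination, and the usual workaround of reflecting the request origin
    would hand every site credentialed access to the endpoints.
    """
    allowed = list(allowed)
    origin = normalize_origin(request_origin)
    if origin is None:
        return {}
    exact = {n for n in (normalize_origin(o) for o in allowed if o != "*") if n}
    if origin in exact:
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if with_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    if "*" in allowed and not with_credentials:
        return {"Access-Control-Allow-Origin": "*"}
    return {}
```

`Vary: Origin` is emitted whenever the allowed origin is echoed back, so a shared cache cannot serve one origin's response to another.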
From: adrianmatei at gmail.com (Adrian Matei) Date: Wed, 20 Sep 2017 10:50:33 +0200 Subject: [keycloak-user] migrate users from legacy user storage Message-ID: Hi guys, our Keycloak currently uses AD as the main user storage provider for passwords. We need to bind a legacy User Storage Provider and locally import the users in Keycloak. I have used the strategy described in the Import Implementation Strategy section, and was able to either: 1. keep the password and username in the legacy system and take care of synchronization 2. remove the federation and update the password in the Keycloak DB in the overridden *CredentialInputValidator.isValid* method with code stolen from Keycloak's own *PasswordCredentialProvider* For now I am in favour of the second option, but then it means there are still *two* user password storages (AD and Keycloak DB)... My question is whether the second approach sounds reasonable, or is there a *third* way to "migrate" the password to Active Directory when the validation is checked? Cheers, Adrian From zhiyuan.zou at nokia-sbell.com Wed Sep 20 04:52:37 2017 From: zhiyuan.zou at nokia-sbell.com (Zou, Zhiyuan (NSB - CN/Beijing)) Date: Wed, 20 Sep 2017 08:52:37 +0000 Subject: [keycloak-user] Resolution for 99% of CORS's problems In-Reply-To: References: Message-ID: <252030E40436684EA9016DAB4C9A16A01C38E7FF@cnshjmbx01> Many thanks for your info. -----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Karol Buler Sent: 2017-09-20 16:11 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Resolution for 99% of CORS's problems Hi, after huge amounts of hours of investigations I found the resolution for almost all problems with CORS. I decided that maybe I am not alone with it, so here you go: 1. Go to admin console of Keycloak and set 'Web Origins' of your client to address of your application (or just * ). 2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know the name of this property in keycloak.json). 3. That's it! Only 2 steps resolve almost all my problems with CORS in our applications. Best regards, Karol adbglobal.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From peter.stefka at orange.com Wed Sep 20 04:53:51 2017
From: peter.stefka at orange.com (STEFKA Peter OSK) Date: Wed, 20 Sep 2017 08:53:51 +0000 Subject: [keycloak-user] Keycloak client user federation management Message-ID: <36fab52059804548b5c7572952ffc465@orange.com> Hello all, We're thinking of implementing something best described as client user federation management. Our Keycloak instance is used by customers (registered + federated) as well as employees (federated). As such we got a requirement from our security guys to restrict access to certain clients to particular user federation types (user type) on Keycloak. For example, we don't want the registered users to be able to access our internal systems (clients); these should be accessible only to employees. This could be easily done on the client side, however the requirement is to have it "server" side. If possible, we'd like to have it accepted to the main branch eventually (we count on sending a pull request), so what is the preferred way of implementing this? P. Stefka From pieter at thehyve.nl Wed Sep 20 05:14:18 2017
From: pieter at thehyve.nl (Pieter Lukasse) Date: Wed, 20 Sep 2017 11:14:18 +0200 Subject: [keycloak-user] import SAML keys via command line In-Reply-To: References: Message-ID: Hi John, thanks for your replies. I might have caused some confusion by not stating the question clearly. I did have a screenshot in my initial post, but this is apparently not allowed... so I will try with words :) I am referring to the process of importing SAML keys when you are using the Administration console (from your browser). Go to the "Clients" menu item, select a SAML client, and then click on the "SAML Keys" tab. There you can import the keys. Now I am looking for a command line alternative for this, so I don't have to use the web page. Thanks, Pieter www.thehyve.nl E pieter at thehyve.nl T +31(0)30 700 9713 M +31(0)6 28 18 9540 Skype pieter.lukasse We empower scientists by building on open source software 2017-09-19 19:04 GMT+02:00 John Dennis : > On 09/19/2017 11:24 AM, John Dennis wrote: > >> On 09/19/2017 06:43 AM, Pieter Lukasse wrote: >> >>> Hi, >>> >>> I have a .jks file which I would like to import into keycloak using the >>> command line instead of the "SAML keys" page (in SAML client config >>> page). >>> >>> I cannot find any command for this here http://www.keycloak.org/ >>> docs/3.3/server_admin/topics/admin-cli.html >>> >>> Is this just missing or is the documentation incomplete? Can someone help >>> me on this one? >>> >> >> You can import using the Java keytool utility, but the import format >> MUST be PKCS12. >> >> Note: replace xxx, key.pem & cert.pem with appropriate values, hopefully >> it should be obvious which xxx matches in each command.
>> >> First create a .p12 PKCS12 file: >> >> % openssl pkcs12 -export -name xxx -passout pass:xxx -in cert.pem -inkey >> key.pem -out xxx.p12 >> >> Then import the .p12 PKCS12 file into the keystore: >> >> % keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 >> -srcstorepass xxx -destkeystore keycloak.jks -deststorepass xxx -alias xxx >> > > I may have misread your original question, I thought you were asking how > to import a key. But if all you want to do is import the contents of > another JAVA keystore then just use -importkeystore -srckeystore JKS. The > keytool man page has keystore import examples, including both importing an > entire keystore or just a specific key from the keystore. See the man page > for details. > > > -- > John > From plunkett_mcgurk at accelerite.com Wed Sep 20 05:54:52 2017
From: plunkett_mcgurk at accelerite.com (Plunkett McGurk) Date: Wed, 20 Sep 2017 09:54:52 +0000 Subject: [keycloak-user] Keycloak Policies Message-ID: Hi Guys, I have a quick question regarding the functionality available within Keycloak policies. We have a requirement where we need to track the number of calls to a particular resource. If say the number of calls exceeds 100 per day for a particular user/role then the "policy" would reject any further access to that resource for that day. Could this type of requirement be fulfilled through say either the JavaScript or Drools based policies? Many thanks Plunkett DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. From rudreshsj at gmail.com Wed Sep 20 07:31:54 2017
From: rudreshsj at gmail.com (Rudresh Shashikant) Date: Wed, 20 Sep 2017 18:31:54 +0700 Subject: [keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags Message-ID: Hi I would like to discuss 2 items when Keycloak responds with "Set-Cookie" headers: 1. "HttpOnly" flag 2. "Secure" flag 1. "HttpOnly" flag: I can see that affected cookie is: * KEYCLOAK_SESSION My understanding is (please correct me where inaccurate/wrong) that the "HttpOnly" flag is not included on purpose because the iframe in the browser that maintains the session with keycloak needs Javascript to modify the cookie and hence the "HttpOnly" flag will disallow this ability, breaking the feature as a result. Reference: The OIDC spec ( http://openid.net/specs/openid-connect-session-1_0.html) states that : *"If a cookie is used to maintain the OP browser state, the HttpOnly flag likely can't be set for this cookie because it needs to be accessed from JavaScript. Therefore, information that can be used for identifying the user should not be put into the cookie, as it could be read by unrelated JavaScript."* 2. "Secure" flag: I can see that affected cookies are: * AUTH_SESSION_ID * KC_RESTART * KEYCLOAK_IDENTITY * KEYCLOAK_SESSION I fail to understand why the "Secure" flag is not being set on all these cookies. As I understand it, "Secure" flag should be set to ensure that only the "HTTPS" version of the site can access the cookie else a "HTTP" version will also be able to access the cookie on the same domain. The NGINX proxy will have a 301 redirect for all HTTP requests so it is not a major concern but it still does not answer the question as to why the server did not set this flag on all cookies. Can it be set using NGINX ? If it is set will any keycloak feature break? Thanks. Regards, Rudy. From psilva at redhat.com Wed Sep 20 08:17:17 2017 
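Rudy's post lists which cookies lack `Secure` and explains why `HttpOnly` cannot be set on the one cookie that the session-management iframe reads. The block below is an added example, not Keycloak's or NGINX's code, of the check a practitioner would run against a login response and of the header rewrite a reverse proxy could apply to add a missing flag. The sample `Set-Cookie` headers are constructed to use the cookie names from the post; they are not captured from a server, and their values are placeholders.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags, and show the
rewrite a reverse proxy would apply to add a missing flag on the way out.
Added example, not Keycloak code; the sample headers are constructed to use
the cookie names from the message above and are not captured from a server."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample response headers as a proxy in front of the server would see them.
SAMPLE_SET_COOKIE = [
    "AUTH_SESSION_ID=1f2e3d.node1; Version=1; Path=/auth/realms/demo/; HttpOnly",
    "KC_RESTART=eyJhbGciOi.example; Version=1; Path=/auth/realms/demo/; HttpOnly",
    "KEYCLOAK_IDENTITY=eyJhbGciOi.example; Version=1; Path=/auth/realms/demo/; HttpOnly",
    "KEYCLOAK_SESSION=demo/0a1b2c/3d4e5f; Version=1; Path=/auth/realms/demo/",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).
    Flag attributes such as Secure and HttpOnly map to True, valued ones to
    their string; attribute names are case-insensitive per RFC 6265."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs: Dict[str, object] = {}
    for part in rest:
        key, has_value, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val if has_value else True
    return name, value, attrs


def audit(headers: Iterable[str], httponly_exempt: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every cookie that lacks a flag.
    Cookies listed in httponly_exempt (one that page JavaScript must read, as
    the OIDC session management spec describes) are checked for Secure only."""
    exempt = set(httponly_exempt)
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs and name not in exempt:
            missing.append("HttpOnly")
        if missing:
            findings[name] = missing
    return findings


def add_flags(header: str, flags: Iterable[str] = ("Secure",)) -> str:
    """Append the given flags the way a proxy rewrite would, without duplicates.
    This only stops the browser from sending the cookie over plain HTTP; it is
    a stop-gap, not a substitute for the server setting the flag itself."""
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    for flag in flags:
        if flag.lower() not in attrs:
            out += "; " + flag
    return out
```

Run `audit` over the headers of a real login response before and after any proxy change: if the exempt list has to grow beyond the one cookie the spec names, something other than session management is reading cookies from script.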
From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 20 Sep 2017 09:17:17 -0300 Subject: [keycloak-user] Keycloak Policies In-Reply-To: References: Message-ID: It can't. You would need some kind of storage to keep state across authorization requests. Policy providers are all stateless. On Wed, Sep 20, 2017 at 6:54 AM, Plunkett McGurk < plunkett_mcgurk at accelerite.com> wrote: > Hi Guys, > > I have a quick question regarding the functionality available within > Keycloak policies. > > We have a requirement where we need to track the number of calls to a > particular resource. If say the number of calls exceeds 100 per day for a > particular user/role then the "policy" would reject any further access to > that resource for that day. > > Could this type of requirement be fulfilled through say either the > JavaScript or Drools based policies? > > Many thanks > Plunkett > > DISCLAIMER > ========== > This e-mail may contain privileged and confidential information which is > the property of Accelerite, a Persistent Systems business. It is intended > only for the use of the individual or entity to which it is addressed. If > you are not the intended recipient, you are not authorized to read, retain, > copy, print, distribute or use this message. If you have received this > communication in error, please notify the sender and delete all copies of > this message. Accelerite, a Persistent Systems business does not accept any > liability for virus infected mails. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jdennis at redhat.com Wed Sep 20 09:34:48 2017
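Pedro's answer is that a stateless policy evaluation cannot count calls by itself; the count has to live in storage the evaluation consults. The block below is an added example, not Keycloak's code, of that external state: a per-user, per-resource daily counter kept in a database, with the check and the increment in one transaction so that concurrent evaluations cannot both admit the call that crosses the limit. SQLite, the subjects, the resource and the limit are all constructed stand-ins for whatever shared store a real policy provider would reach.

```python
"""Per-user daily call counter kept in a database: the external state a
stateless policy evaluation has to consult to enforce "at most N calls per
day". Added example, not Keycloak code; the subjects, resource and limit
below are constructed, and SQLite stands in for whatever shared store the
policy provider would reach."""
import sqlite3
from datetime import datetime, timezone


class DailyQuota:
    """Counts calls per (subject, resource, UTC day) and refuses past a limit."""

    def __init__(self, conn: sqlite3.Connection, limit: int):
        self.conn = conn
        self.limit = limit
        conn.execute(
            "CREATE TABLE IF NOT EXISTS quota ("
            " subject TEXT NOT NULL, resource TEXT NOT NULL, day TEXT NOT NULL,"
            " calls INTEGER NOT NULL DEFAULT 0,"
            " PRIMARY KEY (subject, resource, day))")

    @staticmethod
    def _day(now: datetime) -> str:
        # Bucket on UTC so that nodes in different time zones agree on "today".
        return now.astimezone(timezone.utc).strftime("%Y-%m-%d")

    def consume(self, subject: str, resource: str, now: datetime) -> bool:
        """Record one call and return True if it is within today's limit.
        Check and increment run in one transaction, so two concurrent
        evaluations cannot both read 99 and both admit a call when the limit
        is 100. Refused calls are not counted, so the stored figure stays a
        usage count rather than an attempt count."""
        day = self._day(now)
        with self.conn:  # commits on success, rolls back on an exception
            self.conn.execute(
                "INSERT OR IGNORE INTO quota(subject, resource, day, calls) VALUES (?, ?, ?, 0)",
                (subject, resource, day))
            (calls,) = self.conn.execute(
                "SELECT calls FROM quota WHERE subject = ? AND resource = ? AND day = ?",
                (subject, resource, day)).fetchone()
            if calls >= self.limit:
                return False
            self.conn.execute(
                "UPDATE quota SET calls = calls + 1 WHERE subject = ? AND resource = ? AND day = ?",
                (subject, resource, day))
        return True

    def used(self, subject: str, resource: str, now: datetime) -> int:
        """Calls already counted for the subject and resource today."""
        row = self.conn.execute(
            "SELECT calls FROM quota WHERE subject = ? AND resource = ? AND day = ?",
            (subject, resource, self._day(now))).fetchone()
        return row[0] if row else 0


def demo() -> dict:
    """Drive the counter with a constructed limit of 3 and return the decisions."""
    quota = DailyQuota(sqlite3.connect(":memory:"), limit=3)
    day1 = datetime(2017, 9, 20, 23, 30, tzinfo=timezone.utc)
    day2 = datetime(2017, 9, 21, 0, 5, tzinfo=timezone.utc)
    return {
        "alice_day1": [quota.consume("alice", "/reports", day1) for _ in range(5)],
        "alice_used_day1": quota.used("alice", "/reports", day1),
        "alice_day2": quota.consume("alice", "/reports", day2),
        "bob_day1": quota.consume("bob", "/reports", day1),
    }


if __name__ == "__main__":
    print(demo())
```

A policy script would call something like `consume(subject, resource, now)` and deny on `False`; the store is the part that must be shared by every node that evaluates the policy.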
From: jdennis at redhat.com (John Dennis) Date: Wed, 20 Sep 2017 09:34:48 -0400 Subject: [keycloak-user] import SAML keys via command line In-Reply-To: References: Message-ID: On 09/20/2017 05:14 AM, Pieter Lukasse wrote: > Hi John, > > thanks for your replies. I might have caused some confusion by not > stating the question clearly. I did have a screenshot in my initial > post, but this is apparently not allowed... so I will try with words :) > > I am referring to the process of importing SAML keys when you are using > the Administration console (from your browser). Go to the "Clients" menu > item, select a SAML client, and then click on the "SAML Keys" tab. There you > can import the keys. Now I am looking for a command line alternative for > this, so I don't have to use the web page. O.K., keys used for SAML SP signing and encryption are a different story. I can't tell you how Keycloak stores these internally, nor should you be dependent on whatever the current implementation is. You mentioned a JAVA keystore, but that's just one possibility, plus you would have to know how Keycloak manages the key names (including key rotation). You should stick to using Keycloak's defined interfaces. The standard way SAML SP keys are imported to an IdP is by loading the SP's metadata which contains the key(s). You can do this either with the Web UI, the client registration protocol, or with the REST API. The latter two can be done from the command line if you have the proper tooling to communicate with the Keycloak endpoints. I've written code that does exactly this. Or you can use the REST API to update the client representation directly in lieu of using metadata. The Keycloak team has done some work on providing a command line administration tool but I'm not sure of the status of that effort. But one question I'm left with is why you're changing an SP's keys so often that this is actually a burden. (Or similarly why you're not using metadata).
-- John From rationull at gmail.com Wed Sep 20 12:05:37 2017 
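John's answer recommends taking the SP's certificate from its metadata and pushing it through Keycloak's defined interfaces rather than touching whatever keystore the server happens to use. The block below is an added example, not Keycloak's code and not John's, of doing that against the admin REST API: it extracts the signing certificate from SP metadata, prints its fingerprint for out-of-band comparison, and updates the client representation without dropping the client's other attributes. Assumed rather than taken from the page: the attribute name `saml.signing.certificate`, the `admin-cli` password grant for the admin token, and the server URL, realm, client id and credentials in `main()`; check each against your Keycloak version (exporting a client that already has a certificate shows the attribute name it uses). The sample metadata and certificate bytes are constructed placeholders.

```python
"""Import an SP's SAML signing certificate into a Keycloak SAML client through
the admin REST API, taking the certificate from the SP's own metadata. Added
example, not Keycloak project code. Assumed, not taken from the page: the
client attribute name saml.signing.certificate, the admin-cli password grant
for the admin token, and the server URL, realm, client id and credentials in
main(); check all of them against your Keycloak version before use."""
import base64
import hashlib
import json
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIGNING_CERT_ATTR = "saml.signing.certificate"  # assumed attribute name, verify for your version

# Constructed sample SP metadata; the certificate bytes are a placeholder, not a real key.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAVmgAwIB
        AgIJAKd3fQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def cert_from_metadata(metadata_xml: str, use: str = "signing") -> Optional[str]:
    """Return the base64 DER of the first KeyDescriptor usable for `use`.
    A KeyDescriptor without a use attribute applies to both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, use):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return re.sub(r"\s+", "", cert.text)
    return None


def pem_to_b64(pem: str) -> str:
    """Strip PEM armour and whitespace; the client representation stores bare base64."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return re.sub(r"\s+", "", body)


def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER certificate, for out-of-band comparison with the SP owner."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def with_signing_certificate(client_rep: dict, cert_b64: str) -> dict:
    """Copy of the client representation with the signing certificate set;
    every other attribute is preserved so a PUT does not silently drop settings."""
    updated = dict(client_rep)
    updated["attributes"] = dict(client_rep.get("attributes") or {})
    updated["attributes"][SIGNING_CERT_ATTR] = cert_b64
    return updated


def _call(method: str, url: str, body=None, token: Optional[str] = None, form: bool = False):
    """Minimal JSON/form HTTP helper around urllib; returns the decoded body or None."""
    if form:
        data = urllib.parse.urlencode(body).encode()
    else:
        data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded" if form else "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def main(base="https://sso.example.com/auth", realm="demo", client_id="sp-example",
         admin_user="admin", admin_password="change-me"):
    """Assumed endpoints: admin-cli password grant, then GET/PUT on the clients resource."""
    token = _call("POST", f"{base}/realms/master/protocol/openid-connect/token",
                  {"grant_type": "password", "client_id": "admin-cli",
                   "username": admin_user, "password": admin_password}, form=True)["access_token"]
    cert = cert_from_metadata(SAMPLE_SP_METADATA)
    print("importing certificate with SHA-256", fingerprint(cert))
    (client,) = _call("GET", f"{base}/admin/realms/{realm}/clients?clientId={urllib.parse.quote(client_id)}",
                      token=token)
    _call("PUT", f"{base}/admin/realms/{realm}/clients/{client['id']}",
          with_signing_certificate(client, cert), token=token)


if __name__ == "__main__":
    main()
```

Compare the printed fingerprint with the one the SP operator gives you before running the PUT; a metadata document fetched over the network is only as trustworthy as the channel it came over.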
From: rationull at gmail.com (Jonathan Little) Date: Wed, 20 Sep 2017 09:05:37 -0700 Subject: [keycloak-user] Disabling User Account Service In-Reply-To: References: Message-ID: When I disable the admin client, the same process I outlined above results in a NullPointerException within Keycloak and reporting an Internal Server Error to the user. Removing the manage-account client specific role from the users still shows an error in this case but at least displays better and doesn't result in an internal error. So removing the role is the better solution. On Mon, Sep 18, 2017 at 6:32 AM, Stian Thorgersen wrote: > Users are not allowed to edit the username unless that option is enabled > for a realm. > > On 18 September 2017 at 13:45, Gabriel Lavoie wrote: > >> Hi Jonathan, >> disabling the "account" client will do the trick. >> >> Gabriel >> >> 2017-09-16 20:54 GMT-04:00 Jonathan Little : >> >> > No, I didn't realize that access was controlled by a dedicated client. I >> > will look into that -- thanks! >> > >> > On Sat, Sep 16, 2017 at 1:47 PM, Stephen Henrie < >> > stephen at saasindustries.com> >> > wrote: >> > >> > > Have you thought about removing the account related user permissions >> or >> > > disabling the account client which allow access to account maintenance >> > > page? >> > > >> > > >> > > >> > > On Fri, Sep 15, 2017 at 8:54 PM, Jonathan Little > > >> > > wrote: >> > > >> > > > Is there a way to disable access to the self service user management >> > page >> > > > (covered here: >> > > > http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? >> > We >> > > > have a use case where supposedly we don't want our users to be able >> to >> > > > modify their own username, and password resets can be handled via >> the >> > > > Forgot Password link on the login page. >> > > > >> > > > Or is there at least a way to disable username editing? 
>> > > > >> > > > I'd think if there were it would be pretty obvious in the admin UI >> but >> > I >> > > > figured I'd ask.. >> > > > >> > > > Thanks! >> > > > _______________________________________________ >> > > > keycloak-user mailing list >> > > > keycloak-user at lists.jboss.org >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> >> >> -- >> Gabriel Lavoie >> glavoie at gmail.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From stephen at saasindustries.com Wed Sep 20 12:21:25 2017 
From: stephen at saasindustries.com (Stephen Henrie) Date: Wed, 20 Sep 2017 09:21:25 -0700 Subject: [keycloak-user] Keycloak Policies In-Reply-To: References: Message-ID: Have you looked at Redhat's Apiman? It is designed to apply resource-based policies in real-time. On Wed, Sep 20, 2017 at 2:54 AM, Plunkett McGurk < plunkett_mcgurk at accelerite.com> wrote: > Hi Guys, > > I have a quick question regarding the functionality available within > Keycloak policies. > > We have a requirement where we need to track the number of calls to a > particular resource. If say the number of calls exceeds 100 per day for a > particular user/role then the "policy" would reject any further access to > that resource for that day. > > Could this type of requirement be fulfilled through say either the > JavaScript or Drools based policies? > > Many thanks > Plunkett > > DISCLAIMER > ========== > This e-mail may contain privileged and confidential information which is > the property of Accelerite, a Persistent Systems business. It is intended > only for the use of the individual or entity to which it is addressed. If > you are not the intended recipient, you are not authorized to read, retain, > copy, print, distribute or use this message. If you have received this > communication in error, please notify the sender and delete all copies of > this message. Accelerite, a Persistent Systems business does not accept any > liability for virus infected mails. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Christian.Kayssner at muthpartners.de Wed Sep 20 13:05:45 2017
From: Christian.Kayssner at muthpartners.de (Christian Kayssner)
Date: Wed, 20 Sep 2017 17:05:45 +0000
Subject: [keycloak-user] Receive "NoClassDefFoundError" during *deployment* not at _runtime_ with/by java class derivation.
Message-ID:

Hello,

I would like to extend the keycloak core class 'org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory'. The idea was to get an additional field in the first form.

For the first tests, I changed the shipped providers/authentication example. The derived factory class got the name 'org.example.derivations.MyUsernamePasswordFormFactory'. I checked the Java visibilities (nothing protected, private or final). The core class resides in the artifactId 'keycloak-services', and the pom file has a direct dependency entry. Eclipse (the maven plugin) is satisfied. But if I deploy the example, I get a 'NoClassDefFoundError' exception.

The base is the 'https://downloads.jboss.org/keycloak/3.2.1.Final/keycloak-demo-3.2.1.Final.tar.gz' archive.

To follow along, you can either:

a) view my coloured logfile (cat ./keycloak-demo-3.2.1.Final.log) from the attachment, or (to see for yourself)

b) you need:
   1. a current Linux system with network name resolution, *working* maven and _without_ a running keycloak/wildfly service,
   2. a directory of your own choice to hold all necessary files (about 410MB of space),
   3. the above mentioned keycloak archive,
   4. and the unpacked attachment.

Then you have to open two terminals, go in both to your chosen directory, and:

* start in the first terminal the preparing/patching step:

    ./01.patch.it

  This bash script
    o removes the (last) ruins (for the second and further run(s)),
    o provides the original keycloak environment,
    o does the necessary patches,
    o and starts the standalone keycloak service.

* When the keycloak service has started, start in the second terminal the deployment:

    ./02.deploy.it

  This bash script
    o moves to the chosen example,
    o and starts the maven deploy.
At this point you can see how the deployment fails!

Does anyone have an idea why the *deployment* fails? Have I missed something? Or is a derivation, per se, not desired??

Best regards.
Christian Kayssner

--
G. Muth Partners GmbH
Borsigstraße 32
D - 65205 Wiesbaden
HRB 10196 Wiesbaden District Court
Managing Directors: Klaus Gockel / Oliver M?chold
Tel. : +49(0)6122/5981-0
FAX. : +49(0)6122/5981-50
eMail: christian.kayssner at muthpartners.de
www : www.muthpartners.de

From robert.parker at weareact.com Wed Sep 20 15:39:24 2017
From: robert.parker at weareact.com (Robert Parker)
Date: Wed, 20 Sep 2017 19:39:24 +0000
Subject: [keycloak-user] Ability to update a user's profile
Message-ID:

I am making use of the JavaScript adapter to retrieve a logged-in user's profile. Is there any way to programmatically update the values of a user's profile?

I know there is an account management area the user can be redirected to, but how about being able to set it whilst still in the main client side application?

I have an operation the user can perform whilst logged into our application that could do with updating a custom attribute on the user's account in keycloak. Right now it's being persisted in local storage in the browser; it would be great if I could persist it against the keycloak user record.

Thanks

From robert.parker at weareact.com Thu Sep 21 02:55:39 2017
From: robert.parker at weareact.com (Robert Parker)
Date: Thu, 21 Sep 2017 06:55:39 +0000
Subject: [keycloak-user] Differences between userinfo and user profile
Message-ID:

Hi,

I see I can retrieve a user's profile, but what is the difference when getting the userinfo record? Does the user profile return all properties associated with a user no matter whether you have disabled the "include in user info" flag on the mappers for that field in the client settings in keycloak?

I'm trying to figure out what I can control being returned in the user profile vs the userinfo object.

Thanks

Robert Parker - Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd Cardiff CF10 3DD
+44 (0) 2922 331860
robert.parker at weareact.com
www.weareACT.com
Registered in England : 04476799

From Christian.Kayssner at muthpartners.de Thu Sep 21 03:58:59 2017
From: Christian.Kayssner at muthpartners.de (Christian Kayssner)
Date: Thu, 21 Sep 2017 07:58:59 +0000
Subject: [keycloak-user] Receive "NoClassDefFoundError" during *deployment* not at _runtime_ with/by java class derivation (Here: the unpacked attachment)
Message-ID: <34174e5f2209420d890d27d47971e704@muthpartners.de>

Hello,

> 4. and the unpacked attachment.

OK, no attachments here. Therefore inline (with a stripped log-file), in the sequence of use/generation:

<01.patch.it>
#!/bin/bash

# Object of the patch
name="keycloak-demo-3.2.1.Final"

# Remove the (last) ruins
rm -fR "${name}"

# Provide the original
tar -xzf "${name}.tar.gz"

# Patch the base
patch -p 0 < "${name}.patch"

# and run
"${name}/keycloak/bin/standalone.sh" | tee "${name}.log"

diff -Naur keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java
--- keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java 1970-01-01 00:00:00.000000000 +0000
+++ keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java 2017-09-20 11:37:09.425674263 +0000
@@ -0,0 +1,54 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.example.derivations; + +import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory; + +/** + */ +public// +class MyUsernamePasswordFormFactory// + extends UsernamePasswordFormFactory// +{ + public// + static// + final// + String PROVIDER_ID = "my-auth-username-password-form"; + + /** + * {@inheritDoc} + */ + @Override + public// + String getId()// + { + return MyUsernamePasswordFormFactory.PROVIDER_ID; + } + + /** + * {@inheritDoc} + * + * @return The heading for the (browser) page to explain the necessary inputs. 
+ */ + @Override + public// + String getDisplayType()// + { + return "My Username Password Form"; + } +} diff -Naur keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory --- keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory 2017-07-21 11:31:26.000000000 +0000 +++ keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory 2017-09-20 11:43:31.354018042 +0000 @@ -15,4 +15,5 @@ # limitations under the License. # -org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory \ No newline at end of file +org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory +org.example.derivations.MyUsernamePasswordFormFactory \ No newline at end of file diff -Naur keycloak-demo-3.2.1.Final/keycloak/modules/layers.conf keycloak-demo-3.2.1.Final-modified/keycloak/modules/layers.conf --- keycloak-demo-3.2.1.Final/keycloak/modules/layers.conf 1970-01-01 00:00:00.000000000 +0000 +++ keycloak-demo-3.2.1.Final-modified/keycloak/modules/layers.conf 2017-07-21 09:11:58.000000000 +0000 
@@ -0,0 +1 @@ +layers=keycloak \ No newline at end of file

<02.deploy.it>
#!/bin/bash

# Choose the patched example
cd keycloak-demo-3.2.1.Final/examples/providers/authenticator

# And generate the error
mvn clean \
    install \
    wildfly:deploy

<02.deploy.it>
17:38:42,392 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 10.0.0.Final (WildFly Core 2.0.10.Final) started in 17194ms - Started 459 of 836 services (561 services are lazy, passive or on-demand)
17:39:08,074 INFO  [org.jboss.as.repository] (management-handler-thread - 4) WFLYDR0001: Content added at location /path/to/your/own/playground/keycloak-demo-3.2.1.Final/keycloak/standalone/data/content/e4/95f32235bb131df52f479a09827186a3265788/content
17:39:08,082 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "authenticator-required-action-example.jar" (runtime-name: "authenticator-required-action-example.jar")
17:39:08,322 INFO  [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-1) Deploying Keycloak provider: authenticator-required-action-example.jar
17:39:08,335 WARN  [org.jboss.modules] (MSC service thread 1-1) Failed to define class org.example.derivations.MyUsernamePasswordFormFactory in Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
    at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
    at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
    at org.jboss.modules.Module.loadModuleClass(Module.java:605)
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:348)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
    at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:208)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:114)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

17:39:08,336 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "authenticator-required-action-example.jar"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
    at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
    at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
    at org.jboss.modules.Module.loadModuleClass(Module.java:605)
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:348)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
    at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:208)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:114)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
    ... 5 more

17:39:08,339 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "authenticator-required-action-example.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
    Caused by: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory"}}
17:39:08,341 ERROR [org.jboss.as.server] (management-handler-thread - 4) WFLYSRV0021: Deploy of deployment "authenticator-required-action-example.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
    Caused by: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory"}}
17:39:08,356 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-5) WFLYSRV0028: Stopped deployment authenticator-required-action-example.jar (runtime-name: authenticator-required-action-example.jar) in 14ms
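Review bot: The link failure in the log (java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory ... org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory) comes from the `extends UsernamePasswordFormFactory` in the first hunk: the deployment's module cannot see the superclass at the moment the class is defined, and the Maven dependency on keycloak-services mentioned in the first mail only satisfies the compiler; it adds nothing to the WildFly module graph. Either give the deployment an explicit module dependency on the module that carries keycloak-services (a META-INF/jboss-deployment-structure.xml inside the jar, naming the module as it appears under keycloak/modules, expected to be org.keycloak.keycloak-services; confirm the name there), or build the factory against the public SPI only instead of subclassing a keycloak-services class. Style point on the same hunk: the trailing `//` after `public`, `static`, `final` and on the class and method signature lines serve no purpose and should be removed.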
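Review bot: The second hunk is what makes this fail at deployment rather than at runtime, which is the question in the subject line: listing org.example.derivations.MyUsernamePasswordFormFactory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory makes DefaultProviderLoader.load instantiate it through java.util.ServiceLoader while DefaultKeycloakSessionFactory.deploy runs (see the trace), so the unlinkable superclass fails the POST_MODULE phase and the whole jar is rolled back, taking the previously working SecretQuestionAuthenticatorFactory with it. The entry itself is correct; just be aware that every class named in that file is loaded eagerly at deployment. Minor: add a newline after the last entry so future diffs do not carry the "No newline at end of file" markers.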
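Review bot: The layers.conf hunk (`+layers=keycloak`) is unrelated to the class-loading problem and does not make any module visible to a deployment; a layer entry only tells JBoss Modules where to look for modules, whereas the missing piece is a dependency from the deployment onto the module. Its timestamp (2017-07-21 09:11:58, the same date as the shipped services file) also suggests it was copied from the distribution rather than written for this change, so state in the mail whether the unpacked demo really lacks it; otherwise this hunk is noise in the patch.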
17:39:08,357 INFO  [org.jboss.as.controller] (management-handler-thread - 4) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start:      service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE

Best regards.
Christian Kayssner

--
G. Muth Partners GmbH
Borsigstraße 32
D - 65205 Wiesbaden
HRB 10196 Wiesbaden District Court
Managing Directors: Klaus Gockel / Oliver M?chold
Tel. : +49(0)6122/5981-0
FAX. : +49(0)6122/5981-50
eMail: christian.kayssner at muthpartners.de
www : www.muthpartners.de

From amaeztu at tesicnor.com Fri Sep 22 02:59:11 2017
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Fri, 22 Sep 2017 08:59:11 +0200
Subject: [keycloak-user] missing docker keycloak tags
Message-ID:

We're missing the docker tags for keycloak 2.5.6 and higher in the docker hub; it would be nice to have them added, and also the ones for the related variations (keycloak-mysql, and so on).

Thanks!

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.

From mehdi.alishahi at gmail.com Fri Sep 22 08:26:46 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Fri, 22 Sep 2017 14:26:46 +0200
Subject: [keycloak-user] nodejs kc adapter: Grant validation failed. Reason: invalid token (expired)
Message-ID:

Hi

I have implemented a specific authorization policy with the nodejs kc adapter to control access to a service.

I get a 302 http status code (that gets redirected to keycloak for the security check), but it fails due to the keycloak authorization/authentication check with keycloak. I have extended the lifespan of tokens, but no success.

Here is the browser console.

XMLHttpRequest cannot load http://aam.testest.io/auth/realms/watersense/protocol/openid-connect/auth?cl?ated%2CservicePath%2C*%26auth_callback%3D1&scope=openid&response_type=code. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
login-status-iframe.html:53 XHR finished loading: GET "http://aam.testest.io/auth/realms/watersense/protocol/openid-connect/login-s?-iframe.html/init?client_id=dashboard&origin=http%3A%2F%2Flocalhost%3A3000".

------Nodejs console------------
Validate grant failed
Grant validation failed. Reason: invalid token (expired)

-----------Code-------------
const keycloak = new Keycloak("../keycloak.json");

function servicePathProtection(accessLevel, getServicePath) {
  return keycloak.protect((token, req) => {
    const permissions = extractPermissions(req);
    const servicePath = getServicePath(req).toUpperCase();

From betalb at gmail.com Fri Sep 22 08:57:42 2017
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 22 Sep 2017 12:57:42 +0000
Subject: [keycloak-user] nodejs kc adapter: Grant validation failed. Reason: invalid token (expired)
In-Reply-To:
References:
Message-ID:

Hi

I think your issue is related to CORS; check the email with subject "Resolution for 99% of CORS's problems" in this list.

On Fri, Sep 22, 2017 at 3:51 PM Mehdi Sheikhalishahi < mehdi.alishahi at gmail.com> wrote:

> Hi
>
> I have implemented a specific authorization policy with the nodejs kc adapter to
> control access to a service.
>
> I get a 302 http status code (that gets redirected to keycloak for the security
> check), but it fails due to the keycloak authorization/authentication check
> with keycloak. I have extended the lifespan of tokens, but no success.
>
> Here is the browser console.
>
> XMLHttpRequest cannot load
> http://aam.testest.io/auth/realms/watersense/protocol/openid-connect/auth?cl
> ?ated%2CservicePath%2C*%26auth_callback%3D1&scope=openid&response_type=code.
> Response to preflight request doesn't pass access control check: No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'http://localhost:3000' is therefore not allowed access.
> login-status-iframe.html:53 XHR finished loading: GET "
> http://aam.testest.io/auth/realms/watersense/protocol/openid-connect/login-s
> ?-iframe.html/init?client_id=dashboard&origin=http%3A%2F%2Flocalhost%3A3000".
>
>
> ------Nodejs console------------
> Validate grant failed
> Grant validation failed.
> Reason: invalid token (expired)
>
> -----------Code-------------
> const keycloak = new Keycloak("../keycloak.json");
>
> function servicePathProtection(accessLevel, getServicePath) {
>   return keycloak.protect((token, req) => {
>     const permissions = extractPermissions(req);
>     const servicePath = getServicePath(req).toUpperCase();
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Fri Sep 22 09:40:07 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Sep 2017 09:40:07 -0400
Subject: [keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags
In-Reply-To:
References:
Message-ID:

The realm's SSL policy has to be set to SSL required for Secure-Only to be set. Out of the box, Keycloak does not have SSL/HTTPS set up. Wildfly recently introduced an SSL setup option that we may eventually take advantage of, but right now, Keycloak does not have SSL/HTTP enabled out of the box.

Looking at our code, the KEYCLOAK_SESSION cookie is not marked HttpOnly and is used by our iframe to detect if the user is still logged in. KEYCLOAK_IDENTITY *is* marked HttpOnly.

On Wed, Sep 20, 2017 at 7:31 AM, Rudresh Shashikant wrote:

> Hi
>
> I would like to discuss 2 items when Keycloak responds with "Set-Cookie"
> headers:
> 1. "HttpOnly" flag
> 2. "Secure" flag
>
> 1. "HttpOnly" flag:
> I can see that the affected cookie is:
> * KEYCLOAK_SESSION
>
> My understanding is (please correct me where inaccurate/wrong) that the
> "HttpOnly" flag is not included on purpose because the iframe in the
> browser that maintains the session with keycloak needs Javascript to modify
> the cookie and hence the "HttpOnly" flag will disallow this ability,
> breaking the feature as a result.
>
> Reference: The OIDC spec (
> http://openid.net/specs/openid-connect-session-1_0.html) states that :
> *"If a cookie is used to maintain the OP browser state, the HttpOnly flag
> likely can't be set for this cookie because it needs to be accessed from
> JavaScript. Therefore, information that can be used for identifying the
> user should not be put into the cookie, as it could be read by unrelated
> JavaScript."*
>
> 2. "Secure" flag:
> I can see that the affected cookies are:
> * AUTH_SESSION_ID
> * KC_RESTART
> * KEYCLOAK_IDENTITY
> * KEYCLOAK_SESSION
>
> I fail to understand why the "Secure" flag is not being set on all these
> cookies.
> As I understand it, the "Secure" flag should be set to ensure that
> only the "HTTPS" version of the site can access the cookie, else a "HTTP"
> version will also be able to access the cookie on the same domain.
>
> The NGINX proxy will have a 301 redirect for all HTTP requests so it is not
> a major concern but it still does not answer the question as to why the
> server did not set this flag on all cookies.
> Can it be set using NGINX ? If it is set will any keycloak feature break?
>
> Thanks.
>
> Regards,
> Rudy.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
Red Hat

From lfarkas at lfarkas.org Fri Sep 22 11:45:58 2017
From: lfarkas at lfarkas.org (Farkas Levente)
Date: Fri, 22 Sep 2017 17:45:58 +0200
Subject: [keycloak-user] notification about user/group events
Message-ID:

hi,
is there any way to get notification about user/group add, delete, modify events on a given keycloak server? one of our java microservices would like to receive all kinds of changes about users. what would be the easiest, preferred way to get this kind of changes?
thanks in advance.
regards.

--
Levente "Si vis pacem para bellum!"

From tonnis at autonomic.ai Fri Sep 22 13:24:50 2017
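An added example for the Set-Cookie thread above (Bill Burke's reply to Rudresh); it is not code from the thread or from Keycloak. It audits the Set-Cookie headers of a login response the way a practitioner would check a deployment: every cookie should carry Secure once the realm's SSL policy requires HTTPS, and every cookie except KEYCLOAK_SESSION, which the session iframe must read from JavaScript, should carry HttpOnly. The sample headers are constructed; only the cookie names come from the thread, the values and paths are placeholders.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Audit of the Set-Cookie headers a Keycloak login response returns.
 * Added example, not code from the thread or from Keycloak.
 */
public class KeycloakCookieAudit {

    /** Cookies the OIDC session-management iframe must read from script, so HttpOnly is not expected. */
    static final Set<String> SCRIPT_READABLE = Collections.singleton("KEYCLOAK_SESSION");

    /** Name and attribute flags parsed from one Set-Cookie header value. */
    static final class ParsedCookie {
        final String name;
        final boolean secure;
        final boolean httpOnly;

        ParsedCookie(String name, boolean secure, boolean httpOnly) {
            this.name = name;
            this.secure = secure;
            this.httpOnly = httpOnly;
        }
    }

    /** Splits "NAME=value; Path=/; Secure; HttpOnly" into its parts; attribute names are case-insensitive. */
    static ParsedCookie parse(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        String name = parts[0].split("=", 2)[0].trim();
        boolean secure = false;
        boolean httpOnly = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("secure")) {
                secure = true;
            } else if (attr.equals("httponly")) {
                httpOnly = true;
            }
        }
        return new ParsedCookie(name, secure, httpOnly);
    }

    /**
     * One finding per missing flag. An empty list means every cookie is Secure and
     * every cookie except the script-readable ones is HttpOnly.
     */
    static List<String> audit(List<String> setCookieHeaders) {
        List<String> findings = new ArrayList<>();
        for (String header : setCookieHeaders) {
            ParsedCookie c = parse(header);
            if (!c.secure) {
                findings.add(c.name + ": missing Secure (is the realm's SSL policy set to required?)");
            }
            if (!c.httpOnly && !SCRIPT_READABLE.contains(c.name)) {
                findings.add(c.name + ": missing HttpOnly");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers using the cookie names from the thread; the
        // values and paths are placeholders, not captured from a real server.
        List<String> sample = Arrays.asList(
                "AUTH_SESSION_ID=placeholder; Path=/auth/realms/example/; HttpOnly",
                "KC_RESTART=placeholder; Path=/auth/realms/example/; HttpOnly",
                "KEYCLOAK_IDENTITY=placeholder; Path=/auth/realms/example/; HttpOnly",
                "KEYCLOAK_SESSION=example/placeholder; Path=/auth/realms/example/");
        for (String finding : audit(sample)) {
            System.out.println(finding);
        }
    }
}
```

Feed it the headers a real login response returns (from the browser's network panel or a client that prints response headers). Treat a missing Secure flag as a realm configuration finding rather than something to paper over at the proxy: an HTTP-to-HTTPS redirect does not stop a browser from sending a non-Secure cookie on the first plaintext request, so the realm's SSL policy is the setting to fix.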
From: tonnis at autonomic.ai (Tonnis Wildeboer)
Date: Fri, 22 Sep 2017 10:24:50 -0700
Subject: [keycloak-user] Enabling High Availability for Keycloak 3.1.0 on AWS ECS Instance
In-Reply-To:
References:
Message-ID:

Hi Jyoti,

Sorry, I don't have time to help you debug this. But I would encourage you to examine each piece of the ha-standalone.xml that is touched by the xslt process, and also read up on the JDBC_PING and JGroups documentation. Finally, be sure you have set the JGROUPS_STACK environment variable, or it will default to UDP, which is not fully supported in AWS, and the whole reason we use JDBC_PING there rather than the default. See this in your xml file (lines 325-329):

--Tonnis

On 09/20/2017 12:23 AM, Jyoti Kumar Singh wrote:
> Hi Tonnis,
>
> No, I have not disabled the UDP-related configurations. Here is the
> standalone-ha.xml which I am using as part of my configurations.
>
>
> On Tue, Sep 19, 2017 at 11:58 PM, Tonnis Wildeboer wrote:
>
>     Have you disabled the UDP-related configurations?
>
>     ____________________
>     Tonnis Wildeboer
>     Autonomic.ai Engineering
>     650-204-0246
>
>     On 09/19/2017 07:19 AM, Jyoti Kumar Singh wrote:
>>     Hi,
>>
>>     I have tried the JDBC_PING option which Tonnis has mentioned :-
>>     https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql
>>
>>     After that I could see node discovery is happening but the JOIN
>>     operation is getting timed out, which eventually is not forming
>>     clustering between two ECS instances. Is there any configuration
>>     I am missing here?
>>
>>     #Logs:-
>>
>>     2017-09-19 10:59:52,907 WARN [org.jgroups.protocols.UDP] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL JGRP000015: the receive buffer of socket ManagedMulticastSocketBinding was set to 25MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g.
>>     net.core.rmem_max on Linux)
>>     2017-09-19 10:59:59,475 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 1
>>     2017-09-19 11:00:02,490 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 2
>>     2017-09-19 11:00:05,508 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 3
>>     2017-09-19 11:00:08,527 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 4
>>     2017-09-19 11:00:11,542 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 5
>>     2017-09-19 11:00:14,558 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 6
>>     2017-09-19 11:00:17,579 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 7
>>     2017-09-19 11:00:20,596 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 8
>>     2017-09-19 11:00:23,611 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1)
>>     [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 9
>>     2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: JOIN(f0be09280f90) sent to 16c566cfa08e timed out (after 3000 ms), on try 10
>>     2017-09-19 11:00:26,627 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-1) [f0be09280f90] KEYCLOAK 3.1.0.Final-MySQL f0be09280f90: too many JOIN attempts (10): becoming singleton
>>
>>     On Thu, Sep 14, 2017 at 10:48 PM, Jyoti Kumar Singh wrote:
>>
>>         Hi Tonnis,
>>
>>         Thank you very much for sharing the valuable information. I
>>         am checking on this, hopefully I will also be able to achieve
>>         the HA.
>>
>>         Thanks Again !
>>
>>         On Sep 14, 2017 10:00 PM, "Tonnis Wildeboer" wrote:
>>
>>             Jyoti,
>>
>>             I have been working on a similar goal and was finally
>>             successful yesterday. We are using postgres and kubernetes.
>>
>>             Here are the key sources of information that enabled me
>>             to succeed:
>>
>>             The big key is here:
>>             https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql
>>
>>             Use the .xsl templates here to transform on the
>>             standalone-ha.xml and you can see what is being done.
>>
>>             I suggest that you simply use JDBC_PING, since you
>>             already have a shared database.
>>             I think it is instructive to understand what JDBC_PING
>>             (and JGroups in general) are doing:
>>             http://jgroups.org/manual4/index.html
>>             https://developer.jboss.org/wiki/JDBCPING
>>
>>             You may benefit from this also, specifically, the need to
>>             bind jgroups-tcp and jgroups-tcp-fd to the proper
>>             interface. Not sure about your situation.
>>
>>             --Tonnis
>>
>>             ____________________
>>             Tonnis Wildeboer
>>             Autonomic.ai Engineering
>>
>>             On 09/14/2017 03:32 AM, Jyoti Kumar Singh wrote:
>>
>>                 Hi Team,
>>
>>                 I am trying to enable high availability for Keycloak
>>                 3.1.0 on AWS ECS instances.
>>
>>                 I am running two ECS instances in a cluster setup and
>>                 also I have set up Keycloak in a clustered mode. To
>>                 achieve this, I am using the "*/standalone/configuration/standalone-ha.xml*"
>>                 file while building the docker image. Shared MySQL DB and
>>                 Load Balancer setup are also in place.
>>
>>                 But when I checked the Keycloak logs I am not seeing
>>                 clustered-nodes related information in the logs. I am seeing
>>                 nodes are not able to see each other. But the same settings
>>                 are working fine in the DCOS Marathon platform.
>>
>>                 Interestingly if I run two Keycloak instances in one
>>                 AWS ECS instance on different ports, I could see clustering
>>                 related logs in Keycloak.
>>
>>                 Are there any standard guidelines which I can follow
>>                 to achieve HA in an AWS ECS instance?? I followed the below
>>                 discussion thread but it didn't help me to fix the issue.
>>
>>                 #Link:
>>                 http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html
>>
>>                 --
>>                 *With Regards,
>>                 Jyoti Kumar Singh*
>
>
> --
> *With Regards,
> Jyoti Kumar Singh*

From stephen at saasindustries.com Fri Sep 22 13:33:10 2017
From: stephen at saasindustries.com (Stephen Henrie)
Date: Fri, 22 Sep 2017 10:33:10 -0700
Subject: [keycloak-user] notification about user/group events
In-Reply-To:
References:
Message-ID:

You can create your own Event SPI which can listen to Admin events and then notify other components in your ecosystem.

On Fri, Sep 22, 2017 at 8:45 AM, Farkas Levente wrote:
> hi,
> is there any way to get notification about user/group add, delete, modify events on a given keycloak server?
> one of our java microservices would like to receive all kinds of changes about users. what would be the easiest, preferred way to get this kind of changes?
> thanks in advance.
> regards.
>
> --
> Levente "Si vis pacem para bellum!"
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From juandiego83 at gmail.com Fri Sep 22 14:24:49 2017
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 22 Sep 2017 13:24:49 -0500
Subject: [keycloak-user] Managing user from my java backend
Message-ID:

Hi

I want to manage my users from my app but I don't understand some things.

My backend is on java, front is on angular. So for my backend I used a client of type Bearer Only.

I was looking at this example
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java

And this one
https://gist.github.com/thomasdarimont/43689aefb37540624e35

So my question is

Should I create a User in my keycloak server for my app to use?
Or should I use another type of client?

Can I connect using just the client credentials? I thought I would have to use the secret in credentials and the token there to connect?

Thanks

From Michael.Knurr at adesso.ch Sat Sep 23 04:46:50 2017
From: Michael.Knurr at adesso.ch (Knurr, Michael)
Date: Sat, 23 Sep 2017 08:46:50 +0000
Subject: [keycloak-user] How to get UserSessionModel from RequiredActionContext
Message-ID: <47e73b7cc39b4e8384618552615f92c4@EX2013-DB02.adesso.local>

I just migrated an implementation of a RequiredActionProvider from 1.9 to 3.2. The processAction method in RequiredActionProvider has only one parameter of type RequiredActionContext. In the past (up to Release 2.4) it was possible to identify the user's current session by calling

    @Override
    public void processAction(RequiredActionContext ctx) {
        // user session of the current login
        UserSessionModel currentUserSession = ctx.getUserSession();
        ...
    }

Unfortunately it seems that with Release 2.5 this method has been dropped. Instead, the RequiredActionContext now provides an AuthenticationSessionModel. The AuthenticationSessionModel interface again has a method getUserSession() which is exactly what I need, but it is commented out.

How can I identify the UserSessionModel for the current login action? One way would be to iterate over all user sessions, but there has to be an easier solution:

    List<UserSessionModel> userSessions = ctx.getSession().sessions().getUserSessions(ctx.getRealm(), ctx.getUser());

I cannot find an easier solution. Can someone please help me out?

Brgds
Mike

From rudreshsj at gmail.com Sun Sep 24 22:47:50 2017
From: rudreshsj at gmail.com (Rudresh Shashikant)
Date: Mon, 25 Sep 2017 09:47:50 +0700
Subject: [keycloak-user] Set-Cookie is missing 'Secure' and 'HttpOnly' flags
In-Reply-To:
References:
Message-ID:

Hi Bill, thanks for the info on "require SSL" in the realm Login settings. I did not toggle that because I thought that it would require Java keystore certificates whereas I am just fronting with NGINX. Oh well, I tested and it works.

Also thanks for clarifying the HttpOnly behaviour.

Regards,
Rudy.

On Fri, Sep 22, 2017 at 8:40 PM, Bill Burke wrote:
> The realm's SSL policy has to be set to SSL required for Secure-Only to be set. Out of the box, Keycloak does not have SSL/HTTPS set up. Wildfly recently introduced an SSL setup option that we may eventually take advantage of, but right now, Keycloak does not have SSL/HTTP enabled out of the box.
>
> Looking at our code the KEYCLOAK_SESSION cookie is not marked HttpOnly and is used by our iframe to detect if the user is logged in still. KEYCLOAK_IDENTITY *is* marked HttpOnly.
>
> On Wed, Sep 20, 2017 at 7:31 AM, Rudresh Shashikant wrote:
> > Hi
> >
> > I would like to discuss 2 items when Keycloak responds with "Set-Cookie" headers:
> > 1. "HttpOnly" flag
> > 2. "Secure" flag
> >
> > 1. "HttpOnly" flag:
> > I can see that the affected cookie is:
> > * KEYCLOAK_SESSION
> >
> > My understanding is (please correct me where inaccurate/wrong) that the "HttpOnly" flag is not included on purpose because the iframe in the browser that maintains the session with keycloak needs Javascript to modify the cookie and hence the "HttpOnly" flag would disallow this ability, breaking the feature as a result.
> >
> > Reference: The OIDC spec (http://openid.net/specs/openid-connect-session-1_0.html) states that:
> > *"If a cookie is used to maintain the OP browser state, the HttpOnly flag likely can't be set for this cookie because it needs to be accessed from JavaScript.
> > Therefore, information that can be used for identifying the user should not be put into the cookie, as it could be read by unrelated JavaScript."*
> >
> > 2. "Secure" flag:
> > I can see that the affected cookies are:
> > * AUTH_SESSION_ID
> > * KC_RESTART
> > * KEYCLOAK_IDENTITY
> > * KEYCLOAK_SESSION
> >
> > I fail to understand why the "Secure" flag is not being set on all these cookies. As I understand it, the "Secure" flag should be set to ensure that only the "HTTPS" version of the site can access the cookie, else a "HTTP" version will also be able to access the cookie on the same domain.
> >
> > The NGINX proxy will have a 301 redirect for all HTTP requests so it is not a major concern but it still does not answer the question as to why the server did not set this flag on all cookies.
> > Can it be set using NGINX? If it is set will any keycloak feature break?
> >
> > Thanks.
> >
> > Regards,
> > Rudy.
>
> --
> Bill Burke
> Red Hat

From loic.rapp at reymann.com Mon Sep 25 03:16:47 2017
From: loic.rapp at reymann.com (Rapp Loïc)
Date: Mon, 25 Sep 2017 09:16:47 +0200
Subject: [keycloak-user] Using Keycloak with Nextcloud
Message-ID: <28D8911B-E24B-4829-BA05-02C138608874@reymann.com>

Hey,

Has someone already done that? I'm not able to use Nextcloud with Keycloak (SAML), but I've tried with LemonLDAP:NG, and it's working well.

Thanks!

Rapp Loïc
Technical Department
Network Technician
Direct line: +33 (0)3 69 22 67 18

--
Let's save paper. Print this e-mail only if necessary.

From shimin_q at yahoo.com Mon Sep 25 14:43:58 2017
From: shimin_q at yahoo.com (shimin q)
Date: Mon, 25 Sep 2017 18:43:58 +0000 (UTC)
Subject: [keycloak-user] Resolution for 99% of CORS's problems
In-Reply-To:
References:
Message-ID: <1280275420.9581719.1506365038329@mail.yahoo.com>

Thanks for posting your solution, Karol. I have been having trouble with Keycloak CORS also. I followed your suggestion:

1 - set client Web Origins
2 - in Keycloak.json, added "enable-cors": true

/usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
{
  "realm": "rtna",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
  "auth-server-url": "https://135.112.123.194:8666/auth",
  "ssl-required": "external",
  "resource": "main",
  "public-client": true,
  "enable-cors": true
}

I am still getting error:

135.112.123.183/:1 XMLHttpRequest cannot load https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://135.112.123.183' is therefore not allowed access.

I also tried to add request header in /opt/sso/keycloak/standalone/configuration/standalone.xml, not working either.

- If standalone.xml has <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>:

I get the error:
(index):82 keycloak init done......
(index):1 XMLHttpRequest cannot load https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://135.112.123.183' is therefore not allowed access.
The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Is there anything I am missing? Any idea how to make it work would be appreciated!!

On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler wrote:

Hi,

after huge amounts of hours of investigation I found the resolution for almost all problems with CORS. I decided that maybe I am not alone with it, so here you go:

1. Go to the admin console of Keycloak and set 'Web Origins' of your client to the address of your application (or just *).

2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know the name of this property in keycloak.json).

3. That's it! Only 2 steps resolve almost all my problems with CORS in our applications.

Best regards,
Karol

adbglobal.com

From kurrent93 at gmail.com Mon Sep 25 16:42:51 2017
From: kurrent93 at gmail.com (Anton)
Date: Tue, 26 Sep 2017 09:42:51 +1300
Subject: [keycloak-user] KeyCloak as an OIDC
In-Reply-To:
References:
Message-ID:

Did anyone find out how to achieve this using Keycloak?

On 15 September 2017 at 20:23, Anton wrote:
> Hi Stian
>
> Clearly you know more about this than I. But from my limited knowledge, an Identity Provider that supports the OIDC Protocol allows clients to "receive information about authenticated sessions and end-users." This would mean that the Identity Provider presumably needs to make user information available in a specific format or schema.
>
> Therefore, I am assuming there would be some specific data modeling requirements in the custom Identity Provider.
>
> The best example I could find of this is https://github.com/mitreid-connect/ldap-openid-connect-server
>
> On 15 September 2017 at 19:30, Stian Thorgersen wrote:
>
>> I'm not following.. What you want is to secure your applications with Keycloak using the OIDC protocol? If so just create a client for it in the realm and away you go..?
>>
>> On 14 September 2017 at 21:25, Y Levine wrote:
>>
>>> Yes --- looking for similar....
>>>
>>> KeyCloak is the OIDC Identity Provider --- Applications integrate against KeyCloak via OIDC --- users would authenticate directly against the login page on KeyCloak - redirected back to SP..... ala Google login process to Stackoverflow (however in this case KeyCloak is the IDP for our organization's login/password).
>>>
>>> If there are steps that can describe how the above can be configured it will be much appreciated.
>>>
>>> On Thu, Sep 14, 2017 at 3:04 AM, Anton wrote:
>>>
>>> > I can't speak for OP, but it sounds like a question I asked a while ago:
>>> >
>>> > I'm looking to build an application (identity provider) that will have user accounts. So, whereas the typical example is a user links their Facebook, or LinkedIn account to a Keycloak account.
>>> > I'm interested in making an Identity Provider - comparable to Facebook, LinkedIn - in terms of supporting the OIDC protocol - so that users can link these accounts.
>>> >
>>> > Users then should be able to link their account to a parent account.
>>> >
>>> > I have been reading http://www.keycloak.org/docs/3.1/server_development/topics/identity-brokering/account-linking.html and see that this is possible.
>>> >
>>> > I have a few questions. On the docs it says:
>>> >
>>> > > The application must already be logged in as an existing user via the OIDC protocol
>>> > >
>>> > How does an application login as a user?
>>> > Does this mean the user must be logged into the Identity provider application?
>>> >
>>> > Am I correct in assuming the Identity Provider application needs to implement the OIDC Protocol? Is this something Keycloak can do? Are there any examples of this?
>>> >
>>> > On 14 September 2017 at 21:29, Simon Payne wrote:
>>> >
>>> > > I think the OP is referring to identity brokering where keycloak is used to broker other identity providers which follow the OIDC protocol. One of these brokered identity providers can be another keycloak server.
>>> > >
>>> > > On Thu, Sep 14, 2017 at 10:16 AM, Sebastien Blanc wrote:
>>> > >
>>> > > > As Stian said, KC is already an OIDC IdP, nothing to do here. Once your realm has been created, you can see the OIDC endpoints here:
>>> > > >
>>> > > > /auth/realms/your_realm/.well-known/openid-configuration
>>> > > >
>>> > > > Or was this not the question?
>>> > > >
>>> > > > Sebi
>>> > > >
>>> > > > On Thu, Sep 14, 2017 at 12:15 AM, Anton wrote:
>>> > > >
>>> > > > > I'm also interested in this.
>>> > > > > If I understand OP's question correctly, he wants to know how to be an Identity Provider that supports the OIDC Protocol.
>>> > > > >
>>> > > > > For example - in the section on User initiated linked accounts - the example is that the user links their Facebook account. How to create an equivalent, OIDC-ly speaking, of Facebook?
>>> > > > >
>>> > > > > On 13 September 2017 at 15:41, Stian Thorgersen <sthorger at redhat.com> wrote:
>>> > > > >
>>> > > > > > What are you actually trying to do? Keycloak is an OIDC IDP
>>> > > > > >
>>> > > > > > On 12 September 2017 at 17:59, Y Levine wrote:
>>> > > > > >
>>> > > > > > > I have read
>>> > > > > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/oidc-overview.html
>>> > > > > > >
>>> > > > > > > I may have misread as it appears to list connectors to KeyCloak's OIDC ....but how do we configure KeyCloak to be the OIDC IdP?
From russell at zeroflux.net Mon Sep 25 17:03:01 2017
From: russell at zeroflux.net (Russell Davies)
Date: Mon, 25 Sep 2017 22:03:01 +0100
Subject: [keycloak-user] Realm Keys Public Access
Message-ID:

Is there any way to access the realm keys without making an authenticated request? That is, by making a GET request to `/auth/admin/realms/{realm name}/keys` without an authorization token.

I ask because when I add a new service that needs to verify a JWT sent to it, I have to manually authenticate, get the public key and then configure a JWK from that. It would be easier if I could just tell my service the URL and it would fetch the public key from the Keycloak API.

The response for the keys doesn't include any private information so I don't see any issue in regard to security. Or am I missing something, or is there another way to do this?

From K.Buler at adbglobal.com Tue Sep 26 04:01:43 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Tue, 26 Sep 2017 10:01:43 +0200
Subject: [keycloak-user] Resolution for 99% of CORS's problems
In-Reply-To: <1280275420.9581719.1506365038329@mail.yahoo.com>
References: <1280275420.9581719.1506365038329@mail.yahoo.com>
Message-ID: <35c30a6d-7666-d6d3-40f7-111290159b59@adbglobal.com>

I had exactly the same problem with "Access-Control-Allow-Origin" and my solution resolved this. Which version of KC do you have? I'm using 3.2.1.Final for now and didn't check on other versions.

On the other hand, what do you type into Web Origins? '*' or 'https://135.112.123.183'?

On 25.09.2017 20:43, shimin q wrote:
> Thanks for posting your solution, Karol. I have been having trouble with Keycloak CORS also. I followed your suggestion:
>
> 1 - set client Web Origins
> 2 - in Keycloak.json, added "enable-cors": true
>
> /usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
> {
>   "realm": "rtna",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
>   "auth-server-url": "https://135.112.123.194:8666/auth",
>   "ssl-required": "external",
>   "resource": "main",
>   "public-client": true,
>   "enable-cors": true
> }
>
> I am still getting error:
>
> 135.112.123.183/:1 XMLHttpRequest cannot load https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://135.112.123.183' is therefore not allowed access.
>
> I also tried to add request header in /opt/sso/keycloak/standalone/configuration/standalone.xml, not working either.
>
> * If standalone.xml has <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>:
>
> I get the error:
> (index):82 keycloak init done......
>
> (index):1 XMLHttpRequest cannot load https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://135.112.123.183' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
>
> Is there anything I am missing? Any idea how to make it work would be appreciated!!
>
> On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler wrote:
>
> Hi,
>
> after huge amounts of hours of investigation I found the resolution for almost all problems with CORS. I decided that maybe I am not alone with it, so here you go:
>
> 1. Go to the admin console of Keycloak and set 'Web Origins' of your client to the address of your application (or just *).
>
> 2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know the name of this property in keycloak.json).
>
> 3. That's it! Only 2 steps resolve almost all my problems with CORS in our applications.
>
> Best regards,
> Karol
>
> adbglobal.com

From simonpayne58 at gmail.com Tue Sep 26 04:25:06 2017
From: simonpayne58 at gmail.com (Simon Payne)
Date: Tue, 26 Sep 2017 09:25:06 +0100
Subject: [keycloak-user] Managing user from my java backend
In-Reply-To:
References:
Message-ID:

For this I would probably have 3 things.

1. users configured in keycloak either through LDAP or local accounts
2. a client for the back end configured as bearer only (if it's a simple REST service). This will not challenge for authentication, only return 401s, 403s
3. a public client for the front end to manage the auth flows and redirect to keycloak for authentication and log in as the user. Read up on the javascript adaptor for this. Pass the token returned to the front end client to the back end REST service in the headers as Basic Auth.

Simon.

On Fri, Sep 22, 2017 at 7:24 PM, Juan Diego wrote:
> Hi
>
> I want to manage my users from my app but I don't understand some things.
>
> My backend is on java, front is on angular. So for my backend I used a client of type Bearer Only.
>
> I was looking at this example
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>
> And this one
> https://gist.github.com/thomasdarimont/43689aefb37540624e35
>
> So my question is
>
> Should I create a User in my keycloak server for my app to use?
> Or should I use another type of client?
>
> Can I connect using just the client credentials? I thought I would have to use the secret in credentials and the token there to connect?
>
> Thanks

From t.ruiten at rdmedia.com Tue Sep 26 06:04:31 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Tue, 26 Sep 2017 12:04:31 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
Message-ID:

Hello,

I'm testing with the following setup:

In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (eg. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users.

In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected?

Using Keycloak 3.2.1 Final.

--
Tiemen Ruiten
Systems Engineer
R&D Media

From ykoer at redhat.com Tue Sep 26 08:57:46 2017
From: ykoer at redhat.com (Yusuf Kör)
Date: Tue, 26 Sep 2017 14:57:46 +0200
Subject: [keycloak-user] Stateless Application Design with Keycloak OIDC
Message-ID:

Hi,

does someone have any experience with a stateless application design using the Keycloak Adapter and cookie store support for the token? I would like to run a simple application with a Spring MVC backend on Openshift and don't want to rely on HTTP state replication or sticky sessions.

I see an endless redirect loop when I open the application.

This is the source code:
https://github.com/ykoer/spring-boot-keycloak-tutorial/tree/spring-security-cookie

This is the configuration:
https://github.com/ykoer/spring-boot-keycloak-tutorial/blob/spring-security-cookie/src/main/resources/application.properties

Thank you in advance
Yusuf

From schissdraeck at rmm.li Tue Sep 26 09:14:04 2017
From: schissdraeck at rmm.li (Michael Meier)
Date: Tue, 26 Sep 2017 15:14:04 +0200
Subject: [keycloak-user] Problems with nextcloud integration: Duplicated Attributes in response
Message-ID: <29e42719-efbe-5a00-363f-145551d77950@rmm.li>

hi all

When I (and also others) tried to use saml login from nextcloud over keycloak, there is an error message about Duplicated Attributes. As far as I could find out, it looks like the role Attribute appears more than once. According to the saml add-on developer it intentionally does not support double attributes, and keycloak should group the values. See:

https://github.com/onelogin/php-saml/issues/170#issuecomment-255359227
https://github.com/onelogin/php-saml/issues/223#issuecomment-309718760

So I'm wondering if that is a bug in keycloak or a missing feature, or if I was just too stupid to find the corresponding setting ;-).

I'm not sure how I could post the keycloak saml client config I use.

thanks for any advice on that issue...

Michael

From sthorger at redhat.com Tue Sep 26 09:17:26 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 26 Sep 2017 15:17:26 +0200
Subject: [keycloak-user] Resolution for 99% of CORS's problems
In-Reply-To: <35c30a6d-7666-d6d3-40f7-111290159b59@adbglobal.com>
References: <1280275420.9581719.1506365038329@mail.yahoo.com> <35c30a6d-7666-d6d3-40f7-111290159b59@adbglobal.com>
Message-ID:

For the record using '*' as web origin is really rather bad from a security perspective and should ONLY be used in development/testing.

On 26 September 2017 at 10:01, Karol Buler wrote:
> I had exactly the same problem with "Access-Control-Allow-Origin" and my solution resolved this. Which version of KC do you have? I'm using 3.2.1.Final for now and didn't check on other versions.
>
> On the other hand, what do you type into Web Origins? '*' or 'https://135.112.123.183'?
>
> On 25.09.2017 20:43, shimin q wrote:
> > Thanks for posting your solution, Karol. I have been having trouble with Keycloak CORS also. I followed your suggestion:
> >
> > 1 - set client Web Origins
> > 2 - in Keycloak.json, added "enable-cors": true
> >
> > /usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
> > {
> >   "realm": "rtna",
> >   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
> >   "auth-server-url": "https://135.112.123.194:8666/auth",
> >   "ssl-required": "external",
> >   "resource": "main",
> >   "public-client": true,
> >   "enable-cors": true
> > }
> >
> > I am still getting error:
> >
> > 135.112.123.183/:1 XMLHttpRequest cannot load https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> > No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://135.112.123.183' is therefore not allowed access.
> >
> > I also tried to add request header in /opt/sso/keycloak/standalone/configuration/standalone.xml, not working either.
> >
> > * If standalone.xml has <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>:
> >
> > I get the error:
> > (index):82 keycloak init done......
> >
> > (index):1 XMLHttpRequest cannot load https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://135.112.123.183' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
> >
> > Is there anything I am missing? Any idea how to make it work would be appreciated!!
> >
> > On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler wrote:
> >
> > Hi,
> >
> > after huge amounts of hours of investigation I found the resolution for almost all problems with CORS. I decided that maybe I am not alone with it, so here you go:
> >
> > 1. Go to the admin console of Keycloak and set 'Web Origins' of your client to the address of your application (or just *).
> >
> > 2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know the name of this property in keycloak.json).
> >
> > 3. That's it! Only 2 steps resolve almost all my problems with CORS in our applications.
> >
> > Best regards,
> > Karol
> >
> > adbglobal.com

From sthorger at redhat.com Tue Sep 26 09:20:36 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 26 Sep 2017 15:20:36 +0200
Subject: [keycloak-user] missing docker keycloak tags
In-Reply-To:
References:
Message-ID:

We don't maintain Keycloak 2.5.x in community anymore and as such new 2.5.x tags are not released to the community, but only used internally to build RH-SSO micro releases. If you are using community bits you are required to update to the latest release for fixes. If you want to have longer supported versions you should look at RH-SSO which is the supported version of Keycloak.

On 22 September 2017 at 08:59, Aritz Maeztu wrote:
> We're missing the docker tags for keycloak 2.5.6 and higher in the docker hub, it would be nice to have them added and also the ones for the related variations keycloak-mysql, and so on..
>
> Thanks!
>
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel. Aritz Maeztu: 948 68 03 06
> Tel. Secretariat: 948 21 40 40
>
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.

From robert.parker at weareact.com Tue Sep 26 09:23:51 2017
From: robert.parker at weareact.com (Robert Parker) Date: Tue, 26 Sep 2017 13:23:51 +0000 Subject: [keycloak-user] How to redirect user back to original application from account management pages Message-ID: I am using the keycloak javascript adapter and have a Profile link in my main application which makes a call to the adapter's `accountManagement()` function to redirect to the keycloak account management screens for the logged in user. What I can't figure out is how to redirect back to my main application after changes have been saved or when the user cancels the account management screens. Looking inside the account.ftl template for the themed user account screen, I see the following: <#if url.referrerURI??><a href="${url.referrerURI}">${msg("backToApplication")}</a></#if> This link does not appear for me, so this referrerURI property is clearly not present on the url object being passed to the form. How can I set this? Is there an argument I need to be passing into the `accountManagement()` adapter call? Thanks ________________________________ Robert Parker - Front End Developer Applied Card Technologies Ltd Cardiff Office 14 St Andrews Crescent Caerdydd Cardiff CF10 3DD +44 (0) 2922 331860 Robert.Parker at weareACT.com www.weareACT.com Registered in England : 04476799 ________________________________ The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales). The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd.
The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary. Please consider the environment before printing this email. ________________________________ From sam at focus21.io Tue Sep 26 10:47:04 2017 From: sam at focus21.io (Sam Lewis) Date: Tue, 26 Sep 2017 10:47:04 -0400 Subject: [keycloak-user] kcadm configure Client Role Mapper Message-ID: Is it possible to use kcadm to add an oidc-usermodel-client-role-mapper to a client? From Thomas.FOUTREIN at imprimerienationale.fr Tue Sep 26 11:22:54 2017 From: Thomas.FOUTREIN at imprimerienationale.fr (FOUTREIN Thomas) Date: Tue, 26 Sep 2017 15:22:54 +0000 Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy In-Reply-To: <1506435124245.91959@imprimerienationale.fr> References: <1506435124245.91959@imprimerienationale.fr> Message-ID: <1506439372210.80640@imprimerienationale.fr> Hello, I'm trying to use authentication with X509 client certificate with Keycloak. I've put the configuration on a specific realm like explained in the keycloak Documentation (http://www.keycloak.org/docs/3.3/server_admin/topics/authentication/x509.html) All is ok on my dev environment without reverse proxy. When I put the same configuration on the integration environment with NGINX reverse proxy, the certificate never reaches keycloak. I've succeeded in verifying the client cert with nginx but keycloak never succeeds in checking the Client CN. Could you help me with the configuration of both nginx and wildfly? Here is my Nginx conf try & Standalone.xml keycloak conf in attachment. Thank you in advance for the help Regards Thomas Foutrein Imprimerie Nationale From fernando.mora at intenthq.com Tue Sep 26 12:03:09 2017
From: fernando.mora at intenthq.com (Fernando Mora) Date: Tue, 26 Sep 2017 18:03:09 +0200 Subject: [keycloak-user] Admin API omitting user client roles from groups Message-ID: I need to retrieve all client roles a user has in every client in keycloak to update them in my app in order to check authorization for different features. I am able to get both realm and client roles using the following endpoint *GET /admin/realms/{realmId}/users/{userId}/role-mappings* But the response is omitting the client roles from the groups users belong to. Is there some way I can retrieve all client roles of a user, including roles assigned by groups? I realized *GET /admin/realms/{realmId}/users/{userId}/role-mappings/clients/{clientId}/composite* includes group client roles for one client but I need roles for all clients not for individual one. -- This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Intent HQ Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. From ssilvert at redhat.com Tue Sep 26 12:52:42 2017
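Added example (editor's code, not from the thread or the Keycloak project) for the question above: collecting a user's effective client roles, group-inherited ones included, across every client of a realm. It walks the clients list and calls, per client, the composite endpoint the question already identified as including group roles. Note that the path parameter after /role-mappings/clients/ is the client's internal id (the "id" field of the client representation), not the human-readable clientId. Assumptions: the Keycloak 3.x Admin REST API at the paths shown, an admin access token with rights to view users and clients, and a global fetch() (Node 18+ or a browser) for the live getter; the sample responses are constructed, not real server output.

```javascript
// Added example, not from the thread or the Keycloak project. Gathers a
// user's effective client roles (direct + group-inherited + composite) for
// every client in a realm via:
//   GET /admin/realms/{realm}/clients
//   GET /admin/realms/{realm}/users/{userId}/role-mappings/clients/{clientUuid}/composite
// {clientUuid} is the client's "id" field, not its clientId.
// Assumptions: Keycloak 3.x Admin REST API, a bearer token that may view
// users and clients, global fetch() for the live getter.

// Pure step, easy to unit-test: clients list + map of clientUuid -> role
// representations  =>  { clientId: [sorted role names] }; clients with no
// roles are dropped so authorization code sees only real grants.
function aggregateClientRoles(clients, compositeByUuid) {
  const result = {};
  for (const client of clients) {
    const roles = compositeByUuid[client.id] || [];
    const names = [...new Set(roles.map((r) => r.name))].sort();
    if (names.length > 0) result[client.clientId] = names;
  }
  return result;
}

// I/O step: getJson(path) must return the parsed JSON body for an admin API path.
async function collectEffectiveClientRoles(getJson, realm, userId) {
  const base = `/admin/realms/${encodeURIComponent(realm)}`;
  const clients = await getJson(`${base}/clients`);
  const compositeByUuid = {};
  for (const client of clients) {
    compositeByUuid[client.id] = await getJson(
      `${base}/users/${encodeURIComponent(userId)}` +
        `/role-mappings/clients/${encodeURIComponent(client.id)}/composite`
    );
  }
  return aggregateClientRoles(clients, compositeByUuid);
}

// Live getter against a real server (hypothetical URL; the token is obtained
// elsewhere, e.g. via the admin-cli client). Not exercised in the demo.
function makeAdminGetter(serverUrl, accessToken) {
  const root = serverUrl.replace(/\/+$/, '');
  return async (path) => {
    const res = await fetch(root + path, {
      headers: { Authorization: `Bearer ${accessToken}` },
    });
    if (!res.ok) throw new Error(`HTTP ${res.status} for ${path}`);
    return res.json();
  };
}

// Constructed sample data standing in for server responses (not real output).
const SAMPLE_CLIENTS = [
  { id: '11111111-aaaa-4bbb-8ccc-000000000001', clientId: 'billing' },
  { id: '11111111-aaaa-4bbb-8ccc-000000000002', clientId: 'reports' },
  { id: '11111111-aaaa-4bbb-8ccc-000000000003', clientId: 'account' },
];
const SAMPLE_COMPOSITE = {
  '11111111-aaaa-4bbb-8ccc-000000000001': [
    { name: 'invoice:write', clientRole: true }, // direct mapping
    { name: 'invoice:read', clientRole: true }, // inherited through a group
  ],
  '11111111-aaaa-4bbb-8ccc-000000000002': [], // nothing on this client
  '11111111-aaaa-4bbb-8ccc-000000000003': [{ name: 'manage-account', clientRole: true }],
};

// Fake getter that answers both endpoint shapes from the sample data.
const sampleGetter = async (path) => {
  if (path.endsWith('/clients')) return SAMPLE_CLIENTS;
  const uuid = decodeURIComponent(path.split('/role-mappings/clients/')[1].split('/')[0]);
  return SAMPLE_COMPOSITE[uuid] || [];
};

collectEffectiveClientRoles(sampleGetter, 'demo', 'some-user-id').then((roles) =>
  console.log(JSON.stringify(roles, null, 2))
);
```

For a live run, pass `makeAdminGetter('https://sso.example.com/auth', token)` instead of `sampleGetter`. Keeping the aggregation pure lets you test the authorization mapping without a server, and the per-client loop is the only place to add paging or a concurrency limit if a realm has many clients.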
From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 26 Sep 2017 12:52:42 -0400 Subject: [keycloak-user] How to redirect user back to original application from account management pages In-Reply-To: References: Message-ID: You need to set the referrer in the URL when you go to the account console. This explains it well: https://technology.first8.nl/add-manage-account-link-keycloak-redhat-sso/ On 9/26/2017 9:23 AM, Robert Parker wrote: > I am using the keycloak javascript adapter and have a Profile link in my main application which makes a call to the adapter's `accountManagement()` function to redirect to the keycloak account management screens for the logged in user. > > What I can't figure out is how to redirect back to my main application after changes have been saved or when the user cancels the account management screens. > > Looking inside the account.ftl template for the themed user account screen, I see the following: > > <#if url.referrerURI??><a href="${url.referrerURI}">${msg("backToApplication")}</a></#if> > > This link does not appear for me, so this referrerURI property is clearly not present on the url object being passed to the form. How can I set this? Is there an argument I need to be passing into the `accountManagement()` adapter call? > > Thanks > ________________________________ > Robert Parker - Front End Developer > Applied Card Technologies Ltd
From pnalyvayko at agi.com Tue Sep 26 23:48:44 2017
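Added example (editor's code, not from the thread, the linked blog post or the Keycloak project) for the referrer mechanism in the reply above. It builds the account-console URL with the `referrer` (client id) and `referrer_uri` query parameters that populate `url.referrerURI` in account.ftl, and models the server-side check that decides whether a supplied `referrer_uri` is honoured. Assumptions, to be verified against your version: the account console lives at `{authServerUrl}/realms/{realm}/account`; with only `referrer` set, the server falls back to that client's Base URL (if the client has none, no link is rendered); a `referrer_uri` is used only when it matches one of the client's registered redirect URIs, which is what keeps the parameter from becoming an open redirect.

```javascript
// Added example, not from the thread or the Keycloak project.
// Assumptions: Keycloak 3.x account console at {authServerUrl}/realms/{realm}/account;
// referrer_uri is honoured only if it matches a registered redirect URI of the
// client named in `referrer` (simplified model of that check below).

function buildAccountUrl({ authServerUrl, realm, clientId, returnTo }) {
  const base = authServerUrl.replace(/\/+$/, ''); // never produce ".../auth//realms"
  const url = new URL(`${base}/realms/${encodeURIComponent(realm)}/account`);
  url.searchParams.set('referrer', clientId);
  if (returnTo !== undefined) {
    url.searchParams.set('referrer_uri', returnTo);
  }
  return url.toString();
}

// Simplified model of the server-side redirect-URI matching: exact match, or
// prefix match when the registered entry ends with '*'. Relative entries
// resolved against the client's Root URL are not modelled here. A value that
// matches nothing is dropped, so no "Back to application" link appears and
// referrer_uri cannot send the user to an attacker-chosen site.
function isAllowedReferrerUri(candidate, registeredRedirectUris) {
  try {
    new URL(candidate); // must be an absolute, parseable URL
  } catch (e) {
    return false;
  }
  return registeredRedirectUris.some((registered) =>
    registered.endsWith('*')
      ? candidate.startsWith(registered.slice(0, -1))
      : candidate === registered
  );
}

// With the JavaScript adapter (browser), instead of keycloak.accountManagement():
//   window.location.href = buildAccountUrl({
//     authServerUrl: keycloak.authServerUrl, realm: keycloak.realm,
//     clientId: keycloak.clientId, returnTo: window.location.href });

// Stand-alone demo with constructed values.
console.log(
  buildAccountUrl({
    authServerUrl: 'https://sso.example.com/auth/',
    realm: 'demo',
    clientId: 'my-app',
    returnTo: 'https://app.example.com/profile',
  })
);
console.log(isAllowedReferrerUri('https://app.example.com/profile', ['https://app.example.com/*']));
console.log(isAllowedReferrerUri('https://app.example.com.evil.net/', ['https://app.example.com/*']));
```

Register the wildcard with a trailing slash (`https://app.example.com/*`, not `https://app.example.com*`): the prefix check above, like the real one, would otherwise accept `https://app.example.com.evil.net/`.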
From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Wed, 27 Sep 2017 03:48:44 +0000 Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy In-Reply-To: <1506439372210.80640@imprimerienationale.fr> References: <1506435124245.91959@imprimerienationale.fr>, <1506439372210.80640@imprimerienationale.fr> Message-ID: Hi Thomas, X509 user authentication behind reverse proxy is not supported out of the box yet, afaik. There is a fork off of 2.3.0 with necessary changes to enable x509 user auth when running behind haproxy and apache reverse proxies. Basically, a reverse proxy uses custom headers to pass the encoded client certificate and any certificates in the client cert chain to the service behind the proxy, but the x509 authenticator does not know anything about the custom headers and uses the incoming connection to look for the certificate instead. Perhaps wildfly can be taught to somehow use the custom headers to pass the cert to the application without any additional reverse proxy specific code, but my experience with wildfly is limited so if anyone here can suggest a way to achieve that I would be interested as well. --Peter ________________________________________ 
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of FOUTREIN Thomas [Thomas.FOUTREIN at imprimerienationale.fr] Sent: Tuesday, September 26, 2017 11:22 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy From darrell at 1placeonline.com Wed Sep 27 00:25:56 2017
From: darrell at 1placeonline.com (Darrell Wu) Date: Wed, 27 Sep 2017 17:25:56 +1300 Subject: [keycloak-user] Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer after upgrade Message-ID: Hi, I've upgraded from keycloak 1.9.8 to keycloak 3.2.1 and now I'm getting the following error when I access my protected application. Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://localhost:8180/realms/1Place', but was 'https://192.168.10.19:8543/realms/1Place' I've configured keycloak to use a self signed certificate against my PC's IP address. The admin console is using the address https://192.168.10.19:8543/ I'm not sure where it is picking up http://localhost:8180/realms/1Place since you can't access the admin console against that address and I couldn't find anywhere in the console where http://localhost:8180/realms/1Place is used. Does anyone have any ideas? Thanks in Advance Darrell Here is the stack trace Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer.
Expected 'http://localhost:8180/realms/1Place', but was 'https://192.168.10.19:8543/realms/1Place' at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:109) at org.keycloak.TokenVerifier.verify(TokenVerifier.java:371) at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89) at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56) at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37) at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87) at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82) at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68) at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110) at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219) at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121) -- Darrell Wu 1Place International Limited P.O. Box 125152, St Heliers, Auckland 1740, New Zealand Level 5, 1 Queen Street, Auckland 1010, New Zealand Phone: +64 9 5200612 ext 521 | Mob: +64 21 262 4898 | Fax: +64 9 5246203 Email: darrell at 1placeonline.com | Web: www.1placeonline.com From ionut.culda at lola.tech Wed Sep 27 03:36:00 2017
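Added example (editor's code, not from the thread or the Keycloak project) for the issuer check that fails above. The adapter's `RealmUrlCheck` compares the token's `iss` claim with the realm URL it derives from its own configuration: `auth-server-url` from keycloak.json (or the adapter subsystem) followed by `/realms/<realm>`. So "Expected 'http://localhost:8180/realms/1Place'" means the deployed adapter config still names http://localhost:8180 as `auth-server-url`, while the server that issued the token is at https://192.168.10.19:8543. The helper decodes a token payload without checking its signature (diagnostics only; never use it to authorize anything) and reports what a given adapter config will expect. The config values and tokens below are constructed from the thread's URLs.

```javascript
// Added example, not from the thread or the Keycloak project. Decodes a JWT
// payload (no signature verification: diagnostics only) and compares iss with
// the realm URL an adapter derives from keycloak.json:
//   <auth-server-url>/realms/<realm>
// Sample configs and tokens are constructed from the URLs in the thread.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Mirrors the adapter's realm info URL: auth-server-url + "/realms/" + realm.
// If the server runs under a context path (commonly /auth), auth-server-url
// must include it, because the issuer will too.
function expectedIssuer(adapterConfig) {
  const serverUrl = adapterConfig['auth-server-url'].replace(/\/+$/, '');
  return `${serverUrl}/realms/${adapterConfig.realm}`;
}

function checkIssuer(token, adapterConfig) {
  const actual = decodeJwtPayload(token).iss;
  const expected = expectedIssuer(adapterConfig);
  return { ok: actual === expected, expected, actual };
}

// Builds an unsigned token for the demo only (alg "none", empty signature).
function makeSampleToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj))
      .toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Constructed from the thread: stale adapter config vs. the server actually in use.
const staleConfig = { realm: '1Place', 'auth-server-url': 'http://localhost:8180' };
const fixedConfig = { realm: '1Place', 'auth-server-url': 'https://192.168.10.19:8543/' };
const token = makeSampleToken({ iss: 'https://192.168.10.19:8543/realms/1Place', sub: 'user-1' });

console.log(checkIssuer(token, staleConfig)); // ok: false
console.log(checkIssuer(token, fixedConfig)); // ok: true
```

To apply this to a real token, paste the bearer token your application receives into `checkIssuer` together with the keycloak.json it is deployed with; if `expected` still shows an old host, that file (or the `auth-server-url` in the adapter subsystem) is what the upgrade left behind.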
From: ionut.culda at lola.tech (Ionut Culda) Date: Wed, 27 Sep 2017 10:36:00 +0300 Subject: [keycloak-user] Custom URL and OTP over sssd Message-ID: Hello, I have tried to configure Keycloak to use sssd federation and it works fine, but when I configured OTP as authentication mechanism I get an error regarding the READONLY account. Can someone tell me if Keycloak supports OTP over sssd or not? The second question that I have is whether Keycloak offers the possibility of a custom URL or URL redirects? For example, instead of https://DOMAIN:PORT/auth/realms/REALM/account to use https://DOMAIN:PORT/REALM Thank you From mhatanak at redhat.com Wed Sep 27 05:20:28 2017
From: mhatanak at redhat.com (Masanobu Hatanaka) Date: Wed, 27 Sep 2017 18:20:28 +0900 Subject: [keycloak-user] can not deploy quick start "app-authz-jee-servlet" Message-ID: Hi, I'm trying to deploy quick start application "app-authz-jee-servlet" here: https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.1.x/app-authz-jee-servlet and follow the configuration steps. However, "mvn install wildfly:deploy" command failed and the following exception is logged. Do I need to configure others to use this sample? Kind regards, Masanobu. ------------------ [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project rh-sso-app-authz-jee-servlet: Failed to execute goal deploy: {"WFLYCTL0062: ??????????????????????????:" => {"?? step-1" => {"WFLYCTL0080: ?????????????" => {"jboss.undertow.deployment.default-server.default-host./authz-servlet" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./authz-servlet: java.lang.RuntimeException: Could not find resource. [ERROR] Caused by: java.lang.RuntimeException: Could not find resource. [ERROR] Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 501 / Not Implemented"}}}} [ERROR] -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project rh-sso-app-authz-jee-servlet: Failed to execute goal deploy: {"WFLYCTL0062: ??????????????????????????:" => {"?? step-1" => {"WFLYCTL0080: ?????????????" => {"jboss.undertow.deployment.default-server.default-host./authz-servlet" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./authz-servlet: java.lang.RuntimeException: Could not find resource. Caused by: java.lang.RuntimeException: Could not find resource. 
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 501 / Not Implemented"}}}} at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:213) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194) at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107) at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993) at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345) at org.apache.maven.cli.MavenCli.main(MavenCli.java:191) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289) at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415) at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356) Caused by: org.apache.maven.plugin.MojoExecutionException: Failed to execute goal deploy: {"WFLYCTL0062: ??????????????????????????:" => {"?? step-1" => {"WFLYCTL0080: ?????????????" 
=> {"jboss.undertow.deployment.default-server.default-host./authz-servlet" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./authz-servlet: java.lang.RuntimeException: Could not find resource. Caused by: java.lang.RuntimeException: Could not find resource. Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 501 / Not Implemented"}}}} at org.wildfly.plugin.deployment.AbstractDeployment.execute(AbstractDeployment.java:148) at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208) ... 20 more -------------------------- SSO server side, the following error is displayed -------------------------- :00,353 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-113) RESTEASY002010: Failed to execute: javax.ws.rs.WebApplicationException: Feature not enabled at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32) at org.keycloak.services.resources.RealmsResource.getAuthorizationService(RealmsResource.java:268) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79) at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) -------------------------- From mstrukel at redhat.com Wed Sep 27 06:15:10 2017 
From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 27 Sep 2017 12:15:10 +0200 Subject: [keycloak-user] can not deploy quick start "app-authz-jee-servlet" In-Reply-To: References: Message-ID: You may need to run your server with -Dkeycloak.profile.feature.authorization=enabled to enable authorization feature. It should be enabled by default on Keycloak, but not on RHSSO. On Wed, Sep 27, 2017 at 11:20 AM, Masanobu Hatanaka wrote: > Hi, > > I'm trying to deploy quick start application "app-authz-jee-servlet" here: > https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.1.x/app-authz-jee-servlet > > and follow the configuration steps. > > However, "mvn install wildfly:deploy" command failed and the following > exception is logged. > Do I need to configure others to use this sample? > > Kind regards, > Masanobu. From manglade at nextoo.fr Wed Sep 27 08:14:28 2017
From: manglade at nextoo.fr (Matthias ANGLADE)
Date: Wed, 27 Sep 2017 14:14:28 +0200
Subject: [keycloak-user] Multi realms approach
Message-ID:

Hi,

I'm currently working on a project with specific requirements. Actually, what we are trying to do is to set up a Keycloak in order to protect several applications. Each of these applications will potentially have its own set of webapps and micro-services.

What we intended to do is to declare a realm per app (and each component of the app would be a client within its own realm).

We need to set up some cross-realm features such as realm selection and multi-realm authentication (i.e. not being forced to re-login when switching from one realm to another).

I'm looking for advice or feedback on implementing such a case. Would you have any?

Yours,

From eduard.matuszak at worldline.com Wed Sep 27 09:07:04 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Wed, 27 Sep 2017 13:07:04 +0000
Subject: [keycloak-user] ECDSA-based signatures (KEYCLOAK-3057) planned?
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D725E80968@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello,

Is the implementation of ECDSA-based signatures planned for a Keycloak version in the near future (see https://issues.jboss.org/browse/KEYCLOAK-3057)? I would rather appreciate this because I am afraid of running into performance issues when our Keycloak-based token generation will have to serve up to millions of login requests per day.

Best regards,
Eduard Matuszak

From adam.lis at gmail.com Wed Sep 27 13:16:19 2017
From: adam.lis at gmail.com (Adam Lis)
Date: Wed, 27 Sep 2017 19:16:19 +0200
Subject: [keycloak-user] LDAP Role Mapper big groups issue (role-ldap-mapper)
Message-ID:

Hi!

I've a role-ldap-mapper defined for my LDAP federation.

I can see that on user logon, KeyCloak is issuing an LDAP search with a filter built on the role-ldap-mapper conditions.

KeyCloak is requesting the whole resource from LDAP - in my case the groups are quite big.

If I understand correctly, only the 'dn' attribute could be requested, since the query is being done anyway for each user on his logon.

In my case the current approach results in waiting for the LDAP response for over 20 seconds. In case only the "dn" attribute for the group would be requested, the LDAP response time is very short.

Is there a way to instruct role-ldap-mapper to retrieve only the 'dn' attribute, and assign a requesting user all groups based only on the retrieved 'dn' attributes?

AdamLis;

From sajid at theinnovationinc.co Wed Sep 27 20:41:43 2017
From: sajid at theinnovationinc.co (Sajid Chauhan)
Date: Thu, 28 Sep 2017 06:11:43 +0530
Subject: [keycloak-user] KeycloakSpringBootConfigResolver - When reading keycloak configuration from springboot properties file instead of keycloak.json
Message-ID:

Hi All,

There are guidelines to implement a multi-tenant application using keycloak by overriding 'KeycloakConfigResolver' as specified in http://www.keycloak.org/docs/2.3/securing_apps_guide/topics/oidc/java/multi-tenancy.html .

The steps defined above can only be used with keycloak.json. How can we adapt this to a spring boot application such that keycloak properties are read from the spring boot properties file and multi-tenancy is achieved?

Thanks,
Sajid

From asrafalianwarali.shaikh at gi-de.com Thu Sep 28 01:29:21 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Thu, 28 Sep 2017 05:29:21 +0000
Subject: [keycloak-user] Improvement required in password policy evaluation
Message-ID: <8930fe05c0a94eafbbf8d7b12962a936@gi-de.com>

Hello,

Keycloak shows the PASSWORD construction rules one at a time, when the password fails to adhere to one of them.

For example, the applied password policies are:

1. specialChars
2. upperCase
3. passwordHistory
4. length
5. digits
6. notUsername
7. lowerCase

If I set my password as "abcd", I get an error message saying "there has to be a special character"; then I change it to abcd@. After that I get a message saying there has to be 1 capital letter ... It goes on and on till all the policies are satisfied.

There is a requirement that all failure reasons should be displayed at once, or at least that the configured password rules are shown somewhere on this screen.

On the page I have all the data available, e.g. in realm.passwordPolicy, which has all the configured password policy data. But I am not sure how the messages can be formulated so that internationalization is also maintained.

Is there any way by which this can be achieved?

Regards,
Asraf Shaikh

From lists at merit.unu.edu Thu Sep 28 02:58:43 2017
From: lists at merit.unu.edu (mj)
Date: Thu, 28 Sep 2017 08:58:43 +0200
Subject: [keycloak-user] Improvement required in password policy evaluation
In-Reply-To: <8930fe05c0a94eafbbf8d7b12962a936@gi-de.com>
References: <8930fe05c0a94eafbbf8d7b12962a936@gi-de.com>
Message-ID: <84ba1790-5fa1-8c8f-7f6b-f5b82e2d8bd8@merit.unu.edu>

Oh YES. We 100% agree with this.

It would even be nicer if all requirements were displayed by default, each requirement with:
- a red cross if not yet satisfied
- a green checkmark when satisfied

So you would see red crosses turning into green checkmarks while composing the password, as each requirement is fulfilled.

Since you have to provide the new password twice, you could even have a requirement that 'both passwords have to match', with a red cross until they match.

MJ

On 09/28/2017 07:29 AM, Shaikh Asrafali Anwarali wrote:
> Hello,
>
> Keycloak shows the PASSWORD construction rules one at a time, when the password fails to adhere to one of them.
>
> For example, the applied password policies are:
>
> 1. specialChars
> 2. upperCase
> 3. passwordHistory
> 4. length
> 5. digits
> 6. notUsername
> 7. lowerCase
>
> If I set my password as "abcd", I get an error message saying "there has to be a special character"; then I change it to abcd@. After that I get a message saying there has to be 1 capital letter ... It goes on and on till all the policies are satisfied.
>
> There is a requirement that all failure reasons should be displayed at once, or at least that the configured password rules are shown somewhere on this screen.
>
> On the page I have all the data available, e.g. in realm.passwordPolicy, which has all the configured password policy data. But I am not sure how the messages can be formulated so that internationalization is also maintained.
>
> Is there any way by which this can be achieved?
>
> Regards,
> Asraf Shaikh

From mposolda at redhat.com Thu Sep 28 03:38:28 2017
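As an added example for the two password-policy messages above (not code from Keycloak or from either poster): a small Python evaluator of a realm.passwordPolicy string that collects every violated rule at once and returns Keycloak's message keys with their arguments, so a form could show all failures together and still localise them. The sample policy, username and passwords are constructed, the default thresholds are assumed to match Keycloak's providers, the English strings are an approximation of Keycloak's bundle, and the history check is a simplified SHA-256 comparison rather than Keycloak's stored credential hashes.

```python
"""Evaluate a Keycloak-style realm.passwordPolicy string and report every
violated rule, instead of stopping at the first failure.

Added example for the keycloak-user thread; not Keycloak's own code.
"""
import hashlib
import re

# Keys as used in Keycloak's messages.properties; the English text is an
# approximation for this demo. Swap the dict for a localised bundle.
MESSAGES = {
    "invalidPasswordMinLengthMessage": "Invalid password: minimum length {0}.",
    "invalidPasswordMinDigitsMessage": "Invalid password: must contain at least {0} numerical digits.",
    "invalidPasswordMinLowerCaseCharsMessage": "Invalid password: must contain at least {0} lower case characters.",
    "invalidPasswordMinUpperCaseCharsMessage": "Invalid password: must contain at least {0} upper case characters.",
    "invalidPasswordMinSpecialCharsMessage": "Invalid password: must contain at least {0} special characters.",
    "invalidPasswordNotUsernameMessage": "Invalid password: must not be equal to the username.",
    "invalidPasswordHistoryMessage": "Invalid password: must not be equal to any of last {0} passwords.",
}

# Argument used when a policy is written without a number
# (assumed to match Keycloak's provider defaults).
DEFAULTS = {"length": 8, "digits": 1, "lowerCase": 1, "upperCase": 1,
            "specialChars": 1, "passwordHistory": 3}

POLICY_TERM = re.compile(r"^(\w+)(?:\((\d+)\))?$")


def parse_policy(policy):
    """Split 'length(8) and digits(1) and notUsername' into [(name, arg), ...]."""
    rules = []
    for term in policy.split(" and "):
        term = term.strip()
        if not term:
            continue
        m = POLICY_TERM.match(term)
        if not m:
            raise ValueError("unrecognised policy term: %r" % term)
        name = m.group(1)
        arg = int(m.group(2)) if m.group(2) else DEFAULTS.get(name)
        rules.append((name, arg))
    return rules


def password_digest(password):
    """Simplified history entry: hex SHA-256 of the password (constructed;
    Keycloak compares against its stored, salted credential hashes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _count(password, predicate):
    return sum(1 for c in password if predicate(c))


def evaluate(policy, password, username, history_hashes=()):
    """Return [(message_key, args), ...] for every rule the password violates,
    in policy order. history_hashes holds password_digest() values of earlier
    passwords, newest first."""
    failures = []
    for name, n in parse_policy(policy):
        if name == "length" and len(password) < n:
            failures.append(("invalidPasswordMinLengthMessage", (n,)))
        elif name == "digits" and _count(password, str.isdigit) < n:
            failures.append(("invalidPasswordMinDigitsMessage", (n,)))
        elif name == "lowerCase" and _count(password, str.islower) < n:
            failures.append(("invalidPasswordMinLowerCaseCharsMessage", (n,)))
        elif name == "upperCase" and _count(password, str.isupper) < n:
            failures.append(("invalidPasswordMinUpperCaseCharsMessage", (n,)))
        elif name == "specialChars" and _count(password, lambda c: not c.isalnum()) < n:
            failures.append(("invalidPasswordMinSpecialCharsMessage", (n,)))
        elif name == "notUsername" and password.lower() == username.lower():
            failures.append(("invalidPasswordNotUsernameMessage", ()))
        elif name == "passwordHistory":
            if password_digest(password) in list(history_hashes)[:n]:
                failures.append(("invalidPasswordHistoryMessage", (n,)))
        elif name not in DEFAULTS and name != "notUsername":
            raise ValueError("unsupported policy: %s" % name)
    return failures


def render(failures, messages=MESSAGES):
    """Turn (key, args) pairs into display strings from the given bundle."""
    return [messages[key].format(*args) for key, args in failures]


# Constructed sample mirroring the seven policies listed in the thread.
SAMPLE_POLICY = ("specialChars(1) and upperCase(1) and passwordHistory(3) and "
                 "length(8) and digits(1) and notUsername and lowerCase(1)")

if __name__ == "__main__":
    # "abcd" violates four rules; all four are reported in one pass.
    for line in render(evaluate(SAMPLE_POLICY, "abcd", "asraf")):
        print(line)
```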
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Sep 2017 09:38:28 +0200
Subject: [keycloak-user] LDAP Role Mapper big groups issue (role-ldap-mapper)
In-Reply-To:
References:
Message-ID: <16dc48ba-6751-9542-bd14-a0eabbb68b5f@redhat.com>

Currently just the "dn" is retrieved and the membership attribute (typically "member"). I guess your roles are big because they have thousands of "member" items on them, is that correct?

A few tips:

- Maybe you have the possibility to configure "User Roles Retrieve Strategy" to be "MEMBER_OF"? This will work if your LDAP server supports it and if it tracks role memberships on the "memberOf" attribute of the user. If it works, you can maybe configure "Membership attribute" to some non-existing value (e.g. "foo"), which means that roles from LDAP will really be retrieved with just the DN attribute.

- It's also possible to create your own version of the mapper and enhance some functionality. You may need to override RoleLDAPStorageMapperFactory and RoleLDAPStorageMapper and override some methods like, for example, "createRoleQuery()". See our server-development guide for tips on how to create and deploy your own providers.

- Create a JIRA if none of the above works for you. But not sure when we'll manage to look into it though...

Marek

On 27/09/17 19:16, Adam Lis wrote:
> Hi!
>
> I've a role-ldap-mapper defined for my LDAP federation.
>
> I can see that on user logon, KeyCloak is issuing an LDAP search with a filter built on the role-ldap-mapper conditions.
>
> KeyCloak is requesting the whole resource from LDAP - in my case the groups are quite big.
>
> If I understand correctly, only the 'dn' attribute could be requested, since the query is being done anyway for each user on his logon.
>
> In my case the current approach results in waiting for the LDAP response for over 20 seconds. In case only the "dn" attribute for the group would be requested, the LDAP response time is very short.
>
> Is there a way to instruct role-ldap-mapper to retrieve only the 'dn' attribute, and assign a requesting user all groups based only on the retrieved 'dn' attributes?
>
> AdamLis;

From mposolda at redhat.com Thu Sep 28 03:41:35 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Sep 2017 09:41:35 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To:
References:
Message-ID: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com>

Not expected. It should work and our tests are passing. Looks like some mis-configuration or something. We have an example in the keycloak-examples distribution called "ldap". Here you can see an example of how an LDAP role can be configured (no example for the group mapper yet, but it's quite similar to the role mapper).

Marek

On 26/09/17 12:04, Tiemen Ruiten wrote:
> Hello,
>
> I'm testing with the following setup:
>
> In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (e.g. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users.
>
> In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected?
>
> Using Keycloak 3.2.1 Final.

From mposolda at redhat.com Thu Sep 28 03:47:57 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Sep 2017 09:47:57 +0200
Subject: [keycloak-user] Realm Keys Public Access
In-Reply-To:
References:
Message-ID:

Yes, it is possible and our adapters are using it. It's like http://localhost:8081/auth/realms/master/protocol/openid-connect/certs (replace your protocol, server, port and realm).

Marek

On 25/09/17 23:03, Russell Davies wrote:
> Is there any way to access the realm keys without making an authenticated request? That is, by making a GET request to `/auth/admin/realms/{realm name}/keys` without an authorization token.
>
> I ask because when I add a new service that needs to verify a JWT sent to it, I have to manually authenticate, get the public key and then configure a JWK from that. It would be easier if I could just tell my service the URL and it would fetch the public key from the Keycloak API.
>
> The response for the keys doesn't include any private information, so I don't see any issue in regard to security. Or am I missing something, or is there another way to do this?

From eramondino at astrotel.biz Thu Sep 28 04:00:01 2017
From: eramondino at astrotel.biz (Elvira Ramondino)
Date: Thu, 28 Sep 2017 10:00:01 +0200
Subject: [keycloak-user] Weblogic Keycloak Adapter
Message-ID: <034f01d3382f$ca1812b0$5e483810$@astrotel.biz>

Hi,

I'm using Keycloak as the authentication and authorization server for some client applications that I must deploy on different application servers. I need to know if the Weblogic Adapter for Keycloak is in development and if there is a release date.

If there's no date, my team could start the development of the adapter, but we need some suggestions based on your experience. Can we use the tomcat adapter as a base for the weblogic adapter? And what could be the effort?

Thanks in advance,
Elvira

From t.ruiten at rdmedia.com Thu Sep 28 04:28:59 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Thu, 28 Sep 2017 10:28:59 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com>
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com>
Message-ID:

Hm, I wrote this down the wrong way, apologies. What I meant to say was that the *access* groups don't have any members, which they should have from the user groups. Looks like my issue is https://issues.jboss.org/browse/KEYCLOAK-1797. Nested groups are quite common in Active Directory; it would be nice if this issue could receive some attention.

On 28 September 2017 at 09:41, Marek Posolda wrote:
> Not expected. It should work and our tests are passing. Looks like some mis-configuration or something. We have an example in the keycloak-examples distribution called "ldap". Here you can see an example of how an LDAP role can be configured (no example for the group mapper yet, but it's quite similar to the role mapper)
>
> Marek
>
> On 26/09/17 12:04, Tiemen Ruiten wrote:
>> Hello,
>>
>> I'm testing with the following setup:
>>
>> In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (e.g. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users.
>>
>> In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected?
>>
>> Using Keycloak 3.2.1 Final.

--
Tiemen Ruiten
Systems Engineer
R&D Media

From Maxime.Cadoret at insa-rennes.fr Thu Sep 28 09:03:24 2017
From: Maxime.Cadoret at insa-rennes.fr (Maxime Cadoret)
Date: Thu, 28 Sep 2017 15:03:24 +0200 (CEST)
Subject: [keycloak-user] Using Direct Grant Access in Android app
Message-ID: <237103419.6587370.1506603804478.JavaMail.zimbra@insa-rennes.fr>

Hello everyone,

I am currently working on an Android project and I'm trying to use KeyCloak as an authentication module.

[Disclaimer] I'm still a student, so my questions might appear completely off-mark. I managed to get KeyCloak to work by testing every scrap of code I found about the subject on the internet, so it might not be the right way to do things, still doing what I need though (mostly from this post: http://lists.jboss.org/pipermail/keycloak-user/2016-January/004445.html).

I previously managed to connect to keycloak by:

1 - using a webview
2 - loading the login page url
3 - getting the user to provide login/pwd on the page
4 - getting a code back with the previous url (protocol/openid-connect/auth?response_type=code&client_id=android_app&redirect_uri=android://app)
5 - sending this code towards another url in a form:

    RestTemplate template = new RestTemplate();
    template.getMessageConverters().add(new FormHttpMessageConverter());
    template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());

    MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
    form.add("grant_type", "authorization_code");
    form.add("client_id", "android_app");
    form.add("code", code);
    form.add("redirect_uri", "android://app");

    ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
            "xxx/auth/realms/{realm}/protocol/openid-connect/token", form, AccessTokenResponse.class);

6 - parsing this JWT into what I need.

I found that you could use Direct Grant Access to avoid using the "keycloak login page" and I am wondering if I'm doing things right when I use it. I'm actually trying to provide the login and password via an NFC TAG and it can't really work with the usual page.

What I'm doing now is:

1 - Create a form containing my password and login (as clear as water)
2 - send it to KeyCloak

    RestTemplate template = new RestTemplate();
    template.getMessageConverters().add(new FormHttpMessageConverter());
    template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());

    MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
    form.add("grant_type", "password");
    form.add("client_id", "android_app");
    form.add("username", "test");
    form.add("password", "test");
    form.add("redirect_uri", "android://app");

    ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
            "xxx/auth/realms/{realm}/protocol/openid-connect/token", form, AccessTokenResponse.class);

But I'm worried about the login and password in this message. Isn't it vulnerable as I'm using HTTP? Or if I add HTTPS, will it be secure enough?

I'm really not familiar with this process, so I'm open to any suggestions or explanations.

Thanks in advance for reading (sorry for my English if there are mistakes).

Best regards,
Maxime.

From adam.lis at gmail.com Thu Sep 28 10:58:29 2017
From: adam.lis at gmail.com (Adam Lis)
Date: Thu, 28 Sep 2017 16:58:29 +0200
Subject: [keycloak-user] LDAP Role Mapper big groups issue (role-ldap-mapper)
In-Reply-To: <16dc48ba-6751-9542-bd14-a0eabbb68b5f@redhat.com>
References: <16dc48ba-6751-9542-bd14-a0eabbb68b5f@redhat.com>
Message-ID:

Hi!

Thanks for your reply, it really helped a lot.

In fact my group entry has thousands of member entries - in my case those are 'uniquemember' entries. So I've taken a look at the other strategy:
https://github.com/keycloak/keycloak/blob/cb57dbf58ae5ea07ac3a6348e77ab2db972bad7b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java#L85

Following this, I took a look at 'keycloak/models/LDAPConstants.java':
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java

So actually in LDAPConstants.java there is MEMBER_OF defined:
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java#L89

As I can see, some of these parameters are adjustable via the WebGUI per User Federation -> LDAP based Provider settings, while some others are not. "MEMBER_OF" seems not to be in the WebGUI.

In my case LDAP is configured to return, inside the user entry, his/her groups, but not in the 'memberOf' attribute (as it defaults in the mentioned Java file) but in 'someWeirdMembershipAttribute'. I'm not able to change the LDAP behavior in that field.

So my next 2 questions would be:

1) am I able to adjust the 'MEMBER_OF' variable per my specific LDAP federation provider? I'm actually sending JSON containing the provider definition, so I'd only need confirmation that I could do this;

2) in case my LDAP is not returning the 'memberOf' parameter for any user, would changing the value of 'MEMBER_OF' from 'memberOf' to 'someWeirdMembershipAttribute' affect this federated source of users in any other way than I'm willing it to?

Thanks;
AdamLis;

2017-09-28 9:38 GMT+02:00 Marek Posolda :
> Currently just the "dn" is retrieved and the membership attribute (typically "member"). I guess your roles are big because they have thousands of "member" items on them, is that correct?
>
> A few tips:
> - Maybe you have the possibility to configure "User Roles Retrieve Strategy" to be "MEMBER_OF"? This will work if your LDAP server supports it and if it tracks role memberships on the "memberOf" attribute of the user. If it works, you can maybe configure "Membership attribute" to some non-existing value (e.g. "foo"), which means that roles from LDAP will really be retrieved with just the DN attribute.
>
> - It's also possible to create your own version of the mapper and enhance some functionality. You may need to override RoleLDAPStorageMapperFactory and RoleLDAPStorageMapper and override some methods like, for example, "createRoleQuery()". See our server-development guide for tips on how to create and deploy your own providers.
>
> - Create a JIRA if none of the above works for you. But not sure when we'll manage to look into it though...
>
> Marek
>
> On 27/09/17 19:16, Adam Lis wrote:
>
> Hi!
>
> I've a role-ldap-mapper defined for my LDAP federation.
>
> I can see that on user logon, KeyCloak is issuing an LDAP search with a filter built on the role-ldap-mapper conditions.
>
> KeyCloak is requesting the whole resource from LDAP - in my case the groups are quite big.
>
> If I understand correctly, only the 'dn' attribute could be requested, since the query is being done anyway for each user on his logon.
>
> In my case the current approach results in waiting for the LDAP response for over 20 seconds. In case only the "dn" attribute for the group would be requested, the LDAP response time is very short.
>
> Is there a way to instruct role-ldap-mapper to retrieve only the 'dn' attribute, and assign a requesting user all groups based only on the retrieved 'dn' attributes?
>
> AdamLis;

From teatimej at gmail.com Thu Sep 28 18:12:21 2017
From: teatimej at gmail.com (Michael Mok)
Date: Fri, 29 Sep 2017 06:12:21 +0800
Subject: [keycloak-user] Fwd: Undeclared namespace prefix "dsig" - still a problem in keycloak 3.3.0 CR2.
In-Reply-To:
References:
Message-ID:

Hi there

In regards to issue 4818 (https://issues.jboss.org/browse/KEYCLOAK-4818), we are still encountering an issue with recognising dsig.

06:54:51,265 WARN [org.keycloak.saml.common] (default task-110) XML External Entity switches are not supported. You may get XML injection vulnerabilities.

09:19:31,939 ERROR [io.undertow.request] (default task-245) UT005023: Exception handling request to /auth/realms/demo/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig"
 at [row,col {unknown-source}]: [1,914]
	at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
	at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)

From mhatanak at redhat.com Thu Sep 28 21:17:00 2017
From: mhatanak at redhat.com (Masanobu Hatanaka)
Date: Fri, 29 Sep 2017 10:17:00 +0900
Subject: [keycloak-user] can not deploy quick start "app-authz-jee-servlet"
In-Reply-To:
References:
Message-ID: <660d56fa-f59d-dd78-0179-01d50a385f1a@redhat.com>

Thank you so much for the response. I could deploy it with the option.

Kind regards,
Masanobu.

On 2017-09-27 19:15, Marko Strukelj wrote:
> You may need to run your server with -Dkeycloak.profile.feature.authorization=enabled to enable the authorization feature.
>
> It should be enabled by default on Keycloak, but not on RHSSO.
>
> On Wed, Sep 27, 2017 at 11:20 AM, Masanobu Hatanaka wrote:
>
> Hi,
>
> I'm trying to deploy the quick start application "app-authz-jee-servlet" here:
> https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.1.x/app-authz-jee-servlet
>
> and follow the configuration steps.
>
> However, the "mvn install wildfly:deploy" command failed and the following exception is logged.
> Do I need to configure anything else to use this sample?
>
> Kind regards,
> Masanobu.
>
> ------------------
> [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project rh-sso-app-authz-jee-servlet: Failed to execute goal deploy: {"WFLYCTL0062: ???????????????????? ??????:" => {"?? step-1" => {"WFLYCTL0080: ?????????????" => {"jboss.undertow.deployment.default-server.default-host./authz-servlet" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./authz-servlet: java.lang.RuntimeException: Could not find resource.
> [ERROR] Caused by: java.lang.RuntimeException: Could not find resource.
> [ERROR] Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 501 / Not Implemented"}}}}
> [ERROR] -> [Help 1]
> --------------------------
>
> SSO server side, the following error is displayed
> --------------------------
> :00,353 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-113) RESTEASY002010: Failed to execute: javax.ws.rs.WebApplicationException: Feature not enabled
> at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
> at org.keycloak.services.resources.RealmsResource.getAuthorizationService(RealmsResource.java:268)
> --------------------------

From dirk.franssen at gmail.com Fri Sep 29 02:10:13 2017
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Fri, 29 Sep 2017 08:10:13 +0200
Subject: [keycloak-user] Force token refresh with the Spring Security adapter
In-Reply-To:
References: <3e910e72-34fd-7ff2-d57a-5a682aa55def@tesicnor.com>
Message-ID: <3DF0EE57-2AF9-4A93-9EAB-D2AC354E059C@gmail.com>

> Hi,
>
> I would like to programmatically initiate a refresh of the token once the profile of the user is updated in the app itself (via the REST API), in order to e.g. display in the header the changed first name of the logged-in user (which is retrieved from ((KeycloakAuthenticationToken) principal).getAccount().getKeycloakSecurityContext().getToken()), without the need to log out/log in again in order to get the updated token.
>
> Kind regards,
> Dirk

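An added example of the forced refresh Dirk asks about; this is not code from the thread or from the Keycloak project. It assumes a Spring Security adapter deployment that is not bearer-only, so the security context kept for the session is a RefreshableKeycloakSecurityContext that holds a refresh token; the helper class name and the decision to call it right after the profile update are the example's own.

```java
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Forces a refresh-token grant for the currently authenticated user so that the
 * access token in the security context reflects the user's current profile.
 * Example helper (hypothetical name), not part of the Keycloak adapter.
 */
public final class TokenRefresher {

    private TokenRefresher() {
    }

    /**
     * Returns the freshly issued access token, or null when no refresh was possible:
     * the request is not authenticated through Keycloak, the deployment is bearer-only
     * (no refresh token is held), or the server refused the refresh (session logged out,
     * refresh token expired or revoked).
     */
    public static AccessToken forceRefresh() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof KeycloakAuthenticationToken)) {
            return null;
        }
        KeycloakSecurityContext ctx =
                ((KeycloakAuthenticationToken) auth).getAccount().getKeycloakSecurityContext();
        if (!(ctx instanceof RefreshableKeycloakSecurityContext)) {
            // Bearer-only deployments carry no refresh token; nothing can be refreshed.
            return null;
        }
        RefreshableKeycloakSecurityContext refreshable = (RefreshableKeycloakSecurityContext) ctx;

        // checkActive=false: do the refresh-token grant even though the current access
        // token has not expired yet. With checkActive=true the adapter would return early
        // as long as the token is still valid, which is exactly what we do not want here.
        boolean refreshed = refreshable.refreshExpiredToken(false);
        if (!refreshed) {
            return null;
        }
        // The context object stored for the session is updated in place, so every later
        // call to getKeycloakSecurityContext().getToken() sees the new claims as well.
        return refreshable.getToken();
    }
}
```

Call it once, after the profile update has been confirmed, rather than on every request: each call is a round trip to the token endpoint, and the server builds the new access token from the user's current state, which is why the changed first name appears in it. Anything that cached claims from the previous token still has to re-read them from the context.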
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 29 Sep 2017 09:15:22 +0200
Subject: [keycloak-user] [keycloak-dev] Incompatibility of UserRepresentation (and other Reps) between 2.5.5.Final and 3.3.0.CR2
In-Reply-To:
References:
Message-ID:

Adding list back..

On 28 September 2017 at 13:57, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
> Yes in the case of 2.5.5.Final it won't help but we can fix it there ourselves, since the version is "fixed". However for future versions of Keycloak it would be good to have a smoother upgrade process.
>
> I think in this case it is a trade-off between robustness and evolvability. If you want to make it easy for people to upgrade to newer Keycloak versions it would help to relax the handling of unknown fields a bit.
>
> The rest is a question of how the API is tested. A test suite can also discover problems such as broken request / response objects by verifying the outcome of an operation. Also one could argue that having typos in a structured request is not very likely - if the user uses the libraries / structures provided by Keycloak, otherwise (JS...) they can happen of course.

I'm thinking about the case when users don't use the libraries provided by Keycloak, basically anyone not using Java (there's a few of them out there you know ;)).

> But again users need to verify themselves via tests whether or not a request succeeds. Even if they have no typo in a field name but a wrong value the request would (should) still fail.
>
> Other options to deal with this would of course be to version the API, however having a full blown versioning mechanism that effectively copies the whole REST interface would be very much overkill.
>
> A leaner approach could be to let the client tell the server which version of Keycloak they are compatible with via a header, e.g.: x-keycloak-version: 2.5.5.Final
> The server REST infrastructure could then inspect that header and dynamically add Jackson Mixins for request / response messages to maintain compatibility - if this is possible / makes sense.
>
> E.g. Keycloak server could support basic operations for older clients, even with support for newer features by applying sane defaults. "New" fields (introduced after x-keycloak-version) would then just be excluded in the response.

We'll probably have to add versions for REST APIs regardless so it might be better to just leverage that than to introduce yet another mechanism.

> Cheers,
> Thomas
>
> 2017-09-28 12:13 GMT+02:00 Stian Thorgersen:
>> Would be good to have backwards compatibility, but:
>>
>> * Adding to reps wouldn't help for admin client 2.5.5, and we're not doing a new release of the admin client for 2.5.x.
>> * Server side shouldn't ignore unknown fields as that could mask issues. For instance a typing error would just result in ignoring rather than an error.
>>
>> On 28 September 2017 at 10:11, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>> Hello,
>>>
>>> I just noticed that it isn't possible to create a user with the old keycloak admin client (2.5.5.Final) on the Keycloak Server (3.3.0.CR2). See the exception below.
>>>
>>> It turns out that the recently introduced field "notBefore" on UserRepresentation in KEYCLOAK-5293 is the cause. Other representations like ClientRepresentation (unknown field "access") and ProviderRepresentation (unknown field "order") have the same problem.
>>>
>>> How about adding... @JsonIgnoreProperties(ignoreUnknown = true) ... to all representations (org.keycloak.representations.idm.*) to stay backwards compatible for old clients?
>>>
>>> I gave this a spin locally (by patching the keycloak-core jar) and it is working fine.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "notBefore" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (24 known properties: "disableableCredentialTypes", "enabled", "emailVerified", "origin", "self", "applicationRoles", "createdTimestamp", "clientRoles", "groups", "username", "totp", "id", "email", "federationLink", "serviceAccountClientId", "lastName", "clientConsents", "socialLinks", "realmRoles", "attributes", "firstName", "credentials", "requiredActions", "federatedIdentities"])
>>>  at [Source: org.apache.http.conn.EofSensorInputStream at 2663e964; line: 1, column: 308] (through reference chain: java.util.ArrayList[0]->org.keycloak.representations.idm.UserRepresentation["notBefore"])
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:141)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
>>>     at com.sun.proxy.$Proxy32.search(Unknown Source)
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

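An added example of the two Jackson mechanisms discussed above (ignoreUnknown on the type, and a mixin applied from the outside) together with the typo risk Stian points out; it is not code from the thread or from Keycloak. LegacyUserRepresentation is a hypothetical stand-in for the 2.5.5 UserRepresentation that does not know the notBefore field, and the two JSON strings are constructed to look like a 3.3 response and a mistyped request body.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public final class CompatDeserialization {

    /** Stand-in (hypothetical) for the 2.5.5 UserRepresentation: knows username and enabled only. */
    public static final class LegacyUserRepresentation {
        public String username;
        public Boolean enabled;
    }

    /**
     * Mixin: lets a client relax unknown-field handling for a class it does not own
     * (here the stand-in for the server's representation) without patching the jar.
     */
    @JsonIgnoreProperties(ignoreUnknown = true)
    interface IgnoreUnknownMixin {
    }

    // Constructed sample of what a 3.3 server returns; "notBefore" is unknown to the old client.
    static final String SERVER_3_3_RESPONSE =
            "{\"username\":\"alice\",\"enabled\":true,\"notBefore\":0}";

    // Constructed sample of a mistyped request body: "enabld" instead of "enabled".
    static final String TYPO_REQUEST =
            "{\"username\":\"bob\",\"enabld\":false}";

    /** Jackson's default: FAIL_ON_UNKNOWN_PROPERTIES is on, so an unknown field is an error. */
    public static LegacyUserRepresentation strict(String json) throws Exception {
        return new ObjectMapper().readValue(json, LegacyUserRepresentation.class);
    }

    /** Same class, but with the mixin registered: unknown fields are silently dropped. */
    public static LegacyUserRepresentation lenient(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.addMixIn(LegacyUserRepresentation.class, IgnoreUnknownMixin.class);
        return mapper.readValue(json, LegacyUserRepresentation.class);
    }

    public static void main(String[] args) throws Exception {
        try {
            strict(SERVER_3_3_RESPONSE);
        } catch (UnrecognizedPropertyException e) {
            // This is the failure from the thread, reproduced on the stand-in class.
            System.out.println("strict client rejects unknown field: " + e.getPropertyName());
        }

        LegacyUserRepresentation fromNewServer = lenient(SERVER_3_3_RESPONSE);
        System.out.println("lenient client reads user: " + fromNewServer.username);

        // Stian's caveat: the same leniency hides a typo in a request body. The field the
        // caller meant to set stays at its default (null here), and nobody is told.
        LegacyUserRepresentation fromTypo = lenient(TYPO_REQUEST);
        System.out.println("typo was ignored, enabled is: " + fromTypo.enabled);
    }
}
```

The mixin keeps the leniency on the side that needs it (an old client reading newer responses) instead of baking it into the shared representations, where it would also apply to request bodies the server parses.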
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 29 Sep 2017 15:06:02 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To:
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com>
Message-ID:

In the configuration of your LDAP Group mapper, you can select "User Roles Retrieve Strategy" to be "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY". Then it should be possible to recursively retrieve the memberships, hence the user will be treated as a member of the "access" group too.

This is specific to Active Directory, but since you're using it, it should work fine.

Marek

On 28/09/17 10:28, Tiemen Ruiten wrote:
> Hm, I wrote this down the wrong way, apologies. What I meant to say was that the /access/ groups don't have any members, which they should have from the user groups. Looks like my issue is https://issues.jboss.org/browse/KEYCLOAK-1797. Nested groups are quite common in Active Directory, it would be nice if this issue could receive some attention.
>
> On 28 September 2017 at 09:41, Marek Posolda wrote:
>> Not expected. It should work and our tests are passing. Looks like some mis-configuration or something. We have an example in the keycloak-examples distribution called "ldap". Here you can see an example of how an LDAP role can be configured (no example for the group mapper yet, but it's quite similar to the role mapper).
>>
>> Marek
>>
>> On 26/09/17 12:04, Tiemen Ruiten wrote:
>>> Hello,
>>>
>>> I'm testing with the following setup:
>>>
>>> In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (eg. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users.
>>>
>>> In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected?
>>>
>>> Using Keycloak 3.2.1 Final.
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 29 Sep 2017 15:16:08 +0200
Subject: [keycloak-user] LDAP Role Mapper big groups issue (role-ldap-mapper)
In-Reply-To:
References: <16dc48ba-6751-9542-bd14-a0eabbb68b5f@redhat.com>
Message-ID:

Yes, you're right. Until now, there wasn't a use-case for using a different attribute name than MEMBER_OF. Unfortunately we don't support Tivoli and don't test with it. So this will require adding a new config parameter to the group/role mapper though. Feel free to send a PR if you want to contribute it.

There is also the possibility that you override the Group/Role mapper and add a new strategy, which will be the same as the builtin GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, but will use your attribute instead of MEMBER_OF.

Marek

On 28/09/17 16:58, Adam Lis wrote:
> Hi!
>
> Thanks for your reply, it really helped much. In fact my group entry has thousands of member entries - in my case those are 'uniquemember' entries.
>
> So I've taken a look at the other strategy:
> https://github.com/keycloak/keycloak/blob/cb57dbf58ae5ea07ac3a6348e77ab2db972bad7b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java#L85
>
> Following this, I took a look at 'keycloak/models/LDAPConstants.java':
> https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java
>
> So actually in LDAPConstants.java there is MEMBER_OF defined:
> https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java#L89
>
> As I can see some of these parameters are adjustable via the WebGUI per User Federation -> LDAP based Provider settings, while some others are not. "MEMBER_OF" seems not to be in the WebGUI.
>
> In my case LDAP is configured to return his/her groups inside the user entry, but not in the 'memberOf' attribute (as it defaults in the mentioned Java file) but in 'someWeirdMembershipAttribute'. I'm not able to change LDAP behavior in that field.
>
> So my next 2 questions would be:
>
> 1) am I able to adjust the 'MEMBER_OF' variable per my specific LDAP federation provider - I'm actually sending JSON containing the provider definition, so I'd only need confirmation that I could do this;
>
> 2) in case my LDAP is not returning the 'memberOf' parameter for any user, would changing the value of 'MEMBER_OF' from 'memberOf' to 'someWeirdMembershipAttribute' affect this federated source of users in any other way than I'm willing it to?
>
> Thanks;
> AdamLis;
>
> 2017-09-28 9:38 GMT+02:00 Marek Posolda:
>> Currently just the "dn" is retrieved and the membership attribute (typically "member"). I guess your roles are big because they have thousands of "member" items on them, is it correct?
>>
>> Few tips:
>> - Maybe if you have the possibility to configure "User Roles Retrieve Strategy" to be "MEMBER_OF"? This will work if your LDAP server supports it and if it tracks role memberships on the "memberOf" attribute of the user. If it works, you can maybe configure "Membership attribute" to some non-existing value (eg. "foo"), which means that roles from LDAP will be retrieved really just with the DN attribute.
>>
>> - It's also possible to create your own version of the mapper and enhance some functionality. You may need to override RoleLDAPStorageMapperFactory and RoleLDAPStorageMapper and override some methods like for example "createRoleQuery()". See our server-development guide for tips on how to create and deploy your own providers.
>>
>> - Create a JIRA if none of the above works for you. But not sure when we manage to look into it though...
>>
>> Marek
>>
>> On 27/09/17 19:16, Adam Lis wrote:
>>> Hi!
>>>
>>> I've a role-ldap-mapper defined for my LDAP federation.
>>>
>>> I can see on user logon, KeyCloak is issuing an LDAP search with a filter built on the role-ldap-mapper conditions.
>>>
>>> KeyCloak is requesting the whole resource from LDAP - in my case groups are quite big.
>>>
>>> If I understand correctly, only the 'dn' attribute could be requested, since the query is being done anyway for each user on his logon.
>>>
>>> In my case the current approach results in waiting for the LDAP response for over 20 seconds. In case only the "dn" attribute for the group would be requested, the LDAP response time is very short.
>>>
>>> Is there a way to instruct role-ldap-mapper to retrieve only the 'dn' attribute, and assign a requesting user all groups based only on the retrieved 'dn' attributes?
>>>
>>> AdamLis;

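An added stand-alone illustration of the strategy Marek describes: deriving a user's groups from the user's own membership attribute, with the attribute name configurable instead of fixed to MEMBER_OF. It is not code from the thread or from Keycloak and uses only the JDK's javax.naming DN classes; in Keycloak the same logic would sit in a custom UserRolesRetrieveStrategy (the class linked above) wired in through your own mapper factory, and that version-specific wiring is not shown. The class and method names, the attribute name someWeirdMembershipAttribute and the sample DNs are the example's own.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/**
 * Groups from the user's membership attribute (memberOf-style), with the attribute name
 * taken from configuration. Hypothetical stand-alone version of what a custom
 * UserRolesRetrieveStrategy would do; no group entry is ever fetched.
 */
public final class MembershipAttributeRoles {

    private final LdapName groupsDn;          // the mapper's "LDAP Groups DN" / "LDAP Roles DN"
    private final String groupNameAttribute;  // the mapper's group-name attribute, typically "cn"
    private final String membershipAttribute; // user attribute holding group DNs (memberOf or your own)

    public MembershipAttributeRoles(String groupsDn, String groupNameAttribute,
                                    String membershipAttribute) throws InvalidNameException {
        this.groupsDn = new LdapName(groupsDn);
        this.groupNameAttribute = groupNameAttribute;
        this.membershipAttribute = membershipAttribute;
    }

    /** The single attribute the user query must return for this strategy. */
    public String returningAttribute() {
        return membershipAttribute;
    }

    /**
     * Turns the raw attribute values (group DNs) into group names. A value counts only if it
     * is a well-formed DN, a direct child of groupsDn, and its leaf RDN uses groupNameAttribute.
     * Everything else is dropped rather than becoming a group the user never held.
     */
    public List<String> groupNamesFrom(Collection<String> membershipValues) {
        List<String> names = new ArrayList<>();
        for (String value : membershipValues) {
            LdapName dn;
            try {
                dn = new LdapName(value);
            } catch (InvalidNameException e) {
                continue; // not a DN at all
            }
            // LdapName indexes the most significant RDN first, so startsWith() is the
            // parent check; the size test restricts to direct children of the groups DN.
            // RDN comparison is case-insensitive for both attribute type and value.
            if (dn.size() != groupsDn.size() + 1 || !dn.startsWith(groupsDn)) {
                continue;
            }
            Rdn leaf = dn.getRdn(dn.size() - 1);
            if (!leaf.getType().equalsIgnoreCase(groupNameAttribute)) {
                continue;
            }
            names.add(leaf.getValue().toString());
        }
        return names;
    }

    public static void main(String[] args) throws InvalidNameException {
        MembershipAttributeRoles strategy = new MembershipAttributeRoles(
                "ou=groups,dc=example,dc=com", "cn", "someWeirdMembershipAttribute");

        // Constructed values, as a directory might return them in the user's membership attribute.
        List<String> values = Arrays.asList(
                "cn=sales,ou=groups,dc=example,dc=com",           // accepted
                "CN=It,OU=Groups,DC=example,DC=com",               // accepted, different case
                "cn=nested,cn=sales,ou=groups,dc=example,dc=com", // rejected: not a direct child
                "cn=other,ou=elsewhere,dc=example,dc=com",        // rejected: outside the groups DN
                "uid=bob,ou=groups,dc=example,dc=com",            // rejected: leaf RDN is not cn
                "not a dn");                                      // rejected: unparsable

        System.out.println("attribute to request: " + strategy.returningAttribute());
        System.out.println("groups: " + strategy.groupNamesFrom(values));
    }
}
```

This is the shape that gets Adam what he asked for: the user query returns one attribute and nothing is read from the group entries with thousands of member values. The filtering is the part to keep when porting it into a real strategy; trusting every value in the attribute as a group would let an unexpected or malformed value grant a group the directory never assigned.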
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Fri, 29 Sep 2017 16:35:22 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To:
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com>
Message-ID:

Marek, thanks for your answer. I had already tried that and it didn't work. I set up an AD federation and a role mapper in a clean testing realm with the same results. If you are interested, I can share the realm configuration with you for reproducing.

On 29 September 2017 at 15:06, Marek Posolda wrote:
> In the configuration of your LDAP Group mapper, you can select "User Roles Retrieve Strategy" to be "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY". Then it should be possible to recursively retrieve the memberships, hence the user will be treated as a member of the "access" group too.
>
> This is specific to Active Directory, but since you're using it, it should work fine.
>
> Marek
>
> On 28/09/17 10:28, Tiemen Ruiten wrote:
>> Hm, I wrote this down the wrong way, apologies. What I meant to say was that the *access* groups don't have any members, which they should have from the user groups. Looks like my issue is https://issues.jboss.org/browse/KEYCLOAK-1797. Nested groups are quite common in Active Directory, it would be nice if this issue could receive some attention.
>>
>> On 28 September 2017 at 09:41, Marek Posolda wrote:
>>> Not expected. It should work and our tests are passing. Looks like some mis-configuration or something. We have an example in the keycloak-examples distribution called "ldap". Here you can see an example of how an LDAP role can be configured (no example for the group mapper yet, but it's quite similar to the role mapper).
>>>
>>> Marek
>>>
>>> On 26/09/17 12:04, Tiemen Ruiten wrote:
>>>> Hello,
>>>>
>>>> I'm testing with the following setup:
>>>>
>>>> In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (eg. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users.
>>>>
>>>> In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected?
>>>>
>>>> Using Keycloak 3.2.1 Final.
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media

--
Tiemen Ruiten
Systems Engineer
R&D Media

From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 29 Sep 2017 16:56:51 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To:
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com>
Message-ID: <4e622a0f-2fba-0ddd-185f-327cf0d14564@redhat.com>

Maybe if you can enable TRACE logging for "org.keycloak.storage.ldap" it may help. It shows the configuration at startup, but also it shows the LDAP queries. Maybe this can show why the roles can't be retrieved.

Marek

On 29/09/17 16:35, Tiemen Ruiten wrote:
> Marek, thanks for your answer. I had already tried that and it didn't work. I set up an AD federation and a role mapper in a clean testing realm with the same results. If you are interested, I can share the realm configuration with you for reproducing.
>
> On 29 September 2017 at 15:06, Marek Posolda wrote:
>> In the configuration of your LDAP Group mapper, you can select "User Roles Retrieve Strategy" to be "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY". Then it should be possible to recursively retrieve the memberships, hence the user will be treated as a member of the "access" group too.
>>
>> This is specific to Active Directory, but since you're using it, it should work fine.
>>
>> Marek
>>
>> On 28/09/17 10:28, Tiemen Ruiten wrote:
>>> Hm, I wrote this down the wrong way, apologies. What I meant to say was that the /access/ groups don't have any members, which they should have from the user groups. Looks like my issue is https://issues.jboss.org/browse/KEYCLOAK-1797. Nested groups are quite common in Active Directory, it would be nice if this issue could receive some attention.
>>>
>>> On 28 September 2017 at 09:41, Marek Posolda wrote:
>>>> Not expected. It should work and our tests are passing. Looks like some mis-configuration or something. We have an example in the keycloak-examples distribution called "ldap". Here you can see an example of how an LDAP role can be configured (no example for the group mapper yet, but it's quite similar to the role mapper).
>>>>
>>>> Marek
>>>>
>>>> On 26/09/17 12:04, Tiemen Ruiten wrote:
>>>>> Hello,
>>>>>
>>>>> I'm testing with the following setup:
>>>>>
>>>>> In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (eg. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users.
>>>>>
>>>>> In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected?
>>>>>
>>>>> Using Keycloak 3.2.1 Final.
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 29 Sep 2017 17:39:09 +0000
Subject: [keycloak-user] OPENID Java Client
Message-ID:

I was looking at the keycloak examples for client credentials flow examples, and it looks like everything required is located in the adapter-core module, especially the AdapterRSATokenVerifier and ServerRequest classes. But I wonder if it is safe to use this module in terms of API stability and documentation, or whether I should better stick to some 3rd party OpenID client that will do all the fancy things with token validation, key retrieval, caching etc.

Best Regards,
Vitalii

From: Michael.Liebe at ist.com (Michael Liebe)
Date: Sat, 30 Sep 2017 06:55:18 +0000
Subject: [keycloak-user] Multi realms approach
In-Reply-To:
References:
Message-ID: <28F9C445-51FA-433C-81BA-B5D2D16889D6@ist.com>

Hi,

We have a similar setup and achieve cross-realm authentication through an extra IdP instance (which is actually a requirement for us because the IdPs are owned by the customers). This adds of course an administrative overhead.

Realm selection is in our case done by setting a specific header on the reverse proxy. The realm name is hereby derived from the request URL. Accordingly, we implemented a custom KeycloakConfigResolver that reads the realm name from the header.

I hope this helps,
Michael

On 2017-09-27, 14:14, "keycloak-user-bounces at lists.jboss.org on behalf of Matthias ANGLADE" wrote:
> Hi,
>
> I'm currently working on a project with specific requirements. Actually what we are trying to do is to set up a Keycloak in order to protect several applications. Each of these applications will potentially have their own set of webapps and micro-services. What we intended to do is to declare a realm per app (and each component of the app would be a client within its own realm).
>
> We need to set up some cross-realm features such as realm selection, multi-realm authentication (i.e. not being forced to re-login when switching from one realm to another).
>
> I'm looking for advice or feedback on implementing such a case. Would you have any?
>
> Yours,

From: forums.akurathi at gmail.com (forums.akurathi at gmail.com)
Date: Sat, 30 Sep 2017 08:47:00 -0400
Subject: [keycloak-user] OTP Policy updates not reflected in Google Authenticator
Message-ID: <15ed2d35a59-c0c-c297@webjas-vaa118.srv.aolmail.net>

Dear all,

We are running into a weird problem, i.e., updates to the OTP policy are not reflected in the Google Authenticator app. We wonder whether any special instructions are needed to get this working.

A sequence of steps:
1) create realm, create user
2) enable OTP
3) login with the newly created user
4) system asks you to configure OTP
5) update OTP policy such as number of digits from 6 to 8
6) try login again
7) system asks you to enter OTP but authentication fails

We expect the system should route the user to the configure OTP page rather than prompting to enter an OTP which anyway fails.

Your response is highly appreciated!!!

Thanks in advance

Regards
Krishna Kumar Akurathi

From: stephen at saasindustries.com (Stephen Henrie)
Date: Sat, 30 Sep 2017 10:34:21 -0700
Subject: [keycloak-user] Multi realms approach
In-Reply-To: <28F9C445-51FA-433C-81BA-B5D2D16889D6@ist.com>
References: <28F9C445-51FA-433C-81BA-B5D2D16889D6@ist.com>
Message-ID:

I am curious... how does this address the issue of requiring users to re-login again to switch realms? I ask, as this is a very common need and since the access token is specific to a keycloak realm, I don't see how this would address that situation without Keycloak supporting "trusted realms".

Thanks
Stephen

On Fri, Sep 29, 2017 at 11:55 PM, Michael Liebe wrote:
> Hi,
>
> We have a similar setup and achieve cross-realm authentication through an extra IdP instance (which is actually a requirement for us because the IdPs are owned by the customers). This adds of course an administrative overhead.
>
> Realm selection is in our case done by setting a specific header on the reverse proxy. The realm name is hereby derived from the request URL. Accordingly, we implemented a custom KeycloakConfigResolver that reads the realm name from the header.
>
> I hope this helps,
> Michael
>
> On 2017-09-27, 14:14, "keycloak-user-bounces at lists.jboss.org on behalf of Matthias ANGLADE" <manglade at nextoo.fr> wrote:
>> Hi,
>>
>> I'm currently working on a project with specific requirements. Actually what we are trying to do is to set up a Keycloak in order to protect several applications. Each of these applications will potentially have their own set of webapps and micro-services. What we intended to do is to declare a realm per app (and each component of the app would be a client within its own realm).
>>
>> We need to set up some cross-realm features such as realm selection, multi-realm authentication (i.e. not being forced to re-login when switching from one realm to another).
>>
>> I'm looking for advice or feedback on implementing such a case. Would you have any?
>>
>> Yours,

From: Michael.Liebe at ist.com (Michael Liebe)
Date: Sat, 30 Sep 2017 18:08:03 +0000
Subject: [keycloak-user] Multi realms approach
In-Reply-To:
References: <28F9C445-51FA-433C-81BA-B5D2D16889D6@ist.com>
Message-ID: <102BEF32-7FC1-4D15-BF41-5F536E62FF4F@ist.com>

Yes, the tokens are still realm specific. This is how the setup basically works:

- The user requests a resource from application A, gets redirected to Keycloak (realm A) which, in turn, redirects to the IdP. After authentication at the IdP the user is redirected back to Keycloak, which issues the token for the application within realm A.
- Then, the user switches to application B. The user is again redirected to Keycloak, but now to realm B. Since the user has no active session here, the user is further redirected to the IdP. Since the user already has an active session at the IdP, the request is redirected directly, i.e. without user interaction, back to Keycloak, which in turn issues a token within realm B to application B.

> From: Stephen Henrie
> Date: Saturday, 30 September 2017 at 19:34
> To: Michael Liebe
> Cc: Matthias ANGLADE, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Multi realms approach
>
> I am curious... how does this address the issue of requiring users to re-login again to switch realms? I ask, as this is a very common need and since the access token is specific to a keycloak realm, I don't see how this would address that situation without Keycloak supporting "trusted realms".
>
> Thanks
> Stephen
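An added example of the header-driven KeycloakConfigResolver that Michael describes for his setup; it is not his code and not part of Keycloak. It assumes the reverse proxy sets a header named X-Realm (hypothetical) derived from the request URL, that the proxy removes any X-Realm a client sent before adding its own, and that every realm contains a client with the same client id against the same auth-server URL. The allow-list of realm names and the per-realm cache are the example's own additions.

```java
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Picks the Keycloak realm per request from a header the reverse proxy sets.
 * Example resolver (hypothetical class and header name), not the one from the thread.
 */
public class HeaderRealmConfigResolver implements KeycloakConfigResolver {

    /** Header written by the proxy from the request URL. Assumption of this example. */
    private static final String REALM_HEADER = "X-Realm";

    private final String authServerUrl;
    private final String clientId;
    private final Set<String> knownRealms; // allow-list; anything else is refused
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    public HeaderRealmConfigResolver(String authServerUrl, String clientId, Set<String> knownRealms) {
        this.authServerUrl = authServerUrl;
        this.clientId = clientId;
        this.knownRealms = knownRealms;
    }

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = request.getHeader(REALM_HEADER);
        // The realm decides which issuer and which signing keys the adapter trusts. A header
        // value is attacker-influenced unless the proxy overwrites it, so only realms this
        // application actually serves are accepted; everything else fails closed.
        if (realm == null || !knownRealms.contains(realm)) {
            throw new IllegalStateException("No Keycloak deployment for realm header: " + realm);
        }
        // Build each realm's deployment once; KeycloakDeployment caches realm keys internally.
        return deployments.computeIfAbsent(realm, this::buildDeployment);
    }

    private KeycloakDeployment buildDeployment(String realm) {
        AdapterConfig config = new AdapterConfig();
        config.setRealm(realm);
        config.setResource(clientId);
        config.setAuthServerUrl(authServerUrl);
        config.setSslRequired("external");
        config.setPublicClient(true); // use setCredentials(...) for a confidential client
        return KeycloakDeploymentBuilder.build(config);
    }
}
```

With the Spring Security adapter the resolver is exposed as a bean and consulted for every request in place of a static keycloak.json. Throwing for an unknown realm is deliberate: the alternative of silently falling back to a default realm would let a missing or wrong header route a user's login, and the tokens the adapter then trusts, to a realm the operator did not intend.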