From geoff at opticks.io Sat Dec 1 07:47:02 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sat, 1 Dec 2018 13:47:02 +0100
Subject: [keycloak-user] Customize OpenID/OAuth token

I think from my limited knowledge that the OpenId standard dictates the use of JWT tokens, so I would not expect this to be possible.

On Fri, Nov 30, 2018, 11:25 Francisco Javier Crujeiras <fj.crujeiras at hocelot.com> wrote:

> Hi,
>
> We're thinking of using Keycloak as our main IDP and SSO solution. At this time, we're using a "custom" IDP server based on Spring and we are investigating if we can migrate our client database to Keycloak without disturbing our users.
>
> So, we have seen that, by default, Keycloak answers a token request with a complete JWT token, like this one:
>
>     {
>       "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEWk4wX1liZUZGNFZMUVdxQ2NWMGFWd0VFbXBlUGlnX1NFaWk3dkozSGRvIn0.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LjEiLCJjbGllbnRJZCI6Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtciIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTguMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtckBwbGFjZWhvbGRlci5vcmcifQ.BgF6v7VQGO4vH4Z0VLFZmiO1CARpaoE1V7MjaNIJB85QORfk3L431VFQr3WJdT5ZBeC0Q5mB5LB7f9gLAd2lso4P9AegYAi8PmjJRvI-oL59Qe0PfDn8fjfZdaC8i3K0ZrZNDS9ivTdqL-8Gvq2C1l8x4tZaSxw1Yu8hxrWEfgOfATdn9XL5cbYXWRkm6AoJkVFVd300fPr0k6f67Jb4WOJP72692g8QRTWkqCrZyz0DrJxgg7fSX6M_0bxOa-JOidmGuJIwScciT1b5IVvvcQi3hx4UMwRQFunq1j2T7iRCT_LB99oP480KtoSXyCUS3dDzj6wCp4BEHb5K792isg",
>       "expires_in": 300,
>       "refresh_expires_in": 1800,
>       "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhNmQzZTgzZi1iZGUxLTQ3YjgtYmQ4Yy1hMjVhNDdjMmExZTYifQ.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.WTW9TwMnx4DSzRlLkDj_uXgabFAAUD4wDB5D084GMdY",
>       "token_type": "bearer",
>       "not-before-policy": 0,
>       "session_state": "72ecb798-db58-4161-8e09-4aaedb2eab8f",
>       "scope": "profile email"
>     }
>
> But, we'd like to send a "non-JWT" token, like this one:
>
>     {
>       "access_token": "laskddjfnasdf7-fas45nfdsa-56kr-8uy7-fasd87fyasdf",
>       "token_type": "bearer",
>       "expires_in": 3600,
>       "scope": "scope-1 scope-2 scope-n"
>     }
>
> We're not very experienced in Keycloak and we do not know if this is even possible, but any help will make us very happy.
>
> Thanks in advance!
>
> Regards,
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From geoff at opticks.io Sat Dec 1 11:17:17 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sat, 1 Dec 2018 17:17:17 +0100
Subject: [keycloak-user] Data filtering in SQL
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com> <5BCF31B569C0A2468D7904C8E5839D690104C378C5@DSKCMAIL1WC.ad.dstsystems.com>

Pedro,

I followed this thread with interest and have implemented your recommendation to do data filtering via added claims. Do you know if it's possible to add a JSON object to the claim? When I do

    permission.addClaim('data.filter.userId', {"a":5});

I get:

    "data.filter": ["[object Object]"]

The protocol mapper scripting engine does allow adding JSON objects correctly.

Regards,
Geoffrey Cleaves

On Fri, 9 Nov 2018 at 13:37, Pedro Igor Silva wrote:

> On Thu, Nov 8, 2018 at 9:27 PM Byrd, Rob M wrote:
>
> > Pedro,
> >
> > That is helping my understanding some, thank you. I understand your recommendations on dealing with separating the employee's Salary field in my example too. Please see follow-up questions below.
> >
> > Storing resource attributes statically in keycloak:
> >
> > 2.1) I had been thinking of Resource as a *type* of resource to this point, not a specific instance. But now I don't see how your suggestion of basically using the resource attribute to store a foreign key (ie. pet's veterinarian) will work unless we are talking about each individual pet instance being a keycloak resource.
Similarly it was mentioned pet 1 and > > pet 2 could have a meaningful Owner in keycloak, which again is making me > > think that *instances* are being suggested to store along with > > entity-relationships basically. So, should I instead be thinking of > > keycloak resources as storing single instances of items in our system? > > > You should not think of Keycloak as storing *only* single instances, but > with the necessary support to store single instances. That was my point > when I mentioned that you can have a 1:1 or 1:N mapping between keycloak > resources and your resources. > > The work to manage resources in Keycloak is quite trivial, keep them in > sync with your real resources too. Performance of authorization requests > for specific resources is quite good. It is a trade-off, the flexibility we > give regarding governing access to individual resources vs the drawbacks of > managing these resources in Keycloak. But again, you are not forced to use > this approach, it really depends on your requirements. For instance, we > support privacy through User-Managed Access (UMA), users are allowed to > manage permissions for their own resources, share resources with others, > allow/approve access to specific scopes/actions, and revoke access, where > you have loosely coupled clients and resource servers, resource servers in > control over the context that a permission should be granted, etc. > > I'm not pushing you to any specific solution but trying to clarify what we > have, what we can do, what we can improve and how we could help "data > filtering" use cases. Btw, thanks you and Dmitry for starting this. > > > 2.2) This relatively static storage of resources plus extra attributes > > like foreign keys seems to basically push/duplicate our business model of > > data into keycloak, to some degree, correct? And the more keycloak needs > > to decide, the more gets duplicated into keycloak? > > > Not really, but true for data filtering. 
> That is another point/drawback/concern that I tried to make when I said that data filtering is not among our target use cases. We can support it, but not something we discussed in the details like we are doing in this thread.
>
> Attributes can be used to define specific security related data associated with a resource which are not part of your business model. Thus, allowing you to keep your business model decoupled from security aspects that govern access to your resources.
>
> > Push claims:
> >
> > 2.3) The push claim alternative seems to be having application logic fetch more context as needed for the permission evaluation. This might work okay when going after a single entity or asking singular questions of the application logic, but for lists, such as a user seeing his list of 100 transaction history records amongst the 1 million transaction history records on the system, would a question be asked for each of the 1 million records, one at a time?
>
> Pushing claims is not the correct approach to solve this problem.
>
> First, Keycloak is optimized to only evaluate policies for resources where the subject is the owner. So, considering that I decided to manage all 1 million resources in Keycloak, each resource would have a user as the resource owner. During evaluation the policy engine is going to evaluate permissions for 100 resources, not 1 million.
>
> You may ask now, would that scale? Depends on how you obtain permissions from the server. If you are asking the server for all permissions and users can have 1 million resources over time, it won't scale. However, if you ask permissions for individual transactions or a small set of transactions, it will scale.
>
> > Post-filtering of records:
> >
> > 2.4) A use case I still seek clarification on is the "post-filtering of records", which I was trying to get at with my previous question #5.
> > Stated in another way - say a financial database has 1 million transaction records across thousands of users. Every user is allowed to see the transaction history records view, but only the ones they transacted. So, a single user viewing all transactions of the transaction history feature/resource should (obviously) only be able to see all HIS transactions, not all 1 million on the database. Spring Security would have @PostAuth for this (though its drawback is slow db performance on the first query, which does a db table scan and brings back everything to the middle tier, which then inefficiently whittles it down to just what pertains to the user). My question is what ways would this post-filtering of records be handled in Keycloak? With what I know so far, I am guessing at keycloak basic options:
> >
> > a) Have each of 1mil transaction records managed by Keycloak, add a "creator" attribute for who instigated the transaction, and have that user identifier stored on each record so Keycloak can do the filtering down to the 100 correct records
> >
> > b) Receive a push claim, for each of the 1mil transaction records, indicating who the "creator" is, so it may be matched against the current user and thus filter down to the 100 correct records
> >
> > c) During evaluation, the policy engine can call out to a service somewhere to get the primary keys of the subset of records this user can see (this may be like a Claim Information Point), then whittle the full list down to just those matching primary keys (kind of like sending an IN list of primary keys in a SQL WHERE clause)
> >
> > d) Something more like the "partial evaluation" that the OPA blog and Dmitry have been talking about
>
> You don't need to create a "creator" attribute. Resources in Keycloak always have an owner. It can be the resource server (the application) itself or some user in your realm.
> See https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_overview.
>
> I just realized that we have another option in Keycloak that might be helpful to solve data filtering. I think it is similar to what you linked from OPA docs. Some background first about the capability that may help with that.
>
> In Keycloak, policies are allowed to push back claims to the resource server (the application protecting the resources you want to access). Quite similar to Advice/Obligation in XACML. The idea is to push back additional constraints to the application in order to indicate additional checks that should be performed by the policy enforcer. As a note, our CIPs do that in order to reinforce access to resources based on any claim pushed to Keycloak when evaluating permissions.
>
> Let me give you an example. Consider a Transaction resource that you created in Keycloak. This is a generic resource representing all your transactions. Suppose you have a specific scope that represents an operation that lists all user transactions. Let's call this scope "transaction:list". This scope is associated with the Transaction resource. So you have:
>
>     Resource: Transaction
>     Scopes: transaction:list
>
> Now, in addition to any other policy that applies to the Transaction resource (role, group, whatever) you have a specific permission that governs access to the "transaction:list" scope. This permission is granted by a "List Transaction Policy" as follows:
>
>     var permission = $evaluation.getPermission();
>     var identity = $evaluation.getContext().getIdentity();
>
>     permission.addClaim('data.filter.userId', identity.getId());
>
>     $evaluation.grant();
>
> Now, the client application acting on behalf of your user tries to access your application at "/api/v1/transaction" using HTTP GET.
> You know that the GET method on that endpoint is associated with the "transaction:list" scope, so you ask Keycloak for permissions to "Transaction" resources + "transaction:list" scope.
>
> As a result, Keycloak will give you a response as follows:
>
>     "permissions": [
>       {
>         "scopes": [
>           "album:list"
>         ],
>         "claims": {
>           "data.filter.userId": [
>             "e68fa92d-6167-438f-844b-78c7abfc0dd2"
>           ]
>         },
>         "rsid": "d3aaaf68-50cf-4c5c-97b9-99910a7bfb27",
>         "rsname": "Transaction Resource"
>       }
>     ]
>
> In your application you can use the permission granted above, and the "data.filter.userId" claim to create a query in your database as follows:
>
>     StringBuilder filter = new StringBuilder();
>     Map<String, Object> queryParams = new HashMap<>();
>
>     // claims pushed back by the policy, keyed by claim name with a set of values each
>     for (Map.Entry<String, Set<String>> entry : permission.getClaims().entrySet()) {
>         String key = entry.getKey();
>
>         if (key.startsWith("data.filter")) {
>             // add the separator only once a previous condition exists,
>             // so non-filter claims do not leave a dangling "and"
>             if (filter.length() != 0) {
>                 filter.append(" and ");
>             }
>
>             String left = key.substring(key.lastIndexOf('.') + 1);
>             filter.append(left).append(" = :").append(left);
>             // claim values arrive as a set; bind the single value for an equality filter
>             queryParams.put(left, entry.getValue().iterator().next());
>         }
>     }
>
>     Query query = this.entityManager.createQuery("from Transaction where " + filter.toString());
>
>     for (Map.Entry<String, Object> entry : queryParams.entrySet()) {
>         query.setParameter(entry.getKey(), entry.getValue());
>     }
>
> The key points here are:
>
> * You are using a single resource to represent all transactions in your system
>
> * You are using a specific policy to protect the "transaction:list" operation by pushing back to your application how access should be enforced
>
> * Access management is still centralized and you can push back the "data.filter" claim with any information you want in order to indicate to the application how data must be filtered
>
> * Your policies are using information already available from the evaluation context (like user id, user attributes, user roles, groups) without being forced to push any claim to the server
>
> In fact, I can use this in one of our
> quickstarts that is using a database and protecting data. So we could introduce something similar to this in order to filter records in addition to protecting API endpoints.
>
> How does that sound to you?
>
> > General:
> >
> > 2.5) In general, it seems to me the bigger the chunks of extra context provided by application logic to the policy engine, the less detail about the actual constraints being enforced you have controlled and visible in the policy layer, somewhat defeating the purpose of the policy layer. Does that sound correct? I could see us offloading a ton of detail to the push claims, rather than, say, duplicating more of our business model in keycloak, and then realizing very little of our actual policy permission details are visible or controllable in the policy layer. So I am not sure what we are getting at that point.
> >
> > a) An answer might be drawing the line at only role-based access control in the policy layer since that affinity is more easily provided as input (though that could even be debated)
> >
> > b) Maybe we try to define and draw the line at "resource-based" controls only in the policy layer
> >
> > c) Maybe we make the unit of work for each push claim so granular that truly all of the policy rules that are occurring are basically expressed in the policy layer (thus allowing control, flexibility and visibility in one consolidated place)
> >
> > Thanks for your time.
> >
> > Rob Byrd
> > DST
> > Solutions Lead
> > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > t: (816) 435-7286 | m (816) 509-0119
> > rmbyrd at dstsystems.com | www.ssctech.com
> >
> > From: Pedro Igor Silva [mailto:psilva at redhat.com]
> > Sent: Thursday, November 8, 2018 2:20 PM
> > To: Byrd, Rob M
> > Cc: Dmitry Telegin
> > ; keycloak-user <keycloak-user at lists.jboss.org>
> > Subject: Re: [keycloak-user] Data filtering in SQL
> >
> > On Thu, Nov 8, 2018 at 5:44 PM Byrd, Rob M wrote:
> >
> > > Thanks Dmitry and Pedro,
> > >
> > > Pardon my simple-minded response below, but I am wondering how these specific items would work? Dmitry, yes I agree your GET /projects/ and GET /projects scenario is on point for the issue; I hope my questions below can further clarify the discussion. Here, I will have to make a "go or no-go" decision in about a week. I would love to take on the challenge of searching for the "holy grail" in this, but atm will need to figure out what Keycloak (or OPA, etc.) can confidently do today.
> > >
> > > Thanks for the great discussion and continued help!
> > >
> > > Questions
> > >
> > > 1) Simple role-based authorization policy seems doable.
> > >
> > > - Ex: "Only veterinarians are allowed to read pet profiles."
> > >
> > > 2) But how to answer once more context is needed, such as one resource's affinity to another? Literally how does the application figure it out? Like the below example would need a pet-veterinarian mapping resolved somehow, it seems:
> > >
> > > - "Only the treating veterinarian is allowed to read a pet's profile."
> >
> > Just like in OPA, but using a different approach, you can also push information (the input in OPA) to your policies. We call this "pushing claims" [1]. In our policy enforcer we also have the concept of a Claim Information Point [2] (similar concept as a PIP) which you can configure to automatically push claims to your policies when checking access for a particular resource. There is also a CIP that allows you to fetch claims from external services.
> >
> > Besides, a resource in Keycloak has attributes, which can be anything you want.
So you could, for instance, have a Pet Foo resources in Keycloak > and > > update a "veterinarian" attribute associated with it. So you could have a > > policy that checks if the user making the request is the same defined in > > the attribute. > > > > > > > > [1] > > > https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims > > > > [2] > > > https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point > > > > > > > > > > - > > > > > > > > 3) Keycloak has taken an example of ?Pet owners can access their own > pet?s > > profiles.? and said we can write policies saying that "Only Owner" can > > access "/api/petservice/pet/{id}". But how does the policy engine figure > > out who is the owner of /pet/2 vs /pet/3? > > > > I can think two options. Like I mentioned before, we are resource-based > > and resources have an owner. So you can write policies that check if the > > resource owner is the user making the authorization request. Another > option > > is to push claims. > > > > 4) Similarly, an OPA blog > > > https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 > > gives the example where ?Only the treating veterinarian is allowed to > read > > a pet?s profile, and only when signed in from a device at the pet?s > > clinic?. Again, it is easy enough to provide the OPA engine the target > pet > > and the current device location, but how exactly is it determined who is > > the treating veterinarian of that pet and what clinic the pet belongs to? > > > > 5) In general, the security difficulty is constraining what a user can > > see/do in a particular feature, so how exactly would a policy engine > bring > > back a subset of records that particular user can see (based on their > > affiliated company, etc.)? 
> > >
> > > 6) Similarly, how exactly would a policy engine bring back all records but not the fields a user should not see (such as employee salary field, unless the user is a HR VIP)? These last two could be likened to @PostAuth post-filtering in spring security.
> >
> > You can have all those resources protected by Keycloak and make authorization requests to obtain the resources a user has access to. We provide a REST API to create resources. And that is the point I tried to make when I said that data security is not really among the use cases we are trying to solve. Although it is possible. Keycloak allows you to send a "give me all" permission request. That means returning permissions for any resource, managed by Keycloak, that a user can access. But yeah, depending on how many resources you have you may end up with a huge response and bad performance.
> >
> > Another approach is to define a single Employee resource with a Salary scope to represent all your employees. So you could enforce access to your real employees and their salary based on the decisions made by the server for this single resource.
> >
> > The decision for one approach or another really depends on how fine grained you want to be, like I mentioned before. Do you need to manage individual employees or do they all share the same access policies?
> >
> > See this https://github.com/keycloak/keycloak-quickstarts/tree/master/app-authz-rest-employee.
> >
> > Regarding fields (e.g: salary) you could consider it as a scope associated with a resource. In Keycloak you can define permissions for scopes, not only for resources.
> >
> > > Rob Byrd
> > >
> > > From: Pedro Igor Silva [mailto:psilva at redhat.com]
> > > Sent: Thursday, November 8, 2018 6:42 AM
> > > To: Dmitry Telegin
> > > Cc: Byrd, Rob M; keycloak-user <keycloak-user at lists.jboss.org>
> > > Subject: Re: [keycloak-user] Data filtering in SQL
> > >
> > > Hi Dmitry,
> > >
> > > Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems.
> > >
> > > Privacy is one of the main reasons behind our UMA support, a very important aspect of data security. In addition to privacy, we also added extensions to UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly targeted for application security.
> > >
> > > As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2 we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well as dynamically create WHERE clauses.
> > >
> > > My main concerns about data security are scalability and manageability, two aspects that are closely related to how fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope specific permissions, which can span access decisions for one or more resources.
> > >
> > > We are using data security when you enable permissions to users or groups, where results are filtered based on the evaluation of these permissions. Performance wise, evaluation is quite satisfactory, the main challenges being the trade-off between usability vs performance.
Recently we > had > > important changes to improve the performance of our token endpoint and > > policy evaluation engine and I think we can perform well when fetching > > permissions from the server for a set of one or more resources. > > > > > > > > I'm happy to discuss how we can leverage what we have for data security > if > > the community is interested. > > > > > > > > Regards. > > > > Pedro Igor > > > > > > > > On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
wrote: > > > > Hi Rob, > > > > On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote: > > > (Hope this is the correct way to reply - let me know if not) > > > > > > Thanks. So my concern is really with the whole idea that an Enterprise > > Application's security constraints could really be all implemented based > on > > url-patterns, is that what you guys are thinking? > > > > Cannot speak for Keycloak guys, but will put in my 2? as an architect - > > URL-based (or rather resource-based) authorization covers only one aspect > > of the application security. Data filtering is equally important, but > it's > > just another facet of the problem, and needs to be solved accordingly. > > Indeed, Keycloak doesn't provide OOTB any means for automatically > limiting > > subsets of data shown to the user, as Keycloak has a completely different > > scope (namely Web SSO/IDM solution). > > > > However, you can still use Keycloak as a central warehouse for your > > security (meta)data, and use it the way you want. Like I said before, > > nothing stops you from defining some policies in Keycloak, then > retrieving > > them and converting to a WHERE clause for your SQL/JPQL/NoSQL query. > > > > Speaking of NoSQL - this might be not directly relevant to your problem, > > but still interesting. A similar problem has surfaced in the discussion > > following my talk on Apache Sling + Keycloak [1] earlier this year; the > > central point was: "okay, we can have Keycloak path-based authorization > in > > Sling, but how do we limit the content visible to the user?" > > That time we came up with some sort of hybrid solution, like path-based > > security + JCR ACLs and/or application-level rules; but now I think this > > might be something similar, like generating JCR's equivalent to the WHERE > > clause based on Keycloak policy definition. 
> > > >
> > > > Just to make sure I understand the case, let's imagine:
> > > > - there are users and groups (live in Keycloak);
> > > > - there are, say, "projects" (live in business tier + DB);
> > > > - there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups";
> > > > - based on that:
> > > >   - GET /projects/ should return 200 + representation if the user is a member of the group, 403 otherwise;
> > > >   - GET /projects should return the list of projects the current user has access to.
> > > >
> > > > Is this correct?
> > > >
> > > > [1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
> > > >
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > > For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security. Thoughts?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > Rob Byrd
> > > > >
> > > > > -----Original Message-----
> > > > > From: Dmitry Telegin [mailto:dt at acutus.pro]
> > > > > Sent: Friday, November 2, 2018 12:22 AM
> > > > > To: Byrd, Rob M; keycloak-user at lists.jboss.org
> > > > > Subject: Re: [keycloak-user] Data filtering in SQL
> > > > >
> > > > > Hello Rob,
> > > > >
> > > > > If I get it right, it's all about generating SQL WHERE clause from Keycloak policies?
I think this is doable, as Keycloak has a well-defined > > object model for authorization policies, and it's easy to obtain policy > > definitions in JSON format. I think Pedro Igor will tell you more about > > that. > > > > > > You should pay attention to the following: > > > - there are differences in semantics between OPA and Keycloak policies. > > For example, Keycloak policies do not operate HTTP methods but rather use > > more generic notion of scopes; > > > - not every policy type can be easily converted to a WHERE clause. It > > should be trivial for User/Group/Role policies, but is virtually > impossible > > for Script and Rules, as they are just blackboxes that evaluate to true > or > > false. Unless of course your DBMS has a built-in JavaScript engine :) > > > > > > Good luck! > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote: > > > > I am comparing OPA authorization to Keycloak - how could I enforce > > Keycloak policy in the SQL closest to the data for good performance, > > including returning subsets of lists? OPA discusses this at > > > https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 > > . > > > > > > > > Thanks! > > > > > > > > Rob Byrd > > > > DST > > > > Solutions Lead > > > > SS&C Technologies Inc. 
| 1055 Broadway, Kansas City, MO 64105 > > > > t: (816) 435-7286 | m (816) 509-0119 > > > > rmbyrd at dstsystems.com | > > www.ssctech.com;; > > > > > > Follow us: [cid:image001.png at 01D412C1.A14C5770] < > > https://www.linkedin.com/company/ss-c-technologies/> | [ > > cid:image002.png at 01D412C1.A14C5770] > > | [cid:image003.png at 01D412C1.A14C5770] < > > https://www.facebook.com/ssctechnologies/> > > > > > > > > > > > > > > > > Please consider the environment before printing this email and any > > attachments. > > > > > > > > This e-mail and any attachments are intended only for the individual > > or company to which it is addressed and may contain information which is > > privileged, confidential and prohibited from disclosure or unauthorized > use > > under applicable law. If you are not the intended recipient of this > e-mail, > > you are hereby notified that any use, dissemination, or copying of this > > e-mail or the information contained in this e-mail is strictly prohibited > > by the sender. If you have received this transmission in error, please > > return the material received to the sender and delete all copies from > your > > system. > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > Please consider the environment before printing this email and any > > attachments. > > > > > > This e-mail and any attachments are intended only for the individual or > > company to which it is addressed and may contain information which is > > privileged, confidential and prohibited from disclosure or unauthorized > use > > under applicable law. If you are not the intended recipient of this > e-mail, > > you are hereby notified that any use, dissemination, or copying of this > > e-mail or the information contained in this e-mail is strictly prohibited > > by the sender. 
If you have received this transmission in error, please > > return the material received to the sender and delete all copies from > your > > system. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > ------------------------------ > > > > Please consider the environment before printing this email and any > > attachments. > > > > This e-mail and any attachments are intended only for the individual or > > company to which it is addressed and may contain information which is > > privileged, confidential and prohibited from disclosure or unauthorized > use > > under applicable law. If you are not the intended recipient of this > e-mail, > > you are hereby notified that any use, dissemination, or copying of this > > e-mail or the information contained in this e-mail is strictly prohibited > > by the sender. If you have received this transmission in error, please > > return the material received to the sender and delete all copies from > your > > system. > > > > ------------------------------ > > Please consider the environment before printing this email and any > > attachments. > > > > This e-mail and any attachments are intended only for the individual or > > company to which it is addressed and may contain information which is > > privileged, confidential and prohibited from disclosure or unauthorized > use > > under applicable law. If you are not the intended recipient of this > e-mail, > > you are hereby notified that any use, dissemination, or copying of this > > e-mail or the information contained in this e-mail is strictly prohibited > > by the sender. If you have received this transmission in error, please > > return the material received to the sender and delete all copies from > your > > system. 
> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From geoff at opticks.io Sat Dec 1 18:25:07 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Sun, 2 Dec 2018 00:25:07 +0100 Subject: [keycloak-user] Don't see custom protocol mapper claim in identity.getAttributes() Message-ID: Hi. I am using a client scope script mapper with: token.setOtherClaims("cn", cn); I expected to see this attribute in my Javascript Authorization Policy when doing: identity.getAttributes().toMap() However, my "cn" claim/attribute is not there. Am I misunderstanding the docs or doing something wrong? The docs say: The Identity is built based on the OAuth2 Access Token that was sent along with the authorization request, and this construct has access to all claims extracted from the original token. For example, if you are using a *Protocol Mapper* to include a custom claim in an OAuth2 Access Token you can also access this claim from a policy and use it to build your conditions. Regards, Geoffrey Cleaves From vinaya.thimmappa at gmail.com Sun Dec 2 09:13:05 2018 From: vinaya.thimmappa at gmail.com (Vinaya Thimmappa) Date: Sun, 2 Dec 2018 19:43:05 +0530 Subject: [keycloak-user] keycloak on tomcat In-Reply-To: References: Message-ID: Hello All, I am trying to run key-cloak on tomcat server instead of default jboss server. but I haven't been successful. I was reading https://dzone.com/articles/deploying-keycloak-in-tomcat and this document is very old and i also need to do clustering . So would like to know 1. can keycloak application itself be run on tomcat 2. if yes, can this application be run in clustered containerized mode Thanks On Sun, Dec 2, 2018 at 7:35 PM Vinaya Thimmappa wrote: > Hello All, > > I am trying to run key-cloak on tomcat server instead of default jboss > server. but I haven't been successful. 
I was reading > https://dzone.com/articles/deploying-keycloak-in-tomcat and but this one > very old one and i also need to do clustering . > > So would like to know > can keycloak application itself be run on tomcat > if yes, can this application be run in clustered containerized mode > > > Thanks > Vinaya > > From andreas.lau at outlook.com Sun Dec 2 11:07:33 2018 From: andreas.lau at outlook.com (Andreas Lau) Date: Sun, 2 Dec 2018 16:07:33 +0000 Subject: [keycloak-user] Send welcome mail after successful registration In-Reply-To: References: Message-ID: Sorry for bouncing this , but I hope someone can help me out. I think/hope the problem should not be that uncommon right? Is there anybody who has already solved the issue? Am 26. November 2018 17:00:52 MEZ schrieb Andreas Lau : Hey, i'd like keycloak to send a welcome mail after the user has successfully registered and verified his email. Currently I don't know how to do it. I found jira [1] feature request proposing a extension to support welcome email by configuration (I think). In the comments someone suggested to use SMTP provider and EventListener. The next comment has a Link [3] to a EventListener sample but I can not figure out what I have to do. I think they suggested the follwing workflow: 1. registration finished 2. listener invokes - how to tell Listener to listen on the registration event (how is the event named) 3. SMTP provider sends a email Hope someone is able to help me out. 
Andreas [1] https://issues.jboss.org/browse/KEYCLOAK-1835 [2] https://github.com/keycloak/keycloak/tree/master/examples/providers/event-listener-sysout ________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From lokesh.ravichandru at grootan.com Sun Dec 2 11:26:30 2018 From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru) Date: Sun, 2 Dec 2018 21:56:30 +0530 Subject: [keycloak-user] Send welcome mail after successful registration In-Reply-To: References: Message-ID: Hi Andreas, You have to look at the following sample. https://github.com/keycloak/keycloak/tree/master/examples/providers/event-listener-sysout Here you have two events one is admin event and another is normal event , you have to look for admin event operation type and resource type under Adminevent class, If you are a developer just check the code. To test just deploy as per the instructions specified in read me , enable under events and try to do remote debugging on the above sample to plan your implementation. Thanks, Lokesh On Sun, 2 Dec 2018 at 9:41 PM, Andreas Lau wrote: > Sorry for bouncing this , but I hope someone can help me out. I think/hope > the problem should not be that uncommon right? > Is there anybody who has already solved the issue? > > Am 26. November 2018 17:00:52 MEZ schrieb Andreas Lau < > andreas.lau at outlook.com>: > > Hey, > i'd like keycloak to send a welcome mail after the user has successfully > registered and verified his email. Currently I don't know how to do it. I > found jira [1] feature request proposing a extension to support welcome > email by configuration (I think). In the comments someone suggested to use > SMTP provider and EventListener. The next comment has a Link [3] to a > EventListener sample but I can not figure out what I have to do. > I think they suggested the follwing workflow: > 1. registration finished > 2. 
listener invokes - how to tell Listener to listen on the registration > event (how is the event named) > 3. SMTP provider sends a email > > Hope someone is able to help me out. > > Andreas > [1] https://issues.jboss.org/browse/KEYCLOAK-1835 > [2] > https://github.com/keycloak/keycloak/tree/master/examples/providers/event-listener-sysout > ________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- *Grootan Technologies Private Limited* R-Block, 15th main street Anna nagar, Chennai 600 040 tel +91 97890 24698 mail lokesh.ravichandru at grootan.com | web https://www.grootan.com From sudhir_shetty at yahoo.com Sun Dec 2 20:52:21 2018 From: sudhir_shetty at yahoo.com (SUDHIR SHETTY) Date: Mon, 3 Dec 2018 01:52:21 +0000 (UTC) Subject: [keycloak-user] Device authentication - IOT use case References: <421086520.611401.1543801941857.ref@mail.yahoo.com> Message-ID: <421086520.611401.1543801941857@mail.yahoo.com> Hi,? ? ? ? ? I would like to find the right approach for device authentication in my usecase.My project has a 3 actors - Users - Devices - Apps (think of these as ,mobile Apps) We currently use KeyCloak for user authentication (Federated LDAp/OpenID Connect) and we have a backend of micro-services that are registered as clients in KeyCloak and?users/devices/mobile apps? can access those backend services via OAuth2? (JWT tokens). I would like to leverage KeyCloak for Device & Mobile App authentication , Device/App will authenticate via private/public key pair via signed JWT token. I know I can implement the mobile APP as a client in Keycloak. My question is around Devices , should I register the Device as a client or as? User in KeyCloak? Any guidance/sample project/example would be highly appreciated. 
regards,Sudhir | | Virus-free. www.avast.com | From dhara.basida at azilen.com Mon Dec 3 00:52:30 2018 From: dhara.basida at azilen.com (Dhara Basida) Date: Mon, 3 Dec 2018 11:22:30 +0530 Subject: [keycloak-user] Issue in client login role mapping in keycloak Message-ID: <8ab0dab1-6b2f-811d-b46f-4abaaa3b1d1c@azilen.com> Hey, I have created realm admin through which I created client and assigned client admin to one user.Now I logged in the system through that client admin but I am unable to view the page through which I can map the roles for users. I had referred the below link for managing this client admin, https://www.keycloak.org/docs/latest/server_admin/index.html#_admin_permissions Please provide the steps through which I can map the roles for users? through client admin login. Thanks and Regards, Dhara Basida From erlend at hamnaberg.net Mon Dec 3 02:28:30 2018 From: erlend at hamnaberg.net (Erlend Hamnaberg) Date: Mon, 3 Dec 2018 08:28:30 +0100 Subject: [keycloak-user] User session creation In-Reply-To: References: Message-ID: Anyone ? Sorry for bumping this. /Erlend On Thu, Nov 22, 2018 at 10:51 AM Erlend Hamnaberg wrote: > I forgot to mention that we are using KC-4.6.0.Final. > > If we do not refresh the user session we sometimes get an "Action Timeout" > error message. > > /Erlend > > On Thu, Nov 22, 2018 at 10:45 AM Erlend Hamnaberg > wrote: > >> Hello all. >> >> This is a bit hard to explain. >> >> I have created a IDP which uses CAS ( Central Authentication Service) as >> its backend. >> >> Our KC instance is again used by a clients KC instance. They have chosen >> to disable their persistent cookie handling, and thereby our by passing >> "prompt=login" to the login request. >> We are passing on the prompt=login by passing on renew=true to CAS. >> >> We get a token back, and verify that. However; Since the user session is >> not refreshed by the cookie handling, it seems like we are then timing out >> intermittently. 
>> >> Is there a problem with creating/refreshing the user session in the >> authenticationFinished Method in the gist below? >> >> https://gist.github.com/hamnis/547c550a532be7e8235aa653725b2ba2 >> >> Thanks. >> >> /Erlend >> > From uo67113 at gmail.com Mon Dec 3 04:39:42 2018 From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=) Date: Mon, 3 Dec 2018 10:39:42 +0100 Subject: [keycloak-user] Customize OpenID/OAuth token In-Reply-To: References: Message-ID: Hello Francisco, Perhaps you need to implement your own client authenticator [1] Hoe it helps, Luis [1] https://www.keycloak.org/docs/latest/server_development/index.html#implement-your-own-client-authenticator El s?b., 1 dic. 2018 a las 13:48, Geoffrey Cleaves () escribi?: > I think from my limited knowledge that the OpenId standard dictates the use > of JWT tokens, so I would not expect this to be possible. > > On Fri, Nov 30, 2018, 11:25 Francisco Javier Crujeiras < > fj.crujeiras at hocelot.com wrote: > > > Hi, > > > > We're thinking on using Keycloak as our main IDP and SSO solution. At > this > > time, we're using a "custom" IDP server based on Spring and we are > > investigating if we can migrate our client database to Keycloak without > > disturbing our users. > > > > So, we have seen that, by default, Keycloak answers a token request with > a > > complete JWT token, like this one: > > { > > "access_token": > > > > > "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEWk4wX1liZUZGNFZMUVdxQ2NWMGFWd0VFbXBlUGlnX1NFaWk3dkozSGRvIn0.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! > 4w! 
> > > > > LjEiLCJjbGllbnRJZCI6Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtciIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTguMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtckBwbGFjZWhvbGRlci5vcmcifQ.BgF6v7VQGO4vH4Z0VLFZmiO1CARpaoE1V7MjaNIJB85QORfk3L431VFQr3WJdT5ZBeC0Q5mB5LB7f9gLAd2lso4P9AegYAi8PmjJRvI-oL59Qe0PfDn8fjfZdaC8i3K0ZrZNDS9ivTdqL-8Gvq2C1l8x4tZaSxw1Yu8hxrWEfgOfATdn9XL5cbYXWRkm6AoJkVFVd300fPr0k6f67Jb4WOJP72692g8QRTWkqCrZyz0DrJxgg7fSX6M_0bxOa-JOidmGuJIwScciT1b5IVvvcQi3hx4UMwRQFunq1j2T7iRCT_LB99oP480KtoSXyCUS3dDzj6wCp4BEHb5K792isg" > > , > > "expires_in": 300, > > "refresh_expires_in": 1800, > > "refresh_token": > > > > > "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhNmQzZTgzZi1iZGUxLTQ3YjgtYmQ4Yy1hMjVhNDdjMmExZTYifQ.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.WTW9TwMnx4DSzRlLkDj_uXgabFAAUD4wDB5D084GMdY" > > , > > "token_type": "bearer", > > "not-before-policy": 0, > > "session_state": "72ecb798-db58-4161-8e09-4aaedb2eab8f", > > "scope": "profile email" > > } > > > > But, we'd like to send a "non-JWT" token, like this one: > > { > > > > "access_token": "laskddjfnasdf7-fas45nfdsa-56kr-8uy7-fasd87fyasdf", > > "token_type": "bearer", > > "expires_in": 3600, > > "scope": "scope-1 scope-2 scope-n" > > } > > > > We're not very experienced in Keycloak and we do not know if this is even > > possible, but any help will make us very happy. > > > > Thanks in advance! > > > > Regards, > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." 
- Samuel Beckett From slaskawi at redhat.com Mon Dec 3 06:21:34 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Mon, 3 Dec 2018 12:21:34 +0100 Subject: [keycloak-user] Keycloak user sessions persistence In-Reply-To: <3F517B20-9838-4EDB-8D43-D2B40A452989@daimler.com> References: <3F517B20-9838-4EDB-8D43-D2B40A452989@daimler.com> Message-ID: In short, you need to add a cache store to Infinispan caches. However, before you do it, please catch up with this [1] email thread, that explains, why you can't use, so called shared cache stores (all Infinispan nodes writing into the same store instance). [1] http://lists.jboss.org/pipermail/keycloak-user/2018-November/016215.html On Wed, Nov 28, 2018 at 12:56 PM wrote: > Hello Community, > > after redeployment of keycloak we mentioned that all existing session are > gone. Is there any way to persist the session, so that the also exist after > server restart or redeployment? > > Thank you, > Marco > > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From fj.crujeiras at hocelot.com Mon Dec 3 06:36:42 2018 From: fj.crujeiras at hocelot.com (Francisco Javier Crujeiras) Date: Mon, 3 Dec 2018 12:36:42 +0100 Subject: [keycloak-user] Customize OpenID/OAuth token In-Reply-To: References: Message-ID: Thanks for your answer guys! Our intentions were not to develop anything (at least by now), but we'll check the possibility of writing a custom client authenticator. I will update the thread with updates as soon as possible. Regards, El lun., 3 dic. 
2018 a las 10:39, Luis Rodr?guez Fern?ndez (< uo67113 at gmail.com>) escribi?: > Hello Francisco, > > Perhaps you need to implement your own client authenticator [1] > > Hoe it helps, > > Luis > > [1] > https://www.keycloak.org/docs/latest/server_development/index.html#implement-your-own-client-authenticator > > > > > > > > > > > El s?b., 1 dic. 2018 a las 13:48, Geoffrey Cleaves () > escribi?: > >> I think from my limited knowledge that the OpenId standard dictates the >> use >> of JWT tokens, so I would not expect this to be possible. >> >> On Fri, Nov 30, 2018, 11:25 Francisco Javier Crujeiras < >> fj.crujeiras at hocelot.com wrote: >> >> > Hi, >> > >> > We're thinking on using Keycloak as our main IDP and SSO solution. At >> this >> > time, we're using a "custom" IDP server based on Spring and we are >> > investigating if we can migrate our client database to Keycloak without >> > disturbing our users. >> > >> > So, we have seen that, by default, Keycloak answers a token request >> with a >> > complete JWT token, like this one: >> > { >> > "access_token": >> > >> > >> "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEWk4wX1liZUZGNFZMUVdxQ2NWMGFWd0VFbXBlUGlnX1NFaWk3dkozSGRvIn0.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! >> 4w! 
>> > >> > >> LjEiLCJjbGllbnRJZCI6Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtciIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTguMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtckBwbGFjZWhvbGRlci5vcmcifQ.BgF6v7VQGO4vH4Z0VLFZmiO1CARpaoE1V7MjaNIJB85QORfk3L431VFQr3WJdT5ZBeC0Q5mB5LB7f9gLAd2lso4P9AegYAi8PmjJRvI-oL59Qe0PfDn8fjfZdaC8i3K0ZrZNDS9ivTdqL-8Gvq2C1l8x4tZaSxw1Yu8hxrWEfgOfATdn9XL5cbYXWRkm6AoJkVFVd300fPr0k6f67Jb4WOJP72692g8QRTWkqCrZyz0DrJxgg7fSX6M_0bxOa-JOidmGuJIwScciT1b5IVvvcQi3hx4UMwRQFunq1j2T7iRCT_LB99oP480KtoSXyCUS3dDzj6wCp4BEHb5K792isg" >> > , >> > "expires_in": 300, >> > "refresh_expires_in": 1800, >> > "refresh_token": >> > >> > >> "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhNmQzZTgzZi1iZGUxLTQ3YjgtYmQ4Yy1hMjVhNDdjMmExZTYifQ.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.WTW9TwMnx4DSzRlLkDj_uXgabFAAUD4wDB5D084GMdY" >> > , >> > "token_type": "bearer", >> > "not-before-policy": 0, >> > "session_state": "72ecb798-db58-4161-8e09-4aaedb2eab8f", >> > "scope": "profile email" >> > } >> > >> > But, we'd like to send a "non-JWT" token, like this one: >> > { >> > >> > "access_token": "laskddjfnasdf7-fas45nfdsa-56kr-8uy7-fasd87fyasdf", >> > "token_type": "bearer", >> > "expires_in": 3600, >> > "scope": "scope-1 scope-2 scope-n" >> > } >> > >> > We're not very experienced in Keycloak and we do not know if this is >> even >> > possible, but any help will make us very happy. >> > >> > Thanks in advance! >> > >> > Regards, >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > > "Ever tried. Ever failed. No matter. Try Again. Fail again. 
Fail better." > > - Samuel Beckett > -- Francisco Javier Crujeiras @*DevOps* Edificio Madro?os III Ctra. de La Coru?a, Km.17.800, 28231 Las Rozas, Madrid, Espa?a. 91 064 94 18 ?S?guenos en Linked-in! ?S?guenos en Twitter! From lkrzyzan at redhat.com Mon Dec 3 07:06:58 2018 From: lkrzyzan at redhat.com (Libor Krzyzanek) Date: Mon, 3 Dec 2018 13:06:58 +0100 Subject: [keycloak-user] Client in VERIFY_EMAIL event is "account" when doing in different browser Message-ID: <2E4B0935-B4F6-45AC-83D0-6A6D1D013E2F@redhat.com> Hi, I just realised that when user do verification email in restarted browser (or incognito mode or on different device) then the client is always ?account?. I expect that client in this event would be always the client during which user has been asked to verify e-mail and received the verification e-mail. It works in this way only if user do email verification on same device and same browser. Is my expectation correct? I?m using Keycloak 3.4.3.Final Should I fire a ticket? Thanks, Libor Krzy?anek Principal Software Engineer Middleware Engineering Services From psilva at redhat.com Mon Dec 3 08:51:51 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 3 Dec 2018 11:51:51 -0200 Subject: [keycloak-user] Data filtering in SQL In-Reply-To: References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com> <5BCF31B569C0A2468D7904C8E5839D690104C378C5@DSKCMAIL1WC.ad.dstsystems.com> Message-ID: Yeah, you are limited to addClaim(String, String), where each entry holds a list of string values. On Sat, Dec 1, 2018 at 2:17 PM Geoffrey Cleaves wrote: > Pedro, > > I followed this thread with interest and have implemented your > recommendation to do data filtering via added claims. 
Do you know if it's > possible to add a JSON object to the claim? When I do > > permission.addClaim('data.filter.userId', {"a":5}); > > I get: "data.filter": ["[object Object]"] > > The protocol mapper scripting engine does allow adding JSON objects > correctly. > > Regards, > Geoffrey Cleaves > > > > > > > > On Fri, 9 Nov 2018 at 13:37, Pedro Igor Silva wrote: > >> On Thu, Nov 8, 2018 at 9:27 PM Byrd, Rob M wrote: >> >> > Pedro, >> > >> > >> > >> > That is helping my understanding some, thank you. I understand your >> > recommendations on dealing with separating the employee's Salary field >> in >> > my example too. Please see follow-up questions below. >> > >> > >> > >> > String resource attributes statically in keycloak: >> > >> > 2.1) I had been thinking of Resource as a *type* of resource to this >> > point not a specific instance. But now I don't see how your suggestion >> of >> > basically using the resource attribute to store a foreign key (ie. pet's >> > veterinarian) will work unless we are talking about each individual pet >> > instance being a keycloak resource. Similarly it was mentioned pet 1 >> and >> > pet 2 could have a meaningful Owner in keycloak, which again is making >> me >> > think that *instances* are being suggested to store along with >> > entity-relationships basically. So, should I instead be thinking of >> > keycloak resources as storing single instances of items in our system? >> > >> You should not think of Keycloak as storing *only* single instances, but >> with the necessary support to store single instances. That was my point >> when I mentioned that you can have a 1:1 or 1:N mapping between keycloak >> resources and your resources. >> >> The work to manage resources in Keycloak is quite trivial, keep them in >> sync with your real resources too. Performance of authorization requests >> for specific resources is quite good. 
It is a trade-off, the flexibility >> we >> give regarding governing access to individual resources vs the drawbacks >> of >> managing these resources in Keycloak. But again, you are not forced to use >> this approach, it really depends on your requirements. For instance, we >> support privacy through User-Managed Access (UMA), users are allowed to >> manage permissions for their own resources, share resources with others, >> allow/approve access to specific scopes/actions, and revoke access, where >> you have loosely coupled clients and resource servers, resource servers in >> control over the context that a permission should be granted, etc. >> >> I'm not pushing you to any specific solution but trying to clarify what we >> have, what we can do, what we can improve and how we could help "data >> filtering" use cases. Btw, thanks you and Dmitry for starting this. >> >> > 2.2) This relatively static storage of resources plus extra attributes >> > like foreign keys seems to basically push/duplicate our business model >> of >> > data into keycloak, to some degree, correct? And the more keycloak >> needs >> > to decide, the more gets duplicated into keycloak? >> > >> Not really, but true for data filtering. That is another >> point/drawback/concern that I tried to make when I said that data >> filtering >> is not among our target use cases. We can support it, but not something we >> discussed in the details like we are doing in this thread. >> >> Attributes can be used to define specific security related data associated >> with a resource which are not part of your business model. Thus, allowing >> you to keep your business model decoupled from security aspects that >> govern >> access to your resources. >> >> > >> > >> > Push claims: >> > >> > 2.3) The push claim alternative seems to be having application logic >> fetch >> > more context as needed for the permission evaluation. 
This might work >> okay >> > when going after a single entity or asking singular questions of the >> > application logic ? but for lists, such as a user seeing his list of 100 >> > transaction history records amongst the 1 million transaction history >> > records on the system, would a question be asked for each of the 1 >> million >> > records, one at a time? >> > >> Pushing claims is not the correct approach to solve this problem. >> >> First, Keycloak is optmized to only evaluate policies for resources where >> the subject is the owner. So, considering that I decided to manage all 1 >> million resources in Keycloak, each resource would have a user as the >> resource owner. During evaluation the policy engine is going to evaluate >> permissions fo 100 resources, not 1 million. >> >> You may ask now, would that scale ? Depends on how you obtain permissions >> from the server. If you are asking the server for all permissions and >> users >> can have 1 million resources over time, it won't scale. However, if you >> ask >> permissions for individual transactions or a small set of transactions, it >> will scale. >> >> > >> > >> > Post-filtering of records: >> > >> > 2.4) A use case I still seek clarification on is the "post-filtering of >> > records", which I was trying to get at with my previous question #5. >> > Stated in another way - say a financial database has 1 million >> transaction >> > records across thousands of users. Every user is allowed to see >> transaction >> > history records view, but only the ones they transacted. So, a single >> user >> > viewing all transactions of the transaction history feature/resource >> should >> > (obviously) only be able to see all HIS transactions, not all 1 million >> on >> > the database. 
Spring Security would have @PostAuth for this (though its >> > drawback is slow db performance on first query that does a db table scan >> > and brings back everything to the middle tier, which then inefficiently >> > whittles it down to just what pertains to the user). My question is >> what >> > ways would this post-filtering of records be handled in Keycloak? With >> > what I know so far, I am guessing at keycloak basic options: >> > >> > a) Have each of 1mil transaction records managed by Keycloak, add a >> > "creator" attribute for who instigated the transaction, and have that >> user >> > identifier stored on each record so Keycloak can do the filtering down >> to >> > the 100 correct records >> > >> b) Receive a push claim, for each of the 1mil transaction records, >> > indicating who the "creator" is, so it may be matched against the >> current >> > user and thus filter down to the 100 correct records >> > >> > c) During evaluation, the policy engine can call out to a service >> > somewhere to get the primary keys of the subset of records this user can >> > see (this may be like a Claim Information Point), then whittle the full >> > list down to just those matching primary keys (kind of like sending an >> IN >> > list of primary keys in a SQL WHERE clause) >> > >> > d) Something more like the ?partial evaluation? that OPA blog and Dmitry >> > has been talking about >> > >> You don't need to create a "creator" attribute. Resources in Keycloak >> always have a owner. It can be the resource server (the application) >> itself >> or some user in your realm. See >> >> https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_overview >> . >> >> I just realized that we have another option in Keycloak that might be >> helpful to solve data filtering. I think it is similar to what you linked >> from OPA docs. Some background first about the capability that may help >> with that. 
>> >> In Keycloak, policies are allowed to push back claims to resource server >> (the application protecting the resources you want to access). Quite >> similar to Advice/Obligation in XACML. The idea is push back additional >> constratins to the application in order to indicate additional checks that >> should be performed by the policy enforcer. As a note, our CIPs do that in >> order to reinforce access to resources based on any claim pushed to >> Keycloak when evaluating permissions. >> >> Let me give you an example. Consider a Transaction resource that you >> created in Keycloak. This is a generic resource representing all your >> transactions. Suppose you have a specific scope that represents an >> operation that lists all user transactions. Let's call this scope >> "transaction:list". This scope is associated with the Transaction >> resource. >> So you have: >> >> Resource: Transaction >> Scopes: transaction:list >> >> Now, in addition to any other policy that applies to the Transaction >> resource (role, group, whatever) you have a specific permissions that >> govern access to the "transaction:list" scope. This permissions is granted >> by a "List Transaction Policy" as follows: >> >> var permission = $evaluation.getPermission(); >> var identity = $evaluation.getContext().getIdentity(); >> >> permission.addClaim('data.filter.userId', identity.getId()); >> >> $evaluation.grant(); >> >> Now, the client application acting on behalf of your user tries to access >> your application at "/api/v1/transaction" using HTTP GET. You know that >> GET >> method on that endpoint is associated with the "transaction:list" scope, >> so >> you ask Keycloak for permissions to "Transaction" resources + >> "transaction:list" scope. 
>> >> As a result, Keycloak will give you a response as follows: >> >> "permissions": [ >> { >> "scopes": [ >> "album:list" >> ], >> "claims": { >> "data.filter.userId": [ >> "e68fa92d-6167-438f-844b-78c7abfc0dd2" >> ] >> }, >> "rsid": "d3aaaf68-50cf-4c5c-97b9-99910a7bfb27", >> "rsname": "Transaction Resource" >> } >> ] >> >> In your application you can use the permission granted above, and the >> "data.filter.userId" claim to create a query in your database as follows: >> >> StringBuilder filter = new StringBuilder(); >> Map queryParams = new HashMap(); >> >> for (Map.Entry> entry : >> permission.getClaims().entrySet()) { >> >> if (filter.length() != 0) { >> filter.append(" and "); >> } >> >> String key = entry.getKey(); >> >> if (key.startsWith("data.filter")) { >> String left = key.substring(key.lastIndexOf('.') + 1); >> filter.append(left).append(" = :").append(left); >> queryParams.put(left, entry.getValue()); >> } >> }; >> >> Query query = this.entityManager.createQuery("from Transaction where " >> + filter.toString()); >> >> for (Map.Entry entry : queryParams.entrySet()) { >> query.setParameter(entry.getKey(), entry.getValue()); >> } >> >> The key points here are: >> >> * You are using a single resource to represent all transactions in your >> system >> >> * You are using a specific policy to protect the "transaction:list" >> operation by pushing back to your application how access should be >> enforced >> >> * Access management is still centralized and you can push back the >> "data.filter" claim with any information you want in order to indicate >> to the application how data must be filtered >> >> * Your policies are using information already available from the >> eluvation context (like user id, user attributes, user roles, groups) >> without being forced to push any claim to the server >> >> In fact, I can use this in one of our quickstarts that is using a >> database and protecting data. 
So we could introduce something similar >> to this in order to filter recors in addition to protect API >> endpoints. >> >> How that sounds to you ? >> >> >> > >> > General: >> > >> > 2.5) In general, it seems to me the bigger the chunks of extra context >> > provided by application logic to the policy engine, the less detail >> about >> > the actual constraints being enforced you have controlled and visible in >> > the policy layer? somewhat defeating the purpose of the policy layer. >> Does >> > that sound correct? I could see us offloading a ton of detail to the >> push >> > claims ? rather than, say, duplicating more of our business model in >> > keycloak ? and then realizing very little of our actual policy >> permission >> > details are visible or controllable in the policy layer. So I am not >> sure >> > what we are getting at that point. >> > >> > a) An answer might be drawing the line at only >> role-based >> > access control in the policy layer since that affinity is more easily >> > provided as input (thought that could even be debated) >> > >> > b) Maybe we try to define and draw the line at >> > ?resource-based? controls only in the policy layer >> > >> > c) Maybe we make the unit of work for each push claim so >> > granular that truly all of the policy rules that are occurring are >> > basically expressed in the policy layer (thus allowing control, >> flexibility >> > and visibility in one consolidated place) >> > >> > >> > >> > Thanks for your time. >> > >> > >> > >> > Rob Byrd >> > >> > DST >> > >> > Solutions Lead >> > >> > SS&C Technologies Inc. 
| 1055 Broadway, Kansas City, MO 64105 >> > >> > t: (816) 435-7286 *| *m (816) 509-0119 >> > >> > *rmbyrd at dstsystems.com * | *www.ssctech.com >> > * >> > >> > Follow us: [image: cid:image001.png at 01D412C1.A14C5770] >> > | [image: >> > cid:image002.png at 01D412C1.A14C5770] < >> https://twitter.com/ssctechnologies> | >> > [image: cid:image003.png at 01D412C1.A14C5770] >> > >> > >> > >> > >> > *From:* Pedro Igor Silva [mailto:psilva at redhat.com] >> > *Sent:* Thursday, November 8, 2018 2:20 PM >> > *To:* Byrd, Rob M >> > *Cc:* Dmitry Telegin
; keycloak-user < >> > keycloak-user at lists.jboss.org> >> > *Subject:* Re: [keycloak-user] Data filtering in SQL >> > >> > >> > >> > >> > >> > On Thu, Nov 8, 2018 at 5:44 PM Byrd, Rob M >> wrote: >> > >> > Thanks Dmitry and Pedro, >> > >> > >> > >> > Pardon my simple-minded response below, but I am wondering how these >> > specific items would work? Dmitry, yes I agree your GET >> > /projects/ and GET /projects scenario is on point for the >> issue ? >> > I hope my questions below can further clarify the discussion. Here, I >> will >> > have to make a ?go or no-go? decision in about a week. J I would love >> to >> > take on the challenge of searching for the ?holy grail? in this, but atm >> > will need to figure out what Keycloak (or OPA, etc.) can confidently do >> > today. >> > >> > >> > >> > Thanks for the great discussion and continued help! >> > >> > >> > >> > Questions >> > >> > 1) Simple role-based authorization policy seems doable. >> > >> > - Ex: ?Only veterinarians are allowed to read pet profiles.? >> > >> > >> > >> > 2) But how to answer once more context is needed, such as one resource?s >> > affinity to another? Literally how does the application figure it out? >> > Like the below example would need a pet-veterinarian mapping resolved >> > somehow, it seems: >> > >> > - ?Only the treating veterinarian is allowed to read a pet?s >> profile.? >> > >> > Just like in OPA, but using a different approach, you can also push >> > information (the input in OPA) to your policies. We call this "pushing >> > claims" [1]. In our policy enforcer we also have the concept of a Claim >> > Information Point [2] (similar concent as a PIP) which you can >> configure to >> > automatically push claims to your policies when checking access for a >> > particular resource. There is also a CIP that allows you to fetch claims >> > from external services. >> > >> > >> > >> > Besides, a resource in Keycloak has attributes, which can be anything >> you >> > want. 
So you could, for instance, have a Pet Foo resources in Keycloak >> and >> > update a "veterinarian" attribute associated with it. So you could have >> a >> > policy that checks if the user making the request is the same defined in >> > the attribute. >> > >> > >> > >> > [1] >> > >> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims >> > >> > [2] >> > >> https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point >> > >> > >> > >> > >> > - >> > >> > >> > >> > 3) Keycloak has taken an example of ?Pet owners can access their own >> pet?s >> > profiles.? and said we can write policies saying that "Only Owner" can >> > access "/api/petservice/pet/{id}". But how does the policy engine >> figure >> > out who is the owner of /pet/2 vs /pet/3? >> > >> > I can think two options. Like I mentioned before, we are resource-based >> > and resources have an owner. So you can write policies that check if the >> > resource owner is the user making the authorization request. Another >> option >> > is to push claims. >> > >> > 4) Similarly, an OPA blog >> > >> https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 >> > gives the example where ?Only the treating veterinarian is allowed to >> read >> > a pet?s profile, and only when signed in from a device at the pet?s >> > clinic?. Again, it is easy enough to provide the OPA engine the target >> pet >> > and the current device location, but how exactly is it determined who is >> > the treating veterinarian of that pet and what clinic the pet belongs >> to? >> > >> > 5) In general, the security difficulty is constraining what a user can >> > see/do in a particular feature, so how exactly would a policy engine >> bring >> > back a subset of records that particular user can see (based on their >> > affiliated company, etc.)? 
>> > >> > 6) Similarly, how exactly would a policy engine bring back all records >> but >> > not the fields a user should not see (such as employee salary field, >> unless >> > the user is a HR VIP)? These last two could be likened to @PostAuth >> > post-filtering in spring security. >> > >> > You can have all those resources protected by Keycloak and make >> > authorization requests to obtain the resources a user has access. We >> > provide a REST API to create resources. And that is the point I tried to >> > make when I said that data security is not really among the use cases we >> > are trying to solve. Although it is possible. Keycloak allows you to >> send a >> > "give me all" permission request. That means returning permissions for >> any >> > resource, managed by Keycloak, that an user can access. But yeah, >> depending >> > on how many resources you have you may end up with a huge response and a >> > bad performance. >> > >> > >> > >> > Another approach is define a single Employee resource with a Salary >> scope >> > to represent all your employees. So you could enforce access to your >> real >> > employees and their salary based on the decisions made by the server for >> > this single resource. >> > >> > >> > >> > The decision for one approach or another really depends on how fine >> > grained you want to be, like I mentioned before. Do you need to manage >> > indivudual employees or they all share the same access policies ? >> > >> > >> > >> > See this >> > >> https://github.com/keycloak/keycloak-quickstarts/tree/master/app-authz-rest-employee >> > . >> > >> > >> > >> > Regarding fields (e.g: salary) you could consider it as a scope >> > associated with a resource. In Keycloak you can define permissions for >> > scopes, not only for resources. >> > >> > >> > >> > >> > >> > Rob Byrd >> > >> > DST >> > >> > Solutions Lead >> > >> > SS&C Technologies Inc. 
| 1055 Broadway, Kansas City, MO 64105 >> > >> > t: (816) 435-7286 *| *m (816) 509-0119 >> > >> > *rmbyrd at dstsystems.com * | *www.ssctech.com >> > * >> > >> > Follow us: [image: cid:image001.png at 01D412C1.A14C5770] >> > | [image: >> > cid:image002.png at 01D412C1.A14C5770] < >> https://twitter.com/ssctechnologies> | >> > [image: cid:image003.png at 01D412C1.A14C5770] >> > >> > >> > >> > >> > *From:* Pedro Igor Silva [mailto:psilva at redhat.com] >> > *Sent:* Thursday, November 8, 2018 6:42 AM >> > *To:* Dmitry Telegin
>> > *Cc:* Byrd, Rob M ; keycloak-user < >> > keycloak-user at lists.jboss.org> >> > *Subject:* Re: [keycloak-user] Data filtering in SQL >> > >> > >> > >> > Hi Dmitry, >> > >> > >> > >> > Agree with you when you mention application vs data security. I also >> agree >> > that Keycloak can also solve data security problems. >> > >> > >> > >> > Privacy is one of the main reasons behind our UMA support a very >> important >> > aspect of data security. In addition to privacy, we also added >> extensions >> > to UMA and OAuth2 standards to enable applications to use Keycloak as a >> > Policy Decision Point, mainly target for application security. >> > >> > >> > >> > As PDP (and PAP), Keycloak allows you to govern access to protected >> > resources and to obtain authorization decisions as a result of the >> > evaluation of policies associated with these resources. Being based on >> UMA >> > and OAuth2 we support token-based authorization but also access control >> > based on the permissions granted by the server. So, yeah, it should be >> > possible to filter data based on those permissions as well dynamically >> > create WHERE clauses. >> > >> > >> > >> > My main concerns about data security are scalability and manageability, >> > two aspects that are closely related to how much fine-grained you want >> to >> > be. Like I said, in Keycloak you can protect a set of one or more >> resources >> > as well as scope specific permissions, which can span access decisions >> for >> > one or more resources. >> > >> > >> > >> > We are using data security when you enable permissions to users or >> groups, >> > where results are filtered based on the evaluation of these permissions. >> > Performance wise, evaluation is quite satisfactory, being the main >> > challenges the trade-off between usability vs performance. 
Recently we >> had >> > important changes to improve the performance of our token endpoint and >> > policy evaluation engine and I think we can perform well when fetching >> > permissions from the server for a set of one or more resources. >> > >> > >> > >> > I'm happy to discuss how we can leverage what we have for data security >> if >> > the community is interested. >> > >> > >> > >> > Regards. >> > >> > Pedro Igor >> > >> > >> > >> > On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
wrote: >> > >> > Hi Rob, >> > >> > On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote: >> > > (Hope this is the correct way to reply - let me know if not) >> > > >> > > Thanks. So my concern is really with the whole idea that an >> Enterprise >> > Application's security constraints could really be all implemented >> based on >> > url-patterns, is that what you guys are thinking? >> > >> > Cannot speak for Keycloak guys, but will put in my 2? as an architect - >> > URL-based (or rather resource-based) authorization covers only one >> aspect >> > of the application security. Data filtering is equally important, but >> it's >> > just another facet of the problem, and needs to be solved accordingly. >> > Indeed, Keycloak doesn't provide OOTB any means for automatically >> limiting >> > subsets of data shown to the user, as Keycloak has a completely >> different >> > scope (namely Web SSO/IDM solution). >> > >> > However, you can still use Keycloak as a central warehouse for your >> > security (meta)data, and use it the way you want. Like I said before, >> > nothing stops you from defining some policies in Keycloak, then >> retrieving >> > them and converting to a WHERE clause for your SQL/JPQL/NoSQL query. >> > >> > Speaking of NoSQL - this might be not directly relevant to your problem, >> > but still interesting. A similar problem has surfaced in the discussion >> > following my talk on Apache Sling + Keycloak [1] earlier this year; the >> > central point was: "okay, we can have Keycloak path-based authorization >> in >> > Sling, but how do we limit the content visible to the user?" >> > That time we came up with some sort of hybrid solution, like path-based >> > security + JCR ACLs and/or application-level rules; but now I think this >> > might be something similar, like generating JCR's equivalent to the >> WHERE >> > clause based on Keycloak policy definition. 
>> > >> > Just to make sure I understand the case, let's imagine: >> > - there are users and groups (live in Keycloak); >> > - there are, say, "projects" (live in business tier + DB); >> > - there is a policy in Keycloak saying "projects should be accessible >> only >> > to the members of the respective groups"; >> > - based on that: >> > - GET /projects/ should return 200 + representation if the >> user >> > is a member of the group, 403 otherwise; >> > - GET /projects should return the list of projects the current user has >> > access to. >> > >> > Is this correct? >> > >> > [1] >> > >> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html >> > >> > Cheers, >> > Dmitry Telegin >> > CTO, Acutus s.r.o. >> > Keycloak Consulting and Training >> > >> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> > +42 (022) 888-30-71 >> > E-mail: info at acutus.pro >> > >> > > >> > > For example, mostly a user can visit most features (urls) in an >> > application, but it is the subset of things they can see/do within the >> > feature that is the crux of the security issue - and it does not seem >> > feasible to architect urls in such a way that they can be used as the >> key >> > to security. Thoughts? >> > > >> > > Thanks! >> > > >> > > Rob Byrd >> > > DST >> > > Solutions Lead >> > > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 >> > > t: (816) 435-7286 | m (816) 509-0119 >> > > rmbyrd at dstsystems.com | www.ssctech.com >> > > Follow us: | | >> > > >> > > -----Original Message----- >> > > > From: Dmitry Telegin [mailto:dt at acutus.pro] >> > > Sent: Friday, November 2, 2018 12:22 AM >> > > > To: Byrd, Rob M ; >> keycloak-user at lists.jboss.org >> > > Subject: Re: [keycloak-user] Data filtering in SQL >> > > >> > > Hello Rob, >> > > >> > > If I get it right, it's all about generating SQL WHERE clause from >> > Keycloak policies? 
I think this is doable, as Keycloak has a >> well-defined >> > object model for authorization policies, and it's easy to obtain policy >> > definitions in JSON format. I think Pedro Igor will tell you more about >> > that. >> > > >> > > You should pay attention to the following: >> > > - there are differences in semantics between OPA and Keycloak >> policies. >> > For example, Keycloak policies do not operate HTTP methods but rather >> use >> > more generic notion of scopes; >> > > - not every policy type can be easily converted to a WHERE clause. It >> > should be trivial for User/Group/Role policies, but is virtually >> impossible >> > for Script and Rules, as they are just blackboxes that evaluate to true >> or >> > false. Unless of course your DBMS has a built-in JavaScript engine :) >> > > >> > > Good luck! >> > > Dmitry Telegin >> > > CTO, Acutus s.r.o. >> > > Keycloak Consulting and Training >> > > >> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> > > +42 (022) 888-30-71 >> > > E-mail: info at acutus.pro >> > > >> > > On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote: >> > > > I am comparing OPA authorization to Keycloak - how could I enforce >> > Keycloak policy in the SQL closest to the data for good performance, >> > including returning subsets of lists? OPA discusses this at >> > >> https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 >> > . >> > > > >> > > > Thanks! >> > > > >> > > > Rob Byrd >> > > > DST >> > > > Solutions Lead >> > > > SS&C Technologies Inc. 
| 1055 Broadway, Kansas City, MO 64105 >> > > > t: (816) 435-7286 | m (816) 509-0119 >> > > > rmbyrd at dstsystems.com | >> > www.ssctech.com;; >> > > > > > Follow us: [cid:image001.png at 01D412C1.A14C5770] < >> > https://www.linkedin.com/company/ss-c-technologies/> | [ >> > cid:image002.png at 01D412C1.A14C5770] < >> https://twitter.com/ssctechnologies >> > > | [cid:image003.png at 01D412C1.A14C5770] < >> > https://www.facebook.com/ssctechnologies/> >> > > > >> > > > >> > > > >> > > > Please consider the environment before printing this email and any >> > attachments. >> > > > >> > > > This e-mail and any attachments are intended only for the individual >> > or company to which it is addressed and may contain information which is >> > privileged, confidential and prohibited from disclosure or unauthorized >> use >> > under applicable law. If you are not the intended recipient of this >> e-mail, >> > you are hereby notified that any use, dissemination, or copying of this >> > e-mail or the information contained in this e-mail is strictly >> prohibited >> > by the sender. If you have received this transmission in error, please >> > return the material received to the sender and delete all copies from >> your >> > system. >> > > > _______________________________________________ >> > > > keycloak-user mailing list >> > > > keycloak-user at lists.jboss.org >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > > >> > > Please consider the environment before printing this email and any >> > attachments. >> > > >> > > This e-mail and any attachments are intended only for the individual >> or >> > company to which it is addressed and may contain information which is >> > privileged, confidential and prohibited from disclosure or unauthorized >> use >> > under applicable law. 
If you are not the intended recipient of this >> e-mail, >> > you are hereby notified that any use, dissemination, or copying of this >> > e-mail or the information contained in this e-mail is strictly >> prohibited >> > by the sender. If you have received this transmission in error, please >> > return the material received to the sender and delete all copies from >> your >> > system. >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > ------------------------------ >> > >> > Please consider the environment before printing this email and any >> > attachments. >> > >> > This e-mail and any attachments are intended only for the individual or >> > company to which it is addressed and may contain information which is >> > privileged, confidential and prohibited from disclosure or unauthorized >> use >> > under applicable law. If you are not the intended recipient of this >> e-mail, >> > you are hereby notified that any use, dissemination, or copying of this >> > e-mail or the information contained in this e-mail is strictly >> prohibited >> > by the sender. If you have received this transmission in error, please >> > return the material received to the sender and delete all copies from >> your >> > system. >> > >> > ------------------------------ >> > Please consider the environment before printing this email and any >> > attachments. >> > >> > This e-mail and any attachments are intended only for the individual or >> > company to which it is addressed and may contain information which is >> > privileged, confidential and prohibited from disclosure or unauthorized >> use >> > under applicable law. If you are not the intended recipient of this >> e-mail, >> > you are hereby notified that any use, dissemination, or copying of this >> > e-mail or the information contained in this e-mail is strictly >> prohibited >> > by the sender. 
From willyvic17 at gmail.com Mon Dec 3 16:08:36 2018
From: willyvic17 at gmail.com (William Nankap)
Date: Mon, 3 Dec 2018 22:08:36 +0100
Subject: [keycloak-user] Unable to instantiate MessageBodyReader
Message-ID:

Hello, when I tried to use the Keycloak admin client 4.4.0 to connect to Keycloak 4.4.0 I got this error right after. I don't understand where the error comes from; everything was working.

My used dependencies:

- org.springframework.boot:spring-boot-starter-data-jpa
- org.springframework.boot:spring-boot-starter-security
- org.springframework.boot:spring-boot-starter-web
- org.springframework.boot:spring-boot-starter-tomcat
- javax.servlet:javax.servlet-api:4.0.1 (provided)
- javax.servlet:servlet-api:2.5 (provided)
- mysql:mysql-connector-java (runtime)
- org.springframework.boot:spring-boot-starter-test (test)
- org.springframework.security:spring-security-test (test)
- org.keycloak:keycloak-spring-security-adapter:4.4.0.Final
- org.keycloak:keycloak-spring-boot-starter:4.4.0.Final
- org.keycloak:keycloak-admin-client:4.4.0.Final
- org.jboss.resteasy:resteasy-client:3.6.1.Final
- org.jboss.resteasy:resteasy-jaxrs:3.5.1.Final
- org.jboss.resteasy:resteasy-jackson2-provider:3.6.1.Final
- com.fasterxml.jackson.core:jackson-core:2.8.8
- io.jsonwebtoken:jjwt:0.9.0
- com.squareup.okhttp3:okhttp:3.10.0
- com.squareup.okhttp3:mockwebserver:3.10.0 (test)
- javax.json.bind:javax.json.bind-api:1.0
- org.eclipse:yasson:1.0
- org.glassfish:javax.json:1.1
- javax.xml.bind:jaxb-api:2.3.0

21:55:59,063 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /StarmovesProject/signup: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.RuntimeException: java.lang.RuntimeException: RESTEASY003940: Unable to instantiate MessageBodyReader
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:866)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:851)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter.doFilter(KeycloakAuthenticatedActionsFilter.java:74)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter.doFilter(KeycloakSecurityContextRequestFilter.java:77)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: RESTEASY003940: Unable to instantiate MessageBodyReader
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.register(RegisterBuiltin.java:49)
    at org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder.getProviderFactory(ResteasyClientBuilder.java:359)
    at org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder.build(ResteasyClientBuilder.java:392)
    at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:58)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:106)
    at org.starmove.projet.metier.KeycloakAccountImpl.saveUserKeycloak(KeycloakAccountImpl.java:70)
    at org.starmove.projet.metier.KeycloakAccountImpl$$FastClassBySpringCGLIB$$60efd169.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)
    at org.starmove.projet.metier.KeycloakAccountImpl$$EnhancerBySpringCGLIB$$a64a83d3.saveUserKeycloak(<generated>)
    at org.starmove.projet.controller.AccountRestController.register(AccountRestController.java:42)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:209)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:877)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:783)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:974)
    ... 109 more
Caused by: java.lang.RuntimeException: RESTEASY003940: Unable to instantiate MessageBodyReader
    at org.jboss.resteasy.spi.ResteasyProviderFactory.registerProvider(ResteasyProviderFactory.java:1711)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.registerProvider(ResteasyProviderFactory.java:1637)
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.registerProviders(RegisterBuiltin.java:133)
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.register(RegisterBuiltin.java:45)
    ...
137 more Caused by: java.lang.TypeNotPresentException: Type javax.ws.rs.sse.OutboundSseEvent not present at sun.reflect.generics.factory.CoreReflectionFactory.makeNamedType(CoreReflectionFactory.java:117) at sun.reflect.generics.visitor.Reifier.visitClassTypeSignature(Reifier.java:125) at sun.reflect.generics.tree.ClassTypeSignature.accept(ClassTypeSignature.java:49) at sun.reflect.generics.visitor.Reifier.reifyTypeArguments(Reifier.java:68) at sun.reflect.generics.visitor.Reifier.visitClassTypeSignature(Reifier.java:138) at sun.reflect.generics.tree.ClassTypeSignature.accept(ClassTypeSignature.java:49) at sun.reflect.generics.repository.ClassRepository.getSuperInterfaces(ClassRepository.java:108) at java.lang.Class.getGenericInterfaces(Class.java:913) at org.jboss.resteasy.util.Types.searchForInterfaceTemplateParameter(Types.java:56) at org.jboss.resteasy.util.Types.getTemplateParameterOfInterface(Types.java:43) at org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey.(ResteasyProviderFactory.java:160) at org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey.(ResteasyProviderFactory.java:143) at org.jboss.resteasy.spi.ResteasyProviderFactory.addMessageBodyReader(ResteasyProviderFactory.java:978) at org.jboss.resteasy.spi.ResteasyProviderFactory.addMessageBodyReader(ResteasyProviderFactory.java:954) at org.jboss.resteasy.spi.ResteasyProviderFactory.registerProvider(ResteasyProviderFactory.java:1706) ... 
140 more Caused by: java.lang.ClassNotFoundException: javax.ws.rs.sse.OutboundSseEvent from [Module "org.jboss.resteasy.resteasy-jaxrs" version 3.5.1.Final from local module loader @3b81a1bc (finder: local module finder @64616ca2 (roots: /opt/keycloak-4.4.0.Final/modules,/opt/keycloak-4.4.0.Final/modules/system/layers/keycloak,/opt/keycloak-4.4.0.Final/modules/system/layers/base))] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at sun.reflect.generics.factory.CoreReflectionFactory.makeNamedType(CoreReflectionFactory.java:114) ... 154 more From cristian.schuszter at cern.ch Tue Dec 4 03:20:47 2018 From: cristian.schuszter at cern.ch (Cristian Schuszter) Date: Tue, 4 Dec 2018 09:20:47 +0100 Subject: [keycloak-user] Keeping JWT fields after token exchange Message-ID: <6f0bc114-b61e-8cce-62c3-5e2633d0b38c@cern.ch> Hi there, I have an application which allows you to perform social login via Keycloak. I get the JWT token back with some extra fields provided by mappers. Once I do the token exchange for another application, the field disappears from the exchanged JWT. Is there a way of telling the policy to keep the field for the exchanged token? Best regards, Cristian Schuszter From vikram.eswar at gmail.com Tue Dec 4 04:30:23 2018 From: vikram.eswar at gmail.com (Vikram Eswar) Date: Tue, 4 Dec 2018 10:30:23 +0100 Subject: [keycloak-user] Keycloak Multi Tenancy implementation with login through javascript (a webpage) Message-ID: Hello all, I want to assign different realms to different clients (organisations) in keycloak. 
The login to keycloak is achieved through a webpage which acquires a valid token from keycloak, which is then passed with the REST requests that I make from my website to a Spring Boot server that uses a keycloak adapter for authentication. Now, the javascript adapter needs a keycloak configuration file that has details about the realm that I want to log in to. But the problem is that I do not know which realm the user belongs to, because he / she can be from any organisation, i.e. the login page for all organisations is the same.

What is the best way to achieve this? I assume that this kind of approach is quite common these days but cannot find a solution.

Regards,
Vikram

From vikram.eswar at gmail.com Tue Dec 4 04:31:04 2018
From: vikram.eswar at gmail.com (Vikram Eswar)
Date: Tue, 4 Dec 2018 10:31:04 +0100
Subject: [keycloak-user] Using Keycloak admin client on a web browser
Message-ID: 

Hi all,

is it possible to implement a keycloak admin client to add / delete / update users from a web browser, or is it just available for node js? If it is possible with a browser, could someone please give me some support on how to do that?

Regards,
Vikram

From geoff at opticks.io Tue Dec 4 04:52:02 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 4 Dec 2018 10:52:02 +0100
Subject: [keycloak-user] Using Keycloak admin client on a web browser
In-Reply-To: 
References: 
Message-ID: 

Any user agent that can call a REST API can perform admin tasks. See this documentation: https://www.keycloak.org/docs-api/4.6/rest-api/index.html

Since the admin password would be plainly visible in the HTML code executed by the web browser, and not knowing more about your architecture, this sounds like an extremely bad idea.

Instead, I believe your web browser should communicate with your own backend, and your backend should perform the admin tasks. This way the admin password will not be visible in the HTML code.

Regards,
Geoffrey Cleaves

On Tue, 4 Dec 2018 at 10:41, Vikram Eswar wrote:

> Hi all,
>
> is it possible to implement a keycloak admin client to add / delete/ update
> users from a web browser or is it just available for node js ? If it is
> possible with a browser, could someone please give me some support on how
> to do that ?
>
> Regards,
> Vikram
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vikram.eswar at gmail.com Tue Dec 4 05:33:52 2018
From: vikram.eswar at gmail.com (Vikram Eswar)
Date: Tue, 4 Dec 2018 11:33:52 +0100
Subject: [keycloak-user] Using Keycloak admin client on a web browser
In-Reply-To: 
References: 
Message-ID: 

Thanks a lot Geoffrey!
I had the same in mind, but was not sure.

Regards,
Vikram

On Tue, Dec 4, 2018 at 10:52 AM Geoffrey Cleaves wrote:

> Any user agent that can call a REST API can perform admin tasks. See this
> documentation: https://www.keycloak.org/docs-api/4.6/rest-api/index.html
>
> Since the admin password would be plainly visible in the HTML code
> executed by the web browser, and not knowing more about your architecture,
> this sounds like an extremely bad idea.
>
> Instead, I believe your web browser should communicate with your own
> backend, and your backend should perform the admin tasks. This way the
> admin password will not be visible in the HTML code.
>
> Regards,
> Geoffrey Cleaves
>
> On Tue, 4 Dec 2018 at 10:41, Vikram Eswar wrote:
>
>> Hi all,
>>
>> is it possible to implement a keycloak admin client to add / delete/
>> update
>> users from a web browser or is it just available for node js ? If it is
>> possible with a browser, could someone please give me some support on how
>> to do that ?
>>
>> Regards,
>> Vikram
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From Bjoern.Peemoeller at berenberg.de Tue Dec 4 05:50:59 2018
From: Bjoern.Peemoeller at berenberg.de (Peemöller, Björn)
Date: Tue, 4 Dec 2018 10:50:59 +0000
Subject: [keycloak-user] LDAP role mapper loses client on client renaming
In-Reply-To: 
References: 
Message-ID: 

Hi Marek,

thanks for your answer. I just configured a second client "rename-test-2" to reference a role of "rename-test" using the hardcoded role mapper. When I then rename "rename-test" to "renameTest", the role is not updated accordingly. Thus, this problem also affects this mapper.

I had a quick look at Keycloak's JIRA, and think that https://issues.jboss.org/browse/KEYCLOAK-2260 covers this issue and https://issues.jboss.org/browse/KEYCLOAK-4730 seems to be related.

Kind regards,
Björn

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Friday, 23 November 2018 08:27
To: Peemöller, Björn; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] LDAP role mapper loses client on client renaming

Hi,

feel free to create a JIRA for this if it doesn't yet exist. Maybe this can be improved, but not sure...

BTW. If you have a chance, you can try to configure some other mappers dependent on client, as I think that this issue is not specific to LDAP mappers (e.g. hardcodedRole protocol mapper in the "mappers" tab of some client "clientA" which will point to the client role of "clientB", and check if it handles renaming of clientB etc.)

Thanks,
Marek

On 22/11/2018 09:59, Peemöller, Björn wrote:
> Hi all,
>
> in our Keycloak installation we have connected Keycloak to an internal AD using user federation and configured a role-ldap-mapper as described in https://www.keycloak.org/docs/latest/server_admin/index.html#_ldap_mappers .
>
> We now discovered that if we rename a client, then the associated LDAP mapper loses the connection to the client, as it stores only the client name but not its internal id in the mapper configuration.
>
> Currently, we therefore need to reconfigure all associated mappers once we rename a client.
>
> Is it possible to avoid this problem (or wouldn't it be even better to store the internal UUID)?
>
> Kind regards,
> Björn
>
> Björn Peemöller
> IT & IT Operations
>
> BERENBERG
> Joh. Berenberg, Gossler & Co. KG
> Neuer Jungfernstieg 20
> 20354 Hamburg
>
> Telefon +49 40 350 60-8548
> Telefax +49 40 350 60-900
> E-Mail
> bjoern.peemoeller at berenberg.de
> www.berenberg.de
>
> Sitz: Hamburg - Amtsgericht Hamburg HRA 42659
>
>
> At Berenberg, the protection of your data has always had the highest priority.
> Information on how we handle personal data can be found here:
> https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundeninformation%20-%20Binder%20-%20D.pdf
> This message, including any attachments, is confidential and may be subject to banking and data secrecy or otherwise contain legally protected data and information. If you are not the intended recipient or have received this message in error, please inform the sender immediately using the reply function. Then please delete this message, including any attachments, completely and without delay. Unauthorised copying or storing of this message and/or any attachments, as well as the unauthorised disclosure of the data and information contained therein, is not permitted. Please note that legally binding declarations on behalf of our firm generally require the signatures of two sufficiently authorised representatives of our firm. We therefore do not send legally binding declarations to third parties by e-mail. Accordingly, we also do not accept legally binding declarations or orders from third parties by e-mail.
> If you have difficulties opening this e-mail, please contact the sender or info at berenberg.de. Please refer to https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundeninformation-Binder%20EN%20L%20Webdsite.pdf for our confidentiality notice.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From geoff at opticks.io Tue Dec 4 06:06:43 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 4 Dec 2018 12:06:43 +0100
Subject: [keycloak-user] Using Keycloak admin client on a web browser
In-Reply-To: 
References: 
Message-ID: 

I believe the flow should be that the end user logs into your web app via Keycloak. The web app communicates with your back end using the Keycloak token. Your backend checks for a particular Keycloak role in the token, and if it exists, then the backend communicates with the Admin API using a separate admin token.

Regards,
Geoffrey Cleaves

On Tue, 4 Dec 2018 at 11:34, Vikram Eswar wrote:

> Thanks a lot Geoffrey !
> I had the same in mind, but was not sure.
>
> Regards,
> Vikram
>
> On Tue, Dec 4, 2018 at 10:52 AM Geoffrey Cleaves wrote:
>
>> Any user agent that can call a REST API can perform admin tasks. See this
>> documentation: https://www.keycloak.org/docs-api/4.6/rest-api/index.html
>>
>> Since the admin password would be plainly visible in the HTML code
>> executed by the web browser, and not knowing more about your architecture,
>> this sounds like an extremely bad idea.
>>
>> Instead, I believe your web browser should communicate with your own
>> backend, and your backend should perform the admin tasks. This way the
>> admin password will not be visible in the HTML code.
>>
>> Regards,
>> Geoffrey Cleaves
>>
>> On Tue, 4 Dec 2018 at 10:41, Vikram Eswar wrote:
>>
>>> Hi all,
>>>
>>> is it possible to implement a keycloak admin client to add / delete/
>>> update
>>> users from a web browser or is it just available for node js ? If it is
>>> possible with a browser, could someone please give me some support on how
>>> to do that ?
>>>
>>> Regards,
>>> Vikram
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From vikram.eswar at gmail.com Tue Dec 4 06:09:50 2018
From: vikram.eswar at gmail.com (Vikram Eswar)
Date: Tue, 4 Dec 2018 12:09:50 +0100
Subject: [keycloak-user] Using Keycloak admin client on a web browser
In-Reply-To: 
References: 
Message-ID: 

Yes, correct. Exactly what I have right now.
Could you also look at my question with the title "Keycloak Multi Tenancy implementation with login through javascript (a webpage)", please?

Regards,
Vikram

On Tue, Dec 4, 2018 at 12:06 PM Geoffrey Cleaves wrote:

> I believe the flow should be that the end user logs into your web app via
> Keycloak. The web app communicates with your back end using the Keycloak
> token. Your backend checks for a particular Keycloak role in the token, and
> if it exists, then the backend communicates with the Admin API using a
> seperate admin token.
>
> Regards,
> Geoffrey Cleaves
>
> On Tue, 4 Dec 2018 at 11:34, Vikram Eswar wrote:
>
>> Thanks a lot Geoffrey !
>> I had the same in mind, but was not sure.
>>
>> Regards,
>> Vikram
>>
>> On Tue, Dec 4, 2018 at 10:52 AM Geoffrey Cleaves
>> wrote:
>>
>>> Any user agent that can call a REST API can perform admin tasks. See
>>> this documentation:
>>> https://www.keycloak.org/docs-api/4.6/rest-api/index.html
>>>
>>> Since the admin password would be plainly visible in the HTML code
>>> executed by the web browser, and not knowing more about your architecture,
>>> this sounds like an extremely bad idea.
>>>
>>> Instead, I believe your web browser should communicate with your own
>>> backend, and your backend should perform the admin tasks. This way the
>>> admin password will not be visible in the HTML code.
>>>
>>> Regards,
>>> Geoffrey Cleaves
>>>
>>> On Tue, 4 Dec 2018 at 10:41, Vikram Eswar
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> is it possible to implement a keycloak admin client to add / delete/
>>>> update
>>>> users from a web browser or is it just available for node js ? If it is
>>>> possible with a browser, could someone please give me some support on
>>>> how
>>>> to do that ?
>>>>
>>>> Regards,
>>>> Vikram
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>

From msakho at redhat.com Tue Dec 4 06:13:26 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 4 Dec 2018 12:13:26 +0100
Subject: [keycloak-user] keycloak gatekeeper samples
Message-ID: 

Hello all,
I've read the doc related to keycloak gatekeeper but I would like to see running example configurations.
Is there a chance we have ones in the keycloak example repos or somewhere else?

Regards,
Meissa

From bruno at abstractj.org Tue Dec 4 06:23:44 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 4 Dec 2018 09:23:44 -0200
Subject: [keycloak-user] keycloak gatekeeper samples
In-Reply-To: 
References: 
Message-ID: <20181204112344.GA5577@abstractj.org>

I'd suggest to file a Jira with a feature request or enhancement to Keycloak demo https://github.com/keycloak/keycloak-demo/. In this way we can plan for the next releases.

On 2018-12-04, Meissa M'baye Sakho wrote:
> Hello all,
> I've read the doc related to keycloak gatekeeper but I would like to see
> running example configurations.
> Is there a chance we have ones in the keycloak example repos or somewhere
> else?
> Regards,
> Meissa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From jaroslaw.surkont at unibas.ch Tue Dec 4 07:40:53 2018
From: jaroslaw.surkont at unibas.ch (Jaroslaw Surkont)
Date: Tue, 4 Dec 2018 13:40:53 +0100
Subject: [keycloak-user] Device Flow in Keycloak
Message-ID: <00d9e4bc-92e9-ef08-eb53-5c76cc8222be@unibas.ch>

Hi,

I am investigating the possibility of using Keycloak with the Device Flow (https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13) for browserless devices. Does Keycloak support Device Flow? If it does, what is the device endpoint (.well-known/openid-configuration does not specify one)?

Regards,

Jaroslaw

From sthorger at redhat.com Tue Dec 4 10:21:23 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Dec 2018 16:21:23 +0100
Subject: [keycloak-user] Device Flow in Keycloak
In-Reply-To: <00d9e4bc-92e9-ef08-eb53-5c76cc8222be@unibas.ch>
References: <00d9e4bc-92e9-ef08-eb53-5c76cc8222be@unibas.ch>
Message-ID: 

Device Flow is not currently supported in Keycloak

On Tue, 4 Dec 2018 at 13:47, Jaroslaw Surkont wrote:

> Hi,
>
> I am investigating the possibility of using Keycloak with the Device
> Flow (https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13) for
> browserless devices. Does Keycloak support Device Flow? If it does, what
> is the device endpoint (.well-known/openid-configuration does not
> specify one)?
>
> Regards,
>
> Jaroslaw
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From imbacen at gmail.com Tue Dec 4 11:37:36 2018
From: imbacen at gmail.com (cen)
Date: Tue, 4 Dec 2018 17:37:36 +0100
Subject: [keycloak-user] Permission with multiple scopes - what does it mean exactly?
Message-ID: 

Hi.
in UMA authorization, when adding a scope Permission you can specify a set of scopes. What a "set" means exactly is not very well documented. By trial and error I figured out that:

1. Resource with single scope and corresponding permission with same (single) scope works as expected.

2. Resource with single scope and permission with multiple scopes, of which one of them is the resource scope, does not work (auth not granted).

Scope set on resource to me means: this is all the things the resource owner is allowed to do with it.

Scope set on permission to me means: apply these policies if either of these scopes is needed. That does not seem to be the case though, according to point #2.

Can someone shed some light on how the scope set on a resource resolves against the permission scope set?

Best regards, cen

From psilva at redhat.com Tue Dec 4 12:04:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 4 Dec 2018 15:04:58 -0200
Subject: [keycloak-user] Permission with multiple scopes - what does it mean exactly?
In-Reply-To: 
References: 
Message-ID: 

Hi,

The scope set on resource does not necessarily mean access to the resource/scopes. Access is granted depending on the policies associated with the permissions you have for both resources and scopes.

If you could provide more details on how to reproduce #2, I'd appreciate it. However, if the permission in #2 is denying access it will also be denied for the resource scope.

On Tue, Dec 4, 2018 at 2:42 PM cen wrote:

> Hi.
>
> in UMA authorization, when adding a scope Permission you can specify a
> set of scopes. What a "set" means exactly is not very well documented.
> By trial and error I figured out that:
>
> 1. Resource with single scope and corresponding permission with same
> (single) scope works as expected.
>
> 2. Resource with single scope and permission with multiple scopes, of
> which one of them is the resource scope does not work (auth not granted).
>
>
> Scope set on resource to me means: this is all the things the resource
> owner is allowed to do with it.
>
> Scope set on permission to me means: apply this policies if either of
> these scopes is needed. That does not seem to be the case tho, according
> to point #2.
>
>
> Can someone shed some light how scope set on resource resolves against
> permission scope set?
>
>
> Best regards, cen
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Tue Dec 4 12:09:50 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Dec 2018 18:09:50 +0100
Subject: [keycloak-user] Review Chinese translation update
Message-ID: 

Can someone from the community please review updates to the Chinese translation?

https://github.com/keycloak/keycloak/pull/5778

From sthorger at redhat.com Tue Dec 4 12:10:42 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Dec 2018 18:10:42 +0100
Subject: [keycloak-user] Review switch to UTF-8 encoding for Lithuanian translation
Message-ID: 

Can someone from the community please review $sub?

https://github.com/keycloak/keycloak/pull/5767

From sthorger at redhat.com Tue Dec 4 13:27:56 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Dec 2018 19:27:56 +0100
Subject: [keycloak-user] Need review for Latvian translation
Message-ID: 

We have an open PR for Latvian translations. Unless someone from the community can review it I will have to reject the PR.

https://github.com/keycloak/keycloak/pull/5676

From kevinhoarau0496 at gmail.com Tue Dec 4 13:33:26 2018
From: kevinhoarau0496 at gmail.com (Kevin Hoarau)
Date: Tue, 4 Dec 2018 19:33:26 +0100
Subject: [keycloak-user] Keycloak and Wildfly in docker
Message-ID: 

Hi,

I'm running my wildfly app in docker, and keycloak too. They are in the same docker network.
The problem is that when I go to my application (http://127.0.0.1:8080/akatsuki-javaee-webapp/) the keycloak auth page appears, I log in, and then I get a Forbidden. I have been trying to solve it for a week :/

Please find below some configuration files:

*docker-compose.yml:*

version: '2'
services:
  wildfly:
    build:
      context: WildFly/
    container_name: "wildfly"
    volumes:
      - /tmp/images:/opt/jboss/images
    ports:
      - "8080:8080"
    networks:
      - netaka
  filemanager:
    build:
      context: FileManager/
    container_name: "filemanager"
    volumes:
      - /tmp/images:/usr/local/apache2/htdocs/
    ports:
      - "8082:80"
    networks:
      - netaka
  keycloak:
    build:
      context: KeyCloak/
    container_name: "keycloak"
    ports:
      - "8180:8080"
    environment:
      KEYCLOAK_USER: "admin"
      KEYCLOAK_PASSWORD: "admin"
    networks:
      - netaka
networks:
  netaka:
    driver: bridge

*Dockerfile (wildfly):*

FROM jboss/wildfly
ADD target/akatsuki-javaee-webapp.war /opt/jboss/wildfly/standalone/deployments/
ENV KEYCLOAK_VERSION 4.6.0.Final
WORKDIR /opt/jboss/wildfly/
RUN curl -L https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/adapters/keycloak-oidc/keycloak-wildfly-adapter-dist-$KEYCLOAK_VERSION.tar.gz | tar zx
RUN ./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli
WORKDIR /opt/jboss
# Standalone.xml modifications
COPY standalone.xml /opt/jboss/wildfly/standalone/configuration/
RUN mkdir -p /opt/jboss/images
## Attempt fix permissions error ##
# Attempt to fix for Error: Could not rename /opt/jboss/wildfly/standalone/configuration/standalone_xml_history/current
# See https://stackoverflow.com/questions/20965737/docker-jboss7-war-commit-server-boot-failed-in-an-unrecoverable-manner
RUN rm -rf /opt/jboss/wildfly/standalone/configuration/standalone_xml_history/current

*I'm modifying standalone.xml in order to change this (the XML element names were lost in the archive; only the values remain):*

akatsukiRealm
http://127.0.0.1:8180/auth
true
EXTERNAL
akatsukiClient

*Dockerfile (keycloak):*

FROM jboss/keycloak
COPY standalone.xml /opt/jboss/keycloak/standalone/configuration/

*I'm modifying standalone.xml in order to change this line (the line itself was lost in the archive):*

""

*web.xml (in my wildfly app; element names lost in the archive, values only):*

akatsuki-javaee-webapp
Index
/*
user
user

*And when I try to connect, I get this error:*

wildfly | 18:26:46,931 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.ConnectException: Connection refused (Connection refused)
wildfly |     at java.net.PlainSocketImpl.socketConnect(Native Method)
wildfly |     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
wildfly |     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
wildfly |     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
wildfly |     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
wildfly |     at java.net.Socket.connect(Socket.java:589)
wildfly |     at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:120)
wildfly |     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
wildfly |     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
wildfly |     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
wildfly |     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
wildfly |     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
wildfly |     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
wildfly |     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
wildfly |     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
wildfly |     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
wildfly |     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
wildfly |     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335)
wildfly |     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280)
wildfly |     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)
wildfly |     at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
wildfly |     at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
wildfly |     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
wildfly |     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
wildfly |     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
wildfly |     at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
wildfly |     at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
wildfly |     at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
wildfly |     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
wildfly |     at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
wildfly |     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
wildfly |     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
wildfly |     at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
wildfly |     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
wildfly |     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
wildfly |     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
wildfly |     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
wildfly |     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
wildfly |     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
wildfly |     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
wildfly |     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
wildfly |     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
wildfly |     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
wildfly |     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
wildfly |     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
wildfly |     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
wildfly |     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
wildfly |     at java.lang.Thread.run(Thread.java:748)
wildfly |

I can join more details if needed. If someone helps me, I would be very grateful. I'm waiting for your response.

Thx a lot

-- 
Kevin HOARAU - Engineering student
Computer Science & Industrial Electronic
ISEN

From mposolda at redhat.com Wed Dec 5 03:12:35 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 09:12:35 +0100
Subject: [keycloak-user] How to get access token with SPNEGOAuthenticator?
In-Reply-To:
References:
Message-ID: <44b62dae-12db-c2e8-855f-7f2a173439cd@redhat.com>

On 25/11/2018 05:11, ola rob wrote:
> Hi,
>
> For some legacy reasons, we are using keycloak API/services for
> authentication but not redirecting our application to keycloak. We are able
> to get access token and refresh token (AccessTokenResponse.class) when we
> authenticate using login API by sending username and password. But we are
> unable to get them when authenticating using spnego token.
> The SPNEGOAuthenticator class doesn't return any access token after
> successful authentication. We need these tokens to manage our application
> session internally. So, how can we get access and refresh token or response
> similar to username password authentication?

Are you using the OAuth2 Resource-Owner-Password-Credentials (Direct grant) flow? Can you send an example of the HTTP request and response you're using, just to confirm we're on the same page?

We don't have support for SPNEGO authentication in the Resource-Owner-Password-Credentials flow (assuming you're using that flow). There is an open JIRA for this.

What you can possibly do is to write your own authenticator implementation, which will handle SPNEGO, and then create an authentication flow with your custom authenticator added. The authenticator can probably re-use lots of the code that the SpnegoAuthenticator used for the "browser" flow is using. The flow will likely need to also contain other authenticators (e.g. the existing authenticators for username/password, assuming that you want to support both username/password and SPNEGO).

See the Keycloak server development guide and our quickstarts for the authentication for more details.

Marek

>
> SPNEGOAuthenticator spnegoAuthenticator = new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
> spnegoAuthenticator.authenticate();
> if (spnegoAuthenticator.isAuthenticated()) {
>     String username = spnegoAuthenticator.getAuthenticatedUsername(); // returning the username correctly.
> }
>
> Thanks in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Dec 5 03:17:15 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 09:17:15 +0100
Subject: [keycloak-user] group federation?
In-Reply-To:
References:
Message-ID:

There is no real group federation support in Keycloak and we probably won't add it due to the big complexity. However, what you can do is to create a Group LDAP mapper (see the tab "Mappers" in the admin console when you're on the page with your LDAP provider). When you do it, you have the possibility to sync the groups from LDAP to Keycloak, and have your users from LDAP be seen as members of the particular Keycloak groups.

This approach has some (hopefully) minor limitations. For example, when you have synced the groups from LDAP to Keycloak and then you remove group "abc" from LDAP, the group will still be visible in Keycloak. But in most of the cases, the groups mapper approach should be sufficient.

Marek

On 26/11/2018 16:39, Wyllys Ingersoll wrote:
> We have a realm configured to get federated users from our Active Directory
> domain server. Is there a way to also get the list of federated group
> information for each user (i.e. include the AD groups that the AD user is a
> member of in the federated user information) ?
>
> thanks...
From mposolda at redhat.com Wed Dec 5 03:24:13 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 09:24:13 +0100
Subject: [keycloak-user] Temporary support for current sign-in flow
In-Reply-To:
References:
Message-ID: <3556de73-0523-2d16-5d5c-20d760b84124@redhat.com>

I think you can achieve this with the OAuth2 Resource Owner Password Credentials Grant (in Keycloak, it is referred to as the Direct Grant flow).

As you pointed out, it would be good to have this really just as a temporary solution for legacy purposes, as this approach has quite a lot of limitations compared to having the login form properly shown on the Keycloak side (e.g. missing social logins, registration, "Forgot password" functionality etc).

Marek

On 25/11/2018 23:47, Craig Setera wrote:
> As everyone is probably painfully aware from all of my questions, we are in
> the midst of replacing our proprietary login flow with a Keycloak
> OpenID-based flow. The eventual goal is to use the standard Keycloak login
> pages to allow for extra factors of authentication such as Google
> Authenticator.
>
> One option that we've allowed until now is for customers to host custom
> login HTML forms (just username and password) on their sites. This is
> something that we are (most likely) going to remove support for in the long
> run, but in the short term, I think we are going to need to support this if
> only to allow for a transition period. The login flow is:
>
> Customer Site (HTML form) ->
> Login Handler (JEE Session) ->
> Redirect browser to SPA along with JSESSIONID
>
> All API calls use JEE sessions for "authentication". What I'm hoping to do
> somehow in the short term is:
>
> Customer Site (HTML form) ->
> Login Handler ->
> Keycloak ->
> Redirect browser to SPA with OAuth codes/tokens
>
> What is the best/correct way to do something like this? Should I be using
> the authorization code grant in this case?
>
> Thanks for any insights.
> Craig
>
> =================================
> Craig Setera
>
> Chief Technology Officer

From mposolda at redhat.com Wed Dec 5 03:30:52 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 09:30:52 +0100
Subject: [keycloak-user] Motivation behind the removal of client_id from "aud" in the JWT
In-Reply-To: <3d828dce-4fad-9934-1e72-6e711f62c227@cern.ch>
References: <3d828dce-4fad-9934-1e72-6e711f62c227@cern.ch>
Message-ID: <67cf9bb0-f13f-8382-ac18-f1915a0727dd@redhat.com>

On 26/11/2018 17:49, Cristian Schuszter wrote:
> Hi!
>
> We just updated from release 4.5.0 to 4.6.0 and discovered that the
> "aud" field has been changed to "aud": "account", rather than the
> client-id of the application.
>
> After a bit of digging, we found the commit and associated pull request
> for the change:
> https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342faf9f6987503#diff-d45230ec2a55480bbaf022aee366e898R85
>
> Unfortunately, the KEYCLOAK-8482 issue seems to be hidden, as I couldn't
> find it on the Jira board.
>
> We were counting on the "client_id" being present in the audiences, as
> the Microsoft.NET core validators target specifically the audiences in
> the JWT token, with no option of targeting the "azp" field.

The client_id is still present in the ID Token by default. In the access token it is not present by default now. However, per the OIDC/OAuth2 specification, the access token is just an opaque string. In theory, you shouldn't assume any specific format of our access token when using it with a 3rd party adapter.

If you really need to add the client_id to the "aud" field, you can achieve it by adding an Audience protocol mapper to your client and adding the client_id of your client to it. This will de facto add the "hardcoded" client_id to the token.

Marek

>
> Could anybody shed some light as to why the client_id was removed from
> the audiences?
>
>
> Best regards,
>
> Cristian Schuszter

From mposolda at redhat.com Wed Dec 5 03:36:52 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 09:36:52 +0100
Subject: [keycloak-user] How to retrieve user ID from Keycloak to my web app
In-Reply-To:
References:
Message-ID: <1df7bd81-6da3-a5ac-a9a2-715bd88b3c5c@redhat.com>

If you just authenticated the user and you're using the Keycloak servlet adapter, you can just get the ID of the authenticated user by calling servletRequest.getRemoteUser(). You can even retrieve the other claims besides the user ID, for example email, firstName, lastName etc. It's possible to get them from the token; I suggest taking a look at our quickstart and documentation for more details.

Marek

On 27/11/2018 05:22, Kunal Kumar wrote:
> Before, my web app had its own login form to authenticate users.
>
> But since I have connected my web app to Keycloak to authenticate the users
> now, my web app does not need to have the login form anymore, hence I need
> to remove it.
>
> This was roughly how I retrieved the user's information before Keycloak:
>
>     if (chkLogin(getUserID(), getUserPwd())) {
>         MaintainUser mu = new MaintainUser();
>         this.usrInfo = null;
>         String[] usr = mu.validatePassword(getUserID(), getUserPwd());
>     }
>
> This is not the full coding, but basically I use the getUserID method to
> retrieve the user's info and check it for authentication before. How do I
> perform this if I want to retrieve the user ID from the Keycloak admin
> console?
>
>
> Regards,
>
> Kunal Kumar

From imbacen at gmail.com Wed Dec 5 03:37:55 2018
From: imbacen at gmail.com (cen)
Date: Wed, 5 Dec 2018 09:37:55 +0100
Subject: [keycloak-user] Permission with multiple scopes - what does it mean exactly?
In-Reply-To:
References:
Message-ID: <26f2c8be-a37c-066a-de26-87bfa9eba378@gmail.com>

Hi,

it turns out I missed that another resource was selected in the permission (the Resource field, which narrows the scopes available), and it was not the endpoint being accessed. The number of scopes had nothing to do with it and it works as intended (it applies the same policy to any of the listed scopes).

Best regards, cen

On 4. 12. 18 at 18:04, Pedro Igor Silva wrote:
> Hi,
>
> The scope set on a resource does not necessarily mean access to the
> resource/scopes. Access is granted depending on the policies
> associated with the permissions you have for both resources and scopes.
>
> If you could provide more details on how to reproduce #2, I would
> appreciate it. However, if the permission in #2 is denying access it will
> also be denied for the resource scope.
>
> On Tue, Dec 4, 2018 at 2:42 PM cen wrote:
>
> > Hi.
> >
> > in UMA authorization, when adding a scope Permission you can
> > specify a set of scopes. What a "set" means exactly is not very well
> > documented. By trial and error I figured out that:
> >
> > 1. Resource with single scope and corresponding permission with same
> > (single) scope works as expected.
> >
> > 2. Resource with single scope and permission with multiple scopes, of
> > which one of them is the resource scope does not work (auth not
> > granted).
> >
> > Scope set on resource to me means: this is all the things the
> > resource owner is allowed to do with it.
> >
> > Scope set on permission to me means: apply these policies if either of
> > these scopes is needed. That does not seem to be the case though,
> > according to point #2.
> >
> > Can someone shed some light on how the scope set on a resource resolves
> > against the permission scope set?
> >
> > Best regards, cen
>

From mposolda at redhat.com Wed Dec 5 03:39:47 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 09:39:47 +0100
Subject: [keycloak-user] start up of keycloak nodes roughly increases two folds for every 100 tenants.
In-Reply-To: <2085409309.6617889.1543319173801@mail.yahoo.com>
References: <2085409309.6617889.1543319173801.ref@mail.yahoo.com> <2085409309.6617889.1543319173801@mail.yahoo.com>
Message-ID:

Hi,

I suggest upgrading to the latest 4.7.0.Final. I know there were some improvements in recent versions regarding this. However, you will still probably see some issues, as we did not yet try to test with such a big amount of realms. We plan to improve on this use-case.

Marek

On 27/11/2018 12:46, Madhu wrote:
> Hi, I am using Keycloak 4.5. I created about 600+ tenants with 50 users each for performance testing.
>
> Upon creating tenants, the start up time of Keycloak increases drastically. This seems to be due to pretty much all entities at start up.
> I tried disabling realm cache, user cache and did not help. Can you suggest how to bring down the start up time?
>
> Is it absolutely necessary for keycloak to load every thing at start up??
>
> This is an extract from hibernate stats I got on a c4 xlarge ec2 instance (4 core, 8 gig), keycloak configured with xms=xmx=5g.
>
> 018-11-24 10:33:19,998 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 61) Envers integration enabled? : true
> 2018-11-24 10:33:20,499 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 61) HV000001: Hibernate Validator 5.3.6.Final
> 2018-11-24 10:33:21,296 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 61) HHH000397: Using ASTQueryTranslatorFactory
> ^C
> [centos at ip-172-31-45-199 log]$ 11:10:45,750 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     669457663 nanoseconds spent acquiring 92974 JDBC connections;
>     148185664 nanoseconds spent releasing 92974 JDBC connections;
>     1852958902 nanoseconds spent preparing 92974 JDBC statements;
>     35866600579 nanoseconds spent executing 92974 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections);
>     2197548626817 nanoseconds spent executing 14139 partial-flushes (flushing a total of 1042012050 entities and 1042012050 collections)
> }
> 11:10:45,780 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     7689387 nanoseconds spent acquiring 1 JDBC connections;
>     34263 nanoseconds spent releasing 1 JDBC connections;
>     8025969 nanoseconds spent preparing 1 JDBC statements;
>     909784 nanoseconds spent executing 1 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     3525215 nanoseconds spent executing 3 flushes (flushing a total of 3 entities and 0 collections);
>     0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)
> }
> 11:10:45,795 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     437680 nanoseconds spent acquiring 1 JDBC connections;
>     10539 nanoseconds spent releasing 1 JDBC connections;
>     465001 nanoseconds spent preparing 1 JDBC statements;
>     719260 nanoseconds spent executing 1 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     0 nanoseconds spent executing 0 flushes (flushing a total of 0 entities and 0 collections);
>     17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections)
> }
>
> All my 600+ realms are pretty much the same, i.e. each realm has a client scope, a JavaScript mapper (to get all the realm roles into resource role), a couple of attribute mappers, 2 user groups (1 for admins and 1 for other users). I have about 50 users in each realm and all the users belong to one of the 2 user groups (no custom roles though).
>
> Also, I benchmarked the start up time after creating 50 or 100 realms and the start up time increases as the number of realms increases.
>
> I am able to manage as I have disabled the admin console and use rest endpoints, but still the start up time and loading pretty much every thing seems a little weird.
>
> Please correct my understanding if I am wrong here.
>
> | No of Realms | Start up time in mins |
> | 0 realms     | 0.22 mins             |
> | 100 realms   | 2.34 mins             |
> | 200 realms   | 2.53 mins             |
> | 300 realms   | 5.34 mins             |
> | 400 realms   | 9.42 mins             |
> | 500 realms   | 14.6 mins             |
> | 650 realms   | 37 mins               |
>
> Likewise the time taken to create tenants too gradually increases (I use import to create realms),
> from about 3 seconds for the first few realms to about 30 sec for the 600th realm.
>
> Any advice/help will be appreciated.

From me at tuqire.com Wed Dec 5 03:40:51 2018
From: me at tuqire.com (Tuqire Hussain)
Date: Wed, 5 Dec 2018 08:40:51 +0000
Subject: [keycloak-user] (no subject)
Message-ID:

Hi all,

We are currently using the 'keycloak-nodejs-connect' in our node layer and it is mostly working great. However, our production cluster requires an outbound proxy to make requests.

Is there a recommended way to set an outbound proxy using the 'keycloak-nodejs-connect' library?

Any help would be extremely appreciated.

Thank you.

-- 
Kind regards
Tuqire
www.tuqire.com

From mposolda at redhat.com Wed Dec 5 04:08:39 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 10:08:39 +0100
Subject: [keycloak-user] StackOverflowError when listing federated identities
In-Reply-To:
References:
Message-ID: <213cd021-27b3-c8c0-16eb-f4c589500e21@redhat.com>

There is a JIRA for this: https://issues.jboss.org/browse/KEYCLOAK-9002 . Will try to resolve this for the next version.

Marek

On 27/11/2018 23:01, Wyllys Ingersoll wrote:
> Using Keycloak 4.6.0.Final, when I query for all users in a realm which is
> federated to an AD domain (only about 25 users in the domain), it pretty
> consistently throws exceptions (see below).
>
> Oddly enough, if I add the parameter "briefRepresentation=true", the list
> is returned successfully. I can query for individual users just fine
> (brief or full).
>
> This was not an issue in 4.5.0, I'm only seeing it now that I upgraded to 4.6.0.
>
> Possibly a memory issue, but it's hard to tell.
> Any ideas?
>
> thanks,
> Wyllys Ingersoll
>
>
> 21:32:11,324 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-112) Uncaught server error: java.lang.StackOverflowError
>     at sun.reflect.GeneratedMethodAccessor378.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
>     at com.sun.proxy.$Proxy92.find(Unknown Source)
>     at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:520)
>     at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:369)
>     at org.keycloak.models.cache.infinispan.UserAdapter.getUserModel(UserAdapter.java:399)
>     at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:42)
>     at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
>     at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
>     at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
>     at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
>     at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
>     at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
>     at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
>     at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
> ...

From himalaya18 at gmail.com Wed Dec 5 04:10:28 2018
From: himalaya18 at gmail.com (Himalaya Gupta)
Date: Wed, 5 Dec 2018 14:40:28 +0530
Subject: [keycloak-user] Keycloak token refresh when user session is logged out
Message-ID:

Hi,

My client is a ReactJS application using the Keycloak JavaScript adapter. I am trying the below scenario:

1. Log in to the client application via the Keycloak server and retrieve the access-token in the client
2. Log in to the Keycloak Admin console and logout the active session for the user for the given client.
3. On the client application I observe the following: the token is still valid as it has not expired. When the token expires, the refresh token request is stuck in refreshing the token (probably stuck as the user is forcefully logged-out via the Admin Console)

Can you please let me know if there is a way to detect the inactive session and force the user to login even if the token is still valid via the JavaScript API?

When trying to refresh the token and if the user session is logged out, should the keycloak server just return an error instead of a pending response? Could this be a bug?

Any help would be appreciated in this regard.

Thank you

-- 
Best regards,
Himalaya Gupta

From mposolda at redhat.com Wed Dec 5 04:10:56 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Dec 2018 10:10:56 +0100
Subject: [keycloak-user] Login after registration fails when other user was logged in before
In-Reply-To: <9b3ee83376a977a4a1251adb1a7953fd83c96ee7.camel@apa.at>
References: <9b3ee83376a977a4a1251adb1a7953fd83c96ee7.camel@apa.at>
Message-ID:

Hi,

feel free to create a JIRA for this (if it doesn't already exist). Hopefully we can improve this in next versions.

Thanks,
Marek

On 28/11/2018 09:56, Rainer-Harbach Marian wrote:
> Hi,
>
> we encountered a problem in a special use case (Keycloak 4.5.0.Final):
> We'd like to display a registration button in our application even when
> a user (user1) is logged in.
>
> Directly calling the registration form seems to be supported according
> to
> http://lists.jboss.org/pipermail/keycloak-user/2016-August/007473.html
>
> However, the login after the registration (of user2) fails when user1
> was logged in before.
>
> The problem can be reproduced by following these steps:
> 1. Log user1 into the account app
> 2. Open the registration form at https:///auth/realms//protocol/openid-connect/registrations?client_id=account&response_type=code&scope=openid+email&redirect_uri=
> 3. Register user2
> 4. After registration, this message is shown: "We're sorry...
>    You are already authenticated as different user in this
>    session. Please logout first."
>    The message contains a link "Back to Application".
>
> However, user1 is not logged in anymore and the link "Back to
> Application" leads to the login form.
>
> This situation is not straightforward for a user to resolve: user1 has
> to log in again, then log out, and only then is user2 able to log in.
>
> The reason appears to be that opening the registration form in step 2
> deletes the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. However,
> the cookie AUTH_SESSION_ID remains unchanged.
>
> To me it seems that opening the registration form should cause a new
> AUTH_SESSION_ID to be generated (beside KEYCLOAK_IDENTITY and
> KEYCLOAK_SESSION being cleared).
>
> I'd appreciate any thoughts on that!
>
> Best regards,
> Marian

From Marian.Rainer-Harbach at apa.at Wed Dec 5 04:17:36 2018
From: Marian.Rainer-Harbach at apa.at (Rainer-Harbach Marian)
Date: Wed, 5 Dec 2018 09:17:36 +0000
Subject: [keycloak-user] Login after registration fails when other user was logged in before
In-Reply-To:
References: <9b3ee83376a977a4a1251adb1a7953fd83c96ee7.camel@apa.at>
Message-ID: <5595bd17d347821bcaea2895faaeec62e420a1f9.camel@apa.at>

Hi Marek,

On Wed, 2018-12-05 at 10:10 +0100, Marek Posolda wrote:
> feel free to create a JIRA for this (if it doesn't already exist).
> Hopefully we can improve this in next versions.
thanks, I created https://issues.jboss.org/browse/KEYCLOAK-8976 Best regards, Marian From geoff at opticks.io Wed Dec 5 04:57:33 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Wed, 5 Dec 2018 10:57:33 +0100 Subject: [keycloak-user] How do I hide clients from Account | Applications screen? Message-ID: Hi. I don't want users to see clients/applications in which they have no roles. How can I go about accomplishing this? Thanks. [image: Screen Shot 2018-12-05 at 10.55.55.png] Regards, Geoffrey Cleaves -------------- next part -------------- A non-text attachment was scrubbed... Name: Screen Shot 2018-12-05 at 10.55.55.png Type: image/png Size: 89260 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181205/fc691c3b/attachment-0001.png From nivethika at thehyve.nl Wed Dec 5 05:35:59 2018 From: nivethika at thehyve.nl (Nivethika Mahasivam) Date: Wed, 5 Dec 2018 11:35:59 +0100 Subject: [keycloak-user] Keycloak-js with cordova-native Message-ID: I am trying to use the Keycloak-js(from 4.4.0.Final) library in my ionic(4) cordova application. I have followed the example and instructions from the documentation. I have installed cordova-plugin-browsertab, cordova-plugin-deeplinks, cordova-plugin-inappbrowser. Added in my config.xml And and my service which uses Keycloak-js looks like below. static init(): Promise { // Create a new Keycloak Client Instance let keycloakAuth: any = new Keycloak({ url: 'https://mydomain.net/auth/', realm: 'mighealth', clientId: 'armt', }); return new Promise((resolve, reject) => { keycloakAuth.init({ onLoad: 'login-required', adapter: 'cordova', responseMode: 'query', redirectUri: 'android-app://org.phidatalab.radar_armt/https/keycloak-cordova-example.github.io/login' }).success(() => { console.log("Success") resolve(); }).error((err) => { reject(err); }); }); } I can successfully build and run the application for android. However, it doesn't work. 
If I try to run it in a browser, I get "universalLink is undefined". I would really like some help to get this working. What am I missing? Any kind of help is much appreciated.

Best,
Nivethika

--
Nivethika Mahasivam | Software Engineer (Real World Data Team)
E. nivethika at thehyve.nl
T. +31(0)65 041 619 1

From youcef.belattaf at gmail.com Wed Dec 5 06:10:11 2018
From: youcef.belattaf at gmail.com (youcef belattaf)
Date: Wed, 5 Dec 2018 12:10:11 +0100
Subject: [keycloak-user] Using Keycloak to secure AWS API Gateway Lambda endpoints

Hello everyone,

We'd like to use Keycloak in our new API managed by AWS Lambda / API Gateway. Unfortunately, we didn't find an adapter for AWS API Gateway / Lambda. So we decided to write an adapter that consists of 2 lambdas:

1/ A Lambda that validates the JWT and, in case of a new public key, requests the new public key from Keycloak. This lambda is used as an Authorizer.
2/ A Lambda that deals with revocations. It exposes an endpoint (k_push_not_before) in order to receive Admin Not Before Policy pushes.

What do you think of this solution? Your feedback and experiences on Keycloak and AWS Gateway / Lambda are welcome.

Regards,
Youcef

From psilva at redhat.com Wed Dec 5 06:40:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 5 Dec 2018 09:40:11 -0200
Subject: [keycloak-user] NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount

Hi Andrew,

I'm wondering if you are using distributable for any other reason but propagation of the security context. Is that the case?

Thanks.
Pedro Igor

On Thu, Nov 29, 2018 at 9:10 PM Andrew Murphy wrote:
> I have been pulling my hair out over this thinking something was amiss
> with my configuration, but it turns out to be something unrelated. My
> web.xml includes the attribute which I have subsequently
> learnt contractually obligates you to ensure all session attributes are
> serializable.
> The ElytronAccount object obviously isn't, which resulted in
> the reported NotSerializableException in my webapp after successful
> authentication.
>
> I have since commented out in web.xml and all is working
> flawlessly.
>
> On Wed, 21 Nov 2018 at 21:40, Andrew Murphy wrote:
>
> > I've installed the keycloak-wildfly-adapter-dist-4.6.0.Final.zip adapter
> > in a clean version of WildFly Full 14.0.1.Final, running on Windows 8.1.
> > The keycloak server is running on a separate port.
> >
> > When I configure the adapter subsystem (server not running) with the newer
> > Elytron adapter using
> >
> > > cd bin
> > > jboss-cli.bat --file=adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
> >
> > and thereafter attempt to sign into a basic war application I get the
> > keycloak login page, followed by an error page once credentials are posted.
> > The server.log reports the following (abbreviated) error stacktrace
> >
> > 2018-11-21 20:17:37,654 ERROR [io.undertow.request] (default task-1)
> > UT005023: Exception handling request to /curo-crm/:
> > java.lang.IllegalArgumentException:
> > org.infinispan.commons.marshall.NotSerializableException:
> > org.keycloak.adapters.elytron.ElytronAccount
> >         at org.wildfly.clustering.web.infinispan.session.coarse.CoarseSessionAttributes.setAttribute(CoarseSessionAttributes.java:71)
> > [snip]
> > Caused by: org.infinispan.commons.marshall.NotSerializableException:
> > org.keycloak.adapters.elytron.ElytronAccount
> >
> > Now, if I configure the adapter subsystem with the legacy non-Elytron
> > adapter on WildFly using
> >
> > > cd bin
> > > jboss-cli.bat --file=adapter-install-offline.cli -Dserver.config=standalone-full.xml
> >
> > everything works without errors i.e. I can access the protected web app on
> > login success.
> >
> > Question 1: Have I missed something in the server configuration that is
> > causing the NotSerializableException?
> > Question 2: The keycloak config documentation recommends the use of the
> > newer Elytron adapter over the legacy non-Elytron adapter, but gives no
> > reasoning. Are there drawbacks to using the legacy version?
> >
> > Thanks
>
> --
> Andrew Murphy
> Mobile: +353 (0)8 3802 2469
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From wyllys.ingersoll at keepertech.com Wed Dec 5 09:10:33 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Wed, 5 Dec 2018 09:10:33 -0500
Subject: [keycloak-user] group federation?

I eventually figured out that the Group LDAP Mapper was the thing I needed, but thanks for the response.

-Wyllys

On Wed, Dec 5, 2018 at 3:17 AM Marek Posolda wrote:
> There is no real group federation support in Keycloak and we probably
> won't add it due to the big complexity.
>
> However what you can do is to create a Group LDAP mapper (see tab
> "mappers" in the admin console when you're on the page with your LDAP
> provider). When you do it, you have the possibility to sync the groups
> from LDAP to Keycloak, and have your users from LDAP be seen as
> members of the particular Keycloak groups.
>
> This approach has some (hopefully) minor limitations. For example when
> you synced the groups from LDAP to Keycloak and then you remove group
> "abc" from LDAP, the group will still be visible in Keycloak. But in most
> of the cases, the groups mapper approach should be sufficient.
>
> Marek
>
> On 26/11/2018 16:39, Wyllys Ingersoll wrote:
> > We have a realm configured to get federated users from our Active Directory
> > domain server. Is there a way to also get the list of federated group
> > information for each user (i.e. include the AD groups that the AD user is a
> > member of in the federated user information)?
> >
> > thanks...
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From wyllys.ingersoll at keepertech.com Wed Dec 5 09:12:47 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Wed, 5 Dec 2018 09:12:47 -0500
Subject: [keycloak-user] StackOverflowError when listing federated identities
In-Reply-To: <213cd021-27b3-c8c0-16eb-f4c589500e21@redhat.com>
References: <213cd021-27b3-c8c0-16eb-f4c589500e21@redhat.com>

thanks! We had to revert back to 4.5.0 because of this problem. Once this is fixed, we'll try to move forward again.

On Wed, Dec 5, 2018 at 4:08 AM Marek Posolda wrote:
> There is a JIRA for this: https://issues.jboss.org/browse/KEYCLOAK-9002 .
> Will try to resolve this for the next version.
>
> Marek
>
> On 27/11/2018 23:01, Wyllys Ingersoll wrote:
> > Using Keycloak 4.6.0.Final, when I query for all users in a realm which is
> > federated to an AD domain (only about 25 users in the domain), it pretty
> > consistently throws exceptions (see below).
> >
> > Oddly enough, if I add the parameter "briefRepresentation=true", the list
> > is returned successfully. I can query for individual users just fine
> > (brief or full).
> >
> > This was not an issue in 4.5.0, I'm only seeing it now that I upgraded to 4.6.0.
> >
> > Possibly a memory issue, but it's hard to tell.
> > Any ideas?
> >
> > thanks,
> > Wyllys Ingersoll
> >
> > 21:32:11,324 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-112) Uncaught server error: java.lang.StackOverflowError
> >         at sun.reflect.GeneratedMethodAccessor378.invoke(Unknown Source)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:498)
> >         at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
> >         at com.sun.proxy.$Proxy92.find(Unknown Source)
> >         at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:520)
> >         at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:369)
> >         at org.keycloak.models.cache.infinispan.UserAdapter.getUserModel(UserAdapter.java:399)
> >         at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:42)
> >         at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
> >         at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
> >         at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
> >         at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
> >         at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
> >         at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
> >         at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
> >         at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
> >         ...
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bojan.milosavljevic95 at gmail.com Wed Dec 5 10:48:34 2018
From: bojan.milosavljevic95 at gmail.com (Bojan Milosavljević)
Date: Wed, 5 Dec 2018 16:48:34 +0100
Subject: [keycloak-user] Play framework and Keycloak

Hello,

I am having some doubts - namely I have a Play framework project, Controllers represent my backend, views my frontend. Now I want to enable only some users (with specific role) to access one of my views (html page). For now, whole communication works like this: JS sends request to Keycloak to login, if login is successful -> go to page, if not -> return error.

1.
Do you think it would be better to somehow secure this frontend using my backend (written in Java) and how would I do it, since I really don't understand Java adapters...?
2. If it is OK to leave communication as it is, how would I forbid certain users to access some pages, since I can't find how to set necessary restrictions through code and on server.

Thank you very much.

From bart.lievens at unifiedpost.com Wed Dec 5 12:45:50 2018
From: bart.lievens at unifiedpost.com (Bart Lievens)
Date: Wed, 5 Dec 2018 18:45:50 +0100
Subject: [keycloak-user] Legacy non-email username updated when editing account and "Email as username" is enabled
Message-ID: <1D315DD1-3092-469E-8038-F78BF42FFB97@unifiedpost.com>

Hello,

I noticed the following behaviour using Keycloak 4.6.0.Final and I'm not sure whether it's a bug or the intended behaviour.

I am migrating a legacy application user database to Keycloak (using the User Storage SPI and Import strategy). The legacy user database has old usernames that are not emails, and at some point in time the choice was made to only allow email addresses for logins. As a result I end up with still active usernames that are not emails, but I turned on "Email as username", which I was expecting to only influence new users, as the tooltip says: "If enabled then username field is hidden from registration form and email is used as username for new user."

With this setup I encountered the case where a legacy user (without email username) goes to his account page and wants to update for example his first name, but his username also gets changed to the email field. The user might not even see this because the username is no longer displayed. But because the username has been changed, the next time he/she tries to log in with the usual username and password this is no longer possible, as the username being used is no longer valid.
This seems like a bug, but I found this was requested in https://issues.jboss.org/browse/KEYCLOAK-3685

Any thoughts on how I can work around this, whether there is already an issue related to this, or whether I should create a new JIRA issue to fix the problem/bug?

Thanks

From okianl at yahoo.com Wed Dec 5 13:24:27 2018
From: okianl at yahoo.com (Lucian Ochian)
Date: Wed, 5 Dec 2018 18:24:27 +0000 (UTC)
Subject: [keycloak-user] Outbound Proxy for Keycloak Server (backchannel calls)
References: <1129736262.2322447.1544034267578.ref@mail.yahoo.com>
Message-ID: <1129736262.2322447.1544034267578@mail.yahoo.com>

Hi all,

I really need to setup an outbound proxy for the keycloak server (3.4.3) to be used in the back-channel calls back to the client nodes.
Can anybody help?

Thanks a lot,
Lucian

From okianl at yahoo.com Wed Dec 5 13:52:25 2018
From: okianl at yahoo.com (Lucian Ochian)
Date: Wed, 5 Dec 2018 18:52:25 +0000 (UTC)
Subject: [keycloak-user] Outbound Proxy for Keycloak Server (backchannel calls)
References: <1445535044.2344603.1544035945040.ref@mail.yahoo.com>
Message-ID: <1445535044.2344603.1544035945040@mail.yahoo.com>

Hi all,

I really need to setup an outbound proxy for the keycloak server (3.4.3) to be used in the back-channel calls back to the client nodes.
Can anybody help?
Thanks a lot,
Lucian

PS: sorry if this is a duplicate, I wasn't sure if the first email went through because I got a membership confirmation email back

From graham.burgess at razer.com Wed Dec 5 19:47:16 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Thu, 6 Dec 2018 00:47:16 +0000
Subject: [keycloak-user] 4.5.0.Final failing to start

I am getting the following stack trace from the logs when 4.5.0.Final tries to start on 2 of my Keycloak cluster (thankfully both non-production):

00:42:40,128 WARN  [org.jboss.modules.define] (main) Failed to define class org.jboss.as.server.BootstrapImpl$ShutdownHook in Module "org.jboss.as.server" version 5.0.0.Final from local module loader @2b95e48b (finder: local module finder @4a3329b9 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base)): java.lang.NoClassDefFoundError: Failed to link org/jboss/as/server/BootstrapImpl$ShutdownHook (Module "org.jboss.as.server" version 5.0.0.Final from local module loader @2b95e48b (finder: local module finder @4a3329b9 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))): datadog/trace/agent/tooling/context/FieldBackedProvider$ContextAccessor$java$lang$Runnable$datadog$trace$bootstrap$instrumentation$java$concurrent$State
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
        at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:423)
        at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:519)
        at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:339)
        at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:126)
        at org.jboss.modules.Module.loadModuleClass(Module.java:731)
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:247)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
        at org.jboss.as.server.BootstrapImpl.(BootstrapImpl.java:67)
        at org.jboss.as.server.Bootstrap$Factory.newInstance(Bootstrap.java:275)
        at org.jboss.as.server.Main.main(Main.java:105)
        at org.jboss.modules.Module.run(Module.java:352)
        at org.jboss.modules.Module.run(Module.java:320)
        at org.jboss.modules.Main.main(Main.java:593)
java.lang.NoClassDefFoundError: Failed to link org/jboss/as/server/BootstrapImpl$ShutdownHook (Module "org.jboss.as.server" version 5.0.0.Final from local module loader @2b95e48b (finder: local module finder @4a3329b9 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))): datadog/trace/agent/tooling/context/FieldBackedProvider$ContextAccessor$java$lang$Runnable$datadog$trace$bootstrap$instrumentation$java$concurrent$State
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
        at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:423)
        at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:519)
        at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:339)
        at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:126)
        at org.jboss.modules.Module.loadModuleClass(Module.java:731)
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:247)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
        at org.jboss.as.server.BootstrapImpl.(BootstrapImpl.java:67)
        at org.jboss.as.server.Bootstrap$Factory.newInstance(Bootstrap.java:275)
        at org.jboss.as.server.Main.main(Main.java:105)
        at org.jboss.modules.Module.run(Module.java:352)
        at org.jboss.modules.Module.run(Module.java:320)
        at org.jboss.modules.Main.main(Main.java:593)
00:42:40,251 FATAL [org.jboss.as.server] (main) WFLYSRV0239: Aborting with exit code 1

Thankfully my production cluster is up at the moment, but I fear that if it restarts (for whatever reason) it too will fail. Has anyone else seen and solved this one?

For the record, I am already looking at upgrading to 4.7.0.Final, but that has its own set of issues that I am currently working through.

Best regards,
Graham Burgess
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
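Picking up Youcef's two-lambda design from the "Using Keycloak to secure AWS API Gateway Lambda endpoints" thread above: an added illustration, not the poster's code, of the authorizer lambda (key lookup by kid with a refetch on an unknown kid, claim checks, IAM policy output) and the k_push_not_before receiver whose not-before timestamps revoke earlier tokens. So that it runs offline it signs test tokens with HS256; a real deployment checks Keycloak's RS256 signatures against the realm's JWKS, and the shape assumed for the pushed admin action is noted in the code.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class KeyStore:
    """Lambda 1's key cache: keys by kid, refetched once when an unknown kid appears."""

    def __init__(self, fetch_keys):
        self._fetch = fetch_keys   # production: GET <realm>/protocol/openid-connect/certs
        self._keys = {}
        self.fetch_count = 0

    def get(self, kid: str):
        if kid not in self._keys:
            self._keys, self.fetch_count = dict(self._fetch()), self.fetch_count + 1
        return self._keys.get(kid)


class NotBeforeStore:
    """Lambda 2's state: per-client not-before timestamps received on k_push_not_before."""

    def __init__(self):
        self._nb = {}

    def handle_push(self, action: dict) -> None:
        # Assumed shape of the pushed admin action (check its signature like a token's
        # first): {"action": "PUSH_NOT_BEFORE", "resource": "<clientId>", "notBefore": <epoch>}
        if action.get("action") != "PUSH_NOT_BEFORE":
            raise ValueError("unexpected admin action")
        client = action["resource"]
        self._nb[client] = max(self._nb.get(client, 0), int(action["notBefore"]))

    def not_before_for(self, client_id: str) -> int:
        return self._nb.get(client_id, 0)


class TokenError(Exception):
    pass


def validate_token(token: str, keys: KeyStore, revocations: NotBeforeStore,
                   issuer: str, now: int = None) -> dict:
    """Returns the verified claims or raises TokenError (Lambda 1's core)."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":       # offline stand-in; Keycloak signs RS256
        raise TokenError("unexpected alg")
    key = keys.get(str(header.get("kid", "")))
    expected = hmac.new(key or b"", f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if key is None or not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("unknown kid or bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("typ") != "Bearer":      # refuse refresh/ID tokens presented as bearer
        raise TokenError("not an access token")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("expired")
    # Keycloak revocation: anything issued before the pushed not-before is dead
    if int(claims.get("iat", 0)) < revocations.not_before_for(str(claims.get("azp", ""))):
        raise TokenError("revoked by not-before policy")
    return claims


def authorizer_response(token: str, method_arn: str, keys: KeyStore,
                        revocations: NotBeforeStore, issuer: str, now: int = None) -> dict:
    """Builds the IAM policy document API Gateway expects from a Lambda authorizer."""
    try:
        claims = validate_token(token, keys, revocations, issuer, now)
        effect, principal, context = "Allow", claims["sub"], {"azp": claims.get("azp", "")}
    except TokenError as err:
        effect, principal, context = "Deny", "anonymous", {"reason": str(err)}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
        "context": context,
    }


def mint_test_token(key: bytes, kid: str, claims: dict) -> str:
    # Constructed HS256 token for offline runs (stand-in for a Keycloak-issued one).
    h64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    return f"{h64}.{p64}." + b64url_encode(hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest())
```

A Deny policy makes API Gateway answer 403; raising an exception from the authorizer instead yields 401, which is the usual choice for a missing or unparseable token.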
From Deepti.Tyagi at halliburton.com Wed Dec 5 22:56:43 2018
From: Deepti.Tyagi at halliburton.com (Deepti Tyagi)
Date: Thu, 6 Dec 2018 03:56:43 +0000
Subject: [keycloak-user] Backward compatibility on Clients using Keycloak v3.0.0
Message-ID: <847A59EDBBC62D43BEE2CFA482C6CB6A648DBB89@NP1EXMB105.corp.halliburton.com>

Hi Team,

Do we support backward compatibility on clients like Wildfly 10.1.0, JavaScript.js, Node.js that are using Keycloak v3.0.0 client adapters? We would like to upgrade Keycloak to v4.6 and keep existing client adapters on v3.0.0 for now, to allow them to upgrade at a later point in time. Is there any known regression issue in this scenario?
Thanks,
Deepti

From erlend at hamnaberg.net Thu Dec 6 02:07:26 2018
From: erlend at hamnaberg.net (Erlend Hamnaberg)
Date: Thu, 6 Dec 2018 08:07:26 +0100
Subject: [keycloak-user] 4.7.0.Final Release notes missing

The site seems to not be updated to include the release notes for 4.7.0.
https://www.keycloak.org/docs/latest/release_notes/index.html

/Erlend

From msakho at redhat.com Thu Dec 6 03:07:27 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 6 Dec 2018 09:07:27 +0100
Subject: [keycloak-user] Outbound Proxy for Keycloak Server (backchannel calls)
In-Reply-To: <1445535044.2344603.1544035945040@mail.yahoo.com>
References: <1445535044.2344603.1544035945040.ref@mail.yahoo.com> <1445535044.2344603.1544035945040@mail.yahoo.com>

Lucian,

You can use the cli commands below:

#All parameters : https://www.keycloak.org/docs/latest/server_installation/index.html#outgoing-http-requests
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default/:map-put(name=properties,key=connection-pool-size, value="512")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default/:map-put(name=properties,key=max-pooled-per-route, value="128")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=["host;NO_PROXY",".*\\.local;NO_PROXY",".*;proxyhost:port"])

On Wed, 5 Dec 2018 at 19:57, Lucian Ochian wrote:
> Hi all,
> I really need to setup an outbound proxy for the keycloak server(3.4.3) to
> be used in the back-channel calls back to the client nodes.
> Can anybody help?
> Thanks a lot,
> Lucian
> PS: sorry if this is a duplicate, I wasn't sure if the first email went
> through because I got membership confirmation email back
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dharlaftis at ekt.gr Thu Dec 6 03:54:12 2018
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Thu, 6 Dec 2018 10:54:12 +0200
Subject: [keycloak-user] logout from keycloak security proxy not possible
Message-ID: <69819ff9-02e3-e5d2-fe70-8ca4988c9299@ekt.gr>

Greetings, I would like to post the following issue:

I have set up a docker security proxy container (from image jboss/keycloak-proxy) and a test application behind that proxy that authenticates users through a keycloak docker container (jboss/keycloak image).

When I *logout* from the keycloak central realm page, the session with the test application DOES NOT FINISH and the client test application is not logged out.

Can you help please?

proxy.json configuration

{
  "target-url": "http://test_app",
  "bind-address": "0.0.0.0",
  "send-access-token": true,
  "http-port": "8180",
  "https-port": "8443",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "internal_applications",
        "auth-server-url": "http://keycloak_server/auth",
        "resource": "test_app",
        "ssl-required": "external",
        "credentials": {
          "secret": "fgweggeg-ffff-fffff-fgfgff-fffffffffff"
        }
      },
      "constraints": [
        {
          "pattern": "/*",
          "authenticate": true
        }
      ]
    }
  ]
}

thank you!!!
--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis at ekt.gr
_____________________________

From l.lech at ringler.ch Thu Dec 6 04:57:09 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Thu, 6 Dec 2018 09:57:09 +0000
Subject: [keycloak-user] Cryptic error VFS000002: Failed to clean existing content for temp file provider of type temp while starting docker image
Message-ID: <5E48B917000C984B86B77170F441903A133DCEE2@exch.ringler.ch>

Hello,

When I'm trying to start the keycloak 4.5.0 docker image, I'm getting a cryptic error message:

[org.jboss.vfs] (MSC service thread 1-1) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this

I've tried setting the environment variable KEYCLOAK_LOGLEVEL to DEBUG, as described in https://hub.docker.com/r/jboss/keycloak/, but it didn't change anything. I still get that cryptic error log and nothing more. I can't log into the docker image to check log files, because it gets killed afterwards, so it makes finding the problem hardly possible.

Has the name of the ENV variable changed, or is it generally not possible to change the log level using the official docker image?

Best regards,
Lukasz Lech

From robstyle1234 at gmail.com Thu Dec 6 05:33:44 2018
From: robstyle1234 at gmail.com (ola rob)
Date: Thu, 6 Dec 2018 16:03:44 +0530
Subject: [keycloak-user] How to get access token with SPNEGOAuthenticator?
In-Reply-To: <44b62dae-12db-c2e8-855f-7f2a173439cd@redhat.com>
References: <44b62dae-12db-c2e8-855f-7f2a173439cd@redhat.com>

Thanks Marek!

Yes, we are using the direct grant flow. Does this approach also need browser redirection? If yes, then this may not help us, as we are looking for just an API to pass the SPNEGO token and get the user authenticated, resulting in an access/refresh token. The challenge negotiation with the browser is being handled internally by us.

Thanks!
On Wed, Dec 5, 2018 at 1:42 PM Marek Posolda wrote:
> On 25/11/2018 05:11, ola rob wrote:
> > Hi,
> >
> > For some legacy reasons, we are using keycloak API/services for
> > authentication but not redirecting our application to keycloak. We are able
> > to get access token and refresh token (AccessTokenResponse.class) when we
> > authenticate using login API by sending username and password. But we are
> > unable to get them when authenticating using spnego token.
> > The SPNEGOAuthenticator class doesn't return any access token after
> > successful authentication. We need these tokens to manage our application
> > session internally. So, how can we get access and refresh token or response
> > similar to username password authentication?
>
> Are you using OAuth2 Resource-Owner-Password-Credentials (Direct grant)
> flow? Can you send an example of HTTP request and response you're using
> just to confirm we're on the same page?
>
> We don't have support for SPNEGO authentication in the
> Resource-Owner-Password-Credentials flow (assuming you're using that
> flow). There is an open JIRA for this. What you can possibly do is to
> write your own authenticator implementation, which will handle SPNEGO,
> and then create an authentication flow with your custom authenticator
> added. The authenticator can probably re-use lots of the code which the
> SpnegoAuthenticator used for the "browser" flow is using. The flow will
> likely need to contain also other authenticators (e.g. existing
> authenticators for username/password, assuming that you want to support
> both username/password and SPNEGO). See the Keycloak server development
> guide and our quickstarts for authentication for more details.
>
> Marek
>
> >
> > SPNEGOAuthenticator spnegoAuthenticator = new SPNEGOAuthenticator(ker
berosConfig, kerberosAuth, spnegoToken);
> > spnegoAuthenticator.authenticate();
> > if (spnegoAuthenticator.isAuthenticated()) {
> >     String username = spnegoAuthenticator.getAuthenticatedUsername(); // returning the username correctly.
> > }
> >
> > Thanks in advance!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From pulkitsrivastavajd at gmail.com Thu Dec 6 07:31:08 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Thu, 6 Dec 2018 18:01:08 +0530
Subject: [keycloak-user] Version upgrade issue

Hey,

We are facing issues working with the new version of keycloak. The jars we created using the old version of keycloak are not compatible with the new version. Some of the classes we extended to make custom SPIs have been changed. For example:

IdentityProviderBean
KeycloakContext

Old version: 3.4.3
New version: 4.6.0

Does anyone have any idea as to why keycloak does not support backward compatibility?

Thanks,
Pulkit

From pulkitsrivastavajd at gmail.com Thu Dec 6 07:40:49 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Thu, 6 Dec 2018 18:10:49 +0530
Subject: [keycloak-user] Keycloak Jar plugin issue

Hey,

We are facing issues with custom jar plugins in keycloak. We used the following approach:

classpath:${jboss.home.dir}/providers/*
module:com.identity-bridge.authentication-api
module:com.identity-bridge.login-rest-api
module:com.identity-bridge.registration-spi

And placed these jars inside the module folder of keycloak. But when we tried placing the jars inside the "providers" folder in keycloak as mentioned in the first line (so that we don't have to make any change in standalone.xml for jars), keycloak started giving "NoClassDefFound" errors for some classes.
Any idea as to why this is happening?

Thanks,
Pulkit

From luca.stancapiano at vige.it Thu Dec 6 08:10:58 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Thu, 6 Dec 2018 14:10:58 +0100 (CET)
Subject: [keycloak-user] get users from postman
Message-ID: <172700185.949484.1544101858833@pim.register.it>

I'm trying to call via REST through POSTMAN the list of users through the get path:

http://localhost:8180/auth/admin/realms/school-domain/users

Here my keycloak configuration where I create 2 users, 4 roles, a 'school' client and a 'school-domain' realm:

{
  "realm": "school-domain",
  "enabled": true,
  "accessTokenLifespan": 60,
  "accessCodeLifespan": 60,
  "accessCodeLifespanUserAction": 300,
  "ssoSessionIdleTimeout": 600,
  "ssoSessionMaxLifespan": 36000,
  "sslRequired": "external",
  "registrationAllowed": true,
  "resetPasswordAllowed": true,
  "editUsernameAllowed": true,
  "loginWithEmailAllowed": false,
  "duplicateEmailsAllowed": true,
  "privateKey": "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",
  "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "requiredCredentials": [ "password" ],
  "users": [
    {
      "username": "root",
      "enabled": true,
      "email": "lsflashboss62 at gmail.com",
      "credentials": [ { "type": "password", "value": "gtn" } ],
      "realmRoles": [ "admin" ],
      "clientRoles": { "account": [ "manage-account" ] }
    },
    {
      "username": "HUHUJJJKJJKN",
      "enabled": true,
      "email": "luca.stancapiano at vige.it",
      "firstName": "Luca",
      "lastName": "Stancapiano",
      "credentials": [ { "type": "password", "value": "gtn" } ],
      "realmRoles": [ "pupil" ],
      "clientRoles": { "account": [ "manage-account" ] }
    }
  ],
  "clients": [
    {
      "clientId": "school",
      "rootUrl": "http://localhost:8080/school",
      "enabled": true,
      "redirectUris": [ "http://localhost:8080/school/*" ],
      "webOrigins": [ "http://localhost:8080" ],
      "publicClient": false,
      "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
      "serviceAccountsEnabled": true,
      "authorizationServicesEnabled": true,
      "authorizationSettings": {
        "allowRemoteResourceManagement": true,
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "Default Resource",
            "type": "urn:school:resources:default",
            "ownerManagedAccess": false,
            "attributes": {},
            "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
            "uris": [ "/*" ]
          }
        ],
        "policies": [
          {
            "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
            "name": "Default Policy",
            "description": "A policy that grants access only for users within this realm",
            "type": "js",
            "logic": "POSITIVE",
            "decisionStrategy": "AFFIRMATIVE",
            "config": {
              "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
            }
          },
          {
            "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
            "name": "Default Permission",
            "description": "A permission that applies to the default resource type",
            "type": "resource",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "defaultResourceType": "urn:school:resources:default",
              "applyPolicies": "[\"Default Policy\"]"
            }
          }
        ],
        "scopes": []
      }
    }
  ],
  "roles": {
    "realm": [
      { "name": "admin", "description": "Administrator privileges" },
      { "name": "schooloperator", "description": "School Operator privileges" },
      { "name": "teacher", "description": "Teacher privileges" },
      { "name": "pupil", "description": "Pupil privileges" }
    ]
  }
}

Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0.
Here the Oauth configuration used to receive the token: Token Name: Token Name Grant Type: Authorization Code Callback URL: http://localhost:8080/school Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token Client ID: school Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79 Client Authentication: Send as Basic Auth header The Callback URL is an active simple web app starting on the 8080 port. The token creation is ok but when I call the server with the created token I get a 401 Unauthorized error. What I miss? From jramos at redhat.com Thu Dec 6 09:08:04 2018 From: jramos at redhat.com (Joao Paulo Ramos) Date: Thu, 6 Dec 2018 12:08:04 -0200 Subject: [keycloak-user] get users from postman In-Reply-To: <172700185.949484.1544101858833@pim.register.it> References: <172700185.949484.1544101858833@pim.register.it> Message-ID: Hello Luca, In your webapp's Keycloak Client, try putting it as baerer only. 
Also, in the HTTP request that you make, be sure you are setting the token in the header of the HTTP request, with the following parameter:

{"Authorization" : "bearer " + $TOKEN}

Thanks,

JOÃO PAULO RAMOS

Red Hat Brasil

On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano wrote:

> I'm trying to call via REST through POSTMAN the list of users through the
> GET path: http://localhost:8180/auth/admin/realms/school-domain/users
>
> Here is my Keycloak configuration, where I create 2 users, 4 roles, a 'school'
> client and a 'school-domain' realm:
>
> {
>   "realm": "school-domain",
>   "enabled": true,
>   "accessTokenLifespan": 60,
>   "accessCodeLifespan": 60,
>   "accessCodeLifespanUserAction": 300,
>   "ssoSessionIdleTimeout": 600,
>   "ssoSessionMaxLifespan": 36000,
>   "sslRequired": "external",
>   "registrationAllowed": true,
>   "resetPasswordAllowed": true,
>   "editUsernameAllowed": true,
>   "loginWithEmailAllowed": false,
>   "duplicateEmailsAllowed": true,
>   "privateKey": "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",
>   "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>   "requiredCredentials": [ "password" ],
>   "users": [
>     {
>       "username": "root",
>       "enabled": true,
>       "email": "lsflashboss62 at gmail.com",
>       "credentials": [ { "type": "password", "value": "gtn" } ],
>       "realmRoles": [ "admin" ],
>       "clientRoles": { "account": [ "manage-account" ] }
>     },
>     {
>       "username": "HUHUJJJKJJKN",
>       "enabled": true,
>       "email": "luca.stancapiano at vige.it",
>       "firstName": "Luca",
>       "lastName": "Stancapiano",
>       "credentials": [ { "type": "password", "value": "gtn" } ],
>       "realmRoles": [ "pupil" ],
>       "clientRoles": { "account": [ "manage-account" ] }
>     }
>   ],
>   "clients": [
>     {
>       "clientId": "school",
>       "rootUrl": "http://localhost:8080/school",
>       "enabled": true,
>       "redirectUris": [ "http://localhost:8080/school/*" ],
>       "webOrigins": [ "http://localhost:8080" ],
>       "publicClient": false,
>       "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
>       "serviceAccountsEnabled": true,
>       "authorizationServicesEnabled": true,
>       "authorizationSettings": {
>         "allowRemoteResourceManagement": true,
>         "policyEnforcementMode": "ENFORCING",
>         "resources": [
>           {
>             "name": "Default Resource",
>             "type": "urn:school:resources:default",
>             "ownerManagedAccess": false,
>             "attributes": {},
>             "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
>             "uris": [ "/*" ]
>           }
>         ],
>         "policies": [
>           {
>             "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
>             "name": "Default Policy",
>             "description": "A policy that grants access only for users within this realm",
>             "type": "js",
>             "logic": "POSITIVE",
>             "decisionStrategy": "AFFIRMATIVE",
>             "config": {
>               "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
>             }
>           },
>           {
>             "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
>             "name": "Default Permission",
>             "description": "A permission that applies to the default resource type",
>             "type": "resource",
>             "logic": "POSITIVE",
>             "decisionStrategy": "UNANIMOUS",
>             "config": {
>               "defaultResourceType": "urn:school:resources:default",
>               "applyPolicies": "[\"Default Policy\"]"
>             }
>           }
>         ],
>         "scopes": []
>       }
>     }
>   ],
>   "roles": {
>     "realm": [
>       { "name": "admin", "description": "Administrator privileges" },
>       { "name": "schooloperator", "description": "School Operator privileges" },
>       { "name": "teacher", "description": "Teacher privileges" },
>       { "name": "pupil", "description": "Pupil privileges" }
>     ]
>   }
> }
>
> Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0.
> Here is the OAuth configuration used to receive the token:
>
> Token Name: Token Name
> Grant Type: Authorization Code
> Callback URL: http://localhost:8080/school
> Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
> Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token
> Client ID: school
> Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
> Client Authentication: Send as Basic Auth header
>
> The Callback URL is an active simple web app starting on the 8080 port.
> The token creation is OK, but when I call the server with the created token
> I get a 401 Unauthorized error. What am I missing?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kkcmadhu at yahoo.com Thu Dec 6 09:12:48 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Thu, 6 Dec 2018 14:12:48 +0000 (UTC)
Subject: [keycloak-user] start up of keycloak nodes roughly increases two folds for every 100 tenants.
In-Reply-To:
References: <2085409309.6617889.1543319173801.ref@mail.yahoo.com> <2085409309.6617889.1543319173801@mail.yahoo.com>
Message-ID: <1050781910.1733453.1544105568610@mail.yahoo.com>

Thanks Marek,

I tried with Keycloak 4.1.7; unfortunately, the start up time in my case has increased tremendously. For my 621 tenants, the start up time for the Keycloak node was about 40 mins, and after moving to 4.1.7 I see this increased to 1 hour 30 min + (still not starting)...

I also see that the CPU usage for the Keycloak process is constantly 100%. I tried with c4.xlarge (4 core), upgraded to c4.x2large (8 core), and still the CPU usage is 100% and there is no big difference in start up time (comes down by max 2 mins, i.e. 40 mins to 38 mins). The connection pool size is set adequately large, 60+, but I don't see many sessions in my database instance (not more than 1 or 2 sessions).
The CPU usage in the database (MySQL) is almost less than 1% and occasionally spikes to 2%.

Upon enabling Hibernate stats in Keycloak, I keep seeing messages like this:

2:21:53,612 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544098883667,sessions opened=1,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=0,connections obtained=11728,statements prepared=11728,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=15688,entities updated=0,entities inserted=0,entities deleted=0,entities fetched=91,collections loaded=10187,collections updated=0,collections removed=0,collections recreated=0,collections fetched=10187,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=1263,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=13]

Important entities statistics:
org.keycloak.models.jpa.entities.AuthenticationFlowEntity - inserted: 0, updated: 0, removed: 0, loaded: 1081, fetched: 0
org.keycloak.models.jpa.entities.RealmAttributeEntity - inserted: 0, updated: 0, removed: 0, loaded: 1909, fetched: 0
org.keycloak.models.jpa.entities.ComponentEntity - inserted: 0, updated: 0, removed: 0, loaded: 1079, fetched: 0
org.keycloak.models.jpa.entities.ProtocolMapperEntity - inserted: 0, updated: 0, removed: 0, loaded: 3419, fetched: 0
org.keycloak.models.jpa.entities.RoleEntity - inserted: 0, updated: 0, removed: 0, loaded: 271, fetched: 0
org.keycloak.models.jpa.entities.ClientScopeEntity - inserted: 0, updated: 0, removed: 0, loaded: 906, fetched: 0
org.keycloak.models.jpa.entities.RequiredActionProviderEntity - inserted: 0, updated: 0, removed: 0, loaded: 450, fetched: 0
org.keycloak.models.jpa.entities.AuthenticationExecutionEntity - inserted: 0, updated: 0, removed: 0, loaded: 2795, fetched: 0
org.keycloak.models.jpa.entities.ComponentConfigEntity - inserted: 0, updated: 0, removed: 0, loaded: 3235, fetched: 0
org.keycloak.models.jpa.entities.AuthenticatorConfigEntity - inserted: 0, updated: 0, removed: 0, loaded: 180, fetched: 0

Important collections statistics:
org.keycloak.models.jpa.entities.ClientScopeEntity.protocolMappers - recreated: 0, updated: 0, removed: 0, loaded: 901, fetched: 901
org.keycloak.models.jpa.entities.ClientScopeEntity.attributes - recreated: 0, updated: 0, removed: 0, loaded: 900, fetched: 900
org.keycloak.models.jpa.entities.ProtocolMapperEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 3419, fetched: 3419
org.keycloak.models.jpa.entities.AuthenticatorConfigEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 180, fetched: 180
org.keycloak.models.jpa.entities.AuthenticationFlowEntity.executions - recreated: 0, updated: 0, removed: 0, loaded: 1081, fetched: 1081
org.keycloak.models.jpa.entities.ComponentEntity.componentConfigs - recreated: 0, updated: 0, removed: 0, loaded: 1079, fetched: 1079
org.keycloak.models.jpa.entities.RequiredActionProviderEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 450, fetched: 450

Important queries statistics:
.....................................
select m.role.id from ClientScopeRoleMappingEntity m where m.clientScope = :clientScope
executionCount=900
executionAvgTime=0 ms

14:03:23,646 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544104973645,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=28,connections obtained=272,statements prepared=294,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=23,entities updated=2,entities inserted=30,entities deleted=0,entities fetched=0,collections loaded=154,collections updated=6,collections removed=0,collections recreated=8,collections fetched=154,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=73,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]
Important entities statistics:
Important collections statistics:
Important queries statistics:

14:03:53,647 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544105003646,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=37,connections obtained=189,statements prepared=211,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=13,entities updated=2,entities inserted=39,entities deleted=0,entities fetched=0,collections loaded=81,collections updated=6,collections removed=0,collections recreated=8,collections fetched=81,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=63,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]
Important entities statistics:
Important collections statistics:
Important queries statistics:

14:04:23,647 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544105033647,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=31,connections obtained=232,statements prepared=276,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=20,entities updated=4,entities inserted=35,entities deleted=0,entities fetched=0,collections loaded=121,collections updated=12,collections removed=0,collections recreated=16,collections fetched=121,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=69,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=1]
Important entities statistics:
Important collections statistics:
Important queries statistics:

14:04:53,646 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544105063647,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=32,connections obtained=235,statements prepared=257,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=19,entities updated=2,entities inserted=34,entities deleted=0,entities fetched=0,collections loaded=122,collections updated=6,collections removed=0,collections recreated=8,collections fetched=122,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=68,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]
Important entities statistics:
Important collections statistics:
Important queries statistics:

On Wednesday, 5 December, 2018, 2:09:55 PM IST, Marek Posolda wrote:

Hi,

I suggest upgrading to the latest 4.7.0.Final. I know there were some improvements in recent versions regarding this. However, you will still probably see some issues as we have not yet tried to test with such a big amount of realms. We plan to improve on this use-case.

Marek

On 27/11/2018 12:46, Madhu wrote:
> Hi, I am using Keycloak 4.5. I created about 600+ tenants with 50 users each for performance testing.
>
> Upon creating tenants the start up time of Keycloak increases drastically. This seems to be due to pretty much all entities at start up..
> I tried disabling the realm cache and user cache and it did not help.. can you suggest how to bring down the start up time?
>
> Is it absolutely necessary for Keycloak to load everything at start up??
>
> This is an extract from the Hibernate stats I got on a c4.xlarge EC2 instance (4 core, 8 GB), Keycloak configured with xms=xmx=5g.
>
> 018-11-24 10:33:19,998 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 61) Envers integration enabled : true
> 2018-11-24 10:33:20,499 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 61) HV000001: Hibernate Validator 5.3.6.Final
> 2018-11-24 10:33:21,296 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 61) HHH000397: Using ASTQueryTranslatorFactory
> ^C
> [centos at ip-172-31-45-199 log]$ 11:10:45,750 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     669457663 nanoseconds spent acquiring 92974 JDBC connections;
>     148185664 nanoseconds spent releasing 92974 JDBC connections;
>     1852958902 nanoseconds spent preparing 92974 JDBC statements;
>     35866600579 nanoseconds spent executing 92974 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections);
>     2197548626817 nanoseconds spent executing 14139 partial-flushes (flushing a total of* 1042012050 entities and 1042012050 collections*)
> }
> 11:10:45,780 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     7689387 nanoseconds spent acquiring 1 JDBC connections;
>     34263 nanoseconds spent releasing 1 JDBC connections;
>     8025969 nanoseconds spent preparing 1 JDBC statements;
>     909784 nanoseconds spent executing 1 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     3525215 nanoseconds spent executing 3 flushes (flushing a total of 3 entities and 0 collections);
>     0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)
> }
> 11:10:45,795 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     437680 nanoseconds spent acquiring 1 JDBC connections;
>     10539 nanoseconds spent releasing 1 JDBC connections;
>     465001 nanoseconds spent preparing 1 JDBC statements;
>     719260 nanoseconds spent executing 1 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     0 nanoseconds spent executing 0 flushes (flushing a total of 0 entities and 0 collections);
>     17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections)
>
> All my 600+ realms are pretty much the same, i.e. each realm has a client scope, a JavaScript mapper (to get all the realm roles into a resource role), a couple of attribute mappers, and 2 user groups (1 for admins and 1 for other users). I have about 50 users in each realm and all the users belong to one of the 2 user groups (no custom roles though)..
>
> Also, I benchmarked the start up time after creating 50 or 100 realms, and the start up time increases as the number of realms increases.
>
> I am able to manage as I have disabled the admin console and use REST endpoints.. but still the start up time and loading pretty much everything seems a little weird.
>
> Please correct my understanding if I am wrong here..
>
> | No of Realms | Start up time in mins |
> | 0 realms     | 0.22 mins |
> | 100 realms   | 2.34 mins |
> | 200 realms   | 2.53 mins |
> | 300 realms   | 5.34 mins |
> | 400 realms   | 9.42 mins |
> | 500 realms   | 14.6 mins |
> | 650 realms   | 37 mins |
>
> Likewise the time taken to create tenants also gradually increases (I use import to create realms)
> from about 3 seconds for the first few realms to about 30 sec for the 600th realm..
>
> Any advice/help will be appreciated.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Dec 6 09:13:02 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Dec 2018 15:13:02 +0100
Subject: [keycloak-user] Version upgrade issue
In-Reply-To:
References:
Message-ID:

We support extending Keycloak through custom providers only. Further, only the user storage provider is supported at the moment (server-spi). For SPIs in server-spi-private you can create custom providers, but there is no guarantee of backwards compatibility.

IdentityProviderBean is an internal class - no backwards compatibility here.
KeycloakContext is not something we support extending - this is to be used from providers in supported SPIs only.

On Thu, 6 Dec 2018 at 13:36, Pulkit Srivastava wrote:

> Hey,
>
> We are facing issues working with the new version of Keycloak. The jars we
> created using the old version of Keycloak are not compatible with the new
> version. Some of the classes we extended to make custom SPIs have been
> changed. For example:
>
> IdentityProviderBean
> KeycloakContext
>
> Old version: 3.4.3
> New version: 4.6.0
>
> Does anyone have any idea as to why Keycloak does not support backward
> compatibility?
>
> Thanks,
> Pulkit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Thu Dec 6 09:14:22 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Dec 2018 15:14:22 +0100
Subject: [keycloak-user] Keycloak Jar plugin issue
In-Reply-To:
References:
Message-ID:

Hi,

Deploying custom providers in this approach was deprecated a long time ago. You need to update your providers to use the hot deployment approach. Check the docs for details.

On Thu, 6 Dec 2018 at 13:43, Pulkit Srivastava wrote:

> Hey,
> We are facing issues with a custom jar plugin in Keycloak.
> We used the following approach:
>
> classpath:${jboss.home.dir}/providers/*
> module:com.identity-bridge.authentication-api
> module:com.identity-bridge.login-rest-api
> module:com.identity-bridge.registration-spi
>
> and placed these jars inside the module folder of Keycloak.
>
> But when we tried placing the jars inside the "providers" folder in Keycloak as
> mentioned in the first line (so that we don't have to make any change in
> standalone.xml for the jars), Keycloak started giving a "NoClassDefFound" error
> for some classes. Any idea as to why this is happening?
>
> Thanks,
> Pulkit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Thu Dec 6 09:15:21 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Dec 2018 15:15:21 +0100
Subject: [keycloak-user] 4.7.0.Final Release notes missing
In-Reply-To:
References:
Message-ID:

Not missing really, it was just that 4.7 didn't contain anything noteworthy, as we only mention bigger things in the release notes. Check JIRA for full details on what is in a release.

On Thu, 6 Dec 2018 at 08:10, Erlend Hamnaberg wrote:

> The site seems to not be updated to include the release notes for 4.7.0.
>
> https://www.keycloak.org/docs/latest/release_notes/index.html
>
> /Erlend
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Thu Dec 6 09:17:05 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Dec 2018 15:17:05 +0100
Subject: [keycloak-user] Backward compatibility on Clients using Keycloak v3.0.0
In-Reply-To: <847A59EDBBC62D43BEE2CFA482C6CB6A648DBB89@NP1EXMB105.corp.halliburton.com>
References: <847A59EDBBC62D43BEE2CFA482C6CB6A648DBB89@NP1EXMB105.corp.halliburton.com>
Message-ID:

There is no known regression, but we only have the capacity to test with the last 3.x release (3.4.3).

On Thu, 6 Dec 2018 at 05:02, Deepti Tyagi wrote:

> Hi Team,
>
> Do we support backward compatibility on clients like Wildfly 10.1.0,
> JavaScript.js, Node.js that are using Keycloak v3.0.0 client adapters?
>
> We would like to upgrade Keycloak to v4.6 and keep existing client
> adapters on v3.0.0 for now to allow them to upgrade it at a later point of
> time.
>
> Is there any known regression issue in this scenario?
>
> Thanks,
> Deepti
>
> ----------------------------------------------------------------------
> This e-mail, including any attached files, may contain confidential and
> privileged information for the sole use of the intended recipient. Any
> review, use, distribution, or disclosure by others is strictly prohibited.
> If you are not the intended recipient (or authorized to receive information
> for the intended recipient), please contact the sender by reply e-mail and
> delete all copies of this message.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From luca.stancapiano at vige.it Thu Dec 6 10:01:05 2018 From: luca.stancapiano at vige.it (Luca Stancapiano) Date: Thu, 6 Dec 2018 16:01:05 +0100 (CET) Subject: [keycloak-user] get users from postman In-Reply-To: References: <172700185.949484.1544101858833@pim.register.it> Message-ID: <2073800070.955140.1544108466658@pim.register.it> Hi Joan, the problem is not the token. The Oauth 2.0 interface just generates a bearer token . Also if I change the Oauth 2.0 Authorization in Bearer token I have the same problem. So the problem is not the token > Il 6 dicembre 2018 alle 15.08 Joao Paulo Ramos ha scritto: > > > Hello Luca, > > In your webapp's Keycloak Client, try putting it as baerer only. > Also, in the the HTTP request that you make, be sure you are setting the > token in the header of the HTTP request, with the following parameter: > > {"Authorization" : "bearer " + $TOKEN} > > Thanks, > > JO?O PAULO RAMOS > > Red Hat Brasil > > > > On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano > wrote: > > > I'm trying to call via REST through POSTMAN the list of users through the > > get path: http://localhost:8180/auth/admin/realms/school-domain/users > > > > Here my keycloak configuration where I create 2 users, 4 roles, a 'school' > > client and a 'school-domain' realm: > > > > { > > "realm": "school-domain", > > "enabled": true, > > "accessTokenLifespan": 60, > > "accessCodeLifespan": 60, > > "accessCodeLifespanUserAction": 300, > > "ssoSessionIdleTimeout": 600, > > "ssoSessionMaxLifespan": 36000, > > "sslRequired": "external", > > "registrationAllowed": true, > > "resetPasswordAllowed": true, > > "editUsernameAllowed": true, > > "loginWithEmailAllowed": false, > > "duplicateEmailsAllowed": true, > > "privateKey": > > "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", > > "publicKey": > > 
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > "requiredCredentials": [ > > "password" > > ], > > "users": [ > > { > > "username": "root", > > "enabled": true, > > "email": "lsflashboss62 at gmail.com", > > "credentials": [ > > { > > "type": "password", > > "value": "gtn" > > } > > ], > > "realmRoles": [ > > "admin" > > ], > > "clientRoles": { > > "account": [ > > "manage-account" > > ] > > } > > }, > > { > > "username": "HUHUJJJKJJKN", > > "enabled": true, > > "email": "luca.stancapiano at vige.it", > > "firstName": "Luca", > > "lastName": "Stancapiano", > > "credentials": [ > > { > > "type": "password", > > "value": "gtn" > > } > > ], > > "realmRoles": [ > > "pupil" > > ], > > "clientRoles": { > > "account": [ > > "manage-account" > > ] > > } > > } > > ], > > "clients": [ > > { > > "clientId": "school", > > "rootUrl": "http://localhost:8080/school", > > "enabled": true, > > "redirectUris": [ > > "http://localhost:8080/school/*" > > ], > > "webOrigins": [ > > "http://localhost:8080" > > ], > > "publicClient": false, > > "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79", > > "serviceAccountsEnabled": true, > > "authorizationServicesEnabled": true, > > "authorizationSettings": { > > "allowRemoteResourceManagement": true, > > "policyEnforcementMode": "ENFORCING", > > "resources": [ > > { > > "name": "Default Resource", > > "type": > > "urn:school:resources:default", > > "ownerManagedAccess": > > false, > > "attributes": { > > > > }, > > "_id": > > "c338b2be-da73-471c-9bb0-77ad52e1f88f", > > "uris": [ > > "/*" > > ] > > } > > ], > > "policies": [ > > { > > "id": > > "edb01393-180e-4d95-afd3-92b3ac5a6d41", > > "name": "Default Policy", > > "description": "A policy > > that grants access only for users within this realm", > > "type": "js", > > "logic": "POSITIVE", > > "decisionStrategy": > > 
"AFFIRMATIVE", > > "config": { > > "code": "// by > > default, grants any permission associated with this > > policy\n$evaluation.grant();\n" > > } > > }, > > { > > "id": > > "1f5dce97-54e3-4dcf-92bd-a2a59120286f", > > "name": "Default > > Permission", > > "description": "A > > permission that applies to the default resource type", > > "type": "resource", > > "logic": "POSITIVE", > > "decisionStrategy": > > "UNANIMOUS", > > "config": { > > > > "defaultResourceType": "urn:school:resources:default", > > "applyPolicies": > > "[\"Default Policy\"]" > > } > > } > > ], > > "scopes": [] > > } > > } > > ], > > "roles": { > > "realm": [ > > { > > "name": "admin", > > "description": "Administrator privileges" > > }, > > { > > "name": "schooloperator", > > "description": "School Operator privileges" > > }, > > { > > "name": "teacher", > > "description": "Teacher privileges" > > }, > > { > > "name": "pupil", > > "description": "Pupil privileges" > > } > > ] > > } > > } > > > > Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0. > > Here the Oauth configuration used to receive the token: > > > > Token Name: Token Name > > Grant Type: Authorization Code > > Callback URL: http://localhost:8080/school > > Auth URL: > > http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth > > Access Token URL: > > http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token > > Client ID: school > > Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79 > > Client Authentication: Send as Basic Auth header > > > > The Callback URL is an active simple web app starting on the 8080 port. > > The token creation is ok but when I call the server with the created token > > I get a 401 Unauthorized error. What I miss? 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From luca.stancapiano at vige.it Thu Dec 6 10:03:02 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Thu, 6 Dec 2018 16:03:02 +0100 (CET)
Subject: [keycloak-user] get users from postman
In-Reply-To:
References: <172700185.949484.1544101858833@pim.register.it>
Message-ID: <347228097.955246.1544108582656@pim.register.it>

But changing the Postman configuration from OAuth 2.0 to Bearer Token I see the error has changed. Now I get a 403 Forbidden.

> On 6 December 2018 at 15.08 Joao Paulo Ramos wrote:
>
> Hello Luca,
>
> In your webapp's Keycloak Client, try putting it as bearer only.
> Also, in the HTTP request that you make, be sure you are setting the
> token in the header of the HTTP request, with the following parameter:
>
> {"Authorization" : "bearer " + $TOKEN}
>
> Thanks,
>
> JOÃO PAULO RAMOS
>
> Red Hat Brasil
>
> On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano wrote:
>
> > I'm trying to call via REST through POSTMAN the list of users through the
> > GET path: http://localhost:8180/auth/admin/realms/school-domain/users
> >
> > Here is my Keycloak configuration where I create 2 users, 4 roles, a 'school'
> > client and a 'school-domain' realm:
> >
> > {
> >   "realm": "school-domain",
> >   "enabled": true,
> >   "accessTokenLifespan": 60,
> >   "accessCodeLifespan": 60,
> >   "accessCodeLifespanUserAction": 300,
> >   "ssoSessionIdleTimeout": 600,
> >   "ssoSessionMaxLifespan": 36000,
> >   "sslRequired": "external",
> >   "registrationAllowed": true,
> >   "resetPasswordAllowed": true,
> >   "editUsernameAllowed": true,
> >   "loginWithEmailAllowed": false,
> >   "duplicateEmailsAllowed": true,
> >   "privateKey": "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",
> >   "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> >   "requiredCredentials": ["password"],
> >   "users": [
> >     {
> >       "username": "root",
> >       "enabled": true,
> >       "email": "lsflashboss62 at gmail.com",
> >       "credentials": [{"type": "password", "value": "gtn"}],
> >       "realmRoles": ["admin"],
> >       "clientRoles": {"account": ["manage-account"]}
> >     },
> >     {
> >       "username": "HUHUJJJKJJKN",
> >       "enabled": true,
> >       "email": "luca.stancapiano at vige.it",
> >       "firstName": "Luca",
> >       "lastName": "Stancapiano",
> >       "credentials": [{"type": "password", "value": "gtn"}],
> >       "realmRoles": ["pupil"],
> >       "clientRoles": {"account": ["manage-account"]}
> >     }
> >   ],
> >   "clients": [
> >     {
> >       "clientId": "school",
> >       "rootUrl": "http://localhost:8080/school",
> >       "enabled": true,
> >       "redirectUris": ["http://localhost:8080/school/*"],
> >       "webOrigins": ["http://localhost:8080"],
> >       "publicClient": false,
> >       "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
> >       "serviceAccountsEnabled": true,
> >       "authorizationServicesEnabled": true,
> >       "authorizationSettings": {
> >         "allowRemoteResourceManagement": true,
> >         "policyEnforcementMode": "ENFORCING",
> >         "resources": [
> >           {
> >             "name": "Default Resource",
> >             "type": "urn:school:resources:default",
> >             "ownerManagedAccess": false,
> >             "attributes": {},
> >             "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
> >             "uris": ["/*"]
> >           }
> >         ],
> >         "policies": [
> >           {
> >             "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
> >             "name": "Default Policy",
> >             "description": "A policy that grants access only for users within this realm",
> >             "type": "js",
> >             "logic": "POSITIVE",
> >             "decisionStrategy": "AFFIRMATIVE",
> >             "config": {
> >               "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
> >             }
> >           },
> >           {
> >             "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
> >             "name": "Default Permission",
> >             "description": "A permission that applies to the default resource type",
> >             "type": "resource",
> >             "logic": "POSITIVE",
> >             "decisionStrategy": "UNANIMOUS",
> >             "config": {
> >               "defaultResourceType": "urn:school:resources:default",
> >               "applyPolicies": "[\"Default Policy\"]"
> >             }
> >           }
> >         ],
> >         "scopes": []
> >       }
> >     }
> >   ],
> >   "roles": {
> >     "realm": [
> >       {"name": "admin", "description": "Administrator privileges"},
> >       {"name": "schooloperator", "description": "School Operator privileges"},
> >       {"name": "teacher", "description": "Teacher privileges"},
> >       {"name": "pupil", "description": "Pupil privileges"}
> >     ]
> >   }
> > }
> >
> > Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0.
> > Here is the OAuth configuration used to receive the token:
> >
> > Token Name: Token Name
> > Grant Type: Authorization Code
> > Callback URL: http://localhost:8080/school
> > Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
> > Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token
> > Client ID: school
> > Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
> > Client Authentication: Send as Basic Auth header
> >
> > The Callback URL is an active simple web app starting on the 8080 port.
> > The token creation is ok but when I call the server with the created token
> > I get a 401 Unauthorized error. What am I missing?
From msakho at redhat.com Thu Dec 6 10:58:54 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 6 Dec 2018 16:58:54 +0100
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
In-Reply-To: <6ec4a52360ac46d0a8b7890a2b4bdbb3@elca.ch>
References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch> <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com> <6ec4a52360ac46d0a8b7890a2b4bdbb3@elca.ch>
Message-ID:

Hello Alistair,
Have you created the pull request for the keycloak-export module?
It's a very useful one and I think it could be nice if it became fully a part of Keycloak.

Meissa

On Fri 17 Aug 2018 at 14:40, Doswald Alistair wrote:

> I've done the PR for the extension page (keycloak-authorization and
> keycloak-export), and it's been accepted. For the client-mapper I'll see
> what's necessary to be done to have it merged directly into Keycloak.
>
> For the mechanism of keycloak-authorization, I for one would like having
> this functionality supported OOTB, whether through our (admittedly not very
> sophisticated) system, or another. I received a message from Stian
> Thorgersen on the dev mailing list (here:
> http://lists.jboss.org/pipermail/keycloak-dev/2018-August/011116.html )
> asking for more details about the module, so I'll at least be discussing
> the matter with him.
>
> Cheers,
>
> Alistair
>
> From: Pedro Igor Silva
> Sent: Friday 10 August 2018 18:52
> To: Marek Posolda
> Cc: Doswald Alistair ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
>
> Cool stuff! Thanks for sharing.
>
> I've looked at keycloak-authorization very quickly and the changes look really
> simple, I'm glad to start a discussion about supporting this OOTB. Maybe
> this can be part of the review of admin fine-grained permissions we are
> planning.
>
> Regards.
> Pedro Igor
>
> On Fri, Aug 10, 2018 at 9:43 AM, Marek Posolda wrote:
> Thanks for the heads up!
>
> IMO it will be cool if you send a PR for the javascript mapper directly to
> Keycloak, however we may need automated tests and also docs (a separate PR
> needs to be sent for the docs).
>
> For the keycloak-authorization and keycloak-export (and maybe for
> keycloak-client-mappers too if you don't have time for the PR to
> upstream), it may be good to send a PR to update the extensions page
> maybe? It's here: https://www.keycloak.org/extensions.html and sources
> are here:
> https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions
> . Assuming that those things are generally useful for the other users
> from the community (I am not 100% sure about the keycloak-authorization.
> Rather leaving it to you to decide if it's generally useful or not). The
> keycloak-wsfed is already on the extensions page.
>
> Thanks!
> Marek
>
> On 10/08/18 11:44, Doswald Alistair wrote:
> > Hello,
> >
> > I just wanted to let this mailing list know that for the Cloudtrust
> > project (https://github.com/cloudtrust), we have developed a certain
> > number of modules for Keycloak. These are currently compatible with
> > version 3.4.3.Final of Keycloak, but we will make them compatible with
> > Keycloak 4.X (where X will be the latest sub-version of Keycloak when we
> > start working on this) as soon as we can. These modules are:
> >
> > * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an
> > implementation of the WS-Federation protocol for Keycloak. This allows
> > selecting the WS-Federation protocol for Keycloak clients and for identity
> > brokers.
> >
> > * keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization):
> > this module allows the use of the client authorization system to prevent a
> > user who is authenticated in a Keycloak realm from accessing a given client.
> > It works no matter which protocol is used, and without the client having to
> > support any extra protocol. Note: this solution is a bit hacky, but
> > necessary for one of our use-cases.
> >
> > * keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers):
> > a module for adding any mappers that we might need that are not yet part of
> > Keycloak. It currently only contains a JavaScript mapper for SAML, analogous
> > to the OIDC script mapper. I've noticed that there's an open issue for this
> > feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could
> > submit this code not as a module but as a solution to the issue.
> >
> > * keycloak-export (https://github.com/cloudtrust/keycloak-export): a
> > module adding an endpoint to fully export a realm while Keycloak is still
> > running (no need for restarts!).
> >
> > Cheers,
> >
> > Alistair
> >
> > PS: I'm mailing both the dev and user mailing lists as I believe it may
> > interest members of both.

From brushmate at gmail.com Thu Dec 6 15:24:42 2018
From: brushmate at gmail.com (Steffen Kreutz)
Date: Thu, 6 Dec 2018 21:24:42 +0100
Subject: [keycloak-user] UserStorageProvider for an external database
Message-ID:

Hey guys,

I am trying to implement a custom UserStorageProvider that loads users from an external database. I wonder how I can make the database connection parameters configurable, and I thought of adding another datasource to WildFly. But I don't know how I can 'inject' this datasource into my module. Do you have any recommendations for me?

Best,
Steffen

From tom at spicule.co.uk Thu Dec 6 16:48:44 2018
From: tom at spicule.co.uk (Tom Barber)
Date: Thu, 6 Dec 2018 13:48:44 -0800
Subject: [keycloak-user] Group attribute lookup via NodeJS
Message-ID:

Hello folks

I've got Keycloak hooked up to the NodeJS connector and I saw the info about getting the username and stuff back via:

console.log(req.kauth.grant.access_token.content)

I'd also like to assign users to groups and store some metadata with those groups that the application can access. Is that possible using NodeJS either using the adapter or by some other mechanism?

Thanks

Tom

--

Spicule Limited is registered in England & Wales. Company Number: 09954122. Registered office: First Floor, Telecom House, 125-135 Preston Road, Brighton, England, BN1 6AF. VAT No. 251478891. All engagements are subject to Spicule Terms and Conditions of Business. This email and its contents are intended solely for the individual to whom it is addressed and may contain information that is confidential, privileged or otherwise protected from disclosure, distributing or copying. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Spicule Limited. The company accepts no liability for any damage caused by any virus transmitted by this email. If you have received this message in error, please notify us immediately by reply email before deleting it from your system. Service of legal notice cannot be effected on Spicule Limited by email.

From mwaki011 at gmail.com Thu Dec 6 17:37:57 2018
From: mwaki011 at gmail.com (Mike Wakim)
Date: Thu, 6 Dec 2018 17:37:57 -0500
Subject: [keycloak-user] PAM Module with Keycloak
Message-ID:

Has anyone used a PAM module with Keycloak in the past? Essentially we are interested in allowing Linux systems to authenticate with Keycloak. The PAM module would be used for multiple system level use cases such as login, sFTP, SSH, LDAP, etc. I raised KEYCLOAK-9001 but the ticket got rejected as it falls outside of the scope of the Keycloak project. I am wondering if anyone else in the community has had a similar use case or is aware of any current modules for PAM and Keycloak?
Thanks,
Mike

From Brian.Brooks at datapath.com Thu Dec 6 18:18:51 2018
From: Brian.Brooks at datapath.com (Brian Brooks (US))
Date: Thu, 6 Dec 2018 23:18:51 +0000
Subject: [keycloak-user] 4.7.0.Final Release notes missing
In-Reply-To:
References:
Message-ID: <2994acfa-31b5-9ba5-cd1a-5a6577bbd095@datapath.com>

The JIRA link to the Keycloak 4.7.0.Final release notes is:
https://issues.jboss.org/projects/KEYCLOAK/versions/12339668

Brian

On 12/6/2018 9:15 AM, Stian Thorgersen wrote:
> Not missing really, it was just that 4.7 didn't contain anything
> noteworthy, as we only mention bigger things in the release notes. Check JIRA
> for full details on what is in a release.
>
> On Thu, 6 Dec 2018 at 08:10, Erlend Hamnaberg wrote:
>> The site seems to not be updated to include the release notes for 4.7.0.
>>
>> https://www.keycloak.org/docs/latest/release_notes/index.html
>>
>> /Erlend

From manisha04.nandal at gmail.com Thu Dec 6 22:49:01 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Fri, 7 Dec 2018 09:19:01 +0530
Subject: [keycloak-user] keycloak version change Custom SPI not backward compatible
Message-ID:

Hi,

We are facing issues while working with the new version of Keycloak. The jar we created using the old version of Keycloak is not compatible with the new version. Some of the classes we extended to make custom SPIs have been changed. For example:

IdentityProviderBean
KeycloakContext

Old version: 3.4.3
New version: 4.6.0

Does anyone have any idea as to why Keycloak does not support backward compatibility?

Thanks,
Manisha

From manisha04.nandal at gmail.com Thu Dec 6 23:04:04 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Fri, 7 Dec 2018 09:34:04 +0530
Subject: [keycloak-user] deployment issue for custom SPI in keycloak
Message-ID:

Hi,

We are facing issues with custom SPI deployment in Keycloak. There are two different strategies that can be used for custom development:

1. place the jar in the module directory and make an entry in standalone.xml, say module:module_name
2. place the jar in the providers directory, no change needed in standalone.xml (we already have classpath:${jboss.home.dir}/providers/*)

The first strategy works fine but a modification of standalone.xml is needed. We want to use the second strategy but it gives us errors for some of the classes, like:

04:35:56,275 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-59) Uncaught server error: java.lang.NoClassDefFoundError: org/infinispan/Cache

Any idea how we can fix this?

Thanks,
Manisha

From gareth at garethwestern.com Fri Dec 7 01:56:52 2018
From: gareth at garethwestern.com (Gareth Western)
Date: Fri, 07 Dec 2018 07:56:52 +0100
Subject: [keycloak-user] keycloak version change Custom SPI not backward compatible
In-Reply-To:
References:
Message-ID: <1f0cd08092e830a73486edfe3bb75150c081e5ca.camel@garethwestern.com>

Hi Manisha,

A major version change (e.g. "3.y.z" to "4.y.z") does indicate that there may be incompatible API changes: https://semver.org/

I suggest that you review the release notes and JIRA task board to find more details about specific changes that affect you.

Kind regards,
Gareth

On Fri, 2018-12-07 at 09:19 +0530, Manisha Nandal wrote:
> Hi,
> We are facing issues while working with the new version of Keycloak. The jar
> we created using the old version of Keycloak is not compatible with the
> new version. Some of the classes we extended to make custom SPIs have been
> changed. For example:
>
> IdentityProviderBean
>
> KeycloakContext
>
> Old version: 3.4.3
>
> New version: 4.6.0
>
> Does anyone have any idea as to why Keycloak does not support backward
> compatibility?
> Thanks,
> Manisha

From mposolda at redhat.com Fri Dec 7 02:35:58 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 7 Dec 2018 08:35:58 +0100
Subject: [keycloak-user] How to get access token with SPNEGOAuthenticator?
In-Reply-To:
References: <44b62dae-12db-c2e8-855f-7f2a173439cd@redhat.com>
Message-ID: <8bd35b1f-7f3c-8e08-1453-0f7c4a2281cc@redhat.com>

On 06/12/2018 11:33, ola rob wrote:
> Thanks Marek! Yes, we are using the direct grant flow. Does this approach
> also need browser redirection? If yes, then this may not help us as we
> are looking for just an API to pass the SPNEGO token and get the user
> authenticated, resulting in an access/refresh token. The challenge
> negotiation with the browser is being handled internally by us.

No, this flow doesn't need browser redirection. That's why I mentioned that you may need to develop your own Authenticator. The default SpnegoAuthenticator we have is for the browser flow, so you may need something similar, which will be able to just extract the SPNEGO token and "authenticate" it. I think you may be able to re-use most of the parts done in the SpnegoAuthenticator, but not everything.

For inspiration, I suggest taking a look at the authenticators used by the Direct Grant flow (ValidateUsername, ValidatePassword, ValidateOTP) and comparing them with the authenticators for the "browser" flow. I believe this may give you the inspiration.

Marek

>
> Thanks!
>
> On Wed, Dec 5, 2018 at 1:42 PM Marek Posolda wrote:
>
> On 25/11/2018 05:11, ola rob wrote:
> > Hi,
> >
> > For some legacy reasons, we are using the keycloak API/services for
> > authentication but not redirecting our application to keycloak. We are able
> > to get the access token and refresh token (AccessTokenResponse.class) when we
> > authenticate using the login API by sending username and password. But we are
> > unable to get them when authenticating using a spnego token.
> > The SPNEGOAuthenticator class doesn't return any access token after
> > successful authentication. We need these tokens to manage our application
> > session internally. So, how can we get the access and refresh token, or a response
> > similar to username/password authentication?
>
> Are you using the OAuth2 Resource-Owner-Password-Credentials (Direct grant)
> flow? Can you send an example of the HTTP request and response you're using
> just to confirm we're on the same page?
>
> We don't have support for SPNEGO authentication in the
> Resource-Owner-Password-Credentials flow (assuming you're using that
> flow). There is an open JIRA for this. What you can possibly do is to
> write your own authenticator implementation, which will handle SPNEGO,
> and then create an authentication flow with your custom authenticator
> added. The authenticator can probably re-use lots of the code which the
> SpnegoAuthenticator used for the "browser" flow is using. The flow will
> likely need to contain other authenticators too (e.g. the existing
> authenticators for username/password, assuming that you want to support
> both username/password and SPNEGO). See the Keycloak server development
> guide and our quickstarts for authentication for more details.
>
> Marek
>
> >
> >     SPNEGOAuthenticator spnegoAuthenticator = new
> >         SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
> >     spnegoAuthenticator.authenticate();
> >     if (spnegoAuthenticator.isAuthenticated()) {
> >         String username = spnegoAuthenticator.getAuthenticatedUsername(); // returning the username correctly.
> >     }
> >
> > Thanks in advance!

From testoauth55 at gmail.com Fri Dec 7 03:09:06 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 7 Dec 2018 13:39:06 +0530
Subject: [keycloak-user] KeycloakInstalled adapter: Using public client token from keycloak installed adapter to access confidential client
Message-ID:

I have created a confidential client, "server-app", that secures my Jetty app through the Keycloak Jetty adapter, and a public client, "web-app", that is provided to all clients of my server app. Both web-app and server-app exist under the same realm.

In the web-app client, I have created a token mapper for the 'aud' claim:

new java.util.ArrayList(["server-app","web-app"]);

When I generate a token through the Keycloak JS adapter or through Postman for the web-app client, I am able to use the same token to access my Jetty app (that is secured with the confidential client).

But when launching the KeycloakInstalled adapter (.loginDesktop() API) with the public client (JSON of the web-app client), after successful login, while trying to access the same Jetty app (secured with the confidential client) I get:

type=CODE_TO_TOKEN_ERROR, realmId=myRealm, clientId=null, userId=null, ipAddress=10.252.70.71, error=invalid_client_credentials, grant_type=authorization_code

Is the same kind of access not supported in the KeycloakInstalled adapter? Also, if I launch the KeycloakInstalled adapter with the confidential client JSON, everything works fine, i.e. I am allowed access to the Jetty app.
From geoff at opticks.io Fri Dec 7 04:55:10 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 7 Dec 2018 10:55:10 +0100
Subject: [keycloak-user] get users from postman
In-Reply-To: <347228097.955246.1544108582656@pim.register.it>
References: <172700185.949484.1544101858833@pim.register.it> <347228097.955246.1544108582656@pim.register.it>
Message-ID:

Be sure that the token you are using to list the users has a manage-realm role.

On Thu, 6 Dec 2018 at 16:09, Luca Stancapiano wrote:

> But changing the Postman configuration from OAuth 2.0 to Bearer Token I
> see the error has changed. Now I get a 403 Forbidden
>
> > On 6 December 2018 at 15.08 Joao Paulo Ramos wrote:
> >
> > Hello Luca,
> >
> > In your webapp's Keycloak Client, try putting it as bearer only.
> > Also, in the HTTP request that you make, be sure you are setting the
> > token in the header of the HTTP request, with the following parameter:
> >
> > {"Authorization" : "bearer " + $TOKEN}
> >
> > Thanks,
> >
> > JOÃO PAULO RAMOS
> >
> > Red Hat Brasil
> >
> > On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano wrote:
> >
> > > I'm trying to call via REST through POSTMAN the list of users through the
> > > GET path: http://localhost:8180/auth/admin/realms/school-domain/users
> > >
> > > Here is my Keycloak configuration where I create 2 users, 4 roles, a 'school'
> > > client and a 'school-domain' realm:
> > >
> > > [realm JSON, Postman OAuth configuration and the 401 question as quoted in Luca's earlier message in this thread]

--

Regards,
Geoffrey Cleaves

From geoff at opticks.io Fri Dec 7 05:11:01 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 7 Dec 2018 11:11:01 +0100
Subject: [keycloak-user] Group attribute lookup via NodeJS
In-Reply-To:
References:
Message-ID:

One option would be to create a custom mapper in Keycloak whereby you add the data you're describing as a claim inside the token. You'll probably need to use a script based mapper, which requires you to explicitly enable the preview feature when launching Keycloak. See this related issue for tips: https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final

Otherwise, your backend can speak to the Admin REST API to get the data you want.
With this option you'll probably need to make multiple API calls, one to get a list of the user's groups, and then another to get all the metadata about each group: https://www.keycloak.org/docs-api/4.6/rest-api/index.html

On Thu, 6 Dec 2018 at 22:54, Tom Barber wrote:

> Hello folks
>
> I've got Keycloak hooked up to the NodeJS connector and I saw the info
> about getting the username and stuff back via:
>
> console.log(req.kauth.grant.access_token.content)
>
> I'd also like to assign users to groups and store some metadata with those
> groups that the application can access. Is that possible using NodeJS
> either using the adapter or by some other mechanism?
>
> Thanks
>
> Tom

--

Regards,
Geoffrey Cleaves

From tom at spicule.co.uk Fri Dec 7 05:21:28 2018
From: tom at spicule.co.uk (Tom Barber)
Date: Fri, 7 Dec 2018 10:21:28 +0000
Subject: [keycloak-user] Group attribute lookup via NodeJS
In-Reply-To:
References:
Message-ID:

Thanks Geoffrey I'll take a look!

On Fri, 7 Dec 2018, 10:11 Geoffrey Cleaves wrote:

> One option would be to create a custom mapper in Keycloak whereby you add
> the data you're describing as a claim inside the token. You'll probably
> need to use a script based mapper, which requires you to explicitly enable
> the preview feature when launching Keycloak. See this related issue for
> tips:
> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>
> Otherwise, your backend can speak to the Admin REST API to get the data
> you want. With this option you'll probably need to make multiple API
> calls, one to get a list of the user's groups, and then another to get all
> the metadata about each group:
> https://www.keycloak.org/docs-api/4.6/rest-api/index.html
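Luca's 401/403 thread and Tom's NodeJS thread both come down to what a decoded Keycloak access token carries: the Admin REST endpoint answers 401 when no usable token reaches it and 403 when the token is valid but lacks the needed role, and `req.kauth.grant.access_token.content` in the Node.js adapter is exactly that decoded payload, so any group claim a mapper adds is read from it. The block below is an added example, not code from any of the posts or from the Keycloak project. It decodes a token payload, builds the Authorization header Joao describes, reports which `realm-management` client roles the token has (`view-users`, `manage-users` and `realm-admin` are Keycloak's own role names for the users endpoints), and reads a `groups` claim. The sample tokens, their `exp` values, the `groups` claim name and all function names are this example's own assumptions.

```javascript
// Added example (not from the list posts or the Keycloak project). Reads the
// claims of a Keycloak access token to explain a 401 vs. 403 from the Admin
// REST API and to read group data from the decoded token that the Node.js
// adapter exposes as req.kauth.grant.access_token.content.
// No signature verification happens here: Keycloak does that server-side.

function base64UrlDecode(segment) {
  // JWT segments are base64url without '=' padding; Node's base64 decoder
  // accepts the unpadded form once the URL-safe alphabet is mapped back.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Payload (second segment) of a compact JWS such as a Keycloak access token;
// throws on anything that is not header.payload.signature.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The header Joao describes. RFC 6750 makes the scheme name case-insensitive,
// so "bearer " and "Bearer " are equivalent.
function authorizationHeader(token) {
  return { Authorization: `Bearer ${token}` };
}

// GET /auth/admin/realms/{realm}/users is authorised by client roles of the
// realm's built-in 'realm-management' client. A custom realm role called
// "admin", as defined in the posted realm JSON, is not one of them.
const USER_ADMIN_ROLES = ['view-users', 'manage-users', 'realm-admin'];

function adminUserRoles(payload) {
  const ra = payload.resource_access;
  const rm = ra && ra['realm-management'];
  const roles = rm && Array.isArray(rm.roles) ? rm.roles : [];
  return roles.filter((r) => USER_ADMIN_ROLES.includes(r));
}

// Maps the token's state onto the two responses from the thread: a token that
// cannot be read or has expired fails authentication (401); a readable, valid
// token without the right client role fails authorisation (403).
function diagnoseAdminCall(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch (err) {
    return 'malformed-token (expect 401)';
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    return 'expired (expect 401)';
  }
  if (adminUserRoles(payload).length === 0) {
    return 'no-realm-management-role (expect 403)';
  }
  return 'ok';
}

// Group membership is in the token only if a "Group Membership" protocol
// mapper is configured; 'groups' is the claim name this example assumes.
function groupsFromToken(payload, claimName = 'groups') {
  const value = payload[claimName];
  return Array.isArray(value) ? value : [];
}

// Constructed sample tokens with a dummy signature, so the example runs offline.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummy-signature`;
}

// Constructed: what the 'root' user of the posted realm would carry, i.e. the
// realm role "admin" and account roles but nothing under realm-management.
const ROOT_LIKE_PAYLOAD = {
  exp: 1544108642,
  realm_access: { roles: ['admin'] },
  resource_access: { account: { roles: ['manage-account'] } },
};

// Constructed: a token that can list users and carries a groups claim.
const REALM_ADMIN_PAYLOAD = {
  exp: 1544108642,
  realm_access: { roles: ['admin'] },
  resource_access: { 'realm-management': { roles: ['view-users'] } },
  groups: ['/teachers', '/teachers/year-1'],
};

// Runs both samples at a fixed "now" (42 s before they expire) and returns the verdicts.
function demo(nowSeconds = 1544108600) {
  return [ROOT_LIKE_PAYLOAD, REALM_ADMIN_PAYLOAD].map((payload) => {
    const token = makeSampleToken(payload);
    return {
      header: authorizationHeader(token).Authorization.slice(0, 16) + '...',
      verdict: diagnoseAdminCall(token, nowSeconds),
      adminRoles: adminUserRoles(decodeJwtPayload(token)),
      groups: groupsFromToken(decodeJwtPayload(token)),
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Two details from the posted realm JSON matter when applying this: `"accessTokenLifespan": 60` means a token pasted into Postman by hand is rejected with 401 a minute after it was issued, and the `root` user's `admin` is a plain realm role created by the import, so its token has `realm_access.roles: ["admin"]` and no `resource_access["realm-management"]` entry, which is the 403 case `diagnoseAdminCall` reports. In the Node.js adapter, `req.kauth.grant.access_token.content` is already the decoded payload, so it can be passed straight to `groupsFromToken` without the decode step.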
From alistair.doswald at elca.ch Fri Dec 7 08:38:35 2018
From: alistair.doswald at elca.ch (Doswald Alistair)
Date: Fri, 7 Dec 2018 13:38:35 +0000
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch> <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com> <6ec4a52360ac46d0a8b7890a2b4bdbb3@elca.ch>

Hello Meissa,

I'm a bit surprised about a question for Keycloak-export, as I thought that it was mostly Keycloak-authorization which was of interest.

That being said, I haven't created a pull request for this feature, no, though it is available still as an extension on the cloudtrust project github (the latest release here https://github.com/cloudtrust/keycloak-export/releases/download/0.4/keycloak-export.tar.gz works on keycloak 4.6.0.Final).

When I discussed the matter on the dev mailing list there were concerns about the following aspects: data integrity, size of transfer and security. Our position was that security is OK (data transferred over https), but that size and data integrity could be a concern depending on the use case. However, from what I understood, there wasn't really any interest in bringing the feature to Keycloak.

If that has changed, I'll gladly submit a pull request for the code.

Best regards,

Alistair Doswald

From: Meissa M'baye Sakho
Sent: Thursday 6 December 2018 16:59
To: Doswald Alistair
Cc: Pedro Igor Silva; Marek Posolda; keycloak-user; Issa Gueye - Red Hat
Subject: Re: [keycloak-user] Keycloak Modules developed for the Cloudtrust project

Hello Alistair,

Have you created the pull request for the keycloak-export module?

It's a very useful one and I think it could be nice if it becomes fully a part of keycloak.

Meissa

On Fri. 17 Aug 2018 at 14:40, Doswald Alistair wrote:

I've done the PR for the extension page (keycloak-authorization and keycloak-export), and it's been accepted.
For the client-mapper I'll see what's necessary to be done to have it merged directly into Keycloak.

For the mechanism of keycloak-authorization, I for one would like having this functionality supported OOTB, whether through our (admittedly not very sophisticated) system, or another. I received a message from Stian Thorgersen on the dev mailing list (here: http://lists.jboss.org/pipermail/keycloak-dev/2018-August/011116.html ) asking more details about the module, so I'll at least be discussing the matter with him.

Cheers,

Alistair

From: Pedro Igor Silva
Sent: Friday 10 August 2018 18:52
To: Marek Posolda
Cc: Doswald Alistair; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak Modules developed for the Cloudtrust project

Cool stuff ! Thanks for sharing.

I've looked at keycloak-authorization very quickly and the changes look really simple, I'm glad to start a discussion about supporting this OOTB. Maybe this can be part of the review of admin fine-grained permissions we are planning.

Regards.
Pedro Igor

On Fri, Aug 10, 2018 at 9:43 AM, Marek Posolda wrote:

Thanks for the heads up!

IMO it will be cool if you send PR for the javascript mapper directly to Keycloak, however we may need automated test and also docs (separate PR needs to be sent for the docs).

For the keycloak-authorization and keycloak-export (and maybe for keycloak-client-mappers too if you don't have time for the PR to upstream), it may be good to send PR to update the extensions page maybe? It's here: https://www.keycloak.org/extensions.html and sources are here: https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions . Assuming that those things are generally useful for the other users from the community (I am not 100% sure about the keycloak-authorization. Rather leaving to you to decide if it's generally useful or not). The keycloak-wsfed is already on the extensions page.

Thanks!
Marek

On 10/08/18 11:44, Doswald Alistair wrote:
> Hello,
>
> I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number of modules for Keycloak. These are currently compatible with the version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can. These modules are:
>
> * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for keycloak. This allows selecting the WS-Federation protocol for Keycloak clients and for identity brokers.
>
> * keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user who is authenticated in a Keycloak realm from accessing a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases.
>
> * keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. Currently only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but as a solution to the issue.
>
> * keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!).
>
> Cheers,
>
> Alistair
>
> PS: I'm mailing this to both the dev and user mailing lists as I believe it may interest members of both mailing lists

From timo.kockert at codecentric.de Fri Dec 7 08:55:45 2018
From: timo.kockert at codecentric.de (Timo Kockert)
Date: Fri, 7 Dec 2018 14:55:45 +0100
Subject: [keycloak-user] HTTP status 400 from Tomcat after successful login

Hello everyone,

I have configured a web application, that is running in Tomcat, to authenticate users with Keycloak. Everything is running fine if I deploy the app to my local Tomcat, even when using the remote Keycloak instance. However, when I deploy the app to another Tomcat running behind an Apache HTTP Server, the following happens:

* When I navigate to https://my-domain.tld/app I get redirected to the Keycloak login
* After I log in successfully, Keycloak redirects me to :/app of the Tomcat
* The Tomcat answers with HTTP status 400

My keycloak.json looks like this:

{
  "realm": "cdb_test",
  "auth-server-url": "https://keycloak-server.tld/auth",
  "ssl-required": "external",
  "resource": "cdb_test",
  "public-client": true
}

The VHost is configured like this:

ProxyPass /app http://:/app/
ProxyPassReverse /app http://:/app/
ProxyPassReverseCookiePath / /app/

I turned on debug logging for the Keycloak Tomcat adapter, see attachment. Any advice?
Thanks in advance
Timo

-------------- next part --------------
2018-12-07 13:49:30,542 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] adminRequest http://10.255.192.36:8380/cdb_test/
2018-12-07 13:49:30,549 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] there was no code
2018-12-07 13:49:30,549 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] redirecting to auth server
2018-12-07 13:49:30,550 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] callback uri: http://10.255.192.36:8380/cdb_test/
2018-12-07 13:49:30,558 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] Sending redirect to login page: https://keycloak-server.tld/auth/realms/cdb_test/protocol/openid-connect/auth?response_type=code&client_id=cdb_test&redirect_uri=http%3A%2F%2F10.255.192.36%3A8380%2Fcdb_test%2F&state=323a2382-95f7-4f38-817f-f16e5c665263&login=true&scope=openid
2018-12-07 13:49:40,764 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] adminRequest http://10.255.192.36:8380/cdb_test/?state=323a2382-95f7-4f38-817f-f16e5c665263&session_state=4ab2b9de-0873-4bda-b399-401408ff8765&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..iFkVW6NKojXqpqSdYH2CHg.nzoW--PKidBu1mim1o9U4XyZYIsEzwyjXmec-bUw69Hd-Qzu5lrx5tFnWJaZhuWhcK1ALjT3BUB-u_SgMIWenDKio3CISzWoiRT5p9lmcKicpue-YZzKmB6ochIMypR2F6JL6cdmnmwrN1h9ObvciyjJzXmGvl-yHDrnxe19Tdm5lRZvjUHAJrwVW3T4LVTqcK8JRNLu_AZgMh9updEdA1N8dwihPm6Xg67GLCutaeMe0dCBBhgktV-dLRf7xsvw.ZYlyaCIMhz4YSufSBLBW_w
2018-12-07 13:49:40,765 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] there was a code, resolving
2018-12-07 13:49:40,766 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] checking state cookie for after code
2018-12-07 13:49:40,766 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] No state cookie

From nitzekos at yahoo.gr Fri Dec 7 09:17:01 2018
From: nitzekos at yahoo.gr (Τζέκος Νικόλαος)
Date: Fri, 7 Dec 2018 14:17:01 +0000 (UTC)
Subject: [keycloak-user] Group Role Mapping
References: <1174353251.572514.1544192221499.ref@mail.yahoo.com>
Message-ID: <1174353251.572514.1544192221499@mail.yahoo.com>

Hello all,

Congratulations for this great product. We are using it to provide authentication for a new web-app we are deploying. In the future we may use it for authorization also.

I have read many articles and posts on this list but I am still not sure if my problem is considered a problem/bug or I have done something wrong. I have this situation:

LDAP GROUP group1, mapped to Keycloak group1
user1, user2 and user3 members of group1
All this works ok as I used group-ldap-mapper.

Now, let's say that in my realm I have 3 clients: client1, client2 and client3. All of these clients have some similar needs, so to support all of them I am using Realm roles and not client roles. So, I created role1 for my realm. Afterwards I wanted to assign role1 to all members of group1, so I went to Groups->group1->Edit->Role Mappings and from the available Realm Roles I selected role1 and I assigned it.

Now, what I would expect is two things:

1) If I go to Roles->role1->Users In Role, to see all the members of group1. This doesn't happen!

2) If I go to users->user1->Role Mappings I would expect to see role1 as an Assigned Role but I see it as an Effective Role. Now this causes me the problem that if for any reason I want to remove role1 from a single user, i.e. user1, I cannot since it is only in the Effective Roles list.

However, if I go specifically and assign role1 to a user from Users->Role Mappings then both those cases mentioned above work ok.

Am I doing something wrong here? How should this work? Do you have any suggestion? I am pretty sure that this scenario makes sense for an administrator where he/she wants to assign some roles to existing groups coming from LDAP/Active Directory and also have the flexibility to remove roles from specific users of a Group.
Otherwise the administrator should go and assign the role to each user separately.

I forgot to mention that we are using Keycloak 4.6. I also have some questions about some calls of the Rest API but I think it's better not to write them here and send another mail.

From mposolda at redhat.com Fri Dec 7 09:37:03 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 7 Dec 2018 15:37:03 +0100
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch> <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com> <6ec4a52360ac46d0a8b7890a2b4bdbb3@elca.ch>

On 07/12/2018 14:38, Doswald Alistair wrote:
>
> Hello Meissa,
>
> I'm a bit surprised about a question for Keycloak-export, as I thought that it was mostly Keycloak-authorization which was of interest.
>
> That being said, I haven't created a pull request for this feature, no, though it is available still as an extension on the cloudtrust project github (the latest release here https://github.com/cloudtrust/keycloak-export/releases/download/0.4/keycloak-export.tar.gz works on keycloak 4.6.0.Final).
>
> When I discussed the matter on the dev mailing list there were concerns about the following aspects: data integrity, size of transfer and security. Our position was that security is OK (data transferred over https), but that size and data integrity could be a concern depending on the use case. However, from what I understood, there wasn't really any interest in bringing the feature to Keycloak.
>
Yes, the size and data integrity can be a concern and that's the reason why it's not officially supported to run full export/import in "online" mode. I know there is a workaround, which de facto allows "hot" export/import in case you have a cluster environment. When you have 2 Keycloak nodes, you can stop one of the nodes and then trigger export/import on that node.
But it's not something to recommend in production due to the issues with the integrity (data can be changed in the meantime on node1 when export/import is in progress on node2, which can result in broken data and tricky errors).

Marek

> If that has changed, I'll gladly submit a pull request for the code.
>
> Best regards,
>
> Alistair Doswald
From chapani at protonmail.com Fri Dec 7 11:20:35 2018
From: chapani at protonmail.com (chapani)
Date: Fri, 07 Dec 2018 16:20:35 +0000
Subject: [keycloak-user] Admin With Restricted User Management
Message-ID: <8OOh8ispSisji3oNF5tY-KxLGq2FsrYAURjMXzmh7lxgrTfuJhcChWE_8cJAqeA8WNCRbOoAVUsNIZALLu48QxB5kU4CaL6SasY-pbfw6NY=@protonmail.com>

Good Afternoon!

Can I create an admin that can ONLY do these:

- Create/Manage a user who is automatically assigned a specific group or a role
- View/Manage users that belong to a specific group or a role

When this admin logs into Keycloak server, he should only see one tab, "Users", that belong to a specific group or a role and shouldn't see any other users or other menu items.

Thanks,
- chapani

Sent with [ProtonMail](https://protonmail.com) Secure Email.
From vikram.eswar at fleetroute.com Fri Dec 7 11:25:21 2018
From: vikram.eswar at fleetroute.com (Vikram)
Date: Fri, 7 Dec 2018 17:25:21 +0100
Subject: [keycloak-user] Admin With Restricted User Management
In-Reply-To: <8OOh8ispSisji3oNF5tY-KxLGq2FsrYAURjMXzmh7lxgrTfuJhcChWE_8cJAqeA8WNCRbOoAVUsNIZALLu48QxB5kU4CaL6SasY-pbfw6NY=@protonmail.com>
References: <8OOh8ispSisji3oNF5tY-KxLGq2FsrYAURjMXzmh7lxgrTfuJhcChWE_8cJAqeA8WNCRbOoAVUsNIZALLu48QxB5kU4CaL6SasY-pbfw6NY=@protonmail.com>

Hi,

I have the same problem here. Please let me know if you find a solution.

Thanks in advance,

Vikram

On 12/7/2018 5:20 PM, chapani wrote:
> Good Afternoon!
>
> Can I create an admin that can ONLY do these:
>
> - Create/Manage a user who is automatically assigned a specific group or a role
> - View/Manage users that belong to a specific group or a role
>
> When this admin logs into Keycloak server, he should only see one tab, "Users", that belong to a specific group or a role and shouldn't see any other users or other menu items.
>
> Thanks,
> - chapani
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.

From manuel.waltschek at prisma-solutions.at Fri Dec 7 11:33:47 2018
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Fri, 7 Dec 2018 16:33:47 +0000
Subject: [keycloak-user] Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
Message-ID: <12e7f4fe7aab4802b9c5e68796a9634c@EXMBX24.SFP-Net.skyfillers.local>

Hello there,

I am trying to configure my Keycloak server to act as an IdP broker for the samltest.id IdP (external IdP) and I want my application to authenticate against this external IdP.
I imported the IdP Metadata of samltest into my IdP settings and exported the following SP descriptor into the IdP of samltest:

Ovdow5dx1a_BxPju-WIV7_-LKmhBPUDGXMKEPsXoDYY 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 urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

While "vde-tirol" is the client-id configured in my client and the ACS-url is the one I configured in the Fine Grain SAML Endpoint Configuration of my client.

After I try to access a protected resource I get redirected to a page of samltest telling me something went wrong, and I detected that the authnrequest sent from my IdP broker did not have the ACS-url

http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol
http://localhost:8180/auth/realms/prisma-keycloak-saml-idp

I get the following Error from openSAML:

Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol' nor response location 'null' matched 'http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint'

Do you have a clue what went wrong? Is this intended behaviour, that the AssertionConsumerServiceURL in the AuthnRequest does not match?

Thank you in advance,

Manuel Waltschek

From adrianmatei at gmail.com Fri Dec 7 11:50:18 2018
From: adrianmatei at gmail.com (Adrian Matei)
Date: Fri, 7 Dec 2018 17:50:18 +0100
Subject: [keycloak-user] verify client roles in web.xml (JBoss adapter)

Hello everyone,

How can I check a client role in web.xml? It seems that only REALM roles can be checked there. I tried also the nodejs adapter convention "client-id:CLIENT_ROLE" but still nothing...
thanks

From geoff at opticks.io Fri Dec 7 11:55:04 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 7 Dec 2018 17:55:04 +0100
Subject: [keycloak-user] Admin With Restricted User Management
References: <8OOh8ispSisji3oNF5tY-KxLGq2FsrYAURjMXzmh7lxgrTfuJhcChWE_8cJAqeA8WNCRbOoAVUsNIZALLu48QxB5kU4CaL6SasY-pbfw6NY=@protonmail.com>

Not sure, but you can try by enabling custom permissions on Users.

[image: Screen Shot 2018-12-07 at 17.52.27.png]

On Fri, 7 Dec 2018 at 17:28, Vikram wrote:

> Hi,
>
> I have the same problem here. Please let me know if you find a solution.
>
> Thanks in advance,
>
> Vikram
>
> On 12/7/2018 5:20 PM, chapani wrote:
> > Good Afternoon!
> >
> > Can I create an admin that can ONLY do these:
> >
> > - Create/Manage a user who is automatically assigned a specific group or a role
> > - View/Manage users that belong to a specific group or a role
> >
> > When this admin logs into Keycloak server, he should only see one tab, "Users", that belong to a specific group or a role and shouldn't see any other users or other menu items.
> >
> > Thanks,
> > - chapani
> >
> > Sent with [ProtonMail](https://protonmail.com) Secure Email.

--
Regards,
Geoffrey Cleaves

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2018-12-07 at 17.52.27.png
Type: image/png
Size: 97901 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181207/52d7a612/attachment-0001.png

From luca.stancapiano at vige.it Fri Dec 7 12:49:26 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Fri, 7 Dec 2018 18:49:26 +0100 (CET)
Subject: [keycloak-user] get users from postman
References: <172700185.949484.1544101858833@pim.register.it> <347228097.955246.1544108582656@pim.register.it>
Message-ID: <946610059.992387.1544204966406@pim.register.it>

Thanks Geoffrey, if you agree, let me use the query-users role as my example only needs to query users. I created new groups configured with the old roles plus the query-users role. Here is the new configuration:

{
  "realm": "school-domain",
  "enabled": true,
  "accessTokenLifespan": 60,
  "accessCodeLifespan": 60,
  "accessCodeLifespanUserAction": 300,
  "ssoSessionIdleTimeout": 600,
  "ssoSessionMaxLifespan": 36000,
  "sslRequired": "external",
  "registrationAllowed": true,
  "resetPasswordAllowed": true,
  "editUsernameAllowed": true,
  "loginWithEmailAllowed": false,
  "duplicateEmailsAllowed": true,
  "privateKey": .......,
  "publicKey": .......,
  "requiredCredentials": [
    "password"
  ],
  "users": [
    {
      "username": "root",
      "enabled": true,
      "email": "lsflashboss62 at gmail.com",
      "credentials": [
        {
          "type": "password",
          "value": "gtn"
        }
      ],
      "groups": [
        "admin"
      ]
    },
    {
      "username": "hfgfghhgffhgfgh",
      "enabled": true,
      "email": "luca.stancapiano at vige.it",
      "firstName": "Luca",
      "lastName": "Stancapiano",
      "credentials": [
        {
          "type": "password",
          "value": "gtn"
        }
      ],
      "groups": [
        "pupil"
      ]
    }
  ],
  "groups": [
    {
      "name": "admin",
      "path": "/admin",
      "attributes": { },
      "realmRoles": [
        "admin"
      ],
      "clientRoles": {
        "realm-management": [
          "query-users"
        ],
        "account": [
          "manage-account"
        ]
      },
      "subGroups": []
    },
    {
      "name": "pupil",
      "path": "/pupil",
      "attributes": { },
      "realmRoles": [
        "pupil"
      ],
      "clientRoles": {
        "realm-management": [
          "query-users"
        ],
"account": [ "manage-account" ] }, "subGroups": [] } ] } Now, when I connect through postman to the url http://localhost:8180/auth/admin/realms/school-domain/users using the 'root' user imported through the configuration, I receive an empty list, when I espect the two users ('root' and 'hfgfghhgffhgfgh') imported through the configuration. Where I wrong now? > Il 7 dicembre 2018 alle 10.55 Geoffrey Cleaves ha scritto: > > > Be sure that the token you are using to list the users has a manage-realm > role. > > On Thu, 6 Dec 2018 at 16:09, Luca Stancapiano > wrote: > > > But changing the postman configuration from Oauth 2.0 to Bearer token I > > see the error is changed. Now I have a 403 Forbidden > > > > > Il 6 dicembre 2018 alle 15.08 Joao Paulo Ramos ha > > scritto: > > > > > > > > > Hello Luca, > > > > > > In your webapp's Keycloak Client, try putting it as baerer only. > > > Also, in the the HTTP request that you make, be sure you are setting the > > > token in the header of the HTTP request, with the following parameter: > > > > > > {"Authorization" : "bearer " + $TOKEN} > > > > > > Thanks, > > > > > > JO?O PAULO RAMOS > > > > > > Red Hat Brasil > > > > > > > > > > > > On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano < > > luca.stancapiano at vige.it> > > > wrote: > > > > > > > I'm trying to call via REST through POSTMAN the list of users through > > the > > > > get path: http://localhost:8180/auth/admin/realms/school-domain/users > > > > > > > > Here my keycloak configuration where I create 2 users, 4 roles, a > > 'school' > > > > client and a 'school-domain' realm: > > > > > > > > { > > > > "realm": "school-domain", > > > > "enabled": true, > > > > "accessTokenLifespan": 60, > > > > "accessCodeLifespan": 60, > > > > "accessCodeLifespanUserAction": 300, > > > > "ssoSessionIdleTimeout": 600, > > > > "ssoSessionMaxLifespan": 36000, > > > > "sslRequired": "external", > > > > "registrationAllowed": true, > > > > "resetPasswordAllowed": true, > > > > 
"editUsernameAllowed": true, > > > > "loginWithEmailAllowed": false, > > > > "duplicateEmailsAllowed": true, > > > > "privateKey": > > > > > > "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", > > > > "publicKey": > > > > > > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > > > "requiredCredentials": [ > > > > "password" > > > > ], > > > > "users": [ > > > > { > > > > "username": "root", > > > > "enabled": true, > > > > "email": "lsflashboss62 at gmail.com", > > > > "credentials": [ > > > > { > > > > "type": "password", > > > > "value": "gtn" > > > > } > > > > ], > > > > "realmRoles": [ > > > > "admin" > > > > ], > > > > "clientRoles": { > > > > "account": [ > > > > "manage-account" > > > > ] > > > > } > > > > }, > > > > { > > > > "username": "HUHUJJJKJJKN", > > > > "enabled": true, > > > > "email": "luca.stancapiano at vige.it", > > > > "firstName": "Luca", > > > > "lastName": "Stancapiano", > > > > "credentials": [ > > > > { > > > > "type": "password", > > > > "value": "gtn" > > > > } > > > > ], > > > > "realmRoles": [ > > > > "pupil" > > > > ], > > > > "clientRoles": { > > > > "account": [ > > > > "manage-account" > > > > ] > > > > } > > > > } > > > > ], > > > > "clients": [ > > > > { > > > > "clientId": "school", > > > > "rootUrl": "http://localhost:8080/school", > > > > "enabled": true, > > > > "redirectUris": [ > > > > "http://localhost:8080/school/*" > > > > ], > > > > "webOrigins": [ > > > > "http://localhost:8080" > > > > ], > > > > "publicClient": false, > > > > "secret": > > "bce5816d-98c4-404f-a18d-bcc5cb005c79", > > > > "serviceAccountsEnabled": true, > > > > "authorizationServicesEnabled": true, > > > > "authorizationSettings": { > > > > "allowRemoteResourceManagement": true, > > > > "policyEnforcementMode": "ENFORCING", > > > > "resources": [ > > > > { > > > > "name": 
"Default > > Resource", > > > > "type": > > > > "urn:school:resources:default", > > > > "ownerManagedAccess": > > > > false, > > > > "attributes": { > > > > > > > > }, > > > > "_id": > > > > "c338b2be-da73-471c-9bb0-77ad52e1f88f", > > > > "uris": [ > > > > "/*" > > > > ] > > > > } > > > > ], > > > > "policies": [ > > > > { > > > > "id": > > > > "edb01393-180e-4d95-afd3-92b3ac5a6d41", > > > > "name": "Default > > Policy", > > > > "description": "A > > policy > > > > that grants access only for users within this realm", > > > > "type": "js", > > > > "logic": "POSITIVE", > > > > "decisionStrategy": > > > > "AFFIRMATIVE", > > > > "config": { > > > > "code": "// by > > > > default, grants any permission associated with this > > > > policy\n$evaluation.grant();\n" > > > > } > > > > }, > > > > { > > > > "id": > > > > "1f5dce97-54e3-4dcf-92bd-a2a59120286f", > > > > "name": "Default > > > > Permission", > > > > "description": "A > > > > permission that applies to the default resource type", > > > > "type": "resource", > > > > "logic": "POSITIVE", > > > > "decisionStrategy": > > > > "UNANIMOUS", > > > > "config": { > > > > > > > > "defaultResourceType": "urn:school:resources:default", > > > > > > "applyPolicies": > > > > "[\"Default Policy\"]" > > > > } > > > > } > > > > ], > > > > "scopes": [] > > > > } > > > > } > > > > ], > > > > "roles": { > > > > "realm": [ > > > > { > > > > "name": "admin", > > > > "description": "Administrator > > privileges" > > > > }, > > > > { > > > > "name": "schooloperator", > > > > "description": "School Operator > > privileges" > > > > }, > > > > { > > > > "name": "teacher", > > > > "description": "Teacher privileges" > > > > }, > > > > { > > > > "name": "pupil", > > > > "description": "Pupil privileges" > > > > } > > > > ] > > > > } > > > > } > > > > > > > > Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0. 
> > > > Here the OAuth configuration used to receive the token:
> > > >
> > > > Token Name: Token Name
> > > > Grant Type: Authorization Code
> > > > Callback URL: http://localhost:8080/school
> > > > Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
> > > > Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token
> > > > Client ID: school
> > > > Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
> > > > Client Authentication: Send as Basic Auth header
> > > >
> > > > The Callback URL is an active simple web app starting on the 8080 port.
> > > > The token creation is ok but when I call the server with the created token
> > > > I get a 401 Unauthorized error. What am I missing?
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Regards,
> Geoffrey Cleaves

From geoff at opticks.io Fri Dec 7 17:20:35 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 7 Dec 2018 23:20:35 +0100
Subject: [keycloak-user] get users from postman
In-Reply-To: <946610059.992387.1544204966406@pim.register.it>
References: <172700185.949484.1544101858833@pim.register.it> <347228097.955246.1544108582656@pim.register.it> <946610059.992387.1544204966406@pim.register.it>
Message-ID:

Ciao Luca,

I don't have a clear answer for you. But I have had some problems in the past creating roles using a similar JSON representation to the one you use. I found that although Keycloak did not complain, it did not actually assign the roles as I had hoped. Could this be happening to you?
Instead of importing this JSON, I recommend you use the Admin Console to manually create the users and assign them the roles. Then try again with Postman.

When I use Postman to call the users endpoint with a proper token, I do get a list of all my users successfully. It should work.

Good luck!

On Fri, 7 Dec 2018 at 18:49, Luca Stancapiano wrote:

> Thanks Geoffrey, if you agree, let me use the query-users role as my
> example only needs to query users. I created new groups configured with
> the old roles plus the query-users role. Here the new configuration:
>
> {
>   "realm": "school-domain",
>   "enabled": true,
>   "accessTokenLifespan": 60,
>   "accessCodeLifespan": 60,
>   "accessCodeLifespanUserAction": 300,
>   "ssoSessionIdleTimeout": 600,
>   "ssoSessionMaxLifespan": 36000,
>   "sslRequired": "external",
>   "registrationAllowed": true,
>   "resetPasswordAllowed": true,
>   "editUsernameAllowed": true,
>   "loginWithEmailAllowed": false,
>   "duplicateEmailsAllowed": true,
>   "privateKey": .......,
>   "publicKey": .......,
>   "requiredCredentials": [
>     "password"
>   ],
>   "users": [
>     {
>       "username": "root",
>       "enabled": true,
>       "email": "lsflashboss62 at gmail.com",
>       "credentials": [
>         {
>           "type": "password",
>           "value": "gtn"
>         }
>       ],
>       "groups": [
>         "admin"
>       ]
>     },
>     {
>       "username": "hfgfghhgffhgfgh",
>       "enabled": true,
>       "email": "luca.stancapiano at vige.it",
>       "firstName": "Luca",
>       "lastName": "Stancapiano",
>       "credentials": [
>         {
>           "type": "password",
>           "value": "gtn"
>         }
>       ],
>       "groups": [
>         "pupil"
>       ]
>     }
>   ],
>   "groups": [
>     {
>       "name": "admin",
>       "path": "/admin",
>       "attributes": {
>       },
>       "realmRoles": [
>         "admin"
>       ],
>       "clientRoles": {
>         "realm-management": [
>           "query-users"
>         ],
>         "account": [
>           "manage-account"
>         ]
>       },
>       "subGroups": []
>     },
>     {
>       "name": "pupil",
>       "path": "/pupil",
>       "attributes": {
>       },
>       "realmRoles": [
>         "pupil"
>       ],
>       "clientRoles": {
>         "realm-management": [
>           "query-users"
>         ],
>         "account": [
>           "manage-account"
>         ]
>       },
>       "subGroups": []
>     }
>   ]
> }
>
> Now, when I connect through Postman to the URL
> http://localhost:8180/auth/admin/realms/school-domain/users using the
> 'root' user imported through the configuration, I receive an empty list,
> when I expect the two users ('root' and 'hfgfghhgffhgfgh') imported through
> the configuration. Where am I wrong now?
>
> > On 7 December 2018 at 10.55 Geoffrey Cleaves wrote:
> >
> > Be sure that the token you are using to list the users has a manage-realm
> > role.
> >
> > On Thu, 6 Dec 2018 at 16:09, Luca Stancapiano wrote:
> >
> > > But changing the Postman configuration from OAuth 2.0 to Bearer token I
> > > see the error is changed. Now I have a 403 Forbidden
> > >
> > > > On 6 December 2018 at 15.08 Joao Paulo Ramos wrote:
> > > >
> > > > Hello Luca,
> > > >
> > > > In your webapp's Keycloak Client, try putting it as bearer only.
> > > > Also, in the HTTP request that you make, be sure you are setting the
> > > > token in the header of the HTTP request, with the following parameter:
> > > >
> > > > {"Authorization" : "bearer " + $TOKEN}
> > > >
> > > > Thanks,
> > > >
> > > > JOÃO PAULO RAMOS
> > > >
> > > > Red Hat Brasil
> > > >
> > > > On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano <luca.stancapiano at vige.it> wrote:
> > > >
> > > > > I'm trying to call via REST through Postman the list of users through the
> > > > > get path: http://localhost:8180/auth/admin/realms/school-domain/users
> > > > >
> > > > > Here my keycloak configuration where I create 2 users, 4 roles, a 'school'
> > > > > client and a 'school-domain' realm:
> > > > >
> > > > > {
> > > > >   "realm": "school-domain",
> > > > >   "enabled": true,
> > > > >   "accessTokenLifespan": 60,
> > > > >   "accessCodeLifespan": 60,
> > > > >   "accessCodeLifespanUserAction": 300,
> > > > >   "ssoSessionIdleTimeout": 600,
> > > > >   "ssoSessionMaxLifespan": 36000,
> > > > >   "sslRequired": "external",
> > > > >   "registrationAllowed": true,
> > > > >   "resetPasswordAllowed": true,
> > > > >   "editUsernameAllowed": true,
> > > > >   "loginWithEmailAllowed": false,
> > > > >   "duplicateEmailsAllowed": true,
> > > > >   "privateKey": "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",
> > > > >   "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> > > > >   "requiredCredentials": [
> > > > >     "password"
> > > > >   ],
> > > > >   "users": [
> > > > >     {
> > > > >       "username": "root",
> > > > >       "enabled": true,
> > > > >       "email": "lsflashboss62 at gmail.com",
> > > > >       "credentials": [
> > > > >         {
> > > > >           "type": "password",
> > > > >           "value": "gtn"
> > > > >         }
> > > > >       ],
> > > > >       "realmRoles": [
> > > > >         "admin"
> > > > >       ],
> > > > >       "clientRoles": {
> > > > >         "account": [
> > > > >           "manage-account"
> > > > >         ]
> > > > >       }
> > > > >     },
> > > > >     {
> > > > >       "username": "HUHUJJJKJJKN",
> > > > >       "enabled": true,
> > > > >       "email": "luca.stancapiano at vige.it",
> > > > >       "firstName": "Luca",
> > > > >       "lastName": "Stancapiano",
> > > > >       "credentials": [
> > > > >         {
> > > > >           "type": "password",
> > > > >           "value": "gtn"
> > > > >         }
> > > > >       ],
> > > > >       "realmRoles": [
> > > > >         "pupil"
> > > > >       ],
> > > > >       "clientRoles": {
> > > > >         "account": [
> > > > >           "manage-account"
> > > > >         ]
> > > > >       }
> > > > >     }
> > > > >   ],
> > > > >   "clients": [
> > > > >     {
> > > > >       "clientId": "school",
> > > > >       "rootUrl": "http://localhost:8080/school",
> > > > >       "enabled": true,
> > > > >       "redirectUris": [
> > > > >         "http://localhost:8080/school/*"
> > > > >       ],
> > > > >       "webOrigins": [
> > > > >         "http://localhost:8080"
> > > > >       ],
> > > > >       "publicClient": false,
> > > > >       "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
> > > > >       "serviceAccountsEnabled": true,
> > > > >       "authorizationServicesEnabled": true,
> > > > >       "authorizationSettings": {
> > > > >         "allowRemoteResourceManagement": true,
> > > > >         "policyEnforcementMode": "ENFORCING",
> > > > >         "resources": [
> > > > >           {
> > > > >             "name": "Default Resource",
> > > > >             "type": "urn:school:resources:default",
> > > > >             "ownerManagedAccess": false,
> > > > >             "attributes": {
> > > > >             },
> > > > >             "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
> > > > >             "uris": [
> > > > >               "/*"
> > > > >             ]
> > > > >           }
> > > > >         ],
> > > > >         "policies": [
> > > > >           {
> > > > >             "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
> > > > >             "name": "Default Policy",
> > > > >             "description": "A policy that grants access only for users within this realm",
> > > > >             "type": "js",
> > > > >             "logic": "POSITIVE",
> > > > >             "decisionStrategy": "AFFIRMATIVE",
> > > > >             "config": {
> > > > >               "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
> > > > >             }
> > > > >           },
> > > > >           {
> > > > >             "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
> > > > >             "name": "Default Permission",
> > > > >             "description": "A permission that applies to the default resource type",
> > > > >             "type": "resource",
> > > > >             "logic": "POSITIVE",
> > > > >             "decisionStrategy": "UNANIMOUS",
> > > > >             "config": {
> > > > >               "defaultResourceType": "urn:school:resources:default",
> > > > >               "applyPolicies": "[\"Default Policy\"]"
> > > > >             }
> > > > >           }
> > > > >         ],
> > > > >         "scopes": []
> > > > >       }
> > > > >     }
> > > > >   ],
> > > > >   "roles": {
> > > > >     "realm": [
> > > > >       {
> > > > >         "name": "admin",
> > > > >         "description": "Administrator privileges"
> > > > >       },
> > > > >       {
> > > > >         "name": "schooloperator",
> > > > >         "description": "School Operator privileges"
> > > > >       },
> > > > >       {
> > > > >         "name": "teacher",
> > > > >         "description": "Teacher privileges"
> > > > >       },
> > > > >       {
> > > > >         "name": "pupil",
> > > > >         "description": "Pupil privileges"
> > > > >       }
> > > > >     ]
> > > > >   }
> > > > > }
> > > > >
> > > > > Keycloak starts on the 8180 port. I configured Postman with OAuth 2.0.
> > > > > Here the OAuth configuration used to receive the token:
> > > > >
> > > > > Token Name: Token Name
> > > > > Grant Type: Authorization Code
> > > > > Callback URL: http://localhost:8080/school
> > > > > Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
> > > > > Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token
> > > > > Client ID: school
> > > > > Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
> > > > > Client Authentication: Send as Basic Auth header
> > > > >
> > > > > The Callback URL is an active simple web app starting on the 8080 port.
> > > > > The token creation is ok but when I call the server with the created token
> > > > > I get a 401 Unauthorized error. What am I missing?
>
> --
> Regards,
> Geoffrey Cleaves

--
Regards,
Geoffrey Cleaves

From stefan.meschke at gmail.com Sat Dec 8 08:24:59 2018
From: stefan.meschke at gmail.com (Stefan Meschke)
Date: Sat, 8 Dec 2018 14:24:59 +0100
Subject: [keycloak-user] Bind user to another
Message-ID: <22173D9C-F4E3-45CF-AEDD-AD642A5FC2A5@gmail.com>

Hello,

is there a way to bind one user to another (e.g. for impersonation, query, ...)?
Example: 4 users in one realm: user-a, user-b, user-c, user-d

* user-c should be able to impersonate into user-a, but not into user-b.
* user-d should be able to impersonate and query all users

It would also be very cool if one user is able to remove the binding.

Thanks in advance!

Cheers
Stefan

From geoff at opticks.io Sat Dec 8 12:29:47 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sat, 8 Dec 2018 18:29:47 +0100
Subject: [keycloak-user] Admin With Restricted User Management
In-Reply-To:
References: <8OOh8ispSisji3oNF5tY-KxLGq2FsrYAURjMXzmh7lxgrTfuJhcChWE_8cJAqeA8WNCRbOoAVUsNIZALLu48QxB5kU4CaL6SasY-pbfw6NY=@protonmail.com>
Message-ID:

Further info: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

I believe that the docs are a little bit out of date and that you also need to give a user the view-realm role to allow him to log into the admin console.

On Fri, 7 Dec 2018 at 17:55, Geoffrey Cleaves wrote:

> Not sure, but you can try by enabling custom permissions on Users.
> [image: Screen Shot 2018-12-07 at 17.52.27.png]
>
> On Fri, 7 Dec 2018 at 17:28, Vikram wrote:
>
>> Hi,
>>
>> I have the same problem here. Please let me know if you find a solution.
>>
>> Thanks in advance,
>>
>> Vikram
>>
>> On 12/7/2018 5:20 PM, chapani wrote:
>> > Good Afternoon!
>> >
>> > Can I create an admin that can ONLY do these:
>> >
>> > - Create/Manage a user who is automatically assigned a specific group or a role
>> > - View/Manage users that belong to a specific group or a role
>> >
>> > When this admin logs into Keycloak server, he should only see one tab,
>> > "Users", that belong to a specific group or a role and shouldn't see any
>> > other users or other menu items.
>> >
>> > Thanks,
>> > - chapani
>> >
>> > Sent with [ProtonMail](https://protonmail.com) Secure Email.
>
> --
> Regards,
> Geoffrey Cleaves

--
Regards,
Geoffrey Cleaves

From testoauth55 at gmail.com Sat Dec 8 22:46:34 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Sun, 9 Dec 2018 09:16:34 +0530
Subject: [keycloak-user] KeycloakInstalled adapter: Using public client token from keycloak installed adapter to access confidential client
In-Reply-To:
References:
Message-ID:

Anyone else faced this issue?

On Fri, Dec 7, 2018 at 1:39 PM Bruce Wings wrote:

> I have created a confidential client, "server-app", that secures my
> Jetty app through the Keycloak Jetty adapter and a public client, "web-app",
> that is provided to all clients of my server app. Both web-app and
> server-app exist under the same realm.
>
> In the web-app client, I have created a token mapper for the 'aud' claim:
>
> new java.util.ArrayList(["server-app","web-app"]);
>
> When I generate a token through the Keycloak JS adapter or through Postman for
> the web-app client, I am able to use the same token to access my Jetty app
> (that is secured with the confidential client).
>
> But when launching the KeycloakInstalled adapter (.loginDesktop() API)
> with the public client (JSON of the web-app client), after successful login, while
> trying to access the same Jetty app (secured with the confidential client) I
> get:
>
> type=CODE_TO_TOKEN_ERROR, realmId=myRealm, clientId=null, userId=null,
> ipAddress=10.252.70.71, error=invalid_client_credentials,
> grant_type=authorization_code
>
> Is the same kind of access not supported in the KeycloakInstalled adapter?
>
> Also, if I launch the KeycloakInstalled adapter with the confidential client JSON,
> everything works fine, i.e. I am allowed access to the Jetty app.

From luca.stancapiano at vige.it Sun Dec 9 05:48:53 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Sun, 9 Dec 2018 11:48:53 +0100 (CET)
Subject: [keycloak-user] get users from postman
In-Reply-To:
References: <172700185.949484.1544101858833@pim.register.it> <347228097.955246.1544108582656@pim.register.it> <946610059.992387.1544204966406@pim.register.it>
Message-ID: <1741260846.1000096.1544352533946@pim.register.it>

I resolved it by changing the role from 'query-users' to 'view-users'. It seems that the view-users role contains the 'query-users' and 'query-groups' roles, and without one of them I cannot receive the user list.

Thanks anyway

> On 7 December 2018 at 23.20 Geoffrey Cleaves wrote:
>
> Ciao Luca,
>
> I don't have a clear answer for you. But I have had some problems in the
> past creating roles using a similar JSON representation to the one you use.
> I found that although Keycloak did not complain, it did not actually assign
> the roles as I had hoped. Could this be happening to you? Instead of
> importing this JSON, I recommend you use the Admin Console to manually
> create the users and assign them the roles. Then try again with Postman.
>
> When I use Postman to call the users endpoint with a proper token, I do get
> a list of all my users successfully. It should work.
>
> Good luck!
>
> On Fri, 7 Dec 2018 at 18:49, Luca Stancapiano wrote:
>
> > Thanks Geoffrey, if you agree, let me use the query-users role as my
> > example only needs to query users. I created new groups configured with
> > the old roles plus the query-users role.
>
> --
> Regards,
> Geoffrey Cleaves

From bart.lievens at unifiedpost.com Sun Dec 9 07:26:16 2018
From: bart.lievens at unifiedpost.com (Bart Lievens)
Date: Sun, 9 Dec 2018 13:26:16 +0100
Subject: [keycloak-user] UserStorageProvider for an external database
Message-ID:

Hello,

I solved the problem not by adding a datasource to WildFly but by adding the configuration parameters to the UserStorageProviderFactory and creating the EntityManager inside the UserStorageProviderFactory and then passing it on when creating a UserStorageProvider.
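The following is an added, constructed example for the "get users from postman" thread above; it is not code from any message in this archive or from the Keycloak project. It decodes a Keycloak-shaped access token locally and reports whether its resource_access claim carries the realm-management roles the thread found necessary for listing users (view-users, or both query-users and query-groups, which the thread says view-users is composed of), and it builds the Authorization: Bearer header the admin call needs. The token, its claim values and the kid are constructed; the base URL and realm name follow the thread. decode_claims performs no signature verification and is only for inspecting a token you already hold, never for making an authorization decision.

```python
"""Diagnose a Keycloak Admin REST call to list users from the access token it
carries. Constructed example: nothing here talks to a server, and the token is
built locally rather than issued by Keycloak."""
import base64
import json

# realm-management client roles the thread identified as sufficient to list users
COMPOSITE_ROLE = "view-users"
COMPONENT_ROLES = frozenset({"query-users", "query-groups"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(claims: dict) -> str:
    """Build a compact JWS shaped like a Keycloak access token with a placeholder
    signature, for local testing only (constructed, not issued by Keycloak)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "constructed-signature"])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT checking its signature.
    Use it to read a token you hold; never to decide whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def realm_management_roles(claims: dict) -> set:
    """Keycloak places client roles under resource_access.<clientId>.roles."""
    return set(claims.get("resource_access", {})
                     .get("realm-management", {})
                     .get("roles", []))


def missing_roles_for_listing_users(claims: dict) -> set:
    """realm-management roles still needed before GET .../users returns the list.
    An empty set means the token carries view-users, or both component roles."""
    roles = realm_management_roles(claims)
    if COMPOSITE_ROLE in roles:
        return set()
    return set(COMPONENT_ROLES - roles)


def admin_users_request(base_url: str, realm: str, token: str) -> tuple:
    """URL and headers for the call made in the thread. The token must travel in
    an Authorization: Bearer header: without it the server answers 401; a valid
    token that lacks the roles gets 403 or, as seen in the thread, an empty list."""
    url = f"{base_url}/auth/admin/realms/{realm}/users"
    return url, {"Authorization": "Bearer " + token}


# Constructed claims modelled on the thread's 'root' user with the query-users-only config.
ROOT_QUERY_USERS_ONLY = {
    "preferred_username": "root",
    "realm_access": {"roles": ["admin"]},
    "resource_access": {
        "realm-management": {"roles": ["query-users"]},
        "account": {"roles": ["manage-account"]},
    },
}

# Constructed claims for the same user after the fix: view-users plus the two
# roles the thread says it is composed of.
ROOT_VIEW_USERS = {
    "preferred_username": "root",
    "realm_access": {"roles": ["admin"]},
    "resource_access": {
        "realm-management": {"roles": ["view-users", "query-users", "query-groups"]},
        "account": {"roles": ["manage-account"]},
    },
}

if __name__ == "__main__":
    for label, claims in (("query-users only", ROOT_QUERY_USERS_ONLY), ("view-users", ROOT_VIEW_USERS)):
        token = make_constructed_token(claims)
        missing = missing_roles_for_listing_users(decode_claims(token))
        url, headers = admin_users_request("http://localhost:8180", "school-domain", token)
        print(f"{label}: GET {url} -> missing realm-management roles: {sorted(missing) or 'none'}")
```

Run it as a script to see both cases side by side; to inspect a real token, paste it into decode_claims and look at the reported missing roles before changing the realm configuration.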
My UserStorageProviderFactory looks something like this (with 4.6.0.Final & 4.7.0.Final):

    import java.util.Arrays;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import java.util.Properties;

    import javax.persistence.EntityManager;
    import javax.persistence.EntityManagerFactory;
    import javax.persistence.Persistence;
    import javax.persistence.spi.PersistenceUnitTransactionType;

    import org.hibernate.cfg.AvailableSettings;
    import org.hibernate.engine.transaction.jta.platform.internal.JBossAppServerJtaPlatform;
    import org.hibernate.jpa.HibernatePersistenceProvider;
    import org.keycloak.common.util.EnvUtil;
    import org.keycloak.component.ComponentModel;
    import org.keycloak.component.ComponentValidationException;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.RealmModel;
    import org.keycloak.provider.ProviderConfigProperty;
    import org.keycloak.provider.ProviderConfigurationBuilder;
    import org.keycloak.storage.UserStorageProviderFactory;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class ExternalUserStorageProviderFactory implements UserStorageProviderFactory<ExternalUserStorageProvider> {

        private static final transient Logger logger = LoggerFactory.getLogger(ExternalUserStorageProviderFactory.class);

        // names of the settings shown in the admin console for this provider
        private static final String CONF_NAME_JDBC_URL = "jdbcUrl";
        private static final String CONF_NAME_JDBC_USER = "user";
        private static final String CONF_NAME_JDBC_PASSWORD = "password";

        protected static final List<ProviderConfigProperty> configMetadata;

        // one EntityManager per configured component instance, keyed by component id
        private Map<String, EntityManager> entityManagers = new HashMap<>();

        static {
            ProviderConfigurationBuilder builder = ProviderConfigurationBuilder.create();
            builder.property().name(CONF_NAME_JDBC_URL).type(ProviderConfigProperty.STRING_TYPE).label("Jdbc Url")
                    .defaultValue("jdbc:postgresql://host:port/database")
                    .helpText("Postgres JDBC Connection URL to external user db")
                    .add();
            builder.property().name(CONF_NAME_JDBC_USER).type(ProviderConfigProperty.STRING_TYPE).label("Jdbc User")
                    .helpText("JDBC Connection User")
                    .add();
            builder.property().name(CONF_NAME_JDBC_PASSWORD).type(ProviderConfigProperty.PASSWORD).label("Jdbc Password")
                    .helpText("JDBC Connection Password")
                    .add();
            configMetadata = builder.build();
        }

        @Override
        public List<ProviderConfigProperty> getConfigProperties() {
            return configMetadata;
        }

        @Override
        public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel componentModel)
                throws ComponentValidationException {
            if (componentModel.getConfig().getFirst(CONF_NAME_JDBC_URL) == null
                    || componentModel.getConfig().getFirst(CONF_NAME_JDBC_USER) == null
                    || componentModel.getConfig().getFirst(CONF_NAME_JDBC_PASSWORD) == null) {
                throw new ComponentValidationException("The jdbc Url, User and Password are required");
            }
            try {
                // fail validation early if the connection cannot be set up
                createEntityManager(componentModel);
            } catch (Exception e) {
                logger.warn("Invalid configuration {}", e.getCause() == null ? e.getMessage() : e.getCause().getMessage());
                throw new ComponentValidationException("Could not setup jdbc connection : "
                        + (e.getCause() == null ? e.getMessage() : e.getCause().getMessage()));
            }
        }

        @Override
        public ExternalUserStorageProvider create(KeycloakSession session, ComponentModel model) {
            try {
                if (entityManagers.get(model.getId()) == null) {
                    createEntityManager(model);
                }
                return new ExternalUserStorageProvider(entityManagers.get(model.getId()), model, session);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }

        @Override
        public String getId() {
            return "external-user-db";
        }

        @Override
        public String getHelpText() {
            return "External User Database Storage Provider";
        }

        private void createEntityManager(ComponentModel model) {
            logger.info("creating entityManager for {}", model.getName());
            Properties properties = getProperties(model);
            // "external-user-storage" is the persistence unit name in the provider's persistence.xml
            EntityManagerFactory entityManagerFactory = Persistence.createEntityManagerFactory("external-user-storage", properties);
            entityManagers.put(model.getId(), entityManagerFactory.createEntityManager());
        }

        private Properties getProperties(ComponentModel model) {
            Properties properties = new Properties();
            // Add class loader needed to find persistence.xml
            properties.put(AvailableSettings.CLASSLOADERS, Arrays.asList(this.getClass().getClassLoader()));
            // Set JPA properties
            properties.put(AvailableSettings.JPA_PERSISTENCE_PROVIDER, HibernatePersistenceProvider.class.getName());
            properties.put(AvailableSettings.JPA_TRANSACTION_TYPE, PersistenceUnitTransactionType.JTA.name());
            // postgresql jdbc connection config (EnvUtil.replace expands ${env.NAME} references)
            properties.put(AvailableSettings.JPA_JDBC_DRIVER, "org.postgresql.Driver");
            properties.put(AvailableSettings.JPA_JDBC_URL, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_URL)));
            properties.put(AvailableSettings.JPA_JDBC_USER, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_USER)));
            properties.put(AvailableSettings.JPA_JDBC_PASSWORD, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_PASSWORD)));
            // hibernate
            properties.put(AvailableSettings.DIALECT, org.hibernate.dialect.PostgreSQL95Dialect.class.getName());
            properties.put(AvailableSettings.SHOW_SQL, Boolean.FALSE);
            // set JTA properties
            properties.put(AvailableSettings.JTA_PLATFORM, JBossAppServerJtaPlatform.class.getName());
            return properties;
        }
    }

From msakho at redhat.com Mon Dec 10 01:16:08 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Mon, 10 Dec 2018 07:16:08 +0100
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
In-Reply-To:
References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch> <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com> <6ec4a52360ac46d0a8b7890a2b4bdbb3@elca.ch>
Message-ID:

Marek,

I was considering the hot solution regarding the cloud environment (OpenShift) where customers require zero downtime while making a backup for disaster recovery purposes. In that case, there will be no data integrity issue and they would be able to export without stopping their cluster. Actually the only solution we can do is to scale the nodes down to 0, which means stopping all RHSSO pods. This is why I think that Doswald's solution would meet the requirement.

Meissa

On Fri 7 Dec 2018 at 15:37, Marek Posolda wrote:

> On 07/12/2018 14:38, Doswald Alistair wrote:
> > Hello Meissa,
> >
> > I'm a bit surprised about a question for Keycloak-export, as I thought
> that it was mostly Keycloak-authorization which was of interest.
> >
> > That being said, I haven't created a pull request for this feature, no,
> though it is available still as an extension on the cloudtrust project
> github (the latest release here
> https://github.com/cloudtrust/keycloak-export/releases/download/0.4/keycloak-export.tar.gz
> works on keycloak 4.6.0.Final).
> >
> > When I discussed the matter on the dev mailing list there were concerns
> about the following aspects: data integrity, size of transfer and security.
> Our position was that security is OK (data transferred over https), but > that size and data integrity could be a concern depending on the use case. > However, from what I understood, there wasn't really any interest in > bringing the feature to Keycloak. > > Yes, the size and data integrity can be a concern and that's the reason > why it's not officially supported to run full export/import in "online" > mode. > > I know there is a workaround, which de facto allows "hot" export/import in > case you have a cluster environment. When you have 2 Keycloak nodes, you > can stop one of the nodes and then trigger export/import on that node. But > it's not something to recommend in production due to the issues with the > integrity (Data can be changed in the meantime on node1 when export/import > is in progress on node2, which can result in broken data and tricky errors). > > Marek > > > > If that has changed, I'll gladly submit a pull request for the code. > > > > Best regards, > > > > Alistair Doswald > > > > *From:* Meissa M'baye Sakho > *Sent:* Thursday, 6 December 2018 16:59 > *To:* Doswald Alistair > > *Cc:* Pedro Igor Silva ; Marek > Posolda ; keycloak-user > ; Issa > Gueye - Red Hat > *Subject:* Re: [keycloak-user] Keycloak Modules developed for the > Cloudtrust project > > > > Hello Alistair, > > Have you created the pull request for the keycloak-export module? > > It's a very useful one and I think it could be nice if it becomes fully a > part of keycloak. > > Meissa > > > > > > On Fri, 17 Aug 2018 at 14:40, Doswald Alistair > wrote: > > I've done the PR for the extension page (keycloak-authorization and > keycloak-export), and it's been accepted. For the client-mapper I'll see > what's necessary to be done to have it merged directly into Keycloak. > > For the mechanism of keycloak-authorization, I for one would like having > this functionality supported OOTB, whether through our (admittedly not very > sophisticated) system, or another.
I received a message from Stian > Thorgersen on the dev mailing list (here: > http://lists.jboss.org/pipermail/keycloak-dev/2018-August/011116.html ) > asking more details about the module, so I'll at least be discussing > the matter with him. > > Cheers, > > Alistair > > From: Pedro Igor Silva > Sent: Friday, 10 August 2018 18:52 > To: Marek Posolda > Cc: Doswald Alistair ; > keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak Modules developed for the Cloudtrust > project > > Cool stuff! Thanks for sharing. > > I've looked at keycloak-authorization very quickly and the changes look really > simple, I'm glad to start a discussion about supporting this OOTB. Maybe > this can be part of the review of admin fine-grained permissions we are > planning. > > Regards. > Pedro Igor > > On Fri, Aug 10, 2018 at 9:43 AM, Marek Posolda > wrote: > Thanks for the heads up! > > IMO it will be cool if you send a PR for the javascript mapper directly to > Keycloak, however we may need an automated test and also docs (a separate PR > needs to be sent for the docs). > > For the keycloak-authorization and keycloak-export (and maybe for > keycloak-client-mappers too if you don't have time for the PR to > upstream), it may be good to send a PR to update the extensions page > maybe? It's here: https://www.keycloak.org/extensions.html and sources > are here: > > https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions > . Assuming that those things are generally useful for the other users > from the community (I am not 100% sure about the keycloak-authorization. > Rather leaving it to you to decide if it's generally useful or not). The > keycloak-wsfed is already on the extensions page. > > Thanks! > Marek > > > On 10/08/18 11:44, Doswald Alistair wrote: > > Hello, > > > > I just wanted to let this mailing list know that for the Cloudtrust > project (https://github.com/cloudtrust), we have developed a certain > number of modules for Keycloak.
These are currently compatible with the > version 3.4.3.Final of Keycloak, but we will make them compatible with > Keycloak 4.X (where X will be the latest sub-version of Keycloak when we > start working on this) as soon as we can. These modules are: > > > > * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an > implementation of the WS-Federation protocol for keycloak. This allows to > select the WS-Federation protocol for Keycloak clients and for identity > brokers. > > > > * keycloak-authorization ( > https://github.com/cloudtrust/keycloak-authorization): this module allows > the use of the client authorization system to prevent a user which is > authenticated in a Keycloak realm to access a given client. It works no > matter which protocol is used, and without the client having to support any > extra protocol. Note: this solution is a bit hacky, but necessary for one > of our use-cases. > > > > * keycloak-client-mappers ( > https://github.com/cloudtrust/keycloak-client-mappers): a module for > adding any mappers that we might need that are not yet part of Keycloak. > Currently only contains a JavaScript mapper for SAML, analogous to the OIDC > script mapper. I've noticed that there's an open issue for this feature ( > https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could > submit this code not as a module but a solution to the issue. > > > > * keycloak-export (https://github.com/cloudtrust/keycloak-export): a > module adding an endpoint to fully export a realm while Keycloak is still > running (no need for restarts!). 
> > > > Cheers, > > > > Alistair > > > > PS: I'm mailing this to both the dev and user mailing lists as I believe it may > interest members of both mailing lists > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From brushmate at gmail.com Mon Dec 10 03:40:39 2018 From: brushmate at gmail.com (Steffen Kreutz) Date: Mon, 10 Dec 2018 09:40:39 +0100 Subject: [keycloak-user] UserStorageProvider for an external database In-Reply-To: References: Message-ID: Hi, that's surely possible, but I absolutely don't want to have the configuration in my code (especially not the password). Thus I somehow have to inject the configuration 'from the outside'. Best, Steffen On Sun, 9 Dec 2018 at 13:27, Bart Lievens <bart.lievens at unifiedpost.com> wrote: > Hello, > > I solved the problem not by adding a datasource to WildFly but by adding > the configuration parameters to the UserStorageProviderFactory > and creating the EntityManager inside the UserStorageProviderFactory and > then passing it on when creating a UserStorageProvider.
> > My UserStorageProviderFactory looks something like (with 4.6.0.Final & > 4.7.0.Final) :
> public class ExternalUserStorageProviderFactory implements UserStorageProviderFactory<ExternalUserStorageProvider> {
>     private static final transient Logger logger = LoggerFactory.getLogger(ExternalUserStorageProviderFactory.class);
>     private static final String CONF_NAME_JDBC_URL = "jdbcUrl";
>     private static final String CONF_NAME_JDBC_USER = "user";
>     private static final String CONF_NAME_JDBC_PASSWORD = "password";
>
>     protected static final List<ProviderConfigProperty> configMetadata;
>     private Map<String, EntityManager> entityManagers = new HashMap<>();
>
>     static {
>         ProviderConfigurationBuilder builder = ProviderConfigurationBuilder.create();
>         builder.property().name(CONF_NAME_JDBC_URL).type(ProviderConfigProperty.STRING_TYPE).label("Jdbc Url")
>                 .defaultValue("jdbc:postgresql://host:port/database")
>                 .helpText("Postgres JDBC Connection URL to external user db")
>                 .add();
>         builder.property().name(CONF_NAME_JDBC_USER).type(ProviderConfigProperty.STRING_TYPE).label("Jdbc User")
>                 .helpText("JDBC Connection User")
>                 .add();
>         builder.property().name(CONF_NAME_JDBC_PASSWORD).type(ProviderConfigProperty.PASSWORD).label("Jdbc Password")
>                 .helpText("JDBC Connection Password")
>                 .add();
>         configMetadata = builder.build();
>     }
>
>     @Override
>     public List<ProviderConfigProperty> getConfigProperties() {
>         return configMetadata;
>     }
>
>     @Override
>     public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel componentModel) throws ComponentValidationException {
>         if (componentModel.getConfig().getFirst(CONF_NAME_JDBC_URL) == null
>                 || componentModel.getConfig().getFirst(CONF_NAME_JDBC_USER) == null
>                 || componentModel.getConfig().getFirst(CONF_NAME_JDBC_PASSWORD) == null) {
>             throw new ComponentValidationException("The jdbc Url, User and Password are required");
>         }
>         try {
>             createEntityManager(componentModel);
>         } catch (Exception e) {
>             logger.warn("Invalid configuration {}", e.getCause() == null ? e.getMessage() : e.getCause().getMessage());
>             throw new ComponentValidationException("Could not setup jdbc connection : "
>                     + (e.getCause() == null ? e.getMessage() : e.getCause().getMessage()));
>         }
>     }
>
>     @Override
>     public ExternalUserStorageProvider create(KeycloakSession session, ComponentModel model) {
>         try {
>             if (entityManagers.get(model.getId()) == null) {
>                 createEntityManager(model);
>             }
>             return new ExternalUserStorageProvider(entityManagers.get(model.getId()), model, session);
>         } catch (Exception e) {
>             throw new RuntimeException(e);
>         }
>     }
>
>     @Override
>     public String getId() {
>         return "external-user-db";
>     }
>
>     @Override
>     public String getHelpText() {
>         return "External User Database Storage Provider";
>     }
>
>     private void createEntityManager(ComponentModel model) {
>         logger.info("creating entityManager for {}", model.getName());
>         Properties properties = getProperties(model);
>         EntityManagerFactory entityManagerFactory = Persistence.createEntityManagerFactory("external-user-storage", properties);
>         entityManagers.put(model.getId(), entityManagerFactory.createEntityManager());
>     }
>
>     private Properties getProperties(ComponentModel model) {
>         Properties properties = new Properties();
>         // Add class loader needed to find persistence.xml
>         properties.put(AvailableSettings.CLASSLOADERS, Arrays.asList(this.getClass().getClassLoader()));
>         // Set JPA properties
>         properties.put(AvailableSettings.JPA_PERSISTENCE_PROVIDER, HibernatePersistenceProvider.class.getName());
>         properties.put(AvailableSettings.JPA_TRANSACTION_TYPE, PersistenceUnitTransactionType.JTA.name());
>         // postgresql jdbc connection config
>         properties.put(AvailableSettings.JPA_JDBC_DRIVER, "org.postgresql.Driver");
>         properties.put(AvailableSettings.JPA_JDBC_URL, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_URL)));
>         properties.put(AvailableSettings.JPA_JDBC_USER, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_USER)));
>         properties.put(AvailableSettings.JPA_JDBC_PASSWORD, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_PASSWORD)));
>         // hibernate
>         properties.put(AvailableSettings.DIALECT, org.hibernate.dialect.PostgreSQL95Dialect.class.getName());
>         properties.put(AvailableSettings.SHOW_SQL, Boolean.FALSE);
>         // set JTA properties
>         properties.put(AvailableSettings.JTA_PLATFORM, JBossAppServerJtaPlatform.class.getName());
>         return properties;
>     }
> }
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From uo67113 at gmail.com Mon Dec 10 03:40:54 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Mon, 10 Dec 2018 09:40:54 +0100 Subject: [keycloak-user] HTTP status 400 from Tomcat after successful login In-Reply-To: References: Message-ID: Hello Timo, Perhaps enabling Tomcat access logging [1] can help you to debug this issue. You can compare the request with mod_proxy with the one without. Out of curiosity: why do you need to set ProxyPassReverseCookiePath / /app/ ? Hope it helps, Luis [1] https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging On Sun, 9 Dec 2018 at 10:22, Timo Kockert wrote: > Hello everyone, > > I have configured a web application, that is running in Tomcat, to > authenticate users with Keycloak. Everything is running fine if I > deploy the app to my local Tomcat, even when using the remote Keycloak > instance.
> > However, when I deploy the app to another Tomcat running behind an > Apache HTTP Server, the following happens: > > * When I navigate to https://my-domain.tld/app I get redirected to the > Keycloak login > * After I log in successfully, Keycloak redirects me to > :/app of the Tomcat > * The Tomcat answers with HTTP status 400 > > My keycloak.json looks like this: > > { > "realm": "cdb_test", > "auth-server-url": "https://keycloak-server.tld/auth", > "ssl-required": "external", > "resource": "cdb_test", > "public-client": true > } > > The VHost is configured like this: > > ProxyPass /app http://:/app/ > ProxyPassReverse /app http://:/app/ > ProxyPassReverseCookiePath / /app/ > > I turned on debug logging for the Keycloak Tomcat adapter, see attachment. > > Any advice? > > Thanks in advance > Timo > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett From thomas.darimont at googlemail.com Mon Dec 10 04:41:05 2018 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 10 Dec 2018 10:41:05 +0100 Subject: [keycloak-user] How to create a 'provisioning only' user in Keycloak? Message-ID: Hello Keycloak-Users, I'd like to create users solely for Keycloak instance provisioning operations (e.g. via kcadm.sh), which should not able to login via the admin-console. Does anyone know a way to do this? Cheers, Thomas From sthorger at redhat.com Mon Dec 10 05:00:32 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 10 Dec 2018 11:00:32 +0100 Subject: [keycloak-user] How to create a 'provisioning only' user in Keycloak? In-Reply-To: References: Message-ID: If you want this before startup you can use the add-user-keycloak.sh script with "--roles". 
If you want it at runtime then kcadm.sh is your friend, should be examples in the docs on how to do that one. On Mon, 10 Dec 2018 at 10:52, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > Hello Keycloak-Users, > > I'd like to create users solely for Keycloak instance provisioning > operations (e.g. via kcadm.sh), which should not able to login via the > admin-console. > > Does anyone know a way to do this? > > Cheers, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Simon.Vogensen at sos.eu Mon Dec 10 05:02:53 2018 From: Simon.Vogensen at sos.eu (Simon Buch Vogensen) Date: Mon, 10 Dec 2018 10:02:53 +0000 Subject: [keycloak-user] OIDC Identity Provider userinfo parsing problem Message-ID: <0B5FE54E105AE740942983F0F633CF85464161D8@EUIEX04.sos.eu> Hi We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as oidc identity provider. When keycloak requests userinfo from signicat the response does not parse correctly. Here is an example response. {"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"} The problem is the dot in the parametername "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper resulting in the value not getting parsed at all. The fix I have come up with would be a currentNode = baseNode.get(fieldPath); call after no node has been found. See line 206. I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak? Is this problem fixed in newer versions of keycloak? 
Thanks in advance Regards Simon Buch Vogensen From thomas.darimont at googlemail.com Mon Dec 10 05:18:30 2018 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 10 Dec 2018 11:18:30 +0100 Subject: [keycloak-user] How to create a 'provisioning only' user in Keycloak? In-Reply-To: References: Message-ID: Hi Stian, Thanks for the quick response but that's not exactly what I want to do. I know how to add a keycloak user via add-user-keycloak.sh, what I don't know is how to ensure that this user can only be used for provisioning operations via kcadm.sh and is NOT able to use the admin-console. Background is: - I want to secure the keycloak admin user with an additional OTP token. This works fine for the admin-console but then I cannot use kcadm.sh anymore with that user, because of the additional token. - I now want to create a dedicated technical user for provisioning operations that cannot log in to the admin-console. Cheers, Thomas On Mon, 10 Dec 2018 at 11:00, Stian Thorgersen <sthorger at redhat.com> wrote: > If you want this before startup you can use the add-user-keycloak.sh > script with "--roles". If you want it at runtime then kcadm.sh is your > friend, there should be examples in the docs on how to do that one. > > On Mon, 10 Dec 2018 at 10:52, Thomas Darimont < > thomas.darimont at googlemail.com> wrote: > >> Hello Keycloak-Users, >> >> I'd like to create users solely for Keycloak instance provisioning >> operations (e.g. via kcadm.sh), which should not be able to log in via the >> admin-console. >> >> Does anyone know a way to do this?
>> >> Cheers, >> Thomas >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From bart.lievens at unifiedpost.com Mon Dec 10 06:05:23 2018 From: bart.lievens at unifiedpost.com (Bart Lievens) Date: Mon, 10 Dec 2018 13:05:23 +0200 Subject: [keycloak-user] UserStorageProvider for an external database In-Reply-To: References: Message-ID: <015F5C1D-086A-42A4-8470-BD3667A189CC@unifiedpost.com> Hello, I think you are not understanding the solution fully, the configuration values are not in code at all. The static strings are just the names of the configuration variables, not the actual username or password. They can be set from the Keycloak admin pages (User Federation) or as part of the realm configuration json, you should also be able to inject them that way using the Admin APIs. The values will be stored in the keycloak db like other configurations in keycloak. > On 10 Dec 2018, at 10:40, Steffen Kreutz wrote: > > Hi, > > that's surely possible, but I absolutely don't want to have the configuration in my code (especially not the password). Thus I somehow have to inject the configuration 'from the outside'. > > Best, > > Steffen > > On Sun, 9 Dec 2018 at 13:27, Bart Lievens wrote: > Hello, > > I solved the problem not by adding a datasource to WildFly but by adding the configuration parameters to the UserStorageProviderFactory > and creating the EntityManager inside the UserStorageProviderFactory and then passing it on when creating a UserStorageProvider.
> > My UserStorageProviderFactory looks something like (with 4.6.0.Final & 4.7.0.Final) :
> [snip: same ExternalUserStorageProviderFactory listing as quoted in Steffen's message above]
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bart Lievens | Manager Classic Taskforce UnifiedPost Group Avenue Reine Astrid 92A, 1310 La Hulpe, Belgium T: +32 2 634 06 28 | M: +32 495 279 559 W: www.unifiedpost.com | E: Bart.Lievens at unifiedpost.com From keshav.sharma at shl.com Mon Dec 10 06:35:47 2018 From: keshav.sharma at shl.com (Keshav Sharma) Date: Mon, 10 Dec 2018 11:35:47 +0000 Subject: [keycloak-user] Single Sign out in Spring MVC App Message-ID: Hi, I want to logout from the application but when I am doing logout from one app and again using the login url it is redirecting me to the success page without doing authentication. Please provide the configuration that needs to be done in the spring mvc app so that I can configure logout correctly. Regards, ______________________________________________________ Keshav Sharma Software Engineer Direct: +91-124-479-6219 SHL | www.shl.com 9th Floor, Tower 10-B, DLF Cyber City, Phase II, Gurugram, Haryana - 122002, India ______________________________________________________ ________________________________ This e-mail and/or its attachments are intended only for the use of the addressee(s) and may contain confidential and legally privileged information belonging to SHL and/or its affiliates. If you have received this e-mail in error, please notify the sender and immediately destroy all copies of this email and its attachments.
The publication, copying, in whole or in part, or use or dissemination in any other way of this e-mail and attachments by anyone other than the intended person(s), is prohibited. If you would like to know how SHL collects, processes, uses, and stores personal data please go to www.shl.com/privacy to learn more. From timo.kockert at codecentric.de Mon Dec 10 06:35:46 2018 From: timo.kockert at codecentric.de (Timo Kockert) Date: Mon, 10 Dec 2018 12:35:46 +0100 Subject: [keycloak-user] HTTP status 400 from Tomcat after successful login In-Reply-To: References: Message-ID: Hello Luis, thanks for your reply! I was able to get a step further... I think. I added "ProxyPreserveHost On" to the VHost configuration. Now Keycloak redirects me to http://my-domain.tld/app (http without s) after the login. Something (I haven't figured out whether it's the HTTP Server or the Tomcat) redirects from HTTP to HTTPS after which the Tomcat returns 403 and prints the following message to the log: {"error":"invalid_grant","error_description":"Incorrect redirect_uri"} I guess the problem is the redirect to HTTP instead of HTTPS? I tried adding RequestHeader set X-Forwarded-Proto "https" to the VHost configuration but that didn't help. Any further advice? Btw, I didn't write the initial VHost configuration, "ProxyPassReverseCookiePath" was there when I started working on it. Probably from some template. Thanks in advance Timo On Mon, 10 Dec 2018 at 09:42, Luis Rodríguez Fernández wrote: > > Hello Timo, > > Perhaps enabling Tomcat access logging [1] can help you to debug this issue. > You can compare the request with mod_proxy with the one without. > > Out of curiosity: why do you need to set ProxyPassReverseCookiePath / /app/ > ? > > Hope it helps, > > Luis > > [1] > https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging > > On Sun, 9 Dec 2018 at 10:22, Timo Kockert > wrote: > > > Hello everyone, > > > > I have configured a web application, that is running in Tomcat, to > > authenticate users with Keycloak. Everything is running fine if I > > deploy the app to my local Tomcat, even when using the remote Keycloak > > instance. > > > > However, when I deploy the app to another Tomcat running behind an > > Apache HTTP Server, the following happens: > > > > * When I navigate to https://my-domain.tld/app I get redirected to the > > Keycloak login > > * After I log in successfully, Keycloak redirects me to > > :/app of the Tomcat > > * The Tomcat answers with HTTP status 400 > > > > My keycloak.json looks like this: > > > > { > > "realm": "cdb_test", > > "auth-server-url": "https://keycloak-server.tld/auth", > > "ssl-required": "external", > > "resource": "cdb_test", > > "public-client": true > > } > > > > The VHost is configured like this: > > > > ProxyPass /app http://:/app/ > > ProxyPassReverse /app http://:/app/ > > ProxyPassReverseCookiePath / /app/ > > > > I turned on debug logging for the Keycloak Tomcat adapter, see attachment. > > > > Any advice? > > > > Thanks in advance > > Timo > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." > > - Samuel Beckett > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Timo Kockert | Senior Software Engineer codecentric AG | dock14 | Am Mittelhafen 14 | 48155 Münster | Deutschland mobil: +49 151 1086 7040 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de | www.more4fi.de Registered office: Solingen | HRB 25917 | Wuppertal District Court Board: Michael Hochgürtel . Ulrich Kühn .
Rainer Vehns Supervisory board: Patric Fedlmeier (chairman) . Klaus Jäger . Jürgen Schütz This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted. From jonas.scherer at dkfz-heidelberg.de Mon Dec 10 09:03:46 2018 From: jonas.scherer at dkfz-heidelberg.de (Scherer, Jonas) Date: Mon, 10 Dec 2018 14:03:46 +0000 Subject: [keycloak-user] Gatekeeper security proxy configuration In-Reply-To: <1544446321736.91789@dkfz-heidelberg.de> References: <1544446321736.91789@dkfz-heidelberg.de> Message-ID: <1544450626451.28088@dkfz-heidelberg.de> Hey everybody, I try to replace the "old" keycloak security proxy (https://www.keycloak.org/docs/3.3/server_installation/topics/proxy.html) with Gatekeeper (https://github.com/keycloak/keycloak-gatekeeper). My setup is within Kubernetes and looks like: Keycloak | | Gatekeeper ---- reverse-proxy (Traefik) -- application So http://mypage/myapplication arrives at port 80 on Gatekeeper (GK). GK will check if the user is logged in and has the correct role and then will proxy the url to the service of my reverse-proxy, which will handle the routing to the corresponding application within the Kubernetes-cluster. Everything behind GK is just accessible inside the cluster. This is working with the old setup and Keycloak security-proxy, but with Gatekeeper everything is working as expected, except the proxying to the reverse proxy. It seems to redirect me to the kubernetes-service url instead of proxying the traffic through GK. The reverse-proxy service is just accessible within the Cluster so this will not work for me.
Is there a way to configure Gatekeeper to work just like the security proxy? Thank you for your help! Jonas From uo67113 at gmail.com Mon Dec 10 10:16:30 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Mon, 10 Dec 2018 16:16:30 +0100 Subject: [keycloak-user] HTTP status 400 from Tomcat after successful login In-Reply-To: References: Message-ID: Hello Timo, You have a couple of options: - Use https in your apache mod_proxy configuration (ProxyPass /app https://...) This implies having SSLProxyEngine on with the SSLProxyCACertificateFile pointing to your CA certificate. See the mod_ssl docs for more details on this [1]. For a PROD installation that would be my preferred option - For testing quickly you can always try to cheat keycloak by adding scheme="https" to your HTTP connector in tomcat [2]. Me, I do this for cheating the SAML adapter ;) [3] Hope it helps, Luis [1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyengine [2] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html [3] https://github.com/keycloak/keycloak/blob/79774d2f0730593d504072aaabb1b87d77e3968c/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java#L175 On Mon, 10 Dec 2018 at 12:39, Timo Kockert <timo.kockert at codecentric.de> wrote: > Hello Luis, > > thanks for your reply! > > I was able to get a step further... I think. > > I added "ProxyPreserveHost On" to the VHost configuration. Now > Keycloak redirects me to http://my-domain.tld/app (http without s) > after the login. Something (I haven't figured out whether it's the HTTP > Server or the Tomcat) redirects from HTTP to HTTPS after which the > Tomcat returns 403 and prints the following message to the log: > > {"error":"invalid_grant","error_description":"Incorrect redirect_uri"} > > I guess the problem is the redirect to HTTP instead of HTTPS?
> I tried
> adding
>
> RequestHeader set X-Forwarded-Proto "https"
>
> to the VHost configuration but that didn't help. Any further advice?
>
> Btw, I didn't write the initial VHost configuration,
> "ProxyPassReverseCookiePath" was there when I started working on it.
> Probably from some template.
>
> Thanks in advance
> Timo
>
>
> On Mon, 10 Dec 2018 at 09:42, Luis Rodríguez Fernández wrote:
> >
> > Hello Timo,
> >
> > Perhaps enabling tomcat access logging [1] can help you to debug this
> issue.
> > You can compare the request with mod_proxy with the one without.
> >
> > Out of curiosity: why do you need to set ProxyPassReverseCookiePath /
> /app/
> > ?
> >
> > Hope it helps,
> >
> > Luis
> >
> > [1]
> > https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
> >
> > On Sun, 9 Dec 2018 at 10:22, Timo Kockert (<timo.kockert at codecentric.de>)
> > wrote:
> >
> > > Hello everyone,
> > >
> > > I have configured a web application, that is running in Tomcat, to
> > > authenticate users with Keycloak. Everything is running fine if I
> > > deploy the app to my local Tomcat, even when using the remote Keycloak
> > > instance.
> > >
> > > However, when I deploy the app to another Tomcat running behind an
> > > Apache HTTP Server, the following happens:
> > >
> > > * When I navigate to https://my-domain.tld/app I get redirected to the
> > > Keycloak login
> > > * After I log in successfully, Keycloak redirects me to
> > > :/app of the Tomcat
> > > * The Tomcat answers with HTTP status 400
> > >
> > > My keycloak.json looks like this:
> > >
> > > {
> > >   "realm": "cdb_test",
> > >   "auth-server-url": "https://keycloak-server.tld/auth",
> > >   "ssl-required": "external",
> > >   "resource": "cdb_test",
> > >   "public-client": true
> > > }
> > >
> > > The VHost is configured like this:
> > >
> > > ProxyPass /app http://:/app/
> > > ProxyPassReverse /app http://:/app/
> > > ProxyPassReverseCookiePath / /app/
> > >
> > > I turned on debug logging for the Keycloak Tomcat adapter, see
> attachment.
> > >
> > > Any advice?
> > >
> > > Thanks in advance
> > > Timo
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > --
> >
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> >
> > - Samuel Beckett
>
> --
>
> Timo Kockert | Senior Software Engineer
>
> codecentric AG | dock14 | Am Mittelhafen 14 | 48155 Münster | Deutschland
> mobil: +49 151 1086 7040
> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de |
> www.more4fi.de
>
> Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
> Vorstand (Management Board): Michael Hochgärtel . Ulrich Kühn . Rainer Vehns
> Aufsichtsrat (Supervisory Board): Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz
>

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From manuel.waltschek at prisma-solutions.at Mon Dec 10 13:12:24 2018
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Mon, 10 Dec 2018 18:12:24 +0000
Subject: [keycloak-user] WG: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
In-Reply-To: <12e7f4fe7aab4802b9c5e68796a9634c@EXMBX24.SFP-Net.skyfillers.local>
References: <12e7f4fe7aab4802b9c5e68796a9634c@EXMBX24.SFP-Net.skyfillers.local>
Message-ID: <0384390c33d844ebaf305a2d72059459@EXMBX24.SFP-Net.skyfillers.local>

Hello,

I am sorry but am resending this because I got ignored for the third time now and I just can't figure out what to do.

If you cannot help me on this one, please give me a step by step explanation of how to configure an application as a service provider to authenticate against an external SAML idp (with keycloak IdP broker), since I cannot figure it out with the latest documentation.

Thank you,

Manuel

From: Manuel Waltschek
Sent: Friday, 7 December 2018 17:34
To: 'keycloak-user at lists.jboss.org'
Subject: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker

Hello there,

I am trying to configure my Keycloak server to act as an IdP broker for the samltest.id IdP (external IdP) and I want my application to authenticate against this external IdP.
I imported the IdP Metadata of samltest into my IdP settings and exported the following SP descriptor into the IdP of samltest:

Ovdow5dx1a_BxPju-WIV7_-LKmhBPUDGXMKEPsXoDYY
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
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

While "vde-tirol" is the client-id configured in my client and the ACS-url is the one I configured in the Fine Grain SAML Endpoint Configuration of my client.

After I try to access a protected resource I get redirected to a page of samltest telling me that something went wrong, and I detected that the authnrequest sent from my IdP broker did not have the ACS-url http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol

http://localhost:8180/auth/realms/prisma-keycloak-saml-idp>

I get the following Error from openSAML:

Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol' nor response location 'null' matched 'http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint'

Do you have a clue what went wrong? Is this intended behaviour, that the AssertionConsumerServiceURL in the AuthnRequest does not match?
Thank you in advance,

Manuel Waltschek

From dt at acutus.pro Mon Dec 10 17:16:00 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 11 Dec 2018 01:16:00 +0300
Subject: [keycloak-user] WG: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
In-Reply-To: <0384390c33d844ebaf305a2d72059459@EXMBX24.SFP-Net.skyfillers.local>
References: <12e7f4fe7aab4802b9c5e68796a9634c@EXMBX24.SFP-Net.skyfillers.local> <0384390c33d844ebaf305a2d72059459@EXMBX24.SFP-Net.skyfillers.local>
Message-ID: <1544480160.2648.1.camel@acutus.pro>

Hello Manuel, sorry for the late response,

You did almost everything right, except for a couple of things:

- You generally don't need to modify the ACS URL inside your SPSSODescriptor while importing it into a 3rd party IdP (samltest.id in your case). This is unless you want IdP-initiated SSO, in which case you should follow the doc [1] (paragraph beginning with "When using identity brokering"). I'd rather suggest that you get SP-initiated SSO working first, which doesn't require any tweaking of the SP metadata;

- You shouldn't override the client's ACS URL. The ACS of a client and the ACS of Keycloak facing the 3rd party IdP are different things. Trying to substitute one for the other you will create a loopback. (Probably you did that "in accordance" with the aforementioned paragraph, but it can be a bit misleading since it describes the process as if Keycloak were your 3rd party IdP, not samltest.id.)

With the above, I suggest that you recreate your samltest.id IdP in Keycloak, import metadata from https://samltest.id/saml/idp, then go to the Export tab and transfer the metadata verbatim to samltest.id. Second, undo any ACS URL modifications you've made to the client settings. After that, you should be able to access your application and sign in via the samltest IdP.

[1] https://www.keycloak.org/docs/latest/server_admin/#idp-initiated-login

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-10 at 18:12 +0000, Manuel Waltschek wrote:
> Hello,
>
> I am sorry but am resending this because I got ignored for the third time now and I just can't figure out what to do.
>
> If you cannot help me on this one, please give me a step by step explanation of how to configure an application as a service provider to authenticate against an external SAML idp (with keycloak IdP broker), since I cannot figure it out with the latest documentation.
>
> Thank you,
>
> Manuel
>
> From: Manuel Waltschek
> Sent: Friday, 7 December 2018 17:34
>
>
> To: 'keycloak-user at lists.jboss.org'
> Subject: Wrong AssertionConsumerServiceURL in AuthnRequest of IdP broker
>
> Hello there,
>
> I am trying to configure my Keycloak server to act as an IdP broker for the samltest.id IdP (external IdP) and I want my application to authenticate against this external IdP.
> I imported the IdP Metadata of samltest into my IdP settings and exported the following SP descriptor into the IdP of samltest:
>
>     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
>
>         Ovdow5dx1a_BxPju-WIV7_-LKmhBPUDGXMKEPsXoDYY
>
>             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 09Certificate>
>
>     urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
>
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol"
>         index="1" isDefault="true" />
>
>
>
> While "vde-tirol" is the client-id configured in my client and the ACS-url is the one I configured in the Fine Grain SAML Endpoint Configuration of my client.
>
> After I try to access a protected resource I get redirected to a page of samltest telling me that something went wrong, and I detected that the authnrequest sent from my IdP broker did not have the ACS-url http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol
>
>
>                 http://localhost:8180/auth/realms/prisma-keycloak-saml-idp>
>
>
> I get the following Error from openSAML:
>
> Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint/clients/vde-tirol' nor response location 'null' matched 'http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/prisma-keycloak-saml-idp/endpoint'
>
> Do you have a clue what went wrong? Is this intended behaviour, that the AssertionConsumerServiceURL in the AuthnRequest does not match?
>
> Thank you in advance,
>
> Manuel Waltschek
>

From dt at acutus.pro Mon Dec 10 17:42:57 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 11 Dec 2018 01:42:57 +0300
Subject: [keycloak-user] HTTP status 400 from Tomcat after successful login
In-Reply-To:
References:
Message-ID: <1544481777.2648.3.camel@acutus.pro>

Timo,

To secure a Tomcat webapp that is behind an SSL-terminating reverse proxy, you basically need a checklist of three items:

- make sure that your reverse proxy forwards all the necessary info to the backend, including hostname and protocol;
- in Tomcat, configure the proxy (host and "https" scheme) at the connector level;
- reflect the changes in the client config in Keycloak (use https:// and your proxy URL).

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-07 at 14:55 +0100, Timo Kockert wrote:
> Hello everyone,
>
> I have configured a web application, that is running in Tomcat, to
> authenticate users with Keycloak. Everything is running fine if I
> deploy the app to my local Tomcat, even when using the remote Keycloak
> instance.
>
> However, when I deploy the app to another Tomcat running behind an
> Apache HTTP Server, the following happens:
>
>
> * When I navigate to https://my-domain.tld/app I get redirected to the
> Keycloak login
> * After I log in successfully, Keycloak redirects me to
> :/app of the Tomcat
> * The Tomcat answers with HTTP status 400
>
> My keycloak.json looks like this:
>
> {
>   "realm": "cdb_test",
>
>   "auth-server-url": "https://keycloak-server.tld/auth",
>   "ssl-required": "external",
>   "resource": "cdb_test",
>   "public-client": true
> }
>
> The VHost is configured like this:
>
> ProxyPass /app http://:/app/
> ProxyPassReverse /app http://:/app/
> ProxyPassReverseCookiePath / /app/
>
> I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
>
> Any advice?
>
> Thanks in advance
> Timo

From dt at acutus.pro Mon Dec 10 23:27:32 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 11 Dec 2018 07:27:32 +0300
Subject: [keycloak-user] How to create a 'provisioning only' user in Keycloak?
In-Reply-To:
References:
Message-ID: <1544502452.14238.1.camel@acutus.pro>

Hello Thomas,

To authenticate, kcadm uses the direct grant and the client credentials grant (aka service account) against the admin-cli client. You can create an admin user and prohibit interactive login for him only with a one-line JavaScript authenticator inside your browser flow. This won't affect either of the grant types used by kcadm. A bit hacky, but should work 100%.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-10 at 10:41 +0100, Thomas Darimont wrote:
> Hello Keycloak-Users,
>
> I'd like to create users solely for Keycloak instance provisioning
> operations (e.g. via kcadm.sh), which should not be able to log in via the
> admin-console.
>
> Does anyone know a way to do this?
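What a provisioning-only identity looks like on the wire when it is a service account rather than a human user, as Dmitry's reply above (and Stian's later in the thread) suggest: an editor's example, not code from the thread or from the Keycloak project. It performs the OAuth2 client-credentials grant that kcadm.sh uses when given `--client` and `--secret`, then calls the admin REST API with the resulting bearer token. The server URL, realm, client id, secret and the user being created are placeholders, and the HTTP transport is a parameter so the exchange can be exercised without a server.

```python
"""Provisioning against the Keycloak admin API with a service account.

Editor's example (not from the thread or from Keycloak). A confidential
client "provisioning-cli" with "Service Accounts Enabled" is assumed, whose
service-account user holds only the realm-management role it needs
(manage-users). Such a user has no password and no browser flow, so it
cannot sign in to the admin console, which is the property Thomas asked for.
"""
import base64
import json
import urllib.parse
import urllib.request


def _urllib_transport(url, method, headers, body):
    """Real transport: returns (status, response headers, response body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, dict(resp.headers), resp.read()


def build_token_request(server, realm, client_id, client_secret):
    """Client-credentials token request using client_secret_basic.

    Only grant_type goes in the form body; the client authenticates through
    the Authorization header, so the secret never sits in the form-encoded
    body that access logs and proxies tend to capture."""
    url = f"{server.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return url, headers, body


def get_service_account_token(server, realm, client_id, client_secret,
                              transport=_urllib_transport):
    """Obtain an access token for the client's service-account user."""
    url, headers, body = build_token_request(server, realm, client_id, client_secret)
    status, _, data = transport(url, "POST", headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint answered {status}")
    return json.loads(data)["access_token"]


def create_user(server, realm, token, username, email,
                transport=_urllib_transport):
    """POST /admin/realms/{realm}/users and return the new user's id.

    Keycloak answers 201 with no body; the id is the last path segment of
    the Location header it sends back."""
    url = f"{server.rstrip('/')}/admin/realms/{realm}/users"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"username": username, "email": email,
                       "enabled": True}).encode()
    status, resp_headers, _ = transport(url, "POST", headers, body)
    if status != 201:
        raise RuntimeError(f"user creation answered {status}")
    location = next(v for k, v in resp_headers.items() if k.lower() == "location")
    return location.rsplit("/", 1)[-1]


if __name__ == "__main__":
    # Placeholders: adjust server, realm, client and secret to your setup.
    SERVER = "https://keycloak.example/auth"
    tok = get_service_account_token(SERVER, "master", "provisioning-cli",
                                    "PLACEHOLDER_SECRET")
    print(create_user(SERVER, "demo", tok, "alice", "alice@example.com"))
```

The same token is what `kcadm.sh config credentials --server ... --realm master --client provisioning-cli --secret ...` stores, so existing provisioning scripts keep working once the client is created; the human admin account can then carry the OTP requirement without breaking automation.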
>
> Cheers,
> Thomas

From dt at acutus.pro Mon Dec 10 23:40:33 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 11 Dec 2018 07:40:33 +0300
Subject: [keycloak-user] UserStorageProvider for an external database
In-Reply-To:
References:
Message-ID: <1544503233.14238.3.camel@acutus.pro>

Hello Bart,

Regarding your initial question on JNDI datasource vs. manual configuration - from the architect's standpoint, each of the approaches has its pros and cons (as always).

Your approach has an obvious benefit of automatic config propagation to the nodes, thanks to the Keycloak components model backed by Infinispan and a shared database. But if (or when) it comes to advanced configuration options like SSL, connection pooling, tracing etc., you'll end up reimplementing more and more datasource handling logic that has already been implemented in the corresponding Wildfly subsystem.

Having datasources configured in Wildfly (and accessed via JNDI) will get you rid of reinventing the wheel. However, in this case you need to take care of the proper config propagation to the cluster members. This is done automatically in the Keycloak/Wildfly domain mode, but for standalone and its variants you will have to use jboss-cli (maybe in combination with configuration management tools like Ansible etc.)

Many software products allow for both variants, either setting up connection properties manually or using a JNDI datasource configured at the application server level. I suggest that if you strive for a production-ready solution, you should consider implementing JNDI too.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sun, 2018-12-09 at 13:26 +0100, Bart Lievens wrote:
> Hello,
>
> I solved the problem not by adding a datasource to WildFly but by adding the configuration parameters to the UserStorageProviderFactory
> and creating the EntityManager inside the UserStorageProviderFactory and then passing it on when creating a UserStorageProvider.
>
> My UserStorageProviderFactory looks something like (with 4.6.0.Final & 4.7.0.Final) :
>
> import java.util.Arrays;
> import java.util.HashMap;
> import java.util.List;
> import java.util.Map;
> import java.util.Properties;
>
> import javax.persistence.EntityManager;
> import javax.persistence.EntityManagerFactory;
> import javax.persistence.Persistence;
> import javax.persistence.spi.PersistenceUnitTransactionType;
>
> import org.hibernate.cfg.AvailableSettings;
> import org.hibernate.engine.transaction.jta.platform.internal.JBossAppServerJtaPlatform;
> import org.hibernate.jpa.HibernatePersistenceProvider;
> import org.keycloak.common.util.EnvUtil;
> import org.keycloak.component.ComponentModel;
> import org.keycloak.component.ComponentValidationException;
> import org.keycloak.models.KeycloakSession;
> import org.keycloak.models.RealmModel;
> import org.keycloak.provider.ProviderConfigProperty;
> import org.keycloak.provider.ProviderConfigurationBuilder;
> import org.keycloak.storage.UserStorageProviderFactory;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> public class ExternalUserStorageProviderFactory implements UserStorageProviderFactory<ExternalUserStorageProvider> {
>     private static final Logger logger = LoggerFactory.getLogger(ExternalUserStorageProviderFactory.class);
>     private static final String CONF_NAME_JDBC_URL = "jdbcUrl";
>     private static final String CONF_NAME_JDBC_USER = "user";
>     private static final String CONF_NAME_JDBC_PASSWORD = "password";
>
>     protected static final List<ProviderConfigProperty> configMetadata;
>     // One EntityManager per component instance (keyed by component id),
>     // shared by every provider created for that component.
>     private Map<String, EntityManager> entityManagers = new HashMap<>();
>
>     static {
>         ProviderConfigurationBuilder builder = ProviderConfigurationBuilder.create();
>         builder.property().name(CONF_NAME_JDBC_URL).type(ProviderConfigProperty.STRING_TYPE).label("Jdbc Url")
>                .defaultValue("jdbc:postgresql://host:port/database")
>                .helpText("Postgres JDBC Connection URL to external user db")
>                .add();
>         builder.property().name(CONF_NAME_JDBC_USER).type(ProviderConfigProperty.STRING_TYPE).label("Jdbc User")
>                .helpText("JDBC Connection User")
>                .add();
>         builder.property().name(CONF_NAME_JDBC_PASSWORD).type(ProviderConfigProperty.PASSWORD).label("Jdbc Password")
>                .helpText("JDBC Connection Password")
>                .add();
>         configMetadata = builder.build();
>     }
>
>     @Override
>     public List<ProviderConfigProperty> getConfigProperties() {
>         return configMetadata;
>     }
>
>     @Override
>     public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel componentModel) throws ComponentValidationException {
>         if (componentModel.getConfig().getFirst(CONF_NAME_JDBC_URL) == null
>             || componentModel.getConfig().getFirst(CONF_NAME_JDBC_USER) == null
>             || componentModel.getConfig().getFirst(CONF_NAME_JDBC_PASSWORD) == null) {
>             throw new ComponentValidationException("The jdbc Url, User and Password are required");
>         }
>         try {
>             // Opening a connection here makes a bad URL or credential fail at save time in the admin console.
>             createEntityManager(componentModel);
>         } catch (Exception e) {
>             logger.warn("Invalid configuration {}", e.getCause() == null ? e.getMessage() : e.getCause().getMessage());
>             throw new ComponentValidationException("Could not setup jdbc connection : " + (e.getCause() == null ? e.getMessage() : e.getCause().getMessage()));
>         }
>     }
>
>     @Override
>     public ExternalUserStorageProvider create(KeycloakSession session, ComponentModel model) {
>         try {
>             if (entityManagers.get(model.getId()) == null) {
>                 createEntityManager(model);
>             }
>             return new ExternalUserStorageProvider(entityManagers.get(model.getId()), model, session);
>         } catch (Exception e) {
>             throw new RuntimeException(e);
>         }
>     }
>
>     @Override
>     public String getId() {
>         return "external-user-db";
>     }
>
>     @Override
>     public String getHelpText() {
>         return "External User Database Storage Provider";
>     }
>
>     private void createEntityManager(ComponentModel model) {
>         logger.info("creating entityManager for {}", model.getName());
>         Properties properties = getProperties(model);
>         EntityManagerFactory entityManagerFactory = Persistence.createEntityManagerFactory("external-user-storage", properties);
>         entityManagers.put(model.getId(), entityManagerFactory.createEntityManager());
>     }
>
>     private Properties getProperties(ComponentModel model) {
>         Properties properties = new Properties();
>         // Add class loader needed to find persistence.xml
>         properties.put(AvailableSettings.CLASSLOADERS, Arrays.asList(this.getClass().getClassLoader()));
>         // Set JPA properties
>         properties.put(AvailableSettings.JPA_PERSISTENCE_PROVIDER, HibernatePersistenceProvider.class.getName());
>         properties.put(AvailableSettings.JPA_TRANSACTION_TYPE, PersistenceUnitTransactionType.JTA.name());
>         // postgresql jdbc connection config; EnvUtil.replace expands ${env.X} placeholders
>         properties.put(AvailableSettings.JPA_JDBC_DRIVER, "org.postgresql.Driver");
>         properties.put(AvailableSettings.JPA_JDBC_URL, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_URL)));
>         properties.put(AvailableSettings.JPA_JDBC_USER, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_USER)));
>         properties.put(AvailableSettings.JPA_JDBC_PASSWORD, EnvUtil.replace(model.getConfig().getFirst(CONF_NAME_JDBC_PASSWORD)));
>         // hibernate
>         properties.put(AvailableSettings.DIALECT, org.hibernate.dialect.PostgreSQL95Dialect.class.getName());
>         properties.put(AvailableSettings.SHOW_SQL, Boolean.FALSE);
>         // set JTA properties
>         properties.put(AvailableSettings.JTA_PLATFORM, JBossAppServerJtaPlatform.class.getName());
>         return properties;
>     }
> }
>

From sthorger at redhat.com Tue Dec 11 02:53:05 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 11 Dec 2018 08:53:05 +0100
Subject: [keycloak-user] How to create a 'provisioning only' user in Keycloak?
In-Reply-To:
References:
Message-ID:

If I don't remember incorrectly, kcadm supports the client credentials grant. So you can use a service account instead of a regular user and use JWT based auth or mutual SSL.
Even client-id/secret would work, as service accounts can't log in to the admin console, but they can use admin endpoints.

On Mon, 10 Dec 2018 at 11:18, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hi Stian,
>
> Thanks for the quick response but that's not exactly what I want to do.
>
> I know how to add a keycloak user via add-user-keycloak.sh, what I don't
> know is how to ensure
> that this user can only be used for provisioning operations via kcadm.sh
> and is NOT able to use the admin-console.
>
> Background is:
> - I want to secure the keycloak admin user with an additional OTP token.
> This works fine for the admin-console but then I
> cannot use kcadm.sh anymore with that user, because of the additional
> token.
> - I now want to create a dedicated technical user for provisioning
> operations that cannot login to the admin-console.
>
> Cheers,
> Thomas
>
> On Mon, 10 Dec 2018 at 11:00, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> If you want this before startup you can use the add-user-keycloak.sh
>> script with "--roles". If you want it at runtime then kcadm.sh is your
>> friend, should be examples in the docs on how to do that one.
>>
>> On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>
>>> Hello Keycloak-Users,
>>>
>>> I'd like to create users solely for Keycloak instance provisioning
>>> operations (e.g. via kcadm.sh), which should not be able to log in via the
>>> admin-console.
>>>
>>> Does anyone know a way to do this?
>>>
>>> Cheers,
>>> Thomas
>>

From tahonen at redhat.com Tue Dec 11 07:31:01 2018
From: tahonen at redhat.com (Tero Ahonen)
Date: Tue, 11 Dec 2018 13:31:01 +0100
Subject: [keycloak-user] Problem accessing admin console in 4.7 keycloak
Message-ID:

Hi,

Just updated from 3.4 to 4.7, executed the migration script without errors etc. I'm running keycloak in a container in Openshift and getting invalid parameter redirect_uri when trying to login to the console. There is no error in the log when keycloak starts. The same config is working for 3.4.

The master realm's security-admin-console valid redirect url is /auth/admin/master/console/*

Log says

11:50:09,795 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.131.10.1, error=invalid_redirect_uri, redirect_uri= https://foobar.com/auth/admin/master/console/

Do I have to add a valid hostname / domain somewhere in the keycloak conf or wildfly conf?

.t

From vagelis.savvas at gmail.com Tue Dec 11 10:45:59 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Tue, 11 Dec 2018 17:45:59 +0200
Subject: [keycloak-user] Custom message in authenticator script
Message-ID:

Hello,

I have created a theme and extended the base login form with an extra input field.
I've also created a Script Authenticator that checks the value of the extra field and permits or not the authentication.
My authenticator script runs after the builtin 'Username Password form' (Browser flow).
Now I would like to do two things when authentication fails because of my script:

1. Use a custom i18n error message instead of showing one of the messages of the builtin AuthenticationFlowError. Is there a way to do so?
2. Stay on the login page and show the error message instead of being sent to a 'We're sorry...'
page with a link back to the login form.
For instance the builtin 'Username Password form' stays on the login form with an error message when authentication fails, which is nice and clean.
Currently I fail the authentication with 'context.clearUser(); context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);'
but I've tried various methods from 'context' without achieving either 1 or 2 of my requirements.

Cheers,
Vagelis

From manuel.waltschek at prisma-solutions.at Tue Dec 11 11:27:04 2018
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Tue, 11 Dec 2018 16:27:04 +0000
Subject: [keycloak-user] first login flow with SAML external IdP
Message-ID:

Hello there,

I have the use case that I want SP initiated SAML SSO against an external IdP. After successful login on the external IdP I get redirected to my brokering IdP which wants to do some Authentication flow stuff, but I would like to skip authentication against keycloak and just redirect to my application after the assertion was successfully verified.
After some research I found that this might not be implemented yet:
http://lists.jboss.org/pipermail/keycloak-user/2017-February/009605.html
https://issues.jboss.org/browse/KEYCLOAK-4240

So alternatively I thought of just importing a new user by following the steps of:
https://www.keycloak.org/docs/latest/server_admin/index.html#automatically-link-existing-first-login-flow

But what happens is that I see two requests on http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/login-actions/first-broker-login, the first one as GET with code 302, and after that the browser sends a POST to http://localhost:8180/auth/realms/prisma-keycloak-saml-idp/broker/after-first-broker-login?session_code=aCXwyrUGaBqNNyrfpi5LsYkKFe2L-_fUIaFBTeg_FsI&client_id=http%3A%2F%2Flocalhost%3A8080%2Fvde-tirol&tab_id=xH0H-u3taN0

As POST-param it got the following EncryptedAssertion from my idp-broker:

http://localhost:8180/auth/realms/prisma-keycloak-saml-idpJvFxhVjCdc85MCr2WZJN285h4zKGevcFN/8oSgGBk/k=ahd0C3jr3gSCaHR2UDqNbzr5lVPL+2Dd2IggVhUZSuTRq9BEQXxOwe3jLK/7CldG39rSPkpxkyTMvGRMhJT5fe0sWf9U3PcsbT0h1vGUqphIaFb8Y0TizYpkeTrN2jk+d6+h3WrVYiOXg8PNyww0Vf7ParqIdKMkrAsQ4NVAlW9FWHgleN3N7EpZtrFiwPo7YyEc+8i95TtNA063+9rfS7J35HmOem+UjZXPKWSsWSc/JqqKo9KTLydGEVn6Nt4/lTophMB9YOP0kV0h/IkHwO0/fCCvn8SAObIDHo9sTQt6uQOOp9RnYIxT0Q0FW8L9MSl7uAhgb1jK06njKrfelA==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tOvYIOqqSBJ+tXKfpH6g57E2/d+dvXTT8Jm7OLpMYTiBVuyHOkrGmw775aJGgv3zTh3Hy1fCksk2HHeBPBEsOuXRmhrQVMK9hIJqvFPylTi8XI0Erc3uk2VN0wJ2qFO2YWF8woqZyxBzA8y0lVGFDVc19nHzR8IqRib8PK4mwedbygcp/y4cq4Q3xxsJpT+hZLYd09HCpTdu8eLOc3wY3tZadLkGoGrVD3JsJudSt70jR7ta8+ghjib4h1V7vU9U+mnccPNwM+hSumfoTQP7swmFGn3GNsWCus+5yYl1cGwoPmWKkblmv4YzGd1Ylm/Sd4jxpoxn2ELGCuVv5Mqolw==AQABWBkcmRAsyrpLfkrhnDWX1OwEW80bK5ICUjsHIVfyCsk9PSnSvDdhJyh7ZMgOv6/mAOL3jSEKDoJn2evbLkJR7g3UXzZ5RdS84vj+IgkynoxQtWpfWsIeziwkBUPSpxlviVUEI+/d/LouLlCBbhHF7JLkX4284NVN/TPOS7y6FwgA2lLmWGYefvce0W3DxN+g1NZDKlIo1GZlMrU4TwwkSP9zyedS+wdG1k3GssWa7g2PqRLWQcW59V6shI5FDltvFZDSINQurAQkQ
PQeLm+ibrRT78Nmp1X9x19G3DQ1PlsO6O/m05n/Uj8qX3EhJA8RP1TXQ/yQrNKzwbc2IGi7zQ==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

As a response I get 405 Method not allowed and get redirected to a keycloak page saying "internal server error".

Why is this happening? Are there any good alternatives to this flow for my use case?

Thank you,
Manuel

From vikram.eswar at fleetroute.com Tue Dec 11 11:48:53 2018
From: vikram.eswar at fleetroute.com (Vikram)
Date: Tue, 11 Dec 2018 17:48:53 +0100
Subject: [keycloak-user] Keycloak Multi Tenancy implementation with login through javascript (a webpage)
Message-ID:

Hello all,

I want to assign different realms to different clients (organisations) in keycloak. The login to keycloak is achieved through a webpage which acquires a valid token from keycloak which is then passed with the rest requests that I make from my website to a springboot server that uses a keycloak adapter for authentication.

Now, the javascript adapter needs a keycloak configuration file that has details about the realm that I want to log in to. But, the problem is that I do not know which realm the user belongs to because he / she can be from any organisation, i.e. the login page for all organisations is the same.

What is the best way to achieve this? I assume that this kind of approach is quite common these days but cannot find a solution..

Regards,
Vikram

From vikram.eswar at fleetroute.com Tue Dec 11 11:52:56 2018
From: vikram.eswar at fleetroute.com (Vikram)
Date: Tue, 11 Dec 2018 17:52:56 +0100
Subject: [keycloak-user] Add user with a pre existing client role and group through Java
Message-ID:

Hi,

I am trying to add a user with a pre existing client role and group through java code in my springboot server. I want to achieve this through a logged in user that can only see / manage the users of his/her group, and also the newly created user should be assigned a group and a client role on creation.
The group should be the same as the group of the user that is logged in and the client role could be hardcoded.

Thanks,
Vikram

From geoff at opticks.io Tue Dec 11 13:00:32 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 11 Dec 2018 19:00:32 +0100
Subject: [keycloak-user] Keycloak Multi Tenancy implementation with login through javascript (a webpage)
In-Reply-To:
References:
Message-ID:

The javascript adapter's Keycloak object can be initialized with a JSON variable instead of using a config file. Could you use this to your advantage? In my case the clientId is variable, not the realm.

Maybe have an intermediate page where the user fills in his user name, which allows you to find the correct realm before redirecting to Keycloak?

On Tue, 11 Dec 2018 at 17:52, Vikram wrote:

> Hello all,
>
> I want to assign different realms to different clients (organisations)
> in keycloak. The login to keycloak is achieved through a webpage which
> acquires a valid token from keycloak which is then passed with the rest
> requests that I make from my website to a springboot server that uses a
> keycloak adapter for authentication.
>
> Now, the javascript adapter needs a keycloak configuration file that has
> details about the realm that I want to log in to. But, the problem is
> that I do not know which realm the user belongs to because he / she can
> be from any organisation, i.e. the login page for all organisations is the
> same.
>
> What is the best way to achieve this? I assume that this kind of
> approach is quite common these days but cannot find a solution..
>
> Regards,
> Vikram
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Regards,
Geoffrey Cleaves

From dt at acutus.pro Tue Dec 11 13:49:50 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 11 Dec 2018 21:49:50 +0300
Subject: [keycloak-user] Custom message in authenticator script
In-Reply-To:
References:
Message-ID: <1544554190.2046.1.camel@acutus.pro>

Hello Vagelis,

You can use the following snippet:

    function myError(context) {
        return context.form()
            .setError("My i18n-ed custom message", []).createLogin();
    }

    function authenticate(context) {

        ...

        if (authShouldFail) {
            var challengeResponse = myError(context);
            // context.failure(AuthenticationFlowError.INVALID_USER);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
            return;
        }

        context.success();

    }

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-12-11 at 17:45 +0200, Vagelis Savvas wrote:
> Hello,
> I have created a theme and extended the base login form with an extra input field.
> I've also created a Script Authenticator that checks the value of the extra field and permits or not the authentication.
> My authenticator script runs after the builtin 'Username Password form' (Browser flow).
> Now I would like to do two things when authentication fails because of my script:
>
> 1. Use a custom i18n error message instead of showing one of the messages of the builtin AuthenticationFlowError. Is there a way to do so?
> 2. Stay on the login page and show the error message instead of being sent to a 'We're sorry...' page with a link back to the login form.
> For instance the builtin 'Username Password form' stays on the login
> form with an error message when authentication fails which is nice and clean.
> Currently I fail the authentication with 'context.clearUser(); context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);'
> but I've tried various methods from 'context' without achieving either 1 or 2 of my requirements.
>
> Cheers,
> Vagelis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Dec 11 14:29:45 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 11 Dec 2018 22:29:45 +0300
Subject: [keycloak-user] OIDC Identity Provider userinfo parsing problem
In-Reply-To: <0B5FE54E105AE740942983F0F633CF85464161D8@EUIEX04.sos.eu>
References: <0B5FE54E105AE740942983F0F633CF85464161D8@EUIEX04.sos.eu>
Message-ID: <1544556585.2046.3.camel@acutus.pro>

Hello Simon,

I think you don't need to introduce a dedicated IdentityProvider to work around the dot issue. Instead, you can try creating a protocol mapper.

As for newer Keycloak versions, I can test it on Keycloak 4.7.0 if Signicat allows for some test/demo access. Do you have any info on it?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-10 at 10:02 +0000, Simon Buch Vogensen wrote:
> Hi
>
> We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as oidc identity provider.
> When keycloak requests userinfo from signicat the response does not parse correctly.
>
> Here is an example response.
>
> {"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"}
>
> The problem is the dot in the parameter name "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper resulting in the value not getting parsed at all.
>
> The fix I have come up with would be a
>
>     currentNode = baseNode.get(fieldPath);
>
> call after no node has been found. See line 206.
>
> I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak?
>
> Is this problem fixed in newer versions of keycloak?
>
> Thanks in advance
>
> Regards
> Simon Buch Vogensen
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Sebastian.Loesch at governikus.de Tue Dec 11 15:10:29 2018
From: Sebastian.Loesch at governikus.de (Lösch, Sebastian)
Date: Tue, 11 Dec 2018 20:10:29 +0000
Subject: [keycloak-user] Map authenticator information to AccessToken
Message-ID: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local>

Hello folks,

we would like to use keycloak to secure multiple applications using OIDC. Some applications have requirements on the authentication method the users are allowed to use for login. I know that it is possible to set the Authentication Flows for each OIDC client. That way it is possible to e.g. restrict the user login to X.509 certificate login for a certain application.

For us it would be better to allow multiple authentication methods, e.g. X.509 certificate login and username/password login, and let the application decide what the user is allowed to do depending on the level of assurance, i.e. the authentication method used.
Is it possible to write the authentication method to the AccessToken? Possibly by writing a custom IdentityProviderMapper?

Best regards,
Sebastian Lösch

--
Solution Engineering
Governikus GmbH & Co. KG

From dt at acutus.pro Tue Dec 11 16:21:26 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 12 Dec 2018 00:21:26 +0300
Subject: [keycloak-user] Map authenticator information to AccessToken
In-Reply-To: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local>
References: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local>
Message-ID: <1544563286.10225.1.camel@acutus.pro>

Hello Sebastian,

Keycloak internally tracks all the attempted authenticators together with their execution statuses, but this data is exposed to authenticators only, and in your case it needs to be passed down to the mappers. This can be solved with JavaScript authenticator + JavaScript mapper.

In your authenticator, retrieve execution statuses:

    var statuses = authenticationSession.getExecutionStatus();

Then process it and attach the data to the user session:

    authenticationSession.setUserSessionNote(key, val);

After that, the data will become available to the mapper:

    var foo = userSession.notes["foo"];

The authenticator should be placed as the last one in the flow, and should be marked as REQUIRED.

Feel free to ask any further questions,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-12-11 at 20:10 +0000, Lösch, Sebastian wrote:
> Hello folks,
>
> we would like to use keycloak to secure multiple applications using OIDC. Some applications have requirements on the authentication method the users are allowed to use for login. I know that it is possible to set the Authentication Flows for each OIDC client. That way it is possible to e.g. restrict the user login to X.509 certificate login for a certain application.
>
> For us it would be better to allow multiple authentication methods, e.g. X.509 certificate login and username/password login, and let the application decide what the user is allowed to do depending on the level of assurance, i.e. the authentication method used. Is it possible to write the authentication method to the AccessToken? Possibly by writing a custom IdentityProviderMapper?
>
> Best regards,
> Sebastian Lösch
>
> --
> Solution Engineering
> Governikus GmbH & Co. KG
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chris.savory at edlogics.com Tue Dec 11 23:15:06 2018
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 12 Dec 2018 04:15:06 +0000
Subject: [keycloak-user] Keycloak Themes not loading (in admin) after upgrading to 4.4
Message-ID:

We upgraded our Dev and Stage keycloak instances about a month ago to 4.4 with no issues. Today we took the exact same docker container that is deployed in our staging environment and moved it to production. Our custom theme is loading on the login pages, but the theme is not selectable in any of the realm admin pages. We checked the database and the themes are set correctly in the realm table. What could be the issue? We are running in a clustered mode with two keycloak instances.

--
Christopher Savory

From himalaya18 at gmail.com Wed Dec 12 00:01:33 2018
From: himalaya18 at gmail.com (Himalaya Gupta)
Date: Wed, 12 Dec 2018 10:31:33 +0530
Subject: [keycloak-user] Expire active token when user session is logged out
Message-ID:

Hi,

My Client is a ReactJS Application using the keycloak javascript adaptor.

I am trying the below scenario:

1. Login to the client application via the keycloak server and retrieve the access-token in the client.
2. Login to the Keycloak Admin console and logout the active session for the user for the given client.
3.
On the client application I observe the following: The token is still valid as it has not expired. When the token expires, the refresh token request is stuck in refreshing the token (probably stuck as the user is forcefully logged-out via AdminConsole).

Can you please let me know if there is a way to detect the inactive session and force the user to login even if the token is still valid via the JavaScript API?

When trying to refresh the token and if the user session is logged out, should the keycloak server just return an error instead of a pending response? Could this be a bug?

Any help would be appreciated in this regard.

Thank you

--
Best regards,
Himalaya Gupta

From vagelis.savvas at gmail.com Wed Dec 12 03:04:06 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Wed, 12 Dec 2018 10:04:06 +0200
Subject: [keycloak-user] Custom message in authenticator script
In-Reply-To: <1544554190.2046.1.camel@acutus.pro>
References: <1544554190.2046.1.camel@acutus.pro>
Message-ID: <53e98293-a239-a04d-df55-1a950cd493f9@gmail.com>

Thank you a lot Dmitry, that did the trick.

I had to add:

    context.resetFlow();

when my script fails the authentication because of invalid input on my extra (but optional) input field.

If I didn't reset the flow then a valid username/password but invalid input on my extra field would leave the flow in a state where hitting the refresh browser button would re-post and would cause the auth to succeed (because of the valid username/password).

Hope this sounds clear :-)

Cheers,
Vagelis

On 11/12/2018 20:49, Dmitry Telegin wrote:
> Hello Vagelis,
>
> You can use the following snippet:
>
>     function myError(context) {
>         return context.form()
>             .setError("My i18n-ed custom message", []).createLogin();
>     }
>
>     function authenticate(context) {
>
>         ...
>
>         if (authShouldFail) {
>             var challengeResponse = myError(context);
>             // context.failure(AuthenticationFlowError.INVALID_USER);
>             context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
>             return;
>         }
>
>         context.success();
>
>     }
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2018-12-11 at 17:45 +0200, Vagelis Savvas wrote:
>> Hello,
>> I have created a theme and extended the base login form with an extra input field.
>> I've also created a Script Authenticator that checks the value of the extra field and permits or not the authentication.
>> My authenticator script runs after the builtin 'Username Password form' (Browser flow).
>> Now I would like to do two things when authentication fails because of my script:
>>
>> 1. Use a custom i18n error message instead of showing one of the messages of the builtin AuthenticationFlowError. Is there a way to do so?
>> 2. Stay on the login page and show the error message instead of being sent to a 'We're sorry...' page with a link back to the login form.
>> For instance the builtin 'Username Password form' stays on the login form with an error message when authentication fails which is nice and clean.
>> Currently I fail the authentication with 'context.clearUser(); context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);'
>> but I've tried various methods from 'context' without achieving either 1 or 2 of my requirements.
>>
>> Cheers,
>> Vagelis
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kkcmadhu at yahoo.com Wed Dec 12 03:26:52 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Wed, 12 Dec 2018 08:26:52 +0000 (UTC)
Subject: [keycloak-user] start up of keycloak nodes roughly increases two folds for every 100 tenants.
In-Reply-To: <1050781910.1733453.1544105568610@mail.yahoo.com>
References: <2085409309.6617889.1543319173801.ref@mail.yahoo.com> <2085409309.6617889.1543319173801@mail.yahoo.com> <1050781910.1733453.1544105568610@mail.yahoo.com>
Message-ID: <58735361.3145851.1544603212111@mail.yahoo.com>

Hi,

Just an update. I ran another test, where I created tenants from scratch in keycloak 4.7. In that case, the startup time is pretty good: for about 900 tenants with 6 to 7 clients, 3 user groups, 3 to 4 custom mappers and 50 users in each tenant it takes less than 30 seconds (this was taking about 40 to 50 min in keycloak 4.5). This is really awesome.

But, when I upgrade from 4.5 to 4.7, the system does not even start up after 2 hours :(

On Thursday, 6 December, 2018, 7:42:48 PM IST, Madhu wrote:

Thanks Marek,

I tried with Keycloak 4.1.7, unfortunately, the start up time in my case has increased tremendously for my 621 tenants. The start up time for the keycloak node was about 40 mins, and after moving to 4.1.7 I see this increased to 1 hour 30 min + (still not starting)...

I also see that the cpu usage for the keycloak process is constantly 100%. I tried with c4.xlarge (4 core), upgraded to c4.2xlarge (8 core), still the cpu usage is 100% and there is no big difference in start up time (comes down by max 2 mins), i.e. 40 mins to 38 mins.

The connection pool size is set adequately large, 60+, but I don't see many sessions in my database instance (not more than 1 or 2 sessions).
The cpu usage in the database (mysql) is almost less than 1% and occasionally spikes to 2%.

Upon enabling hibernate stats in keycloak, I keep seeing messages like this:

2:21:53,612 INFO [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2)
Statistics[start time=1544098883667,sessions opened=1,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=0,connections obtained=11728,statements prepared=11728,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=15688,entities updated=0,entities inserted=0,entities deleted=0,entities fetched=91,collections loaded=10187,collections updated=0,collections removed=0,collections recreated=0,collections fetched=10187,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=1263,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=13]

Important entities statistics:
org.keycloak.models.jpa.entities.AuthenticationFlowEntity - inserted: 0, updated: 0, removed: 0, loaded: 1081, fetched: 0
org.keycloak.models.jpa.entities.RealmAttributeEntity - inserted: 0, updated: 0, removed: 0, loaded: 1909, fetched: 0
org.keycloak.models.jpa.entities.ComponentEntity - inserted: 0, updated: 0, removed: 0, loaded: 1079, fetched: 0
org.keycloak.models.jpa.entities.ProtocolMapperEntity - inserted: 0, updated: 0, removed: 0, loaded: 3419, fetched: 0
org.keycloak.models.jpa.entities.RoleEntity - inserted: 0, updated: 0, removed: 0, loaded: 271, fetched: 0
org.keycloak.models.jpa.entities.ClientScopeEntity - inserted: 0, updated: 0, removed: 0, loaded: 906, fetched: 0
org.keycloak.models.jpa.entities.RequiredActionProviderEntity - inserted: 0, updated: 0, removed: 0, loaded: 450, fetched: 0
org.keycloak.models.jpa.entities.AuthenticationExecutionEntity - inserted: 0, updated: 0, removed: 0, loaded: 2795, fetched: 0
org.keycloak.models.jpa.entities.ComponentConfigEntity - inserted: 0, updated: 0, removed: 0, loaded: 3235, fetched: 0
org.keycloak.models.jpa.entities.AuthenticatorConfigEntity - inserted: 0, updated: 0, removed: 0, loaded: 180, fetched: 0

Important collections statistics:
org.keycloak.models.jpa.entities.ClientScopeEntity.protocolMappers - recreated: 0, updated: 0, removed: 0, loaded: 901, fetched: 901
org.keycloak.models.jpa.entities.ClientScopeEntity.attributes - recreated: 0, updated: 0, removed: 0, loaded: 900, fetched: 900
org.keycloak.models.jpa.entities.ProtocolMapperEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 3419, fetched: 3419
org.keycloak.models.jpa.entities.AuthenticatorConfigEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 180, fetched: 180
org.keycloak.models.jpa.entities.AuthenticationFlowEntity.executions - recreated: 0, updated: 0, removed: 0, loaded: 1081, fetched: 1081
org.keycloak.models.jpa.entities.ComponentEntity.componentConfigs - recreated: 0, updated: 0, removed: 0, loaded: 1079, fetched: 1079
org.keycloak.models.jpa.entities.RequiredActionProviderEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 450, fetched: 450

Important queries statistics:
...........
..........................
select m.role.id from ClientScopeRoleMappingEntity m where m.clientScope = :clientScope
executionCount=900
executionAvgTime=0 ms

14:03:23,646 INFO [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2)
Statistics[start time=1544104973645,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=28,connections obtained=272,statements prepared=294,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=23,entities updated=2,entities inserted=30,entities deleted=0,entities fetched=0,collections loaded=154,collections updated=6,collections removed=0,collections recreated=8,collections fetched=154,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=73,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]

Important entities statistics:

Important collections statistics:

Important queries statistics:

14:03:53,647 INFO [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2)
Statistics[start time=1544105003646,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=37,connections obtained=189,statements prepared=211,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=13,entities updated=2,entities inserted=39,entities deleted=0,entities fetched=0,collections loaded=81,collections updated=6,collections removed=0,collections recreated=8,collections fetched=81,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=63,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]

Important entities statistics:

Important collections statistics:

Important queries statistics:

14:04:23,647 INFO [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2)
Statistics[start time=1544105033647,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=31,connections obtained=232,statements prepared=276,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=20,entities updated=4,entities inserted=35,entities deleted=0,entities fetched=0,collections loaded=121,collections updated=12,collections removed=0,collections recreated=16,collections fetched=121,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=69,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=1]

Important entities statistics:

Important collections statistics:

Important queries statistics:

14:04:53,646 INFO [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2)
Statistics[start time=1544105063647,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=32,connections obtained=235,statements prepared=257,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=19,entities updated=2,entities inserted=34,entities deleted=0,entities fetched=0,collections loaded=122,collections updated=6,collections removed=0,collections recreated=8,collections fetched=122,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=68,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]

Important entities statistics:

Important collections statistics:

Important queries statistics:

On Wednesday, 5 December, 2018, 2:09:55 PM IST, Marek Posolda wrote:

Hi,

I suggest upgrading to the latest 4.7.0.Final. I know there were some improvements in recent versions regarding this. However, you will still probably see some issues as we did not yet try to test with such a big amount of realms. We plan to improve on this use-case.

Marek

On 27/11/2018 12:46, Madhu wrote:
> Hi, I am using keycloak 4.5. I created about 600+ tenants with 50 users each for performance testing.
>
> Upon creating tenants the start up time of keycloak increases drastically. This seems to be due to pretty much all entities being loaded at start up.
> I tried disabling realm cache and user cache and it did not help. Can you suggest how to bring down the start up time?
>
> Is it absolutely necessary for keycloak to load everything at start up?
>
> This is an extract from hibernate stats I got on a c4.xlarge ec2 instance (4 core, 8 gig), keycloak configured with xms=xmx=5g.
>
> 2018-11-24 10:33:19,998 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 61) Envers integration enabled? : true
> 2018-11-24 10:33:20,499 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 61) HV000001: Hibernate Validator 5.3.6.Final
> 2018-11-24 10:33:21,296 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 61) HHH000397: Using ASTQueryTranslatorFactory
> ^C
> [centos at ip-172-31-45-199 log]$ 11:10:45,750 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     669457663 nanoseconds spent acquiring 92974 JDBC connections;
>     148185664 nanoseconds spent releasing 92974 JDBC connections;
>     1852958902 nanoseconds spent preparing 92974 JDBC statements;
>     35866600579 nanoseconds spent executing 92974 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections);
>     2197548626817 nanoseconds spent executing 14139 partial-flushes (flushing a total of* 1042012050 entities and 1042012050 collections*)
> }
> 11:10:45,780 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     7689387 nanoseconds spent acquiring 1 JDBC connections;
>     34263 nanoseconds spent releasing 1 JDBC connections;
>     8025969 nanoseconds spent preparing 1 JDBC statements;
>     909784 nanoseconds spent executing 1 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     3525215 nanoseconds spent executing 3 flushes (flushing a total of 3 entities and 0 collections);
>     0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)
> }
> 11:10:45,795 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
>     437680 nanoseconds spent acquiring 1 JDBC connections;
>     10539 nanoseconds spent releasing 1 JDBC connections;
>     465001 nanoseconds spent preparing 1 JDBC statements;
>     719260 nanoseconds spent executing 1 JDBC statements;
>     0 nanoseconds spent executing 0 JDBC batches;
>     0 nanoseconds spent performing 0 L2C puts;
>     0 nanoseconds spent performing 0 L2C hits;
>     0 nanoseconds spent performing 0 L2C misses;
>     0 nanoseconds spent executing 0 flushes (flushing a total of 0 entities and 0 collections);
>     17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections)
> }
>
> All my 600+ realms are pretty much the same, i.e. each realm has a client scope, a javascript mapper (to get all the realm roles into a resource role), a couple of attribute mappers, and 2 user groups (1 for admins and 1 for other users). I have about 50 users in each realm and all the users belong to one of the 2 user groups (no custom roles though).
>
> Also, I benchmarked the start up time after creating 50 or 100 realms and the start up time increases as the number of realms increases.
>
> I am able to manage as I have disabled the admin console and use rest endpoints, but still the start up time and loading pretty much everything seems a little weird.
>
> Please correct my understanding if I am wrong here.
>
> | No of Realms | Start up time in mins |
> | 0 realms     | 0.22 mins             |
> | 100 realms   | 2.34 mins             |
> | 200 realms   | 2.53 mins             |
> | 300 realms   | 5.34 mins             |
> | 400 realms   | 9.42 mins             |
> | 500 realms   | 14.6 mins             |
> | 650 realms   | 37 mins               |
>
> Likewise the time taken to create tenants also gradually increases (I use import to create realms), from about 3 seconds for the first few realms to about 30 sec for the 600th realm.
>
> Any advice/help will be appreciated.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Dec 12 04:08:26 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Dec 2018 10:08:26 +0100
Subject: [keycloak-user] start up of keycloak nodes roughly increases two folds for every 100 tenants.
In-Reply-To: <58735361.3145851.1544603212111@mail.yahoo.com>
References: <2085409309.6617889.1543319173801.ref@mail.yahoo.com> <2085409309.6617889.1543319173801@mail.yahoo.com> <1050781910.1733453.1544105568610@mail.yahoo.com> <58735361.3145851.1544603212111@mail.yahoo.com>
Message-ID: <69c64db8-c44c-856d-9896-a139719fe838@redhat.com>

On 12/12/2018 09:26, Madhu wrote:
> Hi,
>
> Just an update.
> I ran another test, where I created tenants from scratch in keycloak 4.7. In that case, the startup time is pretty good: for about 900 tenants with 6 to 7 clients, 3 user groups, 3 to 4 custom mappers and 50 users in each tenant it takes less than 30 seconds (this was taking about 40 to 50 min in keycloak 4.5). This is really awesome.
>
> But, when I upgrade from 4.5 to 4.7, the system does not even start up after 2 hours :(

Thanks for the update.
If you want to know the cuase, maybe you can try to enable debug logging in standalone.xml for category "org.keycloak.migration" and "org.keycloak.connections.jpa" ? I have some suspicion that the issue can be in the MigrateTo4_6_0 class, but not 100% sure. Anyway, my previous statement still applies - Keycloak has currently known limitations with big number of realms. The few use-cases (startup time) were fixed in 4.7, but there are probably plenty of others, which are not. And even if the migration issue is fixed, there will be still some others shown later... We generally want to improve performance with big number of realms. Hopefully there is a time to do more work in Keycloak 5.x. Marek > > > > > On Thursday, 6 December, 2018, 7:42:48 PM IST, Madhu > wrote: > > > Thanks Marek, > > I tried with Keycloak 4.1.7, unfortunately, the start up time in my > case has increased tremendously for my 621 tenants, the start up time > for keycloak node was about 40 mins, and after moving to 4.1.7 i see > this? increased to 1 hours 30 min + (still not starting)... > > > > I also see that the cpu usage for the keycloak process is constatnly > 100% .i tried with c4.xlarge (4 core) . > upgraded to c4.x2large( 8 core), still the? cpu usage is 100% and > there is no big difference in start up time ( comes down by max 2 > mins)i.e 40 mins to 38 mins. > > > The connection pool size is set adequately lareage 60 +,but i don't > see many session in my database instance (not more than1 or 2 sessions). > > The cpu usage in database (my sql is almost less than 1% and > occassionly spikes to 2%).. 
>
> upon enabling hibernate stats in keycloak, i keep seeing messages like this :
>
> 2:21:53,612 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544098883667,sessions opened=1,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=0,connections obtained=11728,statements prepared=11728,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=15688,entities updated=0,entities inserted=0,entities deleted=0,entities fetched=91,collections loaded=10187,collections updated=0,collections removed=0,collections recreated=0,collections fetched=10187,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=1263,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=13]
>
> Important entities statistics:
> org.keycloak.models.jpa.entities.AuthenticationFlowEntity - inserted: 0, updated: 0, removed: 0, loaded: 1081, fetched: 0
> org.keycloak.models.jpa.entities.RealmAttributeEntity - inserted: 0, updated: 0, removed: 0, loaded: 1909, fetched: 0
> org.keycloak.models.jpa.entities.ComponentEntity - inserted: 0, updated: 0, removed: 0, loaded: 1079, fetched: 0
> org.keycloak.models.jpa.entities.ProtocolMapperEntity - inserted: 0, updated: 0, removed: 0, loaded: 3419, fetched: 0
> org.keycloak.models.jpa.entities.RoleEntity - inserted: 0, updated: 0, removed: 0, loaded: 271, fetched: 0
> org.keycloak.models.jpa.entities.ClientScopeEntity - inserted: 0, updated: 0, removed: 0, loaded: 906, fetched: 0
> org.keycloak.models.jpa.entities.RequiredActionProviderEntity - inserted: 0, updated: 0, removed: 0, loaded: 450, fetched: 0
> org.keycloak.models.jpa.entities.AuthenticationExecutionEntity - inserted: 0, updated: 0, removed: 0, loaded: 2795, fetched: 0
> org.keycloak.models.jpa.entities.ComponentConfigEntity - inserted: 0, updated: 0, removed: 0, loaded: 3235, fetched: 0
> org.keycloak.models.jpa.entities.AuthenticatorConfigEntity - inserted: 0, updated: 0, removed: 0, loaded: 180, fetched: 0
>
> Important collections statistics:
> org.keycloak.models.jpa.entities.ClientScopeEntity.protocolMappers - recreated: 0, updated: 0, removed: 0, loaded: 901, fetched: 901
> org.keycloak.models.jpa.entities.ClientScopeEntity.attributes - recreated: 0, updated: 0, removed: 0, loaded: 900, fetched: 900
> org.keycloak.models.jpa.entities.ProtocolMapperEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 3419, fetched: 3419
> org.keycloak.models.jpa.entities.AuthenticatorConfigEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 180, fetched: 180
> org.keycloak.models.jpa.entities.AuthenticationFlowEntity.executions - recreated: 0, updated: 0, removed: 0, loaded: 1081, fetched: 1081
> org.keycloak.models.jpa.entities.ComponentEntity.componentConfigs - recreated: 0, updated: 0, removed: 0, loaded: 1079, fetched: 1079
> org.keycloak.models.jpa.entities.RequiredActionProviderEntity.config - recreated: 0, updated: 0, removed: 0, loaded: 450, fetched: 450
>
> Important queries statistics:
> ...........
> ..........................
> select m.role.id from ClientScopeRoleMappingEntity m where m.clientScope = :clientScope
> executionCount=900
> executionAvgTime=0 ms
>
> 14:03:23,646 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544104973645,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=28,connections obtained=272,statements prepared=294,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=23,entities updated=2,entities inserted=30,entities deleted=0,entities fetched=0,collections loaded=154,collections updated=6,collections removed=0,collections recreated=8,collections fetched=154,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=73,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]
>
> Important entities statistics:
>
> Important collections statistics:
>
> Important queries statistics:
>
> 14:03:53,647 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544105003646,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=37,connections obtained=189,statements prepared=211,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=13,entities updated=2,entities inserted=39,entities deleted=0,entities fetched=0,collections loaded=81,collections updated=6,collections removed=0,collections recreated=8,collections fetched=81,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=63,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]
>
> Important entities statistics:
>
> Important collections statistics:
>
> Important queries statistics:
>
> 14:04:23,647 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544105033647,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=31,connections obtained=232,statements prepared=276,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=20,entities updated=4,entities inserted=35,entities deleted=0,entities fetched=0,collections loaded=121,collections updated=12,collections removed=0,collections recreated=16,collections fetched=121,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=69,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=1]
>
> Important entities statistics:
>
> Important collections statistics:
>
> Important queries statistics:
>
> 14:04:53,646 INFO  [org.keycloak.connections.jpa.HibernateStatsReporter] (Timer-2) Statistics[start time=1544105063647,sessions opened=0,sessions closed=0,transactions=0,successful transactions=0,optimistic lock failures=0,flushes=32,connections obtained=235,statements prepared=257,statements closed=0,second level cache puts=0,second level cache hits=0,second level cache misses=0,entities loaded=19,entities updated=2,entities inserted=34,entities deleted=0,entities fetched=0,collections loaded=122,collections updated=6,collections removed=0,collections recreated=8,collections fetched=122,naturalId queries executed to database=0,naturalId cache puts=0,naturalId cache hits=0,naturalId cache misses=0,naturalId max query time=0,queries executed to database=68,query cache puts=0,query cache hits=0,query cache misses=0,update timestamps cache puts=0,update timestamps cache hits=0,update timestamps cache misses=0,max query time=0]
>
> Important entities statistics:
>
> Important collections statistics:
>
> Important queries statistics:
>
> On Wednesday, 5 December, 2018, 2:09:55 PM IST, Marek Posolda wrote:
>
> Hi,
>
> I suggest to upgrade to latest 4.7.0.Final. I know there were some improvements in recent version regarding this.
>
> However you will still probably see some issues as we did not yet try to test with so big amount of realms. We plan to improve on this use-case.
>
> Marek
>
> On 27/11/2018 12:46, Madhu wrote:
> > Hi I am using keycloak 4.5. i created about 600+ tenants with 50 users each for a performance testing.
> >
> > Upon creating tenants the start up time of keycloak increases drastically. This seems to be due to pretty much all entities at start up..
> > I tried disabling realm cache, user cache and did not help.. can you suggest how to bring down the start up time?
> >
> > Is it absolutely necessary for keycloak to load every thing at start up??
> >
> > This is an extract from hibernate stat i got on a c4 xlarge ec2 instance (4 core 8 gig), keycloak configured with xms=xmx=5g.
> >
> > 018-11-24 10:33:19,998 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 61) Envers integration enabled : true
> > 2018-11-24 10:33:20,499 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 61) HV000001: Hibernate Validator 5.3.6.Final
> > 2018-11-24 10:33:21,296 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 61) HHH000397: Using ASTQueryTranslatorFactory
> > ^C
> > [centos at ip-172-31-45-199 log]$
> > 11:10:45,750 INFO  [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
> >     669457663 nanoseconds spent acquiring 92974 JDBC connections;
> >     148185664 nanoseconds spent releasing 92974 JDBC connections;
> >     1852958902 nanoseconds spent preparing 92974 JDBC statements;
> >     35866600579 nanoseconds spent executing 92974 JDBC statements;
> >     0 nanoseconds spent executing 0 JDBC batches;
> >     0 nanoseconds spent performing 0 L2C puts;
> >     0 nanoseconds spent performing 0 L2C hits;
> >     0 nanoseconds spent performing 0 L2C misses;
> >     543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections);
> >     2197548626817 nanoseconds spent executing 14139 partial-flushes (flushing a total of *1042012050 entities and 1042012050 collections*)
> > }
> > 11:10:45,780 INFO  [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
> >     7689387 nanoseconds spent acquiring 1 JDBC connections;
> >     34263 nanoseconds spent releasing 1 JDBC connections;
> >     8025969 nanoseconds spent preparing 1 JDBC statements;
> >     909784 nanoseconds spent executing 1 JDBC statements;
> >     0 nanoseconds spent executing 0 JDBC batches;
> >     0 nanoseconds spent performing 0 L2C puts;
> >     0 nanoseconds spent performing 0 L2C hits;
> >     0 nanoseconds spent performing 0 L2C misses;
> >     3525215 nanoseconds spent executing 3 flushes (flushing a total of 3 entities and 0 collections);
> >     0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)
> > }
> > 11:10:45,795 INFO  [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool -- 61) Session Metrics {
> >     437680 nanoseconds spent acquiring 1 JDBC connections;
> >     10539 nanoseconds spent releasing 1 JDBC connections;
> >     465001 nanoseconds spent preparing 1 JDBC statements;
> >     719260 nanoseconds spent executing 1 JDBC statements;
> >     0 nanoseconds spent executing 0 JDBC batches;
> >     0 nanoseconds spent performing 0 L2C puts;
> >     0 nanoseconds spent performing 0 L2C hits;
> >     0 nanoseconds spent performing 0 L2C misses;
> >     0 nanoseconds spent executing 0 flushes (flushing a total of 0 entities and 0 collections);
> >     17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections)
> >
> > All My 600+ realms are pretty much same i.e. each realm has a client scope, a java script mapper (to get all the realm roles into resource role), couple of attribute mappers, 2 user groups (1 for admins and 1 for other users). i have about 50 users in each realm and all the users belong to one of the 2 user groups (no custom roles though)..
> >
> > Also, I bench marked the start up time after creating 50 or 100 realms and the start up time increases as the number of realms increases.
> >
> > I am able to manage as i have disabled the admin console and use rest endpoints.. but still the start up time and loading pretty much every thing seems little weird.
> >
> > Please correct my understanding if i am wrong here..
> >
> > | No of Realms | Start up time in mins |
> > | 0 realms     | 0.22 mins             |
> > | 100 realms   | 2.34 mins             |
> > | 200 realms   | 2.53 mins             |
> > | 300 realms   | 5.34 mins             |
> > | 400 realms   | 9.42 mins             |
> > | 500 realms   | 14.6 mins             |
> > | 650 realms   | 37 mins               |
> >
> > Like wise the time taken to create tenants too gradually increases (i use import to create realms)
> >
> > from about 3 seconds for first few realms to about 30 sec for 600th realm..
> >
> > Any advise /help will be appreciated.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From subscription.sites at gmail.com Wed Dec 12 05:13:02 2018
From: subscription.sites at gmail.com (subscription sites)
Date: Wed, 12 Dec 2018 11:13:02 +0100
Subject: [keycloak-user] deciding on using keycloak or not
Message-ID:

Hi there,

Just a general question: I'm currently deciding on which opensource SSO-solution I should use in a project. From what I can gather, Keycloak has all the features I need. There is however one caveat here: the recent acquisition by IBM. I'm wondering if there could be a potential consequence for keycloak and if so, what could it be? Could the project be completely cancelled? Could the product disappear altogether or fall without any support?

I know that there probably isn't any clear information about this, even at IBM/Redhat internally at the moment, but I don't want to choose a product, integrate multiple applications with it and then get stuck in a year or so having to do it all over again.

Any ideas/input?

Kind regards,
P.

From testoauth55 at gmail.com Wed Dec 12 05:20:45 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Wed, 12 Dec 2018 15:50:45 +0530
Subject: [keycloak-user] Authorization : Scope cannot be added to multiple permission
Message-ID:

(The configuration discussed below is done under the Authorization tab)

I have created Authorization Scope. When I create 2 scope based permissions: *Perm1 and Perm2* and add this scope to both, *no error is shown and scope is successfully added.* But when I look at the scopes at my client end, I see that only 1 permission has that scope. (scope gets reflected in whichever permission is added at the end. It gets disappeared from previous permission).

Is this the intended behavior?

The way I checked the scopes is by intercepting request and obtaining permission list in my Java client.
    import java.util.Collections;
    import java.util.List;
    import java.util.Set;
    import org.keycloak.AuthorizationContext;
    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.idm.authorization.Permission;

    KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
    // authzContext may be null; an empty list keeps the loop below from throwing a NullPointerException
    List<Permission> permList = (authzContext == null) ? Collections.<Permission>emptyList() : authzContext.getPermissions();
    for (Permission perm : permList) {
        Set<String> scopeList = perm.getScopes(); // scope names granted by this permission
        // other stuff
    }

From kkcmadhu at yahoo.com Wed Dec 12 07:30:48 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Wed, 12 Dec 2018 12:30:48 +0000 (UTC)
Subject: [keycloak-user] start up of keycloak nodes roughly increases two folds for every 100 tenants.
In-Reply-To: <69c64db8-c44c-856d-9896-a139719fe838@redhat.com>
References: <2085409309.6617889.1543319173801.ref@mail.yahoo.com> <2085409309.6617889.1543319173801@mail.yahoo.com> <1050781910.1733453.1544105568610@mail.yahoo.com> <58735361.3145851.1544603212111@mail.yahoo.com> <69c64db8-c44c-856d-9896-a139719fe838@redhat.com>
Message-ID: <566684338.3214705.1544617848274@mail.yahoo.com>

Hi Marek,

Thanks for quick response and you are right. i see migrate to 4_6 all over my logs...

      name: keycloak-default      ...]
2018-12-12 11:28:00,787 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 64) HHH000412: Hibernate Core {5.3.6.Final}
2018-12-12 11:28:00,789 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000206: hibernate.properties not found
2018-12-12 11:28:00,968 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons Annotations {5.0.4.Final}
2018-12-12 11:28:01,167 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 64) HHH000400: Using dialect: org.hibernate.dialect.MySQL57Dialect
2018-12-12 11:28:01,216 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 64) Envers integration enabled : true
2018-12-12 11:28:01,830 INFO  [org.hibernate.orm.beans] (ServerService Thread Pool -- 64) HHH10005002: No explicit CDI BeanManager reference was passed to Hibernate, but CDI is available on the Hibernate ClassLoader.
2018-12-12 11:28:01,903 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 6.0.13.Final
2018-12-12 11:28:03,601 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory
2018-12-12 11:28:04,097 DEBUG [org.keycloak.migration.MigrationModelManager] (ServerService Thread Pool -- 64) Migrating older model to 4.6.0
2018-12-12 11:47:56,674 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes
2018-12-12 11:48:12,272 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Client scope 'roles' assigned to all the clients
2018-12-12 11:48:14,004 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes
2018-12-12 11:48:29,549 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Client scope 'roles' assigned to all the clients
2018-12-12 11:48:31,292 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes
2018-12-12 11:48:46,667 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Client scope 'roles' assigned to all the clients
2018-12-12 11:48:48,383 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes
2018-12-12 11:49:03,859 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Client scope 'roles' assigned to all the clients
2018-12-12 11:49:05,558 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes
2018-12-12 11:49:21,108 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Client scope 'roles' assigned to all the clients
2018-12-12 11:49:22,869 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes
2018-12-12 11:49:38,398 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Client scope 'roles' assigned to all the clients
2018-12-12 11:49:40,154 DEBUG [org.keycloak.migration.migrators.MigrateTo4_6_0] (ServerService Thread Pool -- 64) Added 'roles' and 'web-origins' default client scopes

On Wednesday, 12 December, 2018, 2:38:32 PM IST, Marek Posolda wrote:

On 12/12/2018 09:26, Madhu wrote:

Hi,

Just an update. I ran another test, where i created tenants from scratch in keycloak 4.7, in that case, the startup time is pretty good, for about 900 tenants with 6 to 7 clients, 3 user groups, 3 to 4 custom mappers and 50 users in each tenant takes less than 30 seconds (this was taking about 40 to 50 min) in keycloak 4.5... This is really awesome..

But, when i upgrade from 4.5 to 4.7, the system does not even start up after 2 hours :(

Thanks for the update.

From kkcmadhu at yahoo.com Wed Dec 12 08:58:49 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Wed, 12 Dec 2018 13:58:49 +0000 (UTC)
Subject: [keycloak-user] importing/exporting users alone in keycloak
References: <381304704.3293505.1544623129114.ref@mail.yahoo.com>
Message-ID: <381304704.3293505.1544623129114@mail.yahoo.com>

is there a way to import/export users alone in keycloak?

"bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=" seems to export the entire realm. i am interested in importing users info alone (i.e user, user attribute, user role mapping, user user group association). any suggestions?

Madhu

From nikola.malenic at netsetglobal.rs Wed Dec 12 12:00:05 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 12 Dec 2018 18:00:05 +0100
Subject: [keycloak-user] Keycloak email behind reverse proxy
Message-ID: <00c801d4923c$216cf9b0$6446ed10$@netsetglobal.rs>

Hello,

I want to send an email to the user to update his password after he gets created using Keycloak's API. One note: I am doing user creation in a different application than Keycloak and then call Keycloak in the Admin client's name.
Here is how I do this currently:

userRessource.get(id).executeActionsEmail(Arrays.asList("UPDATE_PASSWORD"));

The problem is that I have a reverse proxy in front of Keycloak, so users won't be able to access Keycloak at all, and the email that is sent has a URL pointing to Keycloak's address. Is there a way to configure Keycloak to somehow send the email with a URL pointing to the reverse proxy?

Thanks in advance,
Nikola

From geoff at opticks.io  Wed Dec 12 12:01:17 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Wed, 12 Dec 2018 18:01:17 +0100
Subject: [keycloak-user] Only permit social login for existing, linked accounts
Message-ID:

How can I allow identity providers like Google to only be used to log in with an existing account? I'm sure this has been asked (I see the questions) and answered (this I can't find), and it must have something to do with custom authentication flows. I've made a copy of the First Broker Login flow and messed around with priorities and requirements, but I can't get it right.

Thanks,
Geoff

From nikola.malenic at netsetglobal.rs  Wed Dec 12 12:08:15 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 12 Dec 2018 18:08:15 +0100
Subject: [keycloak-user] Keycloak behind reverse proxy
Message-ID: <00d401d4923d$455362a0$cffa27e0$@netsetglobal.rs>

I configured mutual-SSL authentication on Keycloak. That means that a user coming to Keycloak does an SSL handshake, allowing Keycloak to extract data from the client certificate, map that data to an existing user in Keycloak, and authenticate the user based on that.

Now, I need to configure a reverse proxy in front of Keycloak. I'm using Apache's httpd. The problem is that the user's browser now does the SSL handshake with the reverse proxy server instead of Keycloak and sends a plain HTTP request, which prevents Keycloak from mapping and authenticating the user.

Is there a proposed method to achieve this? Can I configure some reverse proxy (maybe not httpd) to proxy requests on the transport layer?
Or should I somehow configure Keycloak for this? Maybe configure the proxy to be KC's client and do the authentication somehow?

Many thanks,
Nikola

From rnori at redhat.com  Wed Dec 12 12:20:20 2018
From: rnori at redhat.com (Ravi Shankar Nori)
Date: Wed, 12 Dec 2018 12:20:20 -0500
Subject: [keycloak-user] Keycloak revoke endpoint
Message-ID:

Hi,

I am working on integrating oVirt Engine with Keycloak as an external authentication provider. In oVirt we have Java/Ruby/Python SDKs that need to obtain a token directly from Keycloak and then revoke the token at the end of the session. I see Keycloak has a logout endpoint that takes the refresh token to perform logout. Is there another endpoint that can take the access token to perform the logout, like a "revoke" endpoint?

Thanks,
Ravi

From vagelis.savvas at gmail.com  Wed Dec 12 12:32:37 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Wed, 12 Dec 2018 19:32:37 +0200
Subject: [keycloak-user] Run script on logout
Message-ID: <0fdca98b-74dd-14d4-1c6f-65fc16163424@gmail.com>

Hello,

Is there a way to run custom code on a user logout? Something like an authenticator script would be ideal, but if that's not possible, which are the available options, if any?

Cheers,
Vagelis

From ionel.gardais at tech-advantage.com  Wed Dec 12 14:18:09 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Wed, 12 Dec 2018 20:18:09 +0100 (CET)
Subject: [keycloak-user] [FGTSPAM] Keycloak behind reverse proxy
In-Reply-To: <00d401d4923d$455362a0$cffa27e0$@netsetglobal.rs>
References: <00d401d4923d$455362a0$cffa27e0$@netsetglobal.rs>
Message-ID: <2120306582.214984.1544642289613.JavaMail.zimbra@tech-advantage.com>

Hi Nikola,

May I suggest you have a look at haproxy as a reverse proxy? It could handle cert passthrough for you.
http://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original Message -----
From: "Nikola Malenic"
To: "keycloak-user"
Sent: Wednesday 12 December 2018 18:08:15
Subject: [FGTSPAM] [keycloak-user] Keycloak behind reverse proxy

I configured mutual-SSL authentication on Keycloak. That means that a user coming to Keycloak does an SSL handshake, allowing Keycloak to extract data from the client certificate, map that data to an existing user in Keycloak, and authenticate the user based on that.

Now, I need to configure a reverse proxy in front of Keycloak. I'm using Apache's httpd. The problem is that the user's browser now does the SSL handshake with the reverse proxy server instead of Keycloak and sends a plain HTTP request, which prevents Keycloak from mapping and authenticating the user.

Is there a proposed method to achieve this? Can I configure some reverse proxy (maybe not httpd) to proxy requests on the transport layer? Or should I somehow configure Keycloak for this? Maybe configure the proxy to be KC's client and do the authentication somehow?

Many thanks,
Nikola

From jernej.porenta at 3fs.si  Wed Dec 12 14:46:29 2018
From: jernej.porenta at 3fs.si (Jernej Porenta)
Date: Wed, 12 Dec 2018 20:46:29 +0100
Subject: [keycloak-user] 4.6.0 Upgrade disables client scopes
In-Reply-To:
References: <01F89E35-A10A-41BB-8570-73B08353AC62@sap.com> <99650048-66d6-e6e5-fee6-e092c0439c9b@redhat.com>
Message-ID:

Anyone with the solution to it?
br, Jernej

> On 21 Nov 2018, at 18:07, Lamina, Marco wrote:
>
> To answer your questions:
> - I upgraded from 4.5.0 to 4.6.0
> - Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
> - Even when I create a new client and add the scope, it is not added to the token
>
> Thanks,
> Marco
>
>
> On 11/21/18, 5:19 AM, "Marek Posolda" wrote:
>
>     No, it doesn't need to be updated in any profile like Token Exchange.
>
>     The question is, from which version did you upgrade? Note that during the upgrade to 4.0.0, the realm default client scopes are not automatically linked to the clients. The thing is, clients from the previous version already have some protocolMappers defined on them, so the clientScopes are not added to them. You may need to change your clients manually: remove the protocolMappers from them and link them to the default client scopes.
>
>     Just the new clients, which you create now through the admin UI, will have the client scopes added to them. See details in the docs:
>     https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes
>
>     BTW. When you're on a client, you can click "Client Scopes" and then "Evaluate" to see which client scopes are applied, and check which clientScopes will be applied based on the value of the "scope" parameter.
>
>     Marek
>
>     On 21/11/2018 01:55, Lamina, Marco wrote:
>> Hi,
>> I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the "scope" parameter is ignored and none of my default client scopes are applied. The "scope" claim in the token endpoint response is always empty.
>> Is that a feature that needs to be enabled, similar to the token exchange?
>>
>> [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>
>> Thanks,
>> Marco

From keshav.sharma at shl.com  Wed Dec 12 15:16:13 2018
From: keshav.sharma at shl.com (Keshav Sharma)
Date: Wed, 12 Dec 2018 20:16:13 +0000
Subject: [keycloak-user] 4.6.0 Class cast exception
Message-ID:

Hi All,

I am getting the below exception. Can anyone help me out in fixing the below issue? Very urgent.

Issue:

private KeycloakSecurityContext getSession(HttpServletRequest req) {
    return (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
}

I am getting a class cast exception: RefreshKeycloakSecurityContext cannot be cast to KeycloakSecurityContext.

Thanks in advance,

Regards,
Keshav Sharma

From chris.savory at edlogics.com  Wed Dec 12 16:05:14 2018
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 12 Dec 2018 21:05:14 +0000
Subject: [keycloak-user] Keycloak Themes not loading (in admin) after upgrading to 4.4
In-Reply-To:
References:
Message-ID:

I think we figured out the problem. We are doing "chmod -R 777 /opt/jboss/keycloak/themes" in the Dockerfile, but for some reason the jboss user gets a permission denied when trying to read our custom files (it reads the keycloak and base themes fine). If we root into the Docker container and manually change the file permissions, everything starts working as it should. So something is going wrong between the Docker build and Docker run of our keycloak app. We are working with our hosting provider to try to figure it out.
--
Christopher Savory

On 12/11/18, 10:18 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Chris Savory" wrote:

    We upgraded our Dev and Stage keycloak instances about a month ago to 4.4 with no issues. Today we took the exact same Docker container that is deployed in our staging environment and moved it to production. Our custom theme is loading on the login pages, but the theme is not selectable in any of the realm admin pages. We checked the database and the themes are set correctly in the realm table. What could be the issue? We are running in a clustered mode with two keycloak instances.

    --
    Christopher Savory

From marco.lamina at sap.com  Wed Dec 12 19:21:55 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Thu, 13 Dec 2018 00:21:55 +0000
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
Message-ID: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>

Hi,

I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID "dataset-42" and two scopes, "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
  "scopes": ["view"],
  "rsid": "dataset-42",
  "rsname": "urn:atlas-api:resources:dataset:42"
}]

When setting "response_mode=decision", I get:

{
  "result": true
}

There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?
Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco

From cbodine at msn.com  Wed Dec 12 20:17:02 2018
From: cbodine at msn.com (CLAYTON BODINE)
Date: Thu, 13 Dec 2018 01:17:02 +0000
Subject: [keycloak-user] Keycloak does not return Principal for Spring Boot with Spring Security project
Message-ID:

Hello all:

I have followed the steps from http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html and found that Keycloak will secure the example but does not seem to be able to return a Principal. I am not sure what I have done wrong, especially since I have not modified the example. I noticed that I am using Spring Boot 1.5.16.RELEASE, which is several versions ahead of the example (but a few versions behind what is available from https://start.spring.io/). I think Keycloak is great, but if I cannot somehow learn who the logged-in user is from the Principal (or by some other means) then I might not be able to use it for the projects that I have in mind.

Thanks!
Clayton
From dt at acutus.pro  Wed Dec 12 23:22:33 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 13 Dec 2018 07:22:33 +0300
Subject: [keycloak-user] Run script on logout
In-Reply-To: <0fdca98b-74dd-14d4-1c6f-65fc16163424@gmail.com>
References: <0fdca98b-74dd-14d4-1c6f-65fc16163424@gmail.com>
Message-ID: <1544674953.11723.1.camel@acutus.pro>

Hello Vagelis,

There's no "logout" equivalent for authenticators (including script), but you can implement an EventListenerProvider [1] and listen for EventType.LOGOUT events.

[1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/event-listener-sysout

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-12-12 at 19:32 +0200, Vagelis Savvas wrote:
> Hello,
>
> is there a way to run custom code on a user logout?
> Something like an authenticator script would be ideal,
> but if that's not possible which are the available options, if any?
>
> Cheers,
> Vagelis

From geoff at opticks.io  Thu Dec 13 02:29:19 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 13 Dec 2018 08:29:19 +0100
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
Message-ID:

From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not, and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.
On Thu, Dec 13, 2018, 01:26 Lamina, Marco wrote:

> Hi,
> I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID "dataset-42" and two scopes, "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> , I get the following (confusing) result:
>
> [{
>   "scopes": ["view"],
>   "rsid": "dataset-42",
>   "rsname": "urn:atlas-api:resources:dataset:42"
> }]
>
> When setting "response_mode=decision", I get:
>
> {
>   "result": true
> }
>
> There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?
>
> Links:
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco

From geoff at opticks.io  Thu Dec 13 02:31:22 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 13 Dec 2018 08:31:22 +0100
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To:
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
Message-ID:

Also, if you have a resource-level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves wrote:

> From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not, and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.
>
> You'll need to open a bug report on Jira with clear steps to reproduce the problem.
>
> On Thu, Dec 13, 2018, 01:26 Lamina, Marco wrote:
>
>> Hi,
>> I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.
>>
>> Example:
>> I have a resource with ID "dataset-42" and two scopes, "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:
>>
>> response_mode=permissions
>> permission=dataset-42#delete
>>
>> , I get the following (confusing) result:
>>
>> [{
>>   "scopes": ["view"],
>>   "rsid": "dataset-42",
>>   "rsname": "urn:atlas-api:resources:dataset:42"
>> }]
>>
>> When setting "response_mode=decision", I get:
>>
>> {
>>   "result": true
>> }
>>
>> There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?
>>
>> Links:
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>
>> Thanks,
>> Marco

From vagelis.savvas at gmail.com  Thu Dec 13 07:45:31 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Thu, 13 Dec 2018 14:45:31 +0200
Subject: [keycloak-user] Run script on logout
In-Reply-To: <1544674953.11723.1.camel@acutus.pro>
References: <0fdca98b-74dd-14d4-1c6f-65fc16163424@gmail.com> <1544674953.11723.1.camel@acutus.pro>
Message-ID: <32b0da5d-25b0-5b21-2627-ddcd8da2a15f@gmail.com>

Hi Dmitry,

OK, thanks. Since the listener runs as part of Keycloak, I need to forward the event to my Wildfly-based REST API, which ultimately needs to know about logouts.
That's quite some infrastructure to build (or handle the event in the EventListenerProvider itself, which is easier but means that some of the API logic runs on Keycloak).

Cheers,
Vagelis

On 13/12/2018 06:22, Dmitry Telegin wrote:
> Hello Vagelis,
>
> There's no "logout" equivalent for authenticators (including script), but you can implement an EventListenerProvider [1] and listen for EventType.LOGOUT events.
>
> [1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/event-listener-sysout
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-12-12 at 19:32 +0200, Vagelis Savvas wrote:
>> Hello,
>>
>> is there a way to run custom code on a user logout?
>> Something like an authenticator script would be ideal,
>> but if that's not possible which are the available options, if any?
>>
>> Cheers,
>> Vagelis

From vagelis.savvas at gmail.com  Thu Dec 13 08:12:13 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Thu, 13 Dec 2018 15:12:13 +0200
Subject: [keycloak-user] Admin Client for Java
Message-ID: <435df5c1-e849-d427-0f6c-ef6a3a200e38@gmail.com>

Hello,

I am using the Admin Client Java library to administer Keycloak resources (users, roles, groups, etc.) for a multi-tenant REST API running on Wildfly. I wonder what the recommended usage of the library is in this context, where multiple concurrent requests are the norm. Is it multi-threading safe? Should I use one instance for all tenants or maybe an instance per tenant?
Cheers,
Vagelis

From geoff at opticks.io  Thu Dec 13 08:31:46 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 13 Dec 2018 14:31:46 +0100
Subject: [keycloak-user] How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)
Message-ID:

Hello. I have a simple JS execution which denies access as the first step of the first broker login flow. I would like to access some of the attributes that Keycloak writes out to the log when executing this flow (see below). What objects or variables must my JS execution load in order to get the identity_provider_identity attribute listed below?

20:29:56,588 WARN [org.keycloak.events] (default task-527) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic, userId=null, ipAddress=90., error=user_not_found, identity_provider=google, auth_method=openid-connect, redirect_uri=http://localhost:8222?clientid=tic, identity_provider_identity=user at gmail.com, code_id=b07317fdb

Thanks in advance!
Geoff

From suaybsimsek58 at gmail.com  Thu Dec 13 09:05:07 2018
From: suaybsimsek58 at gmail.com (Şuayb Şimşek)
Date: Thu, 13 Dec 2018 17:05:07 +0300
Subject: [keycloak-user] keycloak 3.4.3 not setup Windows 10
Message-ID:

I installed the 3.4.3 version of Keycloak on my computer. Errors occur when I run standalone.bat in the bin folder. I couldn't find the solution to this error. Please help.
16:34:57,379 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    ... 6 more
Caused by: java.lang.ExceptionInInitializerError
    at org.keycloak.protocol.docker.DockerAuthV2ProtocolFactory.isSupported(DockerAuthV2ProtocolFactory.java:79)
    at org.keycloak.services.DefaultKeycloakSessionFactory.isEnabled(DefaultKeycloakSessionFactory.java:237)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:215)
    at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:77)
    at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:327)
    at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:117)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 28 more
Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.ProfileValue.COMMUN?TY
    at org.keycloak.common.Profile.(Profile.java:114)
    at org.keycloak.common.Profile.(Profile.java:62)
    ... 39 more
Caused by: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.ProfileValue.COMMUN?TY
    at java.lang.Enum.valueOf(Enum.java:238)
    at org.keycloak.common.Profile$ProfileValue.valueOf(Profile.java:50)
    at org.keycloak.common.Profile.(Profile.java:97)
    ... 40 more
16:34:57,395 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
16:34:57,399 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0008: Undertow HTTPS listener https suspending
16:34:57,402 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-8) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
16:34:57,410 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-4) WFLYJCA0019: Stopped Driver service with driver-name = h2
16:34:57,414 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 127.0.0.1:8443
16:34:57,422 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0019: Host default-host stopping
16:34:57,425 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0008: Undertow HTTP listener default suspending
16:34:57,428 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 127.0.0.1:8099
16:34:57,432 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0004: Undertow 1.4.18.Final stopping
16:34:57,434 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped clientSessions cache from keycloak container
16:34:57,443 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped client-mappings cache from ejb container
16:34:57,443 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped sessions cache from keycloak container
16:34:57,444 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 62ms
16:34:57,454 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 47) WFLYCLINF0003: Stopped loginFailures cache from keycloak container
16:34:57,455 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped actionTokens cache from keycloak container
16:34:57,456 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0003: Stopped authorization cache from keycloak container
16:34:57,457 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container
16:34:57,458 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0003: Stopped users cache from keycloak container
16:34:57,457 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container
16:34:57,457 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container
16:34:57,456 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped realms cache from keycloak container
16:34:57,458 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0003: Stopped work cache from keycloak container
16:34:57,457 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped keys cache from keycloak container
16:34:57,478 ERROR [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0022: Deploy of deployment "keycloak-server.war" was rolled back with no failure message
16:34:57,485 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 3.4.3.Final (WildFly Core 3.0.8.Final) stopped in 101ms
Press any key to continue . . .
From kkcmadhu at yahoo.com Thu Dec 13 11:29:41 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Thu, 13 Dec 2018 16:29:41 +0000 (UTC)
Subject: [keycloak-user] importing/exporting users alone in keycloak
In-Reply-To: <381304704.3293505.1544623129114@mail.yahoo.com>
References: <381304704.3293505.1544623129114.ref@mail.yahoo.com> <381304704.3293505.1544623129114@mail.yahoo.com>
Message-ID: <833203169.3092579.1544718581922@mail.yahoo.com>

Well.. the workaround I have for faster migration from 4.5 to 4.7 is to export all the realms using

standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/home/centos/keycloak-export -Dkeycloak.migration.usersExportStrategy=SAME_FILE -Djboss.socket.binding.port-offset=1000 -c standalone-ha.xml

And then, set up keycloak 4.7 from scratch (with a fresh database) and import the data to the new database using

sudo ./bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/home/centos/keycloak-export -Dkeycloak.migration.usersExportStrategy=SAME_FILE -Dkeycloak.migration.strategy=OVERWRITE_EXISTING -Djboss.socket.binding.port-offset=1000 -c standalone-ha.xml

This way I am managing to avoid the huge time taken with "[org.keycloak.migration.migrators.MigrateTo4_6_0]"

Regards,
Madhu

On Wednesday, 12 December, 2018, 7:28:49 PM IST, Madhu wrote:

is there a way to import/export users alone in keycloak?
"bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=" seems to export the entire realm; I am interested in importing users info alone (i.e. user, user attribute, user role mapping, user to user group association). Any suggestions?

Madhu

From tdockendorf at osc.edu Thu Dec 13 11:44:39 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Thu, 13 Dec 2018 16:44:39 +0000
Subject: [keycloak-user] Unable to query currently set bindCredentials for LDAP
Message-ID: <430CBE4F-B11E-4773-AD3F-9C6DB448998F@osc.edu>

I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends. I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly. Is there a way to have Keycloak return the actual value that's stored in the database? I have found where in the database this is stored but I'd rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.

If there is no way to expose the actual bindCredential value, is there a way to test that the currently set bind credentials actually work? I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm's configured LDAP.

Thanks,
- Trey

[1]

$ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password | jq .config.bindCredential
Logging into http://localhost:8080/auth as user admin of realm master
[
  "**********"
]

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

From geoff at opticks.io Thu Dec 13 11:59:44 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 13 Dec 2018 17:59:44 +0100
Subject: [keycloak-user] manipulate IdP attributes in authentication script
Message-ID:

Hi Cristovao, did you ever figure this out?

----

> Hi, I'd like to know if it is possible to add a Script execution to "first broker login" and somehow manipulate (set/see/etc...) the user's IdP information?
> I'm asking this cause my Identity Provider is a federation (like eduGAIN), and I am having issues when users use the same credentials in 2 different IdPs...in Keycloak all attributes will be the same except the identity_provider_id which will cause a conflict (violates unique_id constraint) with the already existing user account in Keycloak, which already has a link to that Keycloak IdP (which in practice is a federation).
>
> Best regards,
> Cris

From marco.lamina at sap.com Thu Dec 13 12:36:45 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Thu, 13 Dec 2018 17:36:45 +0000
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To:
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
Message-ID: <13D64F2F-4665-41ED-92DA-A744FBB4C8A8@sap.com>

Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak's policy enforcement mode is set to "enforcing".

I will create a ticket. However, if it ends up being a bug, wouldn't that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I'm a bit puzzled.

From: Geoffrey Cleaves
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco"
Cc: keycloak-user
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves wrote:

From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.

On Thu, Dec 13, 2018, 01:26 Lamina, Marco wrote:

Hi,
I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID "dataset-42" and two scopes "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
  "scopes": ["view"],
  "rsid": "dataset-42",
  "rsname": "urn:atlas-api:resources:dataset:42"
}]

When setting "response_mode=decision", I get:

{
  "result": true
}

There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?

Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From marco.lamina at sap.com Thu Dec 13 13:00:33 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Thu, 13 Dec 2018 18:00:33 +0000
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To:
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
Message-ID:

Ticket: https://issues.jboss.org/browse/KEYCLOAK-9093

From: Geoffrey Cleaves
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco"
Cc: keycloak-user
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves wrote:

From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.

On Thu, Dec 13, 2018, 01:26 Lamina, Marco wrote:

Hi,
I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID "dataset-42" and two scopes "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
  "scopes": ["view"],
  "rsid": "dataset-42",
  "rsname": "urn:atlas-api:resources:dataset:42"
}]

When setting "response_mode=decision", I get:

{
  "result": true
}

There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?

Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From geoff at opticks.io Thu Dec 13 13:28:42 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 13 Dec 2018 19:28:42 +0100
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To: <13D64F2F-4665-41ED-92DA-A744FBB4C8A8@sap.com>
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com> <13D64F2F-4665-41ED-92DA-A744FBB4C8A8@sap.com>
Message-ID:

Perhaps it's a bug introduced in the release that came out a few days ago. Not that many people use it, and I get the impression that not many people use Uma policy evaluation.

On Thu, Dec 13, 2018, 18:36 Lamina, Marco wrote:

> Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak's policy enforcement mode is set to "enforcing".
>
> I will create a ticket. However, if it ends up being a bug, wouldn't that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I'm a bit puzzled.
>
> From: Geoffrey Cleaves
> Date: Wednesday, December 12, 2018 at 11:32 PM
> To: "Lamina, Marco"
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation
>
> Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.
>
> On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves wrote:
>
> From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.
>
> You'll need to open a bug report on Jira with clear steps to reproduce the problem.
>
> On Thu, Dec 13, 2018, 01:26 Lamina, Marco wrote:
>
> Hi,
> I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID "dataset-42" and two scopes "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> , I get the following (confusing) result:
>
> [{
>   "scopes": ["view"],
>   "rsid": "dataset-42",
>   "rsname": "urn:atlas-api:resources:dataset:42"
> }]
>
> When setting "response_mode=decision", I get:
>
> {
>   "result": true
> }
>
> There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?
>
> Links:
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From marco.lamina at sap.com Thu Dec 13 14:14:52 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Thu, 13 Dec 2018 19:14:52 +0000
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To:
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com> <13D64F2F-4665-41ED-92DA-A744FBB4C8A8@sap.com>
Message-ID: <360F7E39-62E0-429B-A19A-A9432E69A274@sap.com>

I've used regular policies / permissions at first, but found that the way they are evaluated showed inconsistencies. Unfortunately, neither the documentation nor the community were able to give an explanation as to how the policy evaluation actually works. I switched to using only UMA policies, hoping that this would simplify things. This approach seemed to work fine at first, but the results are just as confusing and unpredictable as everything I've tried before.

The documentation does a good job at explaining how to use Keycloak's authorization services, but the evaluation engine seems to be a magic black box. It would be great to have a piece of documentation that explains in more detail how the evaluation results I see can be traced back to the permissions that I create in Keycloak.

From: Geoffrey Cleaves
Date: Thursday, December 13, 2018 at 10:29 AM
To: "Lamina, Marco"
Cc: keycloak-user
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Perhaps it's a bug introduced in the release that came out a few days ago. Not that many people use it, and I get the impression that not many people use Uma policy evaluation.

On Thu, Dec 13, 2018, 18:36 Lamina, Marco wrote:

Just to be 100% certain, I created a test resource with its own resource type and tried again.
It shows the same behavior. Keycloak's policy enforcement mode is set to "enforcing".

I will create a ticket. However, if it ends up being a bug, wouldn't that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I'm a bit puzzled.

From: Geoffrey Cleaves
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco"
Cc: keycloak-user
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves wrote:

From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.

On Thu, Dec 13, 2018, 01:26 Lamina, Marco wrote:

Hi,
I'm using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID "dataset-42" and two scopes "view" and "delete". I create a UMA policy granting my user "view" access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the "delete" scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
  "scopes": ["view"],
  "rsid": "dataset-42",
  "rsname": "urn:atlas-api:resources:dataset:42"
}]

When setting "response_mode=decision", I get:

{
  "result": true
}

There is no policy that gives my user access to the "delete" scope anywhere, so shouldn't I get a negative result here?

Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Thu Dec 13 19:34:27 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 14 Dec 2018 03:34:27 +0300
Subject: [keycloak-user] How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)
In-Reply-To:
References:
Message-ID: <1544747667.12484.1.camel@acutus.pro>

Hello Geoffrey,

I was right about to click Send when I finally noticed that statement in parentheses :-D you were 100% right, what else can I say :)

Here we go, try this snippet:

// Java classes made available to the Nashorn script authenticator
SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");

function authenticate(context) {
    // the first-broker-login flow stores the brokered identity in the authentication session under this note
    var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
    // deserialize it into a BrokeredIdentityContext (username, email, idpConfig, ...)
    var biCtx = serializedCtx.deserialize(session, authenticationSession);
    LOG.info(biCtx.username);
    LOG.info(biCtx.idpConfig.alias);
    context.success();
}

Also take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.

Good luck :)
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-12-13 at 14:31 +0100, Geoffrey Cleaves wrote:
> Hello. I have a simple JS execution which denies access as the first step of the first broker login flow.
> I would like to access some of the attributes that Keycloak writes out to the log when executing this flow (see below)
>
> What objects or variables must my JS execution load in order to get the identity_provider_identity attribute listed below?
>
> 20:29:56,588 WARN  [org.keycloak.events] (default task-527) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic, userId=null, ipAddress=90., error=user_not_found, identity_provider=google, auth_method=openid-connect, redirect_uri=http://localhost:8222?clientid=tic, identity_provider_identity=user at gmail.com, code_id=b07317fdb
>
> Thanks in advance!
>
> Geoff
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From wolfbro92 at gmail.com Thu Dec 13 22:03:23 2018
From: wolfbro92 at gmail.com (Kunal Kumar)
Date: Fri, 14 Dec 2018 11:03:23 +0800
Subject: [keycloak-user] Displaying Client ID in Keycloak Login Page
Message-ID:

I have a few clients that are under my realm, and would like to display the name of each of them at the login page to that specific client ids respectively.

I know that the realm display name is represented by realm.displayNameHtml, but how do I display the client ID?

Regards,
Kunal Kumar

From dt at acutus.pro Thu Dec 13 23:32:16 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 14 Dec 2018 07:32:16 +0300
Subject: [keycloak-user] Displaying Client ID in Keycloak Login Page
In-Reply-To:
References:
Message-ID: <1544761936.16111.1.camel@acutus.pro>

Hello Kunal,

For that, you will need to create a custom login theme [1]. Keycloak exposes client info as the "client" object, so you can use the following expressions in your Freemarker templates:

${client.clientId}
${client.name}

etc. Look at ClientBean [2] for more info.

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[2] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/ClientBean.java

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 11:03 +0800, Kunal Kumar wrote:
> I have a few clients that are under my realm, and would like to display the name of each of them at the login page to that specific client ids respectively.
>
> I know that the realm display name is represented by realm.displayNameHtml, but how do I display the client ID?
>
> Regards,
> Kunal Kumar
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Dec 14 00:13:36 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 14 Dec 2018 08:13:36 +0300
Subject: [keycloak-user] Unable to query currently set bindCredentials for LDAP
In-Reply-To: <430CBE4F-B11E-4773-AD3F-9C6DB448998F@osc.edu>
References: <430CBE4F-B11E-4773-AD3F-9C6DB448998F@osc.edu>
Message-ID: <1544764416.16111.5.camel@acutus.pro>

Hello Trey,

The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me.

OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate.
In my case it's like this:

GET https:///auth/admin/realms//testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly

This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
> I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends.  I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly.  Is there a way to have Keycloak return the actual value that's stored in the database?  I have found where in the database this is stored but I'd rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
>
> If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work?  I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm's configured LDAP.
>
> Thanks,
> - Trey
>
> [1]
>
> $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password | jq .config.bindCredential
>
> Logging into http://localhost:8080/auth as user admin of realm master
>
> [
>   "**********"
> ]
>
> --
> Trey Dockendorf
> HPC Systems Engineer
> Ohio Supercomputer Center
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From david_christian.herrmann at daimler.com Fri Dec 14 02:32:15 2018
From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com)
Date: Fri, 14 Dec 2018 07:32:15 +0000
Subject: [keycloak-user] Cross Realm authorization
Message-ID:

Hello,

we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:

AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session);
if (authResult == null) {
    throw new NotAuthorizedException("Bearer token required");
}

And

if (!auth.hasClientRole(client, "view-users")) {
    throw new NotAuthorizedException("Necessary permission not available");
}

We now have the problem that we want to access the endpoint with technical users which are in the master realm to separate them from the real end-users. So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm. Here

AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session);
if (authResult == null) {
    throw new NotAuthorizedException("Bearer token required");
}

always results in unauthorized. Looking at the code and testing I think with authenticateBearerToken() cross realm authentication is not possible. Correct?

Do you have a suggestion how to achieve our goal?

Mit freundlichen Grüßen / With kind regards

David Herrmann
RD/UIA Team Rising Stars

Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87
What3Words Address: ellbogen.sprüche.anfänge
E-Mail: david_christian.herrmann at daimler.com

Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

From wolfbro92 at gmail.com Fri Dec 14 03:43:25 2018
From: wolfbro92 at gmail.com (Kunal Kumar)
Date: Fri, 14 Dec 2018 16:43:25 +0800
Subject: [keycloak-user] Displaying Client ID in Keycloak Login Page
In-Reply-To: <1544761936.16111.1.camel@acutus.pro>
References: <1544761936.16111.1.camel@acutus.pro>
Message-ID:

Thank you for your help! client.clientID did the trick

On Fri, Dec 14, 2018 at 12:32 PM Dmitry Telegin
wrote: > Hello Kunal, > > For that, you will need to create a custom login theme [1]. Keycloak > exposes client info as the "client" object, so you can use the following > expressions in your Freemarker templates: > ${client.clientId} > ${client.name} > > etc. Look at ClientBean [2] for more info. > > [1] > https://www.keycloak.org/docs/latest/server_development/index.html#_themes > [2] > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/ClientBean.java > > Good luck, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Fri, 2018-12-14 at 11:03 +0800, Kunal Kumar wrote: > > I have a few clients that are under my realm, and would like to display > the > > name of each of them at the login page to that specific client ids > > respectively. > > > > I know that the realm display name is represented by > *realm.displayNameHtml > > *, but how do i display the client ID? > > > > > > Regards, > > Kunal Kumar > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From niko at n-k.de Fri Dec 14 04:08:18 2018 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Fri, 14 Dec 2018 10:08:18 +0100 Subject: [keycloak-user] Magic Link feature removed? In-Reply-To: References: Message-ID: Hi, is there any news/information about the "Magic Link" feature like mentioned below? Will it be available someday in KC or do we have to do it on our own? Cheers, - Niko > Am 22.05.2018 um 15:43 schrieb Stefan Hesse : > > Hello, > > according to this issue: https://issues.jboss.org/browse/KEYCLOAK-1942 > Magic Link was introduced in version 4.0.0.Beta1. 
> > I am running 4.0.0.Beta.2, and I tried to follow the following tutorial
> in order to implement it: https://www.youtube.com/watch?v=oyUsI3QgEq8
> > Strangely the option does not appear in the Beta2 anymore.
> > Was the feature removed again?
> > Regards
> > Stefan
> > _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Dec 14 05:16:48 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 14 Dec 2018 11:16:48 +0100
Subject: [keycloak-user] Magic Link feature removed?
In-Reply-To:
References:
Message-ID:

We may be considering including login via email next year, but there are a lot of improvements we need to make around authentication flows to make it a properly supported and generic feature.

In the meantime take a look at https://github.com/stianst/keycloak-experimental/tree/master/magic-link. Should be relatively easy to adapt that to your needs.

On Fri, 14 Dec 2018 at 10:12, Niko Köbler wrote:
> Hi,
>
> is there any news/information about the "Magic Link" feature like
> mentioned below?
> Will it be available someday in KC or do we have to do it on our own?
>
> Cheers,
> - Niko
>
> > On 22.05.2018 at 15:43 Stefan Hesse wrote:
> >
> > Hello,
> >
> > according to this issue: https://issues.jboss.org/browse/KEYCLOAK-1942
> > Magic Link was introduced in version 4.0.0.Beta1.
> >
> > I am running 4.0.0.Beta.2, and I tried to follow the following tutorial
> > in order to implement it: https://www.youtube.com/watch?v=oyUsI3QgEq8
> >
> > Strangely the option does not appear in the Beta2 anymore.
> >
> > Was the feature removed again?
> >
> > Regards
> >
> > Stefan
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From niko at n-k.de Fri Dec 14 05:36:08 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 14 Dec 2018 11:36:08 +0100
Subject: [keycloak-user] Magic Link feature removed?
In-Reply-To:
References:
Message-ID: <37B68F35-DB28-4EF7-9B75-D6E4EF02D069@n-k.de>

Thanks, Stian, yes, I already had a look at it, but I thought it would be better to use the built-in functionality, if it were already there. :)

> On 14.12.2018 at 11:16 Stian Thorgersen wrote:
>
> We may be considering including login via email next year, but there are a lot of improvements we need to make around authentication flows to make it a properly supported and generic feature.
>
> In the meantime take a look at https://github.com/stianst/keycloak-experimental/tree/master/magic-link . Should be relatively easy to adapt that to your needs.
>
> On Fri, 14 Dec 2018 at 10:12, Niko Köbler wrote:
> Hi,
>
> is there any news/information about the "Magic Link" feature like mentioned below?
> Will it be available someday in KC or do we have to do it on our own?
>
> Cheers,
> - Niko
>
> > On 22.05.2018 at 15:43 Stefan Hesse wrote:
> >
> > Hello,
> >
> > according to this issue: https://issues.jboss.org/browse/KEYCLOAK-1942
> > Magic Link was introduced in version 4.0.0.Beta1.
> >
> > I am running 4.0.0.Beta.2, and I tried to follow the following tutorial
> > in order to implement it: https://www.youtube.com/watch?v=oyUsI3QgEq8
> >
> > Strangely the option does not appear in the Beta2 anymore.
> >
> > Was the feature removed again?
> >
> > Regards
> >
> > Stefan
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Fri Dec 14 05:39:39 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 14 Dec 2018 16:09:39 +0530
Subject: [keycloak-user] Server Admin : How to know export completed
Message-ID:

I am using standalone.sh/.bat to export the Keycloak configuration and users. Since, when running on the command line, Keycloak does not give any specific message regarding whether the backup was completed, completed successfully or failed, what is the best way to know the status?

From testoauth55 at gmail.com Fri Dec 14 05:44:26 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 14 Dec 2018 16:14:26 +0530
Subject: [keycloak-user] Any example of keycloak export import artifact present in maven
Message-ID:

I came across this maven artifact provided by the Keycloak team: https://mvnrepository.com/artifact/org.keycloak/keycloak-export-import-zip/1.5.1.Final

But I could not find any examples for this. Can anyone please share a doc / example related to this?

From geoff at opticks.io Fri Dec 14 05:49:09 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 14 Dec 2018 11:49:09 +0100
Subject: [keycloak-user] How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)
In-Reply-To: <1544747667.12484.1.camel@acutus.pro>
References: <1544747667.12484.1.camel@acutus.pro>
Message-ID:

Thanks Dmitry, I never in a thousand years would have figured this out. My goal with all of this is to only allow a user to log in with Google (or other provider) if there is already an account created with the same email address.
My code below works, but instead of returning an entire custom page on failure, it would be nice to use the existing template with simply a different text. I hate to abuse your free time, but if you have any tips for that I would be most appreciative.

    AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
    // take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.
    SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
    AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
    Response = Java.type("javax.ws.rs.core.Response");
    MediaType = Java.type("javax.ws.rs.core.MediaType");

    // the page returned to the browser when no matching local account exists
    response = Response.status(401)
        .entity("You must have an existing account to log in.")
        .type(MediaType.TEXT_HTML_TYPE)
        .build();

    // all users of the realm, loaded once when the script is evaluated
    users = session.users().getUsers(realm, false);

    function authenticate(context) {
        // the identity received from the external IdP is stored in the auth session
        var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
        var biCtx = serializedCtx.deserialize(session, authenticationSession);
        var idpUsername = biCtx.username;
        LOG.info("username = " + idpUsername);
        LOG.info("alias = " + biCtx.idpConfig.alias);

        // succeed only if a local user already has the IdP username as e-mail
        for (var u in users) {
            //LOG.info("u = " + users[u].getEmail());
            if (idpUsername === users[u].getEmail()) {
                context.success();
                return;
            }
        }
        context.failure(AuthenticationFlowError.USER_DISABLED, response);
        return;
    }

On Fri, 14 Dec 2018 at 01:34, Dmitry Telegin
wrote:
> Hello Geoffrey,
>
> I was right about to click Send when I finally noticed that statement in
> parentheses :-D you were 100% right, what else can I say :)
>
> Here we go, try this snippet:
>
>     SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
>     AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
>
>     function authenticate(context) {
>         var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
>         var biCtx = serializedCtx.deserialize(session, authenticationSession);
>
>         LOG.info(biCtx.username);
>         LOG.info(biCtx.idpConfig.alias);
>
>         context.success();
>     }
>
> Also take a look at org.keycloak.broker.provider.BrokeredIdentityContext
> to figure out what else you can obtain from that object.
>
> Good luck :)
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-12-13 at 14:31 +0100, Geoffrey Cleaves wrote:
> > Hello. I have a simple JS execution which denies access as the first step
> > of the first broker login flow. I would like to access some of the
> > attributes that Keycloak writes out to the log when executing this flow
> > (see below)
> >
> > What objects or variables must my JS execution load in order to get the
> > identity_provider_identity attribute listed below?
> >
> > 20:29:56,588 WARN [org.keycloak.events] (default task-527)
> > type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic,
> > userId=null, ipAddress=90., error=user_not_found, identity_provider=google,
> > auth_method=openid-connect, redirect_uri=http://localhost:8222?clientid=tic,
> > identity_provider_identity=user at gmail.com, code_id=b07317fdb
> >
> > Thanks in advance!
> >
> > Geoff
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Regards,
Geoffrey Cleaves

From geoff at opticks.io Fri Dec 14 05:53:29 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 14 Dec 2018 11:53:29 +0100
Subject: [keycloak-user] manipulate IdP attributes in authentication script
In-Reply-To:
References:
Message-ID:

Cris, it's probably too late for you, but Dmitry Telegin has answered our burning question. See the code below for tips:

    AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
    // take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.
    SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
    AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
    Response = Java.type("javax.ws.rs.core.Response");
    MediaType = Java.type("javax.ws.rs.core.MediaType");

    // the page returned to the browser when no matching local account exists
    response = Response.status(401)
        .entity("You must have an existing account to log in.")
        .type(MediaType.TEXT_HTML_TYPE)
        .build();

    // all users of the realm, loaded once when the script is evaluated
    users = session.users().getUsers(realm, false);

    function authenticate(context) {
        // the identity received from the external IdP is stored in the auth session
        var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
        var biCtx = serializedCtx.deserialize(session, authenticationSession);
        var idpUsername = biCtx.username;
        LOG.info("username = " + idpUsername);
        LOG.info("alias = " + biCtx.idpConfig.alias);

        // succeed only if a local user already has the IdP username as e-mail
        for (var u in users) {
            //LOG.info("u = " + users[u].getEmail());
            if (idpUsername === users[u].getEmail()) {
                context.success();
                return;
            }
        }
        context.failure(AuthenticationFlowError.USER_DISABLED, response);
        return;
    }

On Fri, 14 Dec 2018 at 08:41, Cristóvão Cordeiro <cristovao.cordeiro at sixsq.com> wrote:
> Hi, no sorry.
>
> Best regards,
>
> *Cristóvão Cordeiro*
>
>
> On Thu, 13 Dec 2018 at 17:59, Geoffrey Cleaves wrote:
>
>> Hi Cristovao, did you ever figure this out?
>>
>> ----
>> > Hi,
>>
>> I'd like to know if it is possible to add a Script execution to "first
>> broker login" and somehow manipulate (set/see/etc...) the user's IdP
>> information?
>>
>> I'm asking this because my Identity Provider is a federation (like eduGAIN),
>> and I am having issues when users use the same credentials in 2 different
>> IdPs... in Keycloak all attributes will be the same except the
>> identity_provider_id which will cause a conflict (violates unique_id
>> constraint) with the already existing user account in Keycloak, which
>> already has a link to that Keycloak IdP (which in practice is a federation).
>>
>> Best regards,
>> Cris
>>
>>
>> --
>> Regards,
>> Geoffrey Cleaves

From bhavana at browserstack.com Fri Dec 14 07:01:55 2018
From: bhavana at browserstack.com (Bhavana Motwani)
Date: Fri, 14 Dec 2018 17:31:55 +0530
Subject: [keycloak-user] Issues faced in IdP initiated flow
Message-ID:

Hi all,

We are using Keycloak as an SP. So far we have done the following:
- Configured an external IDP (e.g. auth0) to broker the authentication in a realm.
- Created an OpenID Connect client in the same realm.
- Using the keycloak-connect node lib in our web application to connect to the client.
- We are successfully able to do an SP-initiated SSO authentication.

Facing issues with IDP-initiated SSO:
- Do we have to create a client in our Keycloak? If yes, what will be the changes?
- What will be the possible changes on the IDP side that we have brokered? We are trying with Auth0.
- This is the link we are using: https://www.keycloak.org/docs/4.5/server_admin/index.html#idp-initiated-login , but the documentation is not very clear.

Thank you for the help

From keshav.sharma at shl.com Fri Dec 14 07:28:01 2018
From: keshav.sharma at shl.com (Keshav Sharma)
Date: Fri, 14 Dec 2018 12:28:01 +0000
Subject: [keycloak-user] 4.6.0 Class cast exception
In-Reply-To:
References:
Message-ID:

Still waiting for the help :(

Regards,
______________________________________________________
Keshav Sharma
Software Engineer
Direct: +91-124-479-6219
SHL | www.shl.com
9th Floor, Tower 10-B, DLF Cyber City, Phase II, Gurugram, Haryana - 122002, India
______________________________________________________

-----Original Message-----
From: Keshav Sharma
Sent: Thursday, December 13, 2018 1:46 AM
To: keycloak-user
Subject: RE: [keycloak-user] 4.6.0 Class cast exception

Hi All,

I am getting the below exception. Can anyone help me out in fixing the below issue? Very urgent.

Issue:

    private KeycloakSecurityContext getSession(HttpServletRequest req) {
        return (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
    }

I am getting a class cast exception: RefreshKeycloakSecurityContext cannot be cast to KeycloakSecurityContext.

Thanks in advance.
Regards,
______________________________________________________
Keshav Sharma
______________________________________________________

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Jernej Porenta
Sent: Thursday, December 13, 2018 1:16 AM
To: keycloak-user
Subject: Re: [keycloak-user] 4.6.0 Upgrade disables client scopes

Anyone with the solution to it?

br, Jernej

> On 21 Nov 2018, at 18:07, Lamina, Marco wrote:
>
> To answer your questions:
> - I upgraded from 4.5.0 to 4.6.0
> - Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
> - Even when I create a new client and add the scope, it is not added to the token
>
> Thanks,
> Marco
>
>
> On 11/21/18, 5:19 AM, "Marek Posolda" wrote:
>
>     No, it doesn't need to be updated in any profile like Token Exchange.
>
>     Question is, from which version you upgraded? Note that during upgrade
>     to 4.0.0, the realm default client scopes are not automatically linked
>     to the clients. Thing is, that clients from the previous version already have
>     some protocolMappers defined on them, so the clientScopes are not added
>     to them. You may need to change your clients manually and remove
>     protocolMappers from them and link them to default client scopes.
>
>     Just the new clients, which you will create now through the admin UI, will
>     have the client scopes added to them. See details in the docs:
>     https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes
>
>     BTW. When you're on a client, you can click "Client Scopes" and then
>     "Evaluate" to see which client scopes are applied and check which
>     clientScopes will be applied based on the value of the "scope" parameter.
>
>     Marek
>
>     On 21/11/2018 01:55, Lamina, Marco wrote:
>> Hi,
>> I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the "scope" parameter is ignored and none of my default client scopes are applied. The "scope" claim in the token endpoint response is always empty.
>> Is that a feature that needs to be enabled similar to the token exchange?
>>
>> [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>
>> Thanks,
>> Marco
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

________________________________

This e-mail and/or its attachments are intended only for the use of the addressee(s) and may contain confidential and legally privileged information belonging to SHL and/or its affiliates. If you have received this e-mail in error, please notify the sender and immediately destroy all copies of this email and its attachments. The publication, copying, in whole or in part, or use or dissemination in any other way of this e-mail and attachments by anyone other than the intended person(s), is prohibited. If you would like to know how SHL collects, processes, uses, and stores personal data please go to www.shl.com/privacy to learn more.
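The upgrade advice quoted above (Marek's reply: clients created before 4.0 are not linked to the realm's default client scopes because they still carry their own protocolMappers, and "Client Scopes > Evaluate" shows what is actually applied) can be checked and repaired per client without clicking through the admin console. The script below is an added example written for this thread, not code from the list or from the Keycloak project. It uses the Admin REST API endpoints for realm default client scopes (`/default-default-client-scopes`), a client's default client scopes, client scope details and the PUT that links a scope to a client, all present in Keycloak 4.x. The base URL, realm, client UUID and admin password in the `__main__` block are placeholders, and the `http` parameter is injectable so the reconciliation logic can be exercised offline against constructed responses.

```python
"""Audit and repair a client's default client scopes after a Keycloak 4.x upgrade.

Added example for the thread above; not Keycloak project code. Endpoints used
(Keycloak Admin REST API, 4.x):
  GET /auth/admin/realms/{realm}/default-default-client-scopes
  GET /auth/admin/realms/{realm}/clients/{id}
  GET /auth/admin/realms/{realm}/clients/{id}/default-client-scopes
  GET /auth/admin/realms/{realm}/client-scopes/{scopeId}
  PUT /auth/admin/realms/{realm}/clients/{id}/default-client-scopes/{scopeId}
"""
import json
import urllib.parse
import urllib.request


def get_admin_token(base_url, username, password):
    """Password grant on admin-cli in the master realm (same call as the curl in this list)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + "/auth/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def urllib_http(method, url, token):
    """Default transport: bearer-authenticated request, parsed JSON body or None."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def missing_default_scopes(realm_defaults, client_defaults):
    """Realm default client scopes (ClientScopeRepresentation dicts) the client is not linked to."""
    linked = {s["id"] for s in client_defaults}
    return [s for s in realm_defaults if s["id"] not in linked]


def overlapping_mappers(client_mappers, scope_mappers):
    """Names of client-level protocol mappers that a default client scope also defines.

    Marek's advice is to drop such client-level mappers and rely on the scope;
    this reports them so the operator can decide before linking.
    """
    from_scopes = {(m["name"], m["protocolMapper"]) for m in scope_mappers}
    return sorted(m["name"] for m in client_mappers
                  if (m["name"], m["protocolMapper"]) in from_scopes)


def audit_client(base_url, realm, client_uuid, token, http=urllib_http, fix=False):
    """Report, and with fix=True link, the realm default scopes a client lacks.

    client_uuid is the client's internal id, not its clientId.
    Returns {"missing_scopes": [names], "overlapping_mappers": [names]}.
    """
    admin = "%s/auth/admin/realms/%s" % (base_url, urllib.parse.quote(realm))
    realm_defaults = http("GET", admin + "/default-default-client-scopes", token)
    client_defaults = http("GET", admin + "/clients/%s/default-client-scopes" % client_uuid, token)
    client = http("GET", admin + "/clients/%s" % client_uuid, token)

    missing = missing_default_scopes(realm_defaults, client_defaults)

    # The short representations carry no mappers; fetch each default scope in full.
    scope_mappers = []
    for scope in realm_defaults:
        full = http("GET", admin + "/client-scopes/%s" % scope["id"], token)
        scope_mappers.extend(full.get("protocolMappers", []))
    overlap = overlapping_mappers(client.get("protocolMappers", []), scope_mappers)

    if fix:
        for scope in missing:
            http("PUT", admin + "/clients/%s/default-client-scopes/%s" % (client_uuid, scope["id"]), token)
    return {"missing_scopes": [s["name"] for s in missing], "overlapping_mappers": overlap}


if __name__ == "__main__":
    # Placeholders: point these at your server, realm and the client's UUID.
    base = "http://localhost:8080"
    tok = get_admin_token(base, "admin", "OMIT")
    print(json.dumps(audit_client(base, "myrealm", "client-uuid", tok, fix=False), indent=2))
```

Run it once with `fix=False` to get the same picture as "Evaluate" for every client, remove the duplicated client-level mappers it reports, then rerun with `fix=True`; the PUT is idempotent, so linking an already linked scope is harmless.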
From Mahendra.Satrasala at jtv.com Fri Dec 14 11:04:28 2018
From: Mahendra.Satrasala at jtv.com (Satrasala, Mahendra)
Date: Fri, 14 Dec 2018 16:04:28 +0000
Subject: [keycloak-user] Fw: SSO saml and jwt client
In-Reply-To: <1544801765316.59360@JTV.com>
References: <1544801446375.92650@JTV.com>,<1544801765316.59360@JTV.com>
Message-ID: <1544803467505.51430@JTV.com>

I can SSO across different JWT clients, but if I try to access a SAML client, I am redirected to the login page even if I have an active session for the user in Keycloak after an OIDC authentication.

Is it possible to automatically authenticate the user for the SAML client? Simply put, I am trying to get a SAML assertion on behalf of the user after OIDC authentication.

Thanks in advance!!

From son.dastan at gmail.com Fri Dec 14 11:28:48 2018
From: son.dastan at gmail.com (Soner Dastan)
Date: Fri, 14 Dec 2018 17:28:48 +0100
Subject: [keycloak-user] UserStorageProvider for an external database
Message-ID:

Hey Steffen,

There are a couple of ways to do it AFAIK. What we did for our custom UserStorageProvider was to set up a datasource configuration in the existing Keycloak datasources configuration.

In the <datasources> section of standalone.xml you have to add the following. We are using an external Postgres DB, so my config looks like:

    <datasource jndi-name="java:jboss/datasources/yourDB" pool-name="yourDB">
        <connection-url>jdbc:postgresql://yourHost:5432/yourDB</connection-url>
        <driver>postgresql</driver>
        <security>
            <user-name>postgres</user-name>
            <password>postgres</password>
        </security>
    </datasource>

Then in the <drivers> section (when it is not already defined) you need to add the driver you use. In my case it is Postgres:

    <driver name="postgresql" module="org.postgresql">
        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
    </driver>

In your custom UserStorageProviderFactory, ideally in the constructor, you can look up the datasource:

    public UserStorageProviderFactory() throws NamingException {
        // JNDI lookup of the datasource declared in standalone.xml
        InitialContext context = new InitialContext();
        dataSource = (DataSource) context.lookup("java:jboss/datasources/yourDB");
        try {
            log.info("datasource: " + dataSource.toString());
            // isValid(timeout in seconds): checks that a connection can be obtained
            log.info("WORKING: " + dataSource.getConnection().isValid(3000));
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

In the create method of your custom factory you can pass the Connection object to your UserStorageProvider:

    public UserStorageProvider create(KeycloakSession keycloakSession, ComponentModel componentModel) {
        try {
            return new UserStorageProvider(keycloakSession, componentModel, dataSource.getConnection());
        } catch (SQLException e) {
            throw new RuntimeException("Could not get a connection for DB");
        }
    }

In your provider class you can use this connection to do the lookup for users etc.

I hope this helps.

Best,
Soner

From tdockendorf at osc.edu Fri Dec 14 13:46:12 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Fri, 14 Dec 2018 18:46:12 +0000
Subject: [keycloak-user] Unable to query currently set bindCredentials for LDAP
In-Reply-To: <1544764416.16111.5.camel@acutus.pro>
References: <430CBE4F-B11E-4773-AD3F-9C6DB448998F@osc.edu> <1544764416.16111.5.camel@acutus.pro>
Message-ID: <13B9955C-AA84-4036-945E-2F0171ED00BF@osc.edu>

So my goal is for Puppet code to be given bind credentials and know if the provided value is currently configured in Keycloak. Since the plain-text value isn't easily accessed I was hoping to use the testLDAPConnection API call to test if the provided credentials currently configured in Keycloak are still valid, so that Puppet could know if it needs to update with the Puppet-provided credentials. In order to do this I'd have to make a call to testLDAPConnection and have it use bindCredential from the database without having to specify it. Is that possible? So far I'm not having much luck. Also I'm only getting a useful response if I use POST (per API docs) and not GET. Is bindCredential not read from the database if omitted as a query parameter?

Get token:

    export TKN=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "username=admin" \
      -d 'password=OMIT' \
      -d 'grant_type=password' \
      -d 'client_id=admin-cli' | jq -r '.access_token')

    $ curl -X POST 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
    >   -H "Accept: application/json" \
    >   -H "Authorization: Bearer $TKN"
    {"errorMessage":"LDAP test error"}

    $ curl -X GET 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
    >   -H "Accept: application/json" \
    >   -H "Authorization: Bearer $TKN" -v
    * About to connect() to localhost port 8080 (#0)
    *   Trying ::1...
    * Connection refused
    *   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0) > GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc HTTP/1.1 > User-Agent: curl/7.29.0 > Host: localhost:8080 > Accept: application/json > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.eyJqdGkiOiI1ZjkyNGI1OC1kNzJjLTQyMzAtYmFiOS0yYjNjODNkZGE3MDEiLCJleHAiOjE1NDQ4MTMwMTEsIm5iZiI6MCwiaWF0IjoxNTQ0ODEyOTUxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiZGE4YTllOTItMzFhYS00MWU3LWExNjktMTc2Y2U5MWE2ZTcwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMTI4MjFjNjEtZWQ1ZC00Y2RjLWE4OTYtYjNkYjA4MDcwMmY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlc291cmNlX2FjY2VzcyI6e30sInNjb3BlIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.E_qAwNm7SCKK1fUJUIw8_u9KQRcRHFtFocyxnX8QmngdvepYqV-us0OAEKzU9zaDVgYAlmnk9vfaQfgZSK3XMGqsViM5NTdOo0X28wWfJg_PFsucWtYEH2nei_y9IZPu908sqz3eJCrPBaS2W44IhuX2ev6GFQrC2xP1GhveM69J7imLmYYPAKZsIVRR9YhfUlxMV9EQviYhY7zaEPcYyjuOWTTqqC7UsNx9kL8TQU6YsY_ZYBDqOqzV6e0bS90EQkVoWWoENeirJqriz-y9Mcj3ZwP2tMlUercYpe85DonnKDTal5scZVSNKOyl-E7B_DLF_EVQBDojGnDpu__QtQ > < HTTP/1.1 405 Method Not Allowed < Connection: keep-alive < Content-Length: 0 < Date: Fri, 14 Dec 2018 18:43:20 GMT < * Connection #0 to host localhost left intact -- Trey Dockendorf HPC Systems Engineer Ohio Supercomputer Center ?On 12/14/18, 12:13 AM, "Dmitry Telegin"
wrote:

    Hello Trey,

    The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me.

    OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate. In my case it's like this:

    GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly

    This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.

    Good luck,
    Dmitry Telegin
    CTO, Acutus s.r.o.
    Keycloak Consulting and Training

    Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
    +42 (022) 888-30-71
    E-mail: info at acutus.pro

    On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
    > I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends. I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly. Is there a way to have Keycloak return the actual value that's stored in the database? I have found where in the database this is stored but I'd rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
    >
    > If there is no way to expose the actual bindCredential value, is there a way to test that the currently set bind credentials actually work? I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm's configured LDAP.
    >
    > Thanks,
    > - Trey
    >
    > [1]
    >
    > $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password | jq .config.bindCredential
    >
    > Logging into http://localhost:8080/auth as user admin of realm master
    >
    > [
    >   "**********"
    > ]
    >
    > --
    > Trey Dockendorf
    > HPC Systems Engineer
    > Ohio Supercomputer Center
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user

From burgergold at hotmail.com Sat Dec 15 16:46:09 2018
From: burgergold at hotmail.com (Yannick Bergeron)
Date: Sat, 15 Dec 2018 21:46:09 +0000
Subject: [keycloak-user] Keycloak authentication/authorization with multiple AD/forests/domains
Message-ID:

We have several AD forests, and many domains. Devs want to use Keycloak for authentication/authorization. We also have to deal with some users having the same userid in more than one domain. We have trusts between our main/target domain and the others. The Keycloak server is in the main domain. Users are used to logging in as domain\user but not user at fqdn.of.domain.

What would be the best way to do that?

If Keycloak Kerberos authentication is configured, is it possible to know from which domain the authenticated user is, to fetch more information from LDAP after that?

Can we front Keycloak with an IIS with Windows authentication and use the HTTP session variables somehow in Keycloak, as the user is already authenticated?

Other options?
From dt at acutus.pro Sun Dec 16 21:41:21 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 17 Dec 2018 05:41:21 +0300
Subject: [keycloak-user] Unable to query currently set bindCredentials for LDAP
In-Reply-To: <13B9955C-AA84-4036-945E-2F0171ED00BF@osc.edu>
References: <430CBE4F-B11E-4773-AD3F-9C6DB448998F@osc.edu> <1544764416.16111.5.camel@acutus.pro> <13B9955C-AA84-4036-945E-2F0171ED00BF@osc.edu>
Message-ID: <1545014481.12250.1.camel@acutus.pro>

Hello Trey,

Please try the following link:

GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=<bindDn>&componentId=<componentId>&connectionTimeout=<connectionTimeout>&connectionUrl=<connectionUrl>&useTruststoreSpi=ldapsOnly

You should substitute the values in angle brackets with your actual ones. You can look them up by firing up the Admin console, going to LDAP config, pressing F12, clicking "Test authentication" and examining the contents of the resulting GET request.

You should also leave bindCredential as is; this special value (10 asterisks) instructs Keycloak to perform the test with the saved credentials.

You will get HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 18:46 +0000, Dockendorf, Trey wrote:
> So my goal is for Puppet code to be given bind credentials and know if the provided value is currently configured in Keycloak. Since the plain-text value isn't easily accessed I was hoping to use the testLDAPConnection API call to test if the provided credentials currently configured in Keycloak are still valid, so that Puppet could know if it needs to update with the Puppet-provided credentials. In order to do this I'd have to make a call to testLDAPConnection and have it use bindCredential from the database without having to specify it. Is that possible? So far I'm not having much luck. Also I'm only getting a useful response if I use POST (per API docs) and not GET. Is bindCredential not read from the database if omitted as a query parameter?
>
> Get token:
> export TKN=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d "username=admin" \
>   -d 'password=OMIT' \
>   -d 'grant_type=password' \
>   -d 'client_id=admin-cli' | jq -r '.access_token')
>
> $ curl -X POST 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
> >   -H "Accept: application/json" \
> >   -H "Authorization: Bearer $TKN"
>
> {"errorMessage":"LDAP test error"}
>
> $ curl -X GET 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
> >   -H "Accept: application/json" \
> >   -H "Authorization: Bearer $TKN" -v
>
> * About to connect() to localhost port 8080 (#0)
> *   Trying ::1...
> * Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0) > > GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc HTTP/1.1 > > User-Agent: curl/7.29.0 > > Host: localhost:8080 > > Accept: application/json > > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.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.E_qAwNm7SCKK1fUJUIw8_u9KQRcRHFtFocyxnX8QmngdvepYqV-us0OAEKzU9zaDVgYAlmnk9vfaQfgZSK3XMGqsViM5NTdOo0X28wWfJg_PFsucWtYEH2nei_y9IZPu908sqz3eJCrPBaS2W44IhuX2ev6GFQrC2xP1GhveM69J7imLmYYPAKZsIVRR9YhfUlxMV9EQviYhY7zaEPcYyjuOWTTqqC7UsNx9kL8TQU6YsY_ZYBDqOqzV6e0bS90EQkVoWWoENeirJqriz-y9Mcj3ZwP2tMlUercYpe85DonnKDTal5scZVSNKOyl-E7B_DLF_EVQBDojGnDpu__QtQ > > > > < HTTP/1.1 405 Method Not Allowed > < Connection: keep-alive > < Content-Length: 0 > < Date: Fri, 14 Dec 2018 18:43:20 GMT > * Connection #0 to host localhost left intact > > --? > Trey Dockendorf > > HPC Systems Engineer > Ohio Supercomputer Center > > > ?On 12/14/18, 12:13 AM, "Dmitry Telegin"
wrote: > > ????Hello Trey, > ???? > ????The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me. > ???? > ????OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate. In my case it's like this: > ???? > ????GET https:///auth/admin/realms//testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly > ???? > ????This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise. > ???? > ????Good luck, > ????Dmitry Telegin > ????CTO, Acutus s.r.o. > ????Keycloak Consulting and Training > ???? > ????Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > ????+42 (022) 888-30-71 > ????E-mail: info at acutus.pro > ???? > ????On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote: > ????> I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends.??I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly.??Is there a way to have Keycloak return the actual value that?s stored in the database???I have found where in the database this is stored but I?d rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support. > ????>? 
> ????> If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work???I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm?s configured LDAP. > ????>? > ????> Thanks, > ????> - Trey > ????>? > ????> [1] > > ????> > $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password | jq .config.bindCredential > > ????> > Logging into http://localhost:8080/auth as user admin of realm master > ????>? > ????> [ > ????>???"**********" > ????> ] > ????>? > ????> -- > ????> Trey Dockendorf > ????> HPC Systems Engineer > ????> Ohio Supercomputer Center > ????> _______________________________________________ > ????> keycloak-user mailing list > ????> keycloak-user at lists.jboss.org > ????> https://lists.jboss.org/mailman/listinfo/keycloak-user > ???? > ???? > From dt at acutus.pro Sun Dec 16 22:12:55 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 17 Dec 2018 06:12:55 +0300 Subject: [keycloak-user] Fw: SSO saml and jwt client In-Reply-To: <1544803467505.51430@JTV.com> References: <1544801446375.92650@JTV.com>,<1544801765316.59360@JTV.com> <1544803467505.51430@JTV.com> Message-ID: <1545016375.12250.3.camel@acutus.pro> Hello Mahendra, This should work out of the box - after all, that's what SSO is about. Are you sure that both OIDC and SAML clients are in the same Keycloak realm? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-12-14 at 16:04 +0000, Satrasala, Mahendra wrote: > I can SSO across different JWT clients but if I try to access a SAML client, I am redirected to the login page even if I have an active session for the user in keycloak after an OIDC authentication. 
> > > Is it possible to automatically authenticate the user for the SAML client? Simply put, I am trying to get a SAML assertion on behalf of the user after OIDC authentication. > > > Thanks in advance!! > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Sun Dec 16 22:20:24 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 17 Dec 2018 06:20:24 +0300 Subject: [keycloak-user] 4.6.0 Class cast exception In-Reply-To: References: Message-ID: <1545016824.12250.5.camel@acutus.pro> Hello Keshav, This can happen if you include Keycloak adapter modules (e.g. keycloak-core, keycloak-adapter-core) into your WEB-INF/lib. If your webapp depends on that modules, they should have "provided" scope in your pom.xml. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-12-12 at 20:16 +0000, Keshav Sharma wrote: > Hi All, > > I am getting below exception. > Can anyone help me out in fixing below issue .Very Urgent. > Issue : > ????private KeycloakSecurityContext getSession(HttpServletRequest req) { > ????????return (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName()); > ????} > > I am getting class cast exception??RefreshKeycloakSecurityContext can not be cast to KeycloakSecurityContext. > > Thanks in Advance? > > > > > Regards, > ______________________________________________________ > > Keshav Sharma > ______________________________________________________ > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org On Behalf Of Jernej Porenta > Sent: Thursday, December 13, 2018 1:16 AM > > To: keycloak-user > Subject: Re: [keycloak-user] 4.6.0 Upgrade disables client scopes > > Anyone with the solution to it? 
>
> br, Jernej
>
>
> > On 21 Nov 2018, at 18:07, Lamina, Marco wrote:
> >
> > To answer your questions:
> > - I upgraded from 4.5.0 to 4.6.0
> > - Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
> > - Even when I create a new client and add the scope, it is not added to the token
> >
> > Thanks,
> > Marco
> >
> >
> > On 11/21/18, 5:19 AM, "Marek Posolda" wrote:
> >
> >     No, it doesn't need to be updated in any profile like Token Exchange.
> >
> >     Question is, from which version you upgraded? Note that during upgrade to 4.0.0, the realm default client scopes are not automatically linked to the clients. Thing is, that clients from the previous version already have some protocolMappers defined on them, so the clientScopes are not added to them. You may need to change your clients manually, remove protocolMappers from them and link them to default client scopes.
> >
> >     Just the new clients, which you will create now through the admin UI, will have the client scopes added to them. See details in the docs:
> >     https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes
> >
> >     BTW. When you're on a client, you can click "Client Scopes" and then "Evaluate" to see what the applied client scopes are and check what clientScopes will be applied based on the value of the "scope" parameter.
> >
> >     Marek
> >
> >     On 21/11/2018 01:55, Lamina, Marco wrote:
> > > Hi,
> > > I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the "scope" parameter is ignored and none of my default client scopes are applied. The "scope" claim in the token endpoint response is always empty.
> > > Is that a feature that needs to be enabled similar to the token exchange?
> > >
> > > [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
> > >
> > > Thanks,
> > > Marco
> >
>
> ________________________________
>
> This e-mail and/or its attachments are intended only for the use of the addressee(s) and may contain confidential and legally privileged information belonging to SHL and/or its affiliates. If you have received this e-mail in error, please notify the sender and immediately destroy all copies of this email and its attachments. The publication, copying, in whole or in part, or use or dissemination in any other way of this e-mail and attachments by anyone other than the intended person(s), is prohibited. If you would like to know how SHL collects, processes, uses, and stores personal data please go to www.shl.com/privacy to learn more.

From dt at acutus.pro Sun Dec 16 22:42:09 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 17 Dec 2018 06:42:09 +0300
Subject: [keycloak-user] Issues faced in IdP initiated flow
Message-ID: <1545018129.12250.8.camel@acutus.pro>

Hello Bhavana,

There is no direct equivalent for "IdP initiated SSO" in the OpenID Connect world. This will work seamlessly only if both the 3rd party IdP *and* the client are SAML (see the attached diagram).
However, there is a workaround that could solve the problem to some extent. You can create a special link that would point inside Keycloak, and upon being opened it will initiate login against the 3rd party IdP, bypassing the Keycloak login screen. Do you think this will suit your needs?

Regards,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 17:31 +0530, Bhavana Motwani wrote:
> Hi all,
>
> We are using Keycloak as an SP.
> So far we have done the following:
>
>    - Configured an external IDP (eg. auth0) to broker the authentication in a realm.
>    - Created an OpenID Connect client in the same realm.
>    - Using the keycloak-connect node lib in our web application to connect to the client.
>    - We are successfully able to do an SP initiated SSO authentication.
>
>
> Facing issues with IDP initiated SSO
>
>    - Do we have to create a client in our Keycloak? If yes, what will be the changes?
>    - What will be the possible changes on the IDP side that we have brokered? We are trying with Auth0.
>    - This is the link we are using: https://www.keycloak.org/docs/4.5/server_admin/index.html#idp-initiated-login, but the documentation is not very clear.
>
> Thank you for the help
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sso_.png
Type: image/png
Size: 43721 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181217/0c980198/attachment-0001.png

From dt at acutus.pro Sun Dec 16 22:45:38 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 17 Dec 2018 06:45:38 +0300
Subject: [keycloak-user] How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)
References: <1544747667.12484.1.camel@acutus.pro>
Message-ID: <1545018338.12250.10.camel@acutus.pro>

Hi Geoffrey, you're welcome :)

As for embedding custom error messages into existing templates, I suggest that you check out the following thread:
http://lists.jboss.org/pipermail/keycloak-user/2018-December/016669.html

Please let me know if it works for you.

Cheers,
Dmitry

On Fri, 2018-12-14 at 11:49 +0100, Geoffrey Cleaves wrote:
> Thanks Dmitry, I never in a 1000 years would have figured this out.
>
> My goal with all of this is to only allow a user to log in with Google (or other provider) if there is already an account created with the same email address. My code below works, but instead of returning an entire custom page on failure, it would be nice to use the existing template with simply a different text. I hate to abuse your free time, but if you have any tips for that I would be most appreciative.
>
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
>
> // take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.
> SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
> AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
> Response = Java.type("javax.ws.rs.core.Response");
> MediaType = Java.type("javax.ws.rs.core.MediaType");
> response = Response.status(401).entity("You must have an existing account to log in.").type(MediaType.TEXT_HTML_TYPE).build();
> users = session.users().getUsers(realm, false);
>
> function authenticate(context) {
>     var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
>     var biCtx = serializedCtx.deserialize(session, authenticationSession);
>     var idpUsername = biCtx.username;
>     LOG.info("username = " + idpUsername);
>     LOG.info("alias = " + biCtx.idpConfig.alias);
>
>     for (var u in users) {
>         //LOG.info("u = " + users[u].getEmail());
>         if (idpUsername === users[u].getEmail()) {
>             context.success();
>             return;
>         }
>     }
>
>     context.failure(AuthenticationFlowError.USER_DISABLED, response);
>     return;
> }
>
>
>
> On Fri, 14 Dec 2018 at 01:34, Dmitry Telegin wrote:
> > Hello Geoffrey,
> >
> > I was right about to click Send when I finally noticed that statement in parentheses :-D you were 100% right, what else can I say :)
> >
> > Here we go, try this snippet:
> >
> > SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
> > AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
> >
> > function authenticate(context) {
> >
> >     var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
> >
> >     var biCtx = serializedCtx.deserialize(session, authenticationSession);
> >
> >     LOG.info(biCtx.username);
> >     LOG.info(biCtx.idpConfig.alias);
> >
> >     context.success();
> >
> > }
> >
> > Also take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.
> >
> > Good luck :)
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Thu, 2018-12-13 at 14:31 +0100, Geoffrey Cleaves wrote:
> > > Hello. I have a simple JS execution which denies access as the first step of the first broker login flow. I would like to access some of the attributes that Keycloak writes out to the log when executing this flow (see below).
> > >
> > > What objects or variables must my JS execution load in order to get the identity_provider_identity attribute listed below?
> > >
> > > 20:29:56,588 WARN  [org.keycloak.events] (default task-527) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic, userId=null, ipAddress=90., error=user_not_found, identity_provider=google, auth_method=openid-connect, redirect_uri=http://localhost:8222?clientid=tic, identity_provider_identity=user at gmail.com, code_id=b07317fdb
> > >
> > > Thanks in advance!
> > >
> > > Geoff
> >
>
> --
> Regards,
> Geoffrey Cleaves

From dt at acutus.pro Sun Dec 16 23:08:51 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 17 Dec 2018 07:08:51 +0300
Subject: [keycloak-user] Cross Realm authorization
Message-ID: <1545019731.12250.12.camel@acutus.pro>

Hello David,

Please take a look at how it is done in BeerCloak:
https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources

All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.

(Some musings: I dream of having AdminRealmResourceProvider with all that stuff OOTB; the idea has been around for years, but I'm afraid we won't have it in Keycloak anytime soon. Luckily, this can be done at a low price of introducing some boilerplate code into your project.)

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> Hello,
>
> we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
>
> AuthenticationManager.AuthResult authResult =
>       authManager.authenticateBearerToken(session);
>
> if (authResult == null) {
>    throw new NotAuthorizedException("Bearer token required");
> }
>
> And
>
> if (!auth.hasClientRole(client, "view-users")) {
>    throw new NotAuthorizedException("Necessary permission not available");
> }
>
> We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end-users.
>
> So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
>
> Here
>
> AuthenticationManager.AuthResult authResult =
>       authManager.authenticateBearerToken(session);
>
> if (authResult == null) {
>    throw new NotAuthorizedException("Bearer token required");
> }
>
> always results in unauthorized.
>
> Looking at the code and testing, I think with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal?
>
> Mit freundlichen Grüßen / With kind regards
>
> David Herrmann
>
> RD/UIA
> Team Rising Stars
> [Computer-generated alternative text: RDIU]
>
> Daimler AG
> HPC G464
> 70546 Stuttgart
> Mobil: +49 176 309 369 87
>
> What3Words Address:
> ellbogen.sprüche.anfänge
>
> E-Mail: david_christian.herrmann at daimler.com
>
> Daimler AG
> Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360
> Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
> Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber
>
> If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

From david_christian.herrmann at daimler.com Mon Dec 17 02:29:00 2018
From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com)
Date: Mon, 17 Dec 2018 07:29:00 +0000
Subject: [keycloak-user] Cross Realm authorization
In-Reply-To: <1545019731.12250.12.camel@acutus.pro>
References: <1545019731.12250.12.camel@acutus.pro>
Message-ID: <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net>

Hi Dmitry,

thanks for your answer and the link to your project! I will try this out.

Mit freundlichen Grüßen / With kind regards

David Herrmann
RD/UIA
Team Rising Stars
Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87
What3Words Address: entfalten.jüngste.nehmen choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Monday, 17 December 2018 05:09
To: Herrmann, David Christian (059); keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Cross Realm authorization

Hello David,

Please take a look at how it is done in BeerCloak:
https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources

All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.

(Some musings: I dream of having AdminRealmResourceProvider with all that stuff OOTB; the idea has been around for years, but I'm afraid we won't have it in Keycloak anytime soon. Luckily, this can be done at a low price of introducing some boilerplate code into your project.)

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> Hello,
>
> we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
>
> AuthenticationManager.AuthResult authResult =
>       authManager.authenticateBearerToken(session);
>
> if (authResult == null) {
>    throw new NotAuthorizedException("Bearer token required");
> }
>
> And
>
> if (!auth.hasClientRole(client, "view-users")) {
>    throw new NotAuthorizedException("Necessary permission not available");
> }
>
> We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end-users.
>
> So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
>
> Here
>
> AuthenticationManager.AuthResult authResult =
>       authManager.authenticateBearerToken(session);
>
> if (authResult == null) {
>    throw new NotAuthorizedException("Bearer token required");
> }
>
> always results in unauthorized.
>
> Looking at the code and testing, I think with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal?
>
> Mit freundlichen Grüßen / With kind regards
>
> David Herrmann
>
> RD/UIA
> Team Rising Stars
> [Computer-generated alternative text: RDIU]
>
> Daimler AG
> HPC G464
> 70546 Stuttgart
> Mobil: +49 176 309 369 87
>
> What3Words Address:
> ellbogen.sprüche.anfänge
>
> E-Mail: david_christian.herrmann at daimler.com
From sven.beauprez at theglue.com Mon Dec 17 04:24:18 2018
From: sven.beauprez at theglue.com (Sven Beauprez)
Date: Mon, 17 Dec 2018 09:24:18 +0000
Subject: [keycloak-user] MySQL and UTF8

Hi,

Searching the internet, I noticed that I am not alone struggling with this, and the things I found did not work for my particular test, unless I missed something, hence this mail.

When trying to use UTF-8, I get the exception "Row size too large". I am starting MySQL (8.0.3) and Keycloak (4.7.0-Final) respectively via docker as follows (just a test env, not the most secure setup).

I am aware of the following MySQL configuration https://www.keycloak.org/docs/latest/server_installation/index.html#mysql-database but it seems I am doing something wrong when using the containerized version.

Do

docker volume create mysql-volume
docker network create mysql-network
docker run --name mysql --mount source=mysql-volume,target=/var/lib/mysql --net mysql-network -p 3306:3306 -e MYSQL_USER=keycloak -e MYSQL_DATABASE=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=password -d mysql:8.0.13 --character-set-server=utf8

and run keycloak

docker run --name keycloak --net mysql-network -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password -e JDBC_PARAMS='connectTimeout=30&useSSL=false&allowPublicKeyRetrieval=true&characterEncoding=UTF-8' -p 8080:8080 jboss/keycloak:4.7.0.Final

And I get the following error (as described above)

...
Caused by: liquibase.exception.MigrationFailedException: Migration failed for change set META-INF/jpa-changelog-1.9.1.xml::1.9.1::keycloak:
     Reason: liquibase.exception.DatabaseException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]
        at liquibase.changelog.ChangeSet.execute(ChangeSet.java:619)
        at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
        at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:79)
        at liquibase.Liquibase.update(Liquibase.java:214)
        at liquibase.Liquibase.update(Liquibase.java:192)
        at liquibase.Liquibase.update(Liquibase.java:188)
        at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:182)
        at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:102)
        ... 57 more
Caused by: liquibase.exception.DatabaseException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]
        at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:309)
        at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
        at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:113)
        at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1277)
        at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1259)
        at liquibase.changelog.ChangeSet.execute(ChangeSet.java:582)
        ... 64 more
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs
...
Regards,
Sven

From newsletters at syquus.com Mon Dec 17 04:51:53 2018
From: newsletters at syquus.com (Julio)
Date: Mon, 17 Dec 2018 10:51:53 +0100
Subject: [keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!

Hello Max,

Did anything change in your ALB problem since the response of Hiroyuki Wada regarding a Classic ELB? Did ALB work for your OIDC/Keycloak backed endeavour :) ?

I'm in the quest of accomplishing the same, but it would be great to know how it went for you.

Best Regards
Julio

From mariusz at info.nl Mon Dec 17 04:53:24 2018
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Mon, 17 Dec 2018 09:53:24 +0000
Subject: [keycloak-user] Refresh_token error after keycloak cluster restart

Hi.

We run 2 keycloak nodes, configured as a cluster, with infinispan cache to keep sessions alive after keycloak restart. We use keycloak from 2 places, the website (using the Keycloak Tomcat Adapter) and the mobile app. The Keycloak version currently used is 3.4.3.

After keycloak is restarted, it all works fine on the website; after an attempt to use the website, I see the following message in the keycloak log:

2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession. Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz at info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a

For the app, the flow is:

* User logs in using the browser view, on the keycloak login page
* Token and refreshToken are stored in the app

After keycloak is restarted, the app tries to refresh the token, and gets:

2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret

Response from the REST call is:

{
    "error": "invalid_grant",
    "error_description": "Session doesn't have required client"
}

Can you please help me to solve that issue?

Regards
Mariusz

From sthorger at redhat.com Mon Dec 17 06:54:37 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Dec 2018 12:54:37 +0100
Subject: [keycloak-user] Keycloak 4.8.0.Final released

To download the release go to the Keycloak homepage.

For details on what is included in the release check out the Release notes.

The full list of resolved issues is available in JIRA.

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.
From mariusz at info.nl Mon Dec 17 07:19:29 2018
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Mon, 17 Dec 2018 12:19:29 +0000
Subject: [keycloak-user] ODP: Refresh_token error after keycloak cluster restart

What I also found, during debug, is that TokenManager is able to find the userSession, with all details, but can't getAuthenticatedClientSessionByClient (line 162, TokenManager.java).

What I see in debug is that UserSessionAdapter has an entity field (UserSessionEntity), and this entity contains authenticatedClientSessions (with session ID, and correct clientID).

So I don't understand why this call:

userSession.getAuthenticatedClientSessionByClient(client.getId())

is returning null. Also this:

userSession.getAuthenticatedClientSessions()

returns an empty list.

Do you know if that might be caused by some misconfiguration?

Regards
Mariusz

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On behalf of Mariusz Chruscielewski - Info.nl
Sent: Monday, 17 December, 2018 10:53
To: keycloak-user
Subject: [keycloak-user] Refresh_token error after keycloak cluster restart

Hi.

We run 2 keycloak nodes, configured as a cluster, with infinispan cache to keep sessions alive after keycloak restart. We use keycloak from 2 places, the website (using the Keycloak Tomcat Adapter) and the mobile app. The Keycloak version currently used is 3.4.3.

After keycloak is restarted, it all works fine on the website; after an attempt to use the website, I see the following message in the keycloak log:

2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession. Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz at info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a

For the app, the flow is:

* User logs in using the browser view, on the keycloak login page
* Token and refreshToken are stored in the app

After keycloak is restarted, the app tries to refresh the token, and gets:

2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret

Response from the REST call is:

{
    "error": "invalid_grant",
    "error_description": "Session doesn't have required client"
}

Can you please help me to solve that issue?

Regards
Mariusz

From geoff at opticks.io Mon Dec 17 07:21:41 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 17 Dec 2018 13:21:41 +0100
Subject: [keycloak-user] Keycloak 4.8.0.Final released

Thanks for the update. I see more and more features being labeled as tech preview and disabled by default. I guess that this means the features have bugs or negatively impact performance? Any further insight would be appreciated.

On Mon, 17 Dec 2018 at 12:59, Stian Thorgersen wrote:
> To download the release go to the Keycloak homepage.
>
> For details on what is included in the release check out the Release notes.
>
> The full list of resolved issues is available in JIRA:
> https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%204.8.0.Final
>
> Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Regards, Geoffrey Cleaves From david_christian.herrmann at daimler.com Mon Dec 17 08:09:10 2018 From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com) Date: Mon, 17 Dec 2018 13:09:10 +0000 Subject: [keycloak-user] Cross Realm authorization In-Reply-To: <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> References: <1545019731.12250.12.camel@acutus.pro> <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> Message-ID: <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net> Hi Dmitry, I implemented it based on beercloak. Here in AbstractAdminRessource.java: AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session, realm); if (authResult == null) { throw new NotAuthorizedException("Bearer"); } Still results in Unauthorized. I tried it with an user in master realm, that has "view-users" for the user realm and an admin user from the master realm. Both resulted in an 401 at the mentioned code point. The realm is set to master realm and the session seems to be injected ... Any ideas? Mit freundlichen Gr??en / With kind regards David Herrmann RD/UIA Team Rising Stars Daimler AG HPC G464 70546 Stuttgart Mobil: +49 176 309 369 87 What3Words Address: entfalten.j?ngste.nehmen choppy.impact.moisture E-Mail: david_christian.herrmann at daimler.com Daimler AG Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 
19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of david_christian.herrmann at daimler.com
Sent: Monday, 17 December 2018 08:29
To: dt at acutus.pro; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Cross Realm authorization

Hi Dmitry,

thanks for your answer and the link to your project! I will try this out.

Mit freundlichen Grüßen / With kind regards

David Herrmann
RD/UIA
Team Rising Stars

Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87

What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Monday, 17 December 2018 05:09
To: Herrmann, David Christian (059); keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Cross Realm authorization

Hello David,

Please take a look at how it is done in BeerCloak:
https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources

All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation).
The whole purpose of this is to allow master realm users to administer objects in non-master realms.

(Some musings: I dream of having AdminRealmResourceProvider with all that stuff OOTB; the idea has been around for years, but I'm afraid we won't have it in Keycloak anytime soon. Luckily, this can be done at a low price of introducing some boilerplate code into your project.)

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> Hello,
>
> we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
>
>     AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session);
>
>     if (authResult == null) {
>         throw new NotAuthorizedException("Bearer token required");
>     }
>
> And
>
>     if(!auth.hasClientRole(client,"view-users")){
>         throw new NotAuthorizedException("Necessary permission not available");
>     }
>
> We now have the problem, that we want to access the endpoint with technical users which are in the master realm to separate them from the real end-users.
>
> So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
>
> Here
>
>     AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session);
>
>     if (authResult == null) {
>         throw new NotAuthorizedException("Bearer token required");
>     }
>
> Always results in unauthorized.
>
> Looking at the code and testing I think with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal?
>
> Mit freundlichen Grüßen / With kind regards
>
> David Herrmann
>
> RD/UIA
> Team Rising Stars
>
> Daimler AG
> HPC G464
> 70546 Stuttgart
> Mobil: +49 176 309 369 87
>
> What3Words Address:
> ellbogen.sprüche.anfänge
>
> E-Mail:
> david_christian.herrmann at daimler.com
>
> If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
From jdennis at redhat.com Mon Dec 17 08:32:05 2018
From: jdennis at redhat.com (John Dennis)
Date: Mon, 17 Dec 2018 08:32:05 -0500
Subject: [keycloak-user] Fw: SSO saml and jwt client
In-Reply-To: <1545016375.12250.3.camel@acutus.pro>
References: <1544801446375.92650@JTV.com> <1544801765316.59360@JTV.com>
	<1544803467505.51430@JTV.com> <1545016375.12250.3.camel@acutus.pro>
Message-ID:

On 12/16/18 10:12 PM, Dmitry Telegin wrote:
> Hello Mahendra,
>
> This should work out of the box - after all, that's what SSO is about. Are you sure that both OIDC and SAML clients are in the same Keycloak realm?

And make sure you don't have ForceAuthn set to true in the request. As a reminder this is the definition of ForceAuthn:

"A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context."

> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-12-14 at 16:04 +0000, Satrasala, Mahendra wrote:
>> I can SSO across different JWT clients but if I try to access a SAML client, I am redirected to the login page even if I have an active session for the user in keycloak after an OIDC authentication.
>>
>> Is it possible to automatically authenticate the user for the SAML client? Simply put, I am trying to get a SAML assertion on behalf of the user after OIDC authentication.
>>
>> Thanks in advance!!
>>
>

--
John Dennis

From nikola.malenic at netsetglobal.rs Mon Dec 17 09:39:10 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Mon, 17 Dec 2018 15:39:10 +0100
Subject: [keycloak-user] Keycloak behind reverse proxy
Message-ID: <015001d49616$461b7b00$d2527100$@netsetglobal.rs>

I configured mutual-ssl authentication on Keycloak. That means that user coming to Keycloak does SSL handshake allowing Keycloak to extract data from client certificate and map that data to an existing user at Keycloak, and based on that authenticate the user.

Now, I need to configure reverse proxy in front of Keycloak. I'm using Apache's httpd. The problem is that user's browser now does SSL handshake with the reverse proxy server instead of Keycloak and sends plain http request, disabling Keycloak to map and authenticate the user.

Is there a proposed method to achieve this? Can I configure some reverse proxy (maybe not httpd) to proxy requests on the transport layer? For example, I've seen there is a way to do client authentication on httpd and then send client certificate details to the Wildfly through AJP protocol, but how to map this data to the user then? Or should I somehow configure Keycloak for this? Maybe configure the proxy to be KC's client and do the authentication somehow?
Many thanks,
Nikola

From mariusz at info.nl Mon Dec 17 09:42:48 2018
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Mon, 17 Dec 2018 14:42:48 +0000
Subject: [keycloak-user] ODP: Refresh_token error after keycloak cluster restart
In-Reply-To:
References:
Message-ID:

To explain my case a bit more, what I do is:

First I get token using:

POST https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token
scope: openid
client_id: myClient
Grant_type: password
Username: username
password: password
Response_type: code

Then I save token, restart both keycloak nodes (which work in cluster)

Then I try to do:

POST https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token
scope: openid
client_id: myClient
grant_type: refresh_token
refresh_token: TOKEN
response_type: code

And that request fails with status 400 and response:

{
  "error": "invalid_grant",
  "error_description": "Session doesn't have required client"
}

What can I do to make that work?

Regards
Mariusz

-----Original Message-----
From: Mariusz Chruscielewski - Info.nl
Sent: Monday, 17 December, 2018 13:19
To: Mariusz Chruscielewski - Info.nl; keycloak-user
Subject: ODP: Refresh_token error after keycloak cluster restart

What I also found, during debug, is that TokenManager is able to find userSession, with all details, but can't getAuthenticatedClientSessionByClient (line 162, tokenManager.java)

This is what I see in debug, is that UserSessionAdapter has entity field (UsersSessionEntity), and this Entity contains authenticatedClientSessions (with session ID, and correct clientID). So I don't understand why this call:

    userSession.getAuthenticatedClientSessionByClient(client.getId())

Is returning null. Also this:

    userSession.getAuthenticatedClientSessions()

returns empty list.

Do you know, if that might be caused by some misconfiguration?

Regards
Mariusz

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Mariusz Chruscielewski - Info.nl
Sent: Monday, 17 December, 2018 10:53
To: keycloak-user
Subject: [keycloak-user] Refresh_token error after keycloak cluster restart

Hi.

We run 2 keycloak nodes, configured as cluster, with infinispan cache to keep sessions alive after keycloak restart.

We use keycloak from 2 places, website (using Keycloak Tomcat Adapter) and from mobile app.

Keycloak version currently used is 3.4.3

After keycloak is restarted, it all works fine on website, after attempt to use website, I see following message in keycloak log:

2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession.Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz at info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a

For app, flow is:
* User log in using browser view, on keycloak login page
* Token and refreshToken are stored in app

After keycloak is restarted, app tries to refresh token, and gets:

2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret

Response from REST call is:

{
  "error": "invalid_grant",
  "error_description": "Session doesn't have required client"
}

Can you please help me to solve that issue?

Regards
Mariusz

From luca.stancapiano at vige.it Mon Dec 17 11:23:17 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Mon, 17 Dec 2018 17:23:17 +0100 (CET)
Subject: [keycloak-user] Get the realms through the Client Admin Api
Message-ID: <283929471.433725.1545063797892@pim.register.it>

I'm trying a simple call via Rest to my keycloak 4.7.0.Final server distribution.
I created an admin user through the admin web console:

user: admin
pass: admin

The server works on the 8180 port and it starts through the command:

    ./standalone.sh -Djboss.socket.binding.port-offset=100

I try to do a simple call using the admin client api imported through the dependency in the pom:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-admin-client</artifactId>
        <version>4.7.0.Final</version>
        <scope>test</scope>
    </dependency>

Here the java code:

    Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
    keycloak.realm("master").clients().findAll();

when the findAll method is executed I receive the Exception:

javax.ws.rs.ProcessingException: java.lang.NullPointerException
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:599)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
	at com.sun.proxy.$Proxy29.findAll(Unknown Source)
	at it.vige.school.resttest.schoolmodule.test.PresenceTest.setPresence(PresenceTest.java:42)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:532)
	at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:115)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:171)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:167)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:114)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:59)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:108)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
	at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
	at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
	at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
	at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
	at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
	at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:220)
	at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:188)
	at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:202)
	at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:181)
	at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
	at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invokeAllTests(JUnitPlatformProvider.java:142)
	at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invoke(JUnitPlatformProvider.java:117)
	at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
Caused by: java.lang.NullPointerException
	at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:53)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:586)
	... 47 more

What am I missing?
From manuel.waltschek at prisma-solutions.at Mon Dec 17 13:09:19 2018
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Mon, 17 Dec 2018 18:09:19 +0000
Subject: [keycloak-user] Security context not propagated to EJB Tier
Message-ID:

Hello,

I know this has already been asked and the documentation of keycloak also has a short entry on this topic: "To propagate the security context to the EJB tier you need to configure it to use the "keycloak" security domain. This can be achieved with the @SecurityDomain annotation:", which is exactly what I did with all my EJBs.

I even made my own quickstart/testproject, since I am trying to secure an EAR-Deployment with EJBs on Wildfly 10 and I just cannot get Keycloak SAML to work properly. I also annotated these beans with @PermitAll.

I am using the wildfly-saml-adapter to authenticate against an external IdP and I have been debugging the adapter to figure out what is happening. I can see that in org.keycloak.adapters.saml.wildfly.SecurityInfoHelper.propagateSessionInfo(KeycloakAccount) the SubjectInfo is created and the Principal is propagated to org.jboss.security.SecurityContext.

I configured my war in my ear to have a jboss-web.xml which points to "keycloak" security-domain, but it does not make any difference.

I am trying to invoke EJBContext.getCallerPrincipal() in my stateless EJB which always returns a SimplePrincipal with name anonymous. This is only true for my real application. Everything is working as expected in my test application, since I inject the Beans directly in a Servlet Endpoint. On my real application they are looked up by a jndi lookup on code I have in jar deployments too.

Can you please point me to any other ideas on what else I can try to get this working?
Thank you in advance,
Manuel Waltschek

From tdockendorf at osc.edu Mon Dec 17 13:39:51 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Mon, 17 Dec 2018 18:39:51 +0000
Subject: [keycloak-user] Unable to query currently set bindCredentials for LDAP
In-Reply-To: <1545014481.12250.1.camel@acutus.pro>
References: <430CBE4F-B11E-4773-AD3F-9C6DB448998F@osc.edu>
	<1544764416.16111.5.camel@acutus.pro>
	<13B9955C-AA84-4036-945E-2F0171ED00BF@osc.edu>
	<1545014481.12250.1.camel@acutus.pro>
Message-ID:

Using GET was giving me 405 Method not allowed [1], but if I change to POST I get 400 even though I know the credentials saved are good. The buttons in web interface are doing nothing for me, I click "Test authentication" and nothing happens. This is Keycloak 4.2.1.Final. Tried with both Firefox and Chrome. Also "Test connection" does nothing too.

Thanks,
- Trey

TOKEN:

export TKN=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" \
  -d 'password=OMIT' \
  -d 'grant_type=password' \
  -d 'client_id=admin-cli' | jq -r '.access_token')

[1]:

# curl -X GET 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn%3Dread%2Cou%3DAdmin%&componentId=OSC-LDAP-osc&connectionTimeout=&connectionUrl=ldaps%3A%2F%OMIT%3A636&useTruststoreSpi=never' \
> -H "Accept: application/json" \
> -H "Authorization: Bearer $TKN" -v
* About to connect() to localhost port 8080 (#0)
* Trying ::1...
* Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn%3Dread%2Cou%3DAdmin%OMIT&componentId=OSC-LDAP-osc&connectionTimeout=&connectionUrl=ldaps%3A%2F%OMIT%3A636&useTruststoreSpi=never HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Bearer [token removed]
>
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Content-Length: 0
< Date: Mon, 17 Dec 2018 18:25:07 GMT
<
* Connection #0 to host localhost left intact

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

On 12/16/18, 9:41 PM, "Dmitry Telegin" wrote:

    Hello Trey,

    Please try the following link:

    GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=<bindDn>&componentId=<componentId>&connectionTimeout=&connectionUrl=<connectionUrl>&useTruststoreSpi=ldapsOnly

    You should substitute the values in angle brackets with your actual ones. You can look them up by firing Admin console, going to LDAP config, pressing F12, clicking "Test authentication" and examining the contents of the resulting GET request.

    You should also leave bindCredential as is; this special value (10 asterisks) instructs Keycloak to perform testing with the saved credentials.

    You will get HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.

    Good luck,
    Dmitry Telegin
    CTO, Acutus s.r.o.
    Keycloak Consulting and Training

    Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
    +42 (022) 888-30-71
    E-mail: info at acutus.pro

    On Fri, 2018-12-14 at 18:46 +0000, Dockendorf, Trey wrote:
    > So my goal is for Puppet code to be given bind credentials and know if the provided value is currently configured in Keycloak. Since the plain-text value isn't easily accessed I was hoping to use testLDAPConnection API call to test if the provided credentials currently configured in Keycloak are still valid so that Puppet could know if it needs to update with Puppet provided credentials. In order to do this I'd have to make a call to testLDAPConnection and have it use bindCredential from the database and not have to be specified. Is that possible? So far I'm not having much luck. Also only getting useful response if I use POST (per API docs) and not GET. Is bindCredential not read from the database if omitted as query parameter?
    >
    > Get token:
    > export TKN=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
    > -H "Content-Type: application/x-www-form-urlencoded" \
    > -d "username=admin" \
    > -d 'password=OMIT' \
    > -d 'grant_type=password' \
    > -d 'client_id=admin-cli' | jq -r '.access_token')
    >
    > $ curl -X POST 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
    > > -H "Accept: application/json" \
    > > -H "Authorization: Bearer $TKN"
    >
    > {"errorMessage":"LDAP test error"}
    >
    > $ curl -X GET 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
    > > -H "Accept: application/json" \
    > > -H "Authorization: Bearer $TKN" -v
    >
    > * About to connect() to localhost port 8080 (#0)
    > * Trying ::1...
    > * Connection refused
    > * Trying 127.0.0.1...
    > * Connected to localhost (127.0.0.1) port 8080 (#0)
    > > GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc HTTP/1.1
    > > User-Agent: curl/7.29.0
    > > Host: localhost:8080
    > > Accept: application/json
    > > Authorization: Bearer [token removed]
    > >
    >
    > < HTTP/1.1 405 Method Not Allowed
    > < Connection: keep-alive
    > < Content-Length: 0
    > < Date: Fri, 14 Dec 2018 18:43:20 GMT
    > <
    > * Connection #0 to host localhost left intact
    >
    > --
    > Trey Dockendorf
    >
    > HPC Systems Engineer
    > Ohio Supercomputer Center
    >
    >
    > On 12/14/18, 12:13 AM, "Dmitry Telegin"
    wrote:
    >
    >     Hello Trey,
    >
    >     The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me.
    >
    >     OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate. In my case it's like this:
    >
    >     GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly
    >
    >     This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.
    >
    >     Good luck,
    >     Dmitry Telegin
    >     CTO, Acutus s.r.o.
    >     Keycloak Consulting and Training
    >
    >     Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
    >     +42 (022) 888-30-71
    >     E-mail: info at acutus.pro
    >
    >     On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
    >     > I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends. I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly. Is there a way to have Keycloak return the actual value that's stored in the database? I have found where in the database this is stored but I'd rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
    >     >
    >     > If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work? I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm's configured LDAP.
    >     >
    >     > Thanks,
    >     > - Trey
    >     >
    >     > [1]
    >     >
    >     > $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password | jq .config.bindCredential
    >     >
    >     > Logging into http://localhost:8080/auth as user admin of realm master
    >     >
    >     > [
    >     >   "**********"
    >     > ]
    >     >
    >     > --
    >     > Trey Dockendorf
    >     > HPC Systems Engineer
    >     > Ohio Supercomputer Center
    >

From enenum at yahoo.com Mon Dec 17 16:31:40 2018
From: enenum at yahoo.com (Munene Kiruja)
Date: Mon, 17 Dec 2018 21:31:40 +0000 (UTC)
Subject: [keycloak-user] Problem using Keycloak behind reverse proxy since 4.5.0.Final
References: <911385040.1119970.1545082300846.ref@mail.yahoo.com>
Message-ID: <911385040.1119970.1545082300846@mail.yahoo.com>

I have keycloak in a bare metal kubernetes single node cluster. It's installed using helm.

For https, we setup a reverse proxy in front of keycloak. First we used nginx with a lua extension for oidc, and moved on to envoy proxy. Results are the same - works until 4.4.0.Final. Everything is working well as long as we use keycloak versions up to 4.4.0.

From 4.5.0 and up, accessing https/auth/admin redirects to http and fails.

I have spent much time going over the reverse proxy setup in the documentation (which seems to have nothing new lately that should justify any changes since 4.4.0) and not made any progress.

Can anyone shed light on this darkness for us?
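Returning to the testLDAPConnection exchange between Trey and Dmitry above: the following is an added example, not code from the thread or from Keycloak, written in Ruby because Trey's caller is a Puppet provider. It assumes the POST-with-query-parameters form that Trey found works on 4.2.1, Dmitry's ten-asterisk sentinel for "test with the stored credential", and constructed host, realm and LDAP values; the `http` parameter exists only so the call can be exercised without a live server.

```ruby
# Added example (not from the thread): ask Keycloak to test the LDAP bind with
# the credential it already has stored, so a Puppet provider can learn whether
# the saved bind still works without ever reading the secret back.
require 'net/http'
require 'uri'

# Keycloak returns this sentinel for secret component config values; sending it
# back as bindCredential tells the server to test with the stored secret.
SECRET_VALUE = '**********'

# Builds the testLDAPConnection URL with the same query parameters the admin
# console sends. All host/realm/LDAP values are caller-supplied (assumed here).
def build_ldap_test_uri(base_url:, realm:, component_id:, bind_dn:, connection_url:,
                        use_truststore_spi: 'ldapsOnly', connection_timeout: '')
  params = {
    'action'            => 'testAuthentication',
    'bindCredential'    => SECRET_VALUE,
    'bindDn'            => bind_dn,
    'componentId'       => component_id,
    'connectionTimeout' => connection_timeout,
    'connectionUrl'     => connection_url,
    'useTruststoreSpi'  => use_truststore_spi
  }
  uri = URI.parse("#{base_url}/admin/realms/#{URI.encode_www_form_component(realm)}/testLDAPConnection")
  uri.query = URI.encode_www_form(params) # '*' stays literal, ',' '=' ':' '/' are escaped
  uri
end

# Maps the HTTP status to a verdict the provider can act on. 204 and 400 are
# the two outcomes Dmitry lists; 405 is what Trey saw on 4.2.1 with GET instead
# of POST; 401/403 mean the admin token, not the LDAP bind, was rejected.
def ldap_test_verdict(status)
  case status.to_i
  when 204 then :bind_ok
  when 400 then :bind_failed
  when 401, 403 then :admin_token_rejected
  when 405 then :method_not_allowed
  else :unexpected
  end
end

# Issues the request with the admin bearer token and returns the verdict.
# `http` may be any object responding to #request(req); when nil a Net::HTTP
# client for the URI's host and port is built.
def saved_ldap_bind_works?(uri:, access_token:, http: nil)
  req = Net::HTTP::Post.new(uri)          # POST: GET answered 405 in the thread
  req['Authorization'] = "Bearer #{access_token}"
  req['Accept'] = 'application/json'
  if http.nil?
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == 'https')
  end
  ldap_test_verdict(http.request(req).code)
end
```

Trey reports a 400 on 4.2.1 even with known-good stored credentials, so treat :bind_failed as "could not confirm" rather than "wrong password" until the call has been verified against your own Keycloak version.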
From dt at acutus.pro Mon Dec 17 17:14:10 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 18 Dec 2018 01:14:10 +0300
Subject: [keycloak-user] Problem using Keycloak behind reverse proxy since 4.5.0.Final
In-Reply-To: <911385040.1119970.1545082300846@mail.yahoo.com>
References: <911385040.1119970.1545082300846.ref@mail.yahoo.com>
	<911385040.1119970.1545082300846@mail.yahoo.com>
Message-ID: <1545084850.2035.4.camel@acutus.pro>

Hello,

Beginning with 4.5.0, Keycloak Docker images use standalone-ha.xml by default instead of standalone.xml. I think that might be the cause because you need to properly configure http-listener (proxy-address-forwarding="true" etc.)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-17 at 21:31 +0000, Munene Kiruja wrote:
> I have keycloak in a bare metal kubernetes single node cluster. It's installed using helm.
>
> For https, we setup a reverse proxy in front of keycloak. First we used nginx with a lua extension for oidc, and moved on to envoy proxy. Results are the same - works until 4.4.0.Final. Everything is working well as long as we use keycloak versions up to 4.4.0.
>
> From 4.5.0 and up, accessing https/auth/admin redirects to http and fails.
>
> I have spent much time going over the reverse proxy setup in the documentation (which seems to have nothing new lately that should justify any changes since 4.4.0) and not made any progress.
>
> Can anyone shed light on this darkness for us?
From dt at acutus.pro Mon Dec 17 20:10:18 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 18 Dec 2018 04:10:18 +0300
Subject: [keycloak-user] Cross Realm authorization
In-Reply-To: <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net>
References: <1545019731.12250.12.camel@acutus.pro> <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net>
Message-ID: <1545095418.13723.1.camel@acutus.pro>

David,

Which version of Keycloak are you using? The authorization subsystem undergoes changes from release to release, so I'm going to double check that BeerCloak works with the recent Keycloak versions and update it if necessary.

Cheers,
Dmitry

On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann at daimler.com wrote:
> Hi Dmitry,
> 
> I implemented it based on BeerCloak.
> 
> Here in AbstractAdminResource.java:
> 
>     AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session, realm);
> 
>     if (authResult == null) {
>         throw new NotAuthorizedException("Bearer");
>     }
> 
> Still results in Unauthorized.
> 
> I tried it with a user in the master realm that has "view-users" for the user realm, and with an admin user from the master realm. Both resulted in a 401 at the mentioned code point.
> 
> The realm is set to the master realm and the session seems to be injected ... Any ideas?
> 
> Mit freundlichen Grüßen / With kind regards
> 
> David Herrmann
> RD/UIA
> Team Rising Stars
> 
> Daimler AG
> HPC G464
> 70546 Stuttgart
> Mobile: +49 176 309 369 87
> 
> What3Words Address:
> entfalten.jüngste.nehmen
> choppy.impact.moisture
> E-Mail: david_christian.herrmann at daimler.com
> 
> Daimler AG
> Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No.
> 19360
> Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
> Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman),
> Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of david_christian.herrmann at daimler.com
> Sent: Monday, 17 December 2018 08:29
> To: dt at acutus.pro; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
> 
> Hi Dmitry,
> 
> thanks for your answer and the link to your project! I will try this out.
> 
> Mit freundlichen Grüßen / With kind regards
> 
> David Herrmann
> RD/UIA
> Team Rising Stars
> 
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Monday, 17
> December 2018 05:09
> To: Herrmann, David Christian (059); keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
> 
> Hello David,
> 
> Please take a look at how it is done in BeerCloak:
> https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources
> 
> All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.
> 
> (Some musings: I dream of having AdminRealmResourceProvider with all that stuff OOTB; the idea has been around for years, but I'm afraid we won't have it in Keycloak anytime soon. Luckily, this can be done at a low price of introducing some boilerplate code into your project.)
> 
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> > Hello,
> > 
> > we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
> > 
> >     AuthenticationManager.AuthResult authResult =
> >         authManager.authenticateBearerToken(session);
> > 
> >     if (authResult == null) {
> >         throw new NotAuthorizedException("Bearer token required");
> >     }
> > 
> > and
> > 
> >     if (!auth.hasClientRole(client, "view-users")) {
> >         throw new NotAuthorizedException("Necessary permission not available");
> >     }
> > 
> > We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end-users.
> > 
> > So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
> > 
> > Here
> > 
> >     AuthenticationManager.AuthResult authResult =
> >         authManager.authenticateBearerToken(session);
> > 
> >     if (authResult == null) {
> >         throw new NotAuthorizedException("Bearer token required");
> >     }
> > 
> > always results in unauthorized.
> > 
> > Looking at the code and testing, I think that with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal?
> > 
> > Mit freundlichen Grüßen / With kind regards
> > 
> > David Herrmann
> > RD/UIA
> > Team Rising Stars
> > [Computer-generated alternative text: RDIU]
> > 
> > What3Words Address:
> > ellbogen.sprüche.anfänge
> > E-Mail: david_christian.herrmann at daimler.com
> > 
> > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
From dt at acutus.pro Mon Dec 17 23:46:20 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 18 Dec 2018 07:46:20 +0300
Subject: [keycloak-user] Get the realms through the Client Admin Api
In-Reply-To: <283929471.433725.1545063797892@pim.register.it>
References: <283929471.433725.1545063797892@pim.register.it>
Message-ID: <1545108380.15171.3.camel@acutus.pro>

Hello Luca,

I was able to retrieve clients with the identical setup. I've written a simple Java CLI program with the same two lines in the main method. The only difference is that I have some more dependencies in my POM:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-admin-client</artifactId>
        <version>4.7.0.Final</version>
    </dependency>
    <dependency>
        <groupId>org.jboss.resteasy</groupId>
        <artifactId>resteasy-client</artifactId>
        <version>3.5.1.Final</version>
    </dependency>
    <dependency>
        <groupId>org.jboss.resteasy</groupId>
        <artifactId>resteasy-jackson2-provider</artifactId>
        <version>3.5.1.Final</version>
    </dependency>

Are you also trying to create a Java CLI program? I can share the whole project if you wish.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-17 at 17:23 +0100, Luca Stancapiano wrote:
> I'm trying a simple call via REST to my Keycloak 4.7.0.Final server distribution. I created an admin user through the admin web console:
> 
> user: admin
> pass: admin
> 
> The server works on port 8180 and it starts through the command:
> 
>     ./standalone.sh -Djboss.socket.binding.port-offset=100
> 
> I try to do a simple call using the admin client API imported through the dependency in the pom:
> 
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-admin-client</artifactId>
>         <version>4.7.0.Final</version>
>         <scope>test</scope>
>     </dependency>
> 
> Here the Java code:
> 
>     Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
>     keycloak.realm("master").clients().findAll();
> 
> When the findAll method is executed I receive the exception:
> 
> javax.ws.rs.ProcessingException: java.lang.NullPointerException
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:599)
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>     at com.sun.proxy.$Proxy29.findAll(Unknown Source)
>     at it.vige.school.resttest.schoolmodule.test.PresenceTest.setPresence(PresenceTest.java:42)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:532)
>     at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:115)
>     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:171)
>     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
>     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:167)
>     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:114)
>     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:59)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:108)
>     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
>     at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
>     at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
>     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
>     at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
>     at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
>     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
>     at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
>     at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
>     at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
>     at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
>     at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:220)
>     at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:188)
>     at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:202)
>     at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:181)
>     at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
>     at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invokeAllTests(JUnitPlatformProvider.java:142)
>     at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invoke(JUnitPlatformProvider.java:117)
>     at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
>     at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
>     at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
>     at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
> Caused by: java.lang.NullPointerException
>     at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:53)
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:586)
>     ... 47 more
> 
> What am I missing?
From dt at acutus.pro Mon Dec 17 23:56:03 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 18 Dec 2018 07:56:03 +0300
Subject: [keycloak-user] Keycloak behind reverse proxy
In-Reply-To: <015001d49616$461b7b00$d2527100$@netsetglobal.rs>
References: <015001d49616$461b7b00$d2527100$@netsetglobal.rs>
Message-ID: <1545108963.15171.5.camel@acutus.pro>

Hello Nikola,

You need to configure an x509cert-lookup SPI in your Keycloak config file. Check this out, there are examples for HAProxy and Apache:
https://www.keycloak.org/docs/latest/server_admin/#client-certificate-lookup

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-17 at 15:39 +0100, Nikola Malenic wrote:
> I configured mutual-SSL authentication on Keycloak. That means that a user coming to Keycloak does an SSL handshake, allowing Keycloak to extract data from the client certificate and map that data to an existing user at Keycloak, and based on that authenticate the user.
> 
> Now, I need to configure a reverse proxy in front of Keycloak. I'm using Apache's httpd.
> 
> The problem is that the user's browser now does the SSL handshake with the reverse proxy server instead of Keycloak and sends a plain http request, preventing Keycloak from mapping and authenticating the user.
> 
> Is there a proposed method to achieve this?
> 
> Can I configure some reverse proxy (maybe not httpd) to proxy requests on the transport layer? For example, I've seen there is a way to do client authentication on httpd and then send client certificate details to WildFly through the AJP protocol, but how to map this data to the user then?
> 
> Or should I somehow configure Keycloak for this?
> 
> Maybe configure the proxy to be KC's client and do the authentication somehow?
> 
> Many thanks,
> 
> Nikola

From dt at acutus.pro Mon Dec 17 23:58:19 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 18 Dec 2018 07:58:19 +0300
Subject: [keycloak-user] Fw: SSO saml and jwt client
In-Reply-To:
References: <1544801446375.92650@JTV.com> <1544801765316.59360@JTV.com> <1544803467505.51430@JTV.com> <1545016375.12250.3.camel@acutus.pro>
Message-ID: <1545109099.15171.7.camel@acutus.pro>

Hi John,

Thanks for pointing this out - in my original message I was about to write "...and check that your client doesn't have Force Authentication turned on", but recalled that this is for brokered SAML IdPs only :)

Dmitry

On Mon, 2018-12-17 at 08:32 -0500, John Dennis wrote:
> On 12/16/18 10:12 PM, Dmitry Telegin wrote:
> > Hello Mahendra,
> > 
> > This should work out of the box - after all, that's what SSO is about. Are you sure that both OIDC and SAML clients are in the same Keycloak realm?
> 
> And make sure you don't have ForceAuthn set to true in the request. As a reminder this is the definition of ForceAuthn: "A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context."
> 
> > On Fri, 2018-12-14 at 16:04 +0000, Satrasala, Mahendra wrote:
> > > I can SSO across different JWT clients, but if I try to access a SAML client I am redirected to the login page even if I have an active session for the user in Keycloak after an OIDC authentication.
> > > 
> > > Is it possible to automatically authenticate the user for the SAML client?
> > > Simply put, I am trying to get a SAML assertion on behalf of the user after OIDC authentication.
> > > 
> > > Thanks in advance!!

From nikola.malenic at netsetglobal.rs Tue Dec 18 02:38:22 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Tue, 18 Dec 2018 08:38:22 +0100
Subject: [keycloak-user] Keycloak behind reverse proxy
In-Reply-To: <1545108963.15171.5.camel@acutus.pro>
References: <015001d49616$461b7b00$d2527100$@netsetglobal.rs> <1545108963.15171.5.camel@acutus.pro>
Message-ID: <015701d496a4$a7662840$f63278c0$@netsetglobal.rs>

Thank you very much. I already found this lookup provider in the documentation and configured it as proposed.

Thank you again,
Nikola

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Tuesday, December 18, 2018 5:56 AM
To: Nikola Malenic; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak behind reverse proxy

Hello Nikola,

You need to configure an x509cert-lookup SPI in your Keycloak config file. Check this out, there are examples for HAProxy and Apache:
https://www.keycloak.org/docs/latest/server_admin/#client-certificate-lookup

Cheers,
Dmitry Telegin

From hariprasad.n at ramyamlab.com Tue Dec 18 02:55:26 2018
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Tue, 18 Dec 2018 13:25:26 +0530
Subject: [keycloak-user] RSA Provider not working.
Message-ID:

Hi All,

I am using Keycloak 4.7.0.Final. I created a realm 'Realm_1'. By default, in the Keys section of the realm three keys are active, which are:

1. HS256
2. AES
3. RS256

I created a user 'user1' and a client 'client1', and I have a war file which is deployed in a WildFly server and secured with the Keycloak server (realm: Realm_1, client: client1). When I try to access the resources inside the war it is redirecting to the Keycloak login page, and after login I am able to access the resources; this is fine.
The problem is that once I have logged in, it is creating the JWT token with the 'HS256' algorithm; I want to enforce the use of a public key algorithm like 'RS256'. To achieve this:

1. I increased the priority of RSA256 - no use.
2. I deleted AES and HS256 - no use; in this case, on the next login it automatically falls back to HS256 and AES, and it automatically created two fallback providers for HS256 and AES.

So please tell me how I can enforce the use of a public key algorithm.

--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore - 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.com
www.ramyamlab.com

From david_christian.herrmann at daimler.com Tue Dec 18 03:24:01 2018
From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com)
Date: Tue, 18 Dec 2018 08:24:01 +0000
Subject: [keycloak-user] Cross Realm authorization
In-Reply-To: <1545095418.13723.1.camel@acutus.pro>
References: <1545019731.12250.12.camel@acutus.pro> <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net> <1545095418.13723.1.camel@acutus.pro>
Message-ID: <8ddb6dc8507c468bb5350e6f24ccfe92@DE36S004EXC0R.wp.corpintra.net>

Hi Dmitry,

I used Keycloak 4.5.0.Final to test the implementation.

Mit freundlichen Grüßen / With kind regards

David Herrmann
RD/UIA
Team Rising Stars

Daimler AG
HPC G464
70546 Stuttgart
Mobile: +49 176 309 369 87

What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com

Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No.
19360 Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber -----Urspr?ngliche Nachricht----- Von: Dmitry Telegin [mailto:dt at acutus.pro] Gesendet: Dienstag, 18. Dezember 2018 02:10 An: Herrmann, David Christian (059) ; keycloak-user at lists.jboss.org Betreff: Re: AW: [keycloak-user] Cross Realm authorization David, Which version of Keycloak are you using? The authorization subsystem undergoes changes from release to release, so I'm going to double check the BeerCloak works with the recent Keycloak versions and update it if necessary. Cheers, Dmitry On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann at daimler.com wrote: > Hi Dmitry, > > I implemented it based on beercloak. > > Here in AbstractAdminRessource.java: > AuthenticationManager.AuthResult authResult = > authManager.authenticateBearerToken(session, realm); > > if (authResult == null) { > throw new NotAuthorizedException("Bearer"); } > > Still results in Unauthorized. > > I tried it with an user in master realm, that has "view-users" for the user realm and an admin user from the master realm. Both resulted in an 401 at the mentioned code point. > > The realm is set to master realm and the session seems to be injected ... Any ideas? > > Mit freundlichen Gr??en / With kind regards > > David Herrmann > RD/UIA > Team Rising Stars > > > Daimler AG > HPC G464 > 70546 Stuttgart > Mobil: +49 176 309 369 87 > > What3Words Address: > entfalten.j?ngste.nehmen > choppy.impact.moisture > E-Mail: david_christian.herrmann at daimler.com > > > Daimler AG > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; > HRB-Nr. / Commercial Register No. 
19360 Vorsitzender des Aufsichtsrats > / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board > of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang > Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta > Seeger, Hubertus Troska, Bodo Uebber > > > -----Urspr?ngliche Nachricht----- > > Von: keycloak-user-bounces at lists.jboss.org > > [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von > > david_christian.herrmann at daimler.com > Gesendet: Montag, 17. Dezember 2018 08:29 > > An: dt at acutus.pro; keycloak-user at lists.jboss.org > Betreff: Re: [keycloak-user] Cross Realm authorization > > Hi Dmitry, > > thanks for your answer and the link to your project! I will try this out. > > Mit freundlichen Gr??en / With kind regards > > David Herrmann > RD/UIA > Team Rising Stars > > > Daimler AG > HPC G464 > 70546 Stuttgart > Mobil: +49 176 309 369 87 > > What3Words Address: > entfalten.j?ngste.nehmen > choppy.impact.moisture > E-Mail: david_christian.herrmann at daimler.com > > > Daimler AG > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; > HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats > / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board > of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang > Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta > Seeger, Hubertus Troska, Bodo Uebber > > > -----Urspr?ngliche Nachricht----- > > Von: Dmitry Telegin [mailto:dt at acutus.pro] > Gesendet: Montag, 17. 
Dezember 2018 05:09 > An: Herrmann, David Christian (059) > ; keycloak-user at lists.jboss.org > Betreff: Re: [keycloak-user] Cross Realm authorization > > Hello David, > > Please take a look at how it is done in BeerCloak: > https://github.com/dteleguin/beercloak/tree/master/beercloak-module/sr > c/main/java/beercloak/resources > > All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms. > > (Some musings: I dream of having AdminRealmResourceProvider with all > that stuff OOTB; the idea has been around for years, but I'm afraid we > won't have it in Keycloak anytime soon. Luckily, this can be done at a > low price of introducing some boilerplate code into your project.) > > Good luck, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote: > > Hello, > > > > we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using: > > > > AuthenticationManager.AuthResult authResult = > > authManager.authenticateBearerToken(session); > > > > if (authResult == null) { > > throw new NotAuthorizedException("Bearer token required"); } > > > > And > > > > > > if(!auth.hasClientRole(client,"view-users")){ > > throw new NotAuthorizedException("Necessary permission not > > available"); } > > > > We now have the problem, that we want to access the endpoint with technical users which are in the master realm to separate them from the real end-users. 
> > > > So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm. > > > > Here > > > > AuthenticationManager.AuthResult authResult = > > authManager.authenticateBearerToken(session); > > > > if (authResult == null) { > > throw new NotAuthorizedException("Bearer token required"); } > > > > Always results in unauthorized. > > > > Looking at the code and testing I think with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal? > > > > Mit freundlichen Gr??en / With kind regards > > > > > > > > David Herrmann > > > > RD/UIA > > Team Rising Stars > > [Computergenerierter Alternativtext: RDIU] > > > > Daimler AG > > HPC G464 > > 70546 Stuttgart > > Mobil: +49 176 309 369 87 > > > > What3Words Address: > > ellbogen.spr?che.anf?nge > > > > > E-Mail: > > > david_christian.herrmann at daimler.com > > nn > > > @daimler.com> > > > > > > Daimler AG > > Sitz und Registergericht / Domicile and Court of Registry: > > Stuttgart; HRB-Nr. / Commercial Register No. 19360 Vorsitzender des > > Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff > > Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / > > Chairman), Wolfgang Bernhard, Renata Jungo Br?ngger, Ola K?llenius, > > Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber > > > > > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. From kjetil.nilsen at Logiq.no Tue Dec 18 03:39:04 2018 From: kjetil.nilsen at Logiq.no (Kjetil Nilsen) Date: Tue, 18 Dec 2018 08:39:04 +0000 Subject: [keycloak-user] Link to account update in email sent to user In-Reply-To: References: Message-ID: The link in the Update Your Account email is like this: {baseurl}/auth/realms/{realm}/login-actions/action-token?key=token Is it possible to change this to for instance {baseurl}/{somethin else}/realms/{realm}/login-actions/action-token?key=token We don't like to expose the link as it is to the users for security reasons. Beste hilsen / Best regards Kjetil Nilsen Programmerer LOGIQ AS T?nne Huitfeldts plass 2, NO-1767 Halden, Norge Mob. +47 958 89 571 kjetiln at logiq.no www.logiq.no From imbacen at gmail.com Tue Dec 18 04:48:01 2018 From: imbacen at gmail.com (cen) Date: Tue, 18 Dec 2018 10:48:01 +0100 Subject: [keycloak-user] Authz - Problem stacking entitlmenets Message-ID: Hi I am trying to stack all permissions from two different confidential clients via entitelments API. Steps: 1. Get access token for public client 2. Get entitlements for client 1: Authorization: Bearer access_token grant_type: urn:ietf:params:oauth:grant-type:uma-ticket audience: client1 Returns RPT with all resources owned by user on client1. Works as expected. 3. Get entitlements for client 2 Authorization: Bearer access_token grant_type: urn:ietf:params:oauth:grant-type:uma-ticket audience: client2 rpt: {{rpt from step 2}} Response: forbidden 403 { ??? 
    "error": "access_denied",
    "error_description": "not_authorized"
}

If I remove the rpt parameter I get all permissions for client 2 as expected.

What is the reason for the 403? Why would the rpt param result in 403, isn't it supposed to be there just to stack additional permissions? There must be some additional checks which I am not aware of. What are they?

reference doc: https://www.keycloak.org/docs/4.6/authorization_services/#_service_obtaining_permissions

Best regards

From hariprasad.n at ramyamlab.com Tue Dec 18 05:16:48 2018
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Tue, 18 Dec 2018 15:46:48 +0530
Subject: [keycloak-user] Public client token to Bearer Token
Message-ID:

Hi All,

How can I use a JWT token created with a public client to access a Rest API in a Bearer-Only client?

--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore - 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.com
www.ramyamlab.com

From geoff at opticks.io Tue Dec 18 05:39:55 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 18 Dec 2018 11:39:55 +0100
Subject: [keycloak-user] Public client token to Bearer Token
In-Reply-To:
References:
Message-ID:

Yes, see this section:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter

On Tue, 18 Dec 2018 at 11:32, Hariprasad N wrote:

> Hi All,
>
> How can I use JWT token created with public client to access Rest API in
> Bearer-Only client.
>
> --
> Thanks & Regards,
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore - 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: hariprasad.n at ramyamlab.com
> www.ramyamlab.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Regards,
Geoffrey Cleaves

From luca.stancapiano at vige.it Tue Dec 18 05:59:15 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Tue, 18 Dec 2018 11:59:15 +0100 (CET)
Subject: [keycloak-user] Get the realms through the Client Admin Api
In-Reply-To: <283929471.433725.1545063797892@pim.register.it>
References: <283929471.433725.1545063797892@pim.register.it>
Message-ID: <210346395.821567.1545130759328@pim.register.it>

Trying this code I receive a null token:

Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
keycloak.tokenManager().getAccessTokenString();

> On 17 December 2018 at 17.23 Luca Stancapiano wrote:
>
>
> I'm trying a simple call via Rest to my keycloak 4.7.0.Final server distribution.
> I created an admin user through the admin web console:
>
> user: admin
> pass: admin
>
> The server works on the 8180 port and it starts through the command:
>
> ./standalone.sh -Djboss.socket.binding.port-offset=100
>
> I try to do a simple call using the admin client api imported through the dependency in the pom:
>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-admin-client</artifactId>
>     <version>4.7.0.Final</version>
>     <scope>test</scope>
> </dependency>
>
> Here the java code:
>
> Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
> keycloak.realm("master").clients().findAll();
>
> when the findAll method is executed I receive the Exception:
>
> javax.ws.rs.ProcessingException: java.lang.NullPointerException
> at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:599)
> at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
> at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
> at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
> at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
> at com.sun.proxy.$Proxy29.findAll(Unknown Source)
> at it.vige.school.resttest.schoolmodule.test.PresenceTest.setPresence(PresenceTest.java:42)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:532)
> at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:115)
> at
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:171) > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72) > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:167) > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:114) > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:59) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:108) > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74) > at java.base/java.util.ArrayList.forEach(ArrayList.java:1540) > at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112) > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74) > at java.base/java.util.ArrayList.forEach(ArrayList.java:1540) > at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112) > at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98) > at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74) > at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32) > at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57) > at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51) > at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:220) > at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:188) > at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:202) > at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:181) > at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128) > at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invokeAllTests(JUnitPlatformProvider.java:142) > at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invoke(JUnitPlatformProvider.java:117) > at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345) > at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418) > Caused by: java.lang.NullPointerException > at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:53) > at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:586) > ... 
47 more
>
>
> What do I miss?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Deepti.Tyagi at halliburton.com Tue Dec 18 06:24:25 2018
From: Deepti.Tyagi at halliburton.com (Deepti Tyagi)
Date: Tue, 18 Dec 2018 11:24:25 +0000
Subject: [keycloak-user] Issue in Migrating standalone.xml with Vault Configuration on Linux
Message-ID: <847A59EDBBC62D43BEE2CFA482C6CB6A648DC690@NP1EXMB105.corp.halliburton.com>

Hi Team,

I am trying to migrate standalone.xml (from v3.0 to v4.6) that has vault configurations enabled, using the command (./jboss-cli.sh --file=migrate-standalone.cli) on Linux. But it always throws the exception as highlighted, though the same works fine on Windows. Is it a known issue? Any workaround?

04:36:53,835 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("security-realm" => "MySSLRealm")
]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
    at org.jboss.as.server.services.security.VaultReaderImpl.retrieveFromVault(RuntimeVaultReader.java:190)
    at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:115)
    at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
    at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
    at
org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66) at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:873) at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1278) at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:603) at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:667) at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:626) at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:600) at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addKeyManagerService(SecurityRealmAddHandler.java:688) at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addSSLServices(SecurityRealmAddHandler.java:611) at org.jboss.as.domain.management.security.SecurityRealmAddHandler.installServices(SecurityRealmAddHandler.java:237) at org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler.execute(SecurityRealmAddHandler.java:917) at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467) at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1411) at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521) at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:470) at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:432) at org.jboss.as.server.ServerService.boot(ServerService.java:427) at org.jboss.as.server.ServerService.boot(ServerService.java:386) at 
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.security.vault.SecurityVaultException: javax.crypto.BadPaddingException: Given final block not properly padded
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
    at org.jboss.as.server.services.security.VaultReaderImpl.getValue(RuntimeVaultReader.java:223)
    at org.jboss.as.server.services.security.VaultReaderImpl.retrieveFromVault(RuntimeVaultReader.java:176)
    ... 28 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:975)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833)
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
    at javax.crypto.Cipher.doFinal(Cipher.java:2165)
    at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)
    ... 30 more
04:36:53,855 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
04:36:53,865 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 4.6.0.Final (WildFly Core 6.0.2.Final) stopped in 15ms
Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: JBTHR00005: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Below is the sample vault configuration in standalone.xml (Keycloak v3.0.0)

...
...

Thanks,
Deepti

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

From hariprasad.n at ramyamlab.com Tue Dec 18 06:49:10 2018
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Tue, 18 Dec 2018 17:19:10 +0530
Subject: [keycloak-user] Public client token to Bearer Token
In-Reply-To:
References:
Message-ID:

Thanks Geoffrey Cleaves.

On Tue, Dec 18, 2018 at 4:10 PM Geoffrey Cleaves wrote:

> Yes, see this section:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter
>
> On Tue, 18 Dec 2018 at 11:32, Hariprasad N wrote:
>
>> Hi All,
>>
>> How can I use JWT token created with public client to access Rest API in
>> Bearer-Only client.
>>
>> --
>> Thanks & Regards,
>>
>> Hari Prasad N
>> Senior Software Engineer
>> -------------------------------------------------
>> Ramyam Intelligence Lab Pvt. Ltd.,
>> Part of Arvato
>> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
>> Bangalore - 560001, Karnataka, India.
>>
>> Phone: +91 80 67269266
>> Mobile: +91 7022156319
>> E-Mail: hariprasad.n at ramyamlab.com
>> www.ramyamlab.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Regards,
> Geoffrey Cleaves

--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore - 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.com
www.ramyamlab.com

From gareth at garethwestern.com Tue Dec 18 07:18:39 2018
From: gareth at garethwestern.com (Gareth Western)
Date: Tue, 18 Dec 2018 13:18:39 +0100
Subject: [keycloak-user] Are the URLs in the REST API documentation correct?
Message-ID:

I'm learning about the REST API and in the documentation it mentions that the "BasePath" is "/auth".

To get, for example, a list of all users for a realm, the (GET) URL is documented as "/{realm}/users". This implies that the full URL would be something like "http://localhost:8080/auth/{realm}/users", however this returns a 404.

All other examples and questions about getting a user seem to use the "admin/realms/{realm}/users" url (i.e. "http://localost:8080/auth/admin/realms/{realm}/users").

Is the documentation incorrect?

Kind regards,
Gareth

From gareth.western+listman at gmail.com Tue Dec 18 07:54:21 2018
From: gareth.western+listman at gmail.com (Gareth Western)
Date: Tue, 18 Dec 2018 13:54:21 +0100
Subject: [keycloak-user] URLs in REST API Documentation
Message-ID:

I'm reading about the REST API and in the documentation (e.g. https://www.keycloak.org/docs-api/4.6/rest-api/index.html#_users_resource) it mentions that the "BasePath" is "/auth".

So, for example, to get a list of all users for a realm, the URL is documented as "/{realm}/users". This implies that the full URL would be something like GET "http://localhost:8080/auth/{realm}/users", however this returns a 404.

All other examples and questions about getting a user seem to use the "admin/realms/{realm}/users" url (i.e. "http://localost:8080/auth/admin/realms/{realm}/users").

Is the documentation incorrect?
Kind regards,
Gareth

From Simon.Vogensen at sos.eu Tue Dec 18 07:58:47 2018
From: Simon.Vogensen at sos.eu (Simon Buch Vogensen)
Date: Tue, 18 Dec 2018 12:58:47 +0000
Subject: [keycloak-user] OIDC Identity Provider userinfo parsing problem
In-Reply-To: <1544556585.2046.3.camel@acutus.pro>
References: <0B5FE54E105AE740942983F0F633CF85464161D8@EUIEX04.sos.eu> <1544556585.2046.3.camel@acutus.pro>
Message-ID: <0B5FE54E105AE740942983F0F633CF8546416DEC@EUIEX04.sos.eu>

Hi Dmitry

Thanks for the pointer to protocol mappers - that was much simpler to get working.

Regarding Signicat - they have an example here of what to expect from a /userinfo request.
https://developer.signicat.com/documentation/authentication/protocols/openid-connect/oidc-response-examples/oidc-response-with-swedish-bankid/

With that you should be able to extend an existing unit test of the idp mapper in keycloak with data containing periods in parameter names.

Kind regards
Simon Buch Vogensen

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: 11. december 2018 20:30
To: Simon Buch Vogensen; 'keycloak-user at lists.jboss.org'
Subject: Re: [keycloak-user] OIDC Identity Provider userinfo parsing problem

Hello Simon,

I think you don't need to introduce a dedicated IdentityProvider to work around the dot issue. Instead, you can try creating a protocol mapper.

As for newer Keycloak versions, I can test it on Keycloak 4.7.0 if Signicat allows for some test/demo access. Do you have any info on it?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-12-10 at 10:02 +0000, Simon Buch Vogensen wrote:
> Hi
>
> We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as oidc identity provider.
> When keycloak requests userinfo from signicat the response does not parse correctly.
>
> Here is an example response.
>
> {"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"}
>
> The problem is that the dot in the parameter name "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper, resulting in the value not getting parsed at all.
>
> The fix I have come up with would be a
>
> currentNode = baseNode.get(fieldPath);
>
> call after no node has been found. See line 206.
>
> I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak?
>
> Is this problem fixed in newer versions of keycloak?
>
> Thanks in advance
>
> Regards
> Simon Buch Vogensen
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Simon.Vogensen at sos.eu Tue Dec 18 08:25:55 2018
From: Simon.Vogensen at sos.eu (Simon Buch Vogensen)
Date: Tue, 18 Dec 2018 13:25:55 +0000
Subject: [keycloak-user] How to redirect back to our web app in error situation.
Message-ID: <0B5FE54E105AE740942983F0F633CF8546416E16@EUIEX04.sos.eu>

Hi

We are using Keycloak 2.5.5 (Redhat SSO 7.1) as an identity broker with Signicat.com as oidc identity provider.

If Signicat for some reason (like the user aborting the Signicat login flow) returns an error to Keycloak, how am I able to redirect from there to my web app which initially started the request?

Here is the url that I'm redirected back to. As you can see there is no redirect url back to my web app. Is it possible to get hold of the redirect url from Keycloak via the state value?
https://sso.server/auth/realms/realm/broker/oidc/endpoint?error=access_denied&error_description=The+Resource+Owner+did+not+complete+the+login.&state=ieRv_eOoI1mS37XER33VcpzuHna2ds8kjPo-PO3aG9A.a8cd08a3-a701-48ed-bb9c-18f8595cb43c

It seems like a part of the state is coming from Keycloak - here's the Keycloak request before being redirected to Signicat.

https://sso.server/auth/realms/realm/broker/oidc/login?code=pQD4oJ2Hf3ueQ2Usf7VKtghjF8XV4RD3UCQwKGkO_i0.a8cd08a3-a701-48ed-bb9c-18f8595cb43c

As you can see in the code value, the part after the dot is the same as in state. Am I able to use that for accessing the redirect_uri?

Kind Regards
Simon Vogensen

From luiscardozocarreras at gmail.com Tue Dec 18 15:57:32 2018
From: luiscardozocarreras at gmail.com (Luis Cardozo)
Date: Tue, 18 Dec 2018 17:57:32 -0300
Subject: [keycloak-user] How to get "current" AuthenticatorConfigModel without access to AuthenticationFlowContext
Message-ID:

Hello,

I am doing an Authenticator provider based on the SecretQuestionAuthenticator example. (Let's call it MyAuthenticator)

In the SecretQuestionAuthenticator example, in setCookie(AuthenticationFlowContext context) we can get the "actual" AuthenticatorConfigModel directly:

context.getAuthenticatorConfig()

I want to use a new entry (added by the Factory, as in the example) in which I have a URL of an external service (the key is called "url.externalservice").

I can get the config entry in MyAuthenticator#action(AuthenticationFlowContext context) without problem:

AuthenticatorConfigModel config = context.getAuthenticatorConfig();
if (config != null) {
    externalServiceURL = config.getConfig().get("url.externalservice");
}

But I also need to get the entry from another place.
In this case in configuredFor(KeycloakSession session, RealmModel realm, UserModel user).

Searching a lot, reading code and trying things, I got it from the realm:

realm.getAuthenticatorConfigs().get(0).getConfig().get("url.externalservice");

I also need to use it in MyAuthenticatorRequiredAction, in processAction(RequiredActionContext context). But I don't have a context.getAuthenticatorConfig() in RequiredActionContext, so I also use it as:

context.getAuthenticationSession().getRealm().getAuthenticatorConfigs().get(0).getConfig().get("url.externalservice");

But I am not sure that my "current configuration" will always be at position 0 of the array.

We have realm.getAuthenticatorConfigByAlias() and getAuthenticatorConfigById(), but how do I know which is the alias or ID of the "current" context?

So, how can I know the "current" AuthenticatorConfig Alias or ID, or how can I get the current AuthenticatorConfig from these places?

Thanks,
Luis Cardozo
Ciudad del Este, Paraguay

From deruere.julien at gmail.com Tue Dec 18 16:47:30 2018
From: deruere.julien at gmail.com (Julien Deruere)
Date: Tue, 18 Dec 2018 16:47:30 -0500
Subject: [keycloak-user] NullPointerExeception when trying to obtain Requesting Party Token
Message-ID:

I need to access resources that the user is allowed to:

In my client I'm starting by obtaining a PAT:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
  "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"

And then using the access_token in the body to get my RPT:

curl -X POST \
  "http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token" \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${resource_server_client_id}"

But I got this exception in Keycloak (I'm not sure what I'm doing wrong):

21:15:19,307 ERROR
[org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-10) Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions at org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.onError(DecisionPermissionCollector.java:141) at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:69) at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:81) at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluateAllPermissions(AuthorizationTokenService.java:239) at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:166) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1148) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192) at sun.reflect.GeneratedMethodAccessor796.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
	at org.keycloak.authorization.policy.evaluation.DefaultEvaluation$1.getUserGroups(DefaultEvaluation.java:255)
	at org.keycloak.authorization.policy.provider.group.GroupPolicyProvider.evaluate(GroupPolicyProvider.java:53)
	at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51)
	at java.lang.Iterable.forEach(Iterable.java:75)
	at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
	at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43)
	at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52)
	at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107)
	at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:981)
	at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:879)
	at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:400)
	at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:68)
	at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:64)
	... 75 more

From david_christian.herrmann at daimler.com Wed Dec 19 02:23:47 2018
From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com)
Date: Wed, 19 Dec 2018 07:23:47 +0000
Subject: [keycloak-user] Cross Realm authorization
References: <1545019731.12250.12.camel@acutus.pro> <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net> <1545095418.13723.1.camel@acutus.pro>
Message-ID: <60c6b91504684c73920c4432b85a1af7@DE36S004EXC0R.wp.corpintra.net>

Hi Dmitry,

in the meantime I tested with Keycloak 3.4.3 Final. Here I do not have the problem with the unauthorized.

Mit freundlichen Grüßen / With kind regards

David Herrmann
RD/UIA
Team Rising Stars

Daimler AG
HPC G464
70546 Stuttgart
Mobile: +49 176 309 369 87

What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com

Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber

-----Original Message-----
From: Herrmann, David Christian (059)
Sent: Tuesday, 18 December 2018 09:24
To: 'Dmitry Telegin'
; keycloak-user at lists.jboss.org
Subject: AW: AW: [keycloak-user] Cross Realm authorization

Hi Dmitry,

I used Keycloak 4.5.0.Final to test the implementation.

Mit freundlichen Grüßen / With kind regards
David Herrmann

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Tuesday, 18 December 2018 02:10
To: Herrmann, David Christian (059); keycloak-user at lists.jboss.org
Subject: Re: AW: [keycloak-user] Cross Realm authorization

David,

Which version of Keycloak are you using? The authorization subsystem undergoes changes from release to release, so I'm going to double check that BeerCloak works with the recent Keycloak versions and update it if necessary.

Cheers,
Dmitry

On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann at daimler.com wrote:
> Hi Dmitry,
>
> I implemented it based on beercloak.
>
> Here in AbstractAdminRessource.java:
>
>     AuthenticationManager.AuthResult authResult =
>         authManager.authenticateBearerToken(session, realm);
>
>     if (authResult == null) {
>         throw new NotAuthorizedException("Bearer");
>     }
>
> Still results in Unauthorized.
>
> I tried it with a user in the master realm that has "view-users" for the user realm, and with an admin user from the master realm. Both resulted in a 401 at the mentioned code point.
>
> The realm is set to master realm and the session seems to be injected ... Any ideas?
>
> Mit freundlichen Grüßen / With kind regards
> David Herrmann
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of david_christian.herrmann at daimler.com
> Sent: Monday, 17 December 2018 08:29
> To: dt at acutus.pro; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
>
> Hi Dmitry,
>
> thanks for your answer and the link to your project! I will try this out.
>
> Mit freundlichen Grüßen / With kind regards
> David Herrmann
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Monday, 17 December 2018 05:09
> To: Herrmann, David Christian (059); keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
>
> Hello David,
>
> Please take a look at how it is done in BeerCloak:
> https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources
>
> All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.
>
> (Some musings: I dream of having AdminRealmResourceProvider with all that stuff OOTB; the idea has been around for years, but I'm afraid we won't have it in Keycloak anytime soon. Luckily, this can be done at a low price of introducing some boilerplate code into your project.)
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> > Hello,
> >
> > we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
> >
> >     AuthenticationManager.AuthResult authResult =
> >         authManager.authenticateBearerToken(session);
> >
> >     if (authResult == null) {
> >         throw new NotAuthorizedException("Bearer token required");
> >     }
> >
> > and
> >
> >     if (!auth.hasClientRole(client, "view-users")) {
> >         throw new NotAuthorizedException("Necessary permission not available");
> >     }
> >
> > We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end-users.
> >
> > So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
> >
> > Here
> >
> >     AuthenticationManager.AuthResult authResult =
> >         authManager.authenticateBearerToken(session);
> >
> >     if (authResult == null) {
> >         throw new NotAuthorizedException("Bearer token required");
> >     }
> >
> > always results in unauthorized.
> >
> > Looking at the code and testing, I think that with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal?
> >
> > Mit freundlichen Grüßen / With kind regards
> >
> > David Herrmann
> > RD/UIA
> > Team Rising Stars
> >
> > Daimler AG
> > HPC G464
> > 70546 Stuttgart
> > Mobile: +49 176 309 369 87
> >
> > What3Words Address:
> > ellbogen.sprüche.anfänge
> > E-Mail: david_christian.herrmann at daimler.com
> >
> > Daimler AG
> > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360
> > Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
> > Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber
> >
> > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

From wolfbro92 at gmail.com Wed Dec 19 04:09:16 2018
From: wolfbro92 at gmail.com (Kunal Kumar)
Date: Wed, 19 Dec 2018 17:09:16 +0800
Subject: [keycloak-user] Using Self Signed Certificate for SSL with Keycloak as authenticator
Message-ID:

Hi all,

I'd like to know if Keycloak is able to be connected to my test web app, which is currently running on a self-signed certificate instead of an officially signed one?

Regards,
Kunal Kumar

From noodi.net at gmail.com Wed Dec 19 04:37:55 2018
From: noodi.net at gmail.com (Amin Khoshnood)
Date: Wed, 19 Dec 2018 13:07:55 +0330
Subject: [keycloak-user] G Suite SSO incorrect redirect to admin.google.com
Message-ID:

Hello everybody,

I configured Keycloak through this guide (https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063) and it imports users from FreeIPA (LDAP).

Right now when I log in to G Suite through Keycloak (SAML), Google redirects me to admin.google.com (with a regular user account) and I get the error 'admin.google.com is for G Suite accounts only. Regular Gmail accounts cannot be used to sign in to admin.google.com. Learn more'.

Google support team answered:
"We have noticed that during these last few days a significant number of cases have been created about this same matter and overall integration with KeyCloack SSO. We understand how important this configuration is or you and believe me that we have been working as fast as we can."
You can check these video casts about the problem:

MacOS and Chrome: https://drive.google.com/file/d/16o6B0hzPtiMHBuG9CCBxe860o8JAE8w7/view?usp=sharing
MacOS: https://drive.google.com/file/d/1Rk2KbV9iMsdg2UQox8p4XKz4soO7Gcuy/view?usp=sharing
iPhone video: https://drive.google.com/file/d/12-6iWuL5xx3i0keFA5aPXpN5ghjH0uAn/view?usp=sharing

Do you have the same issue with G Suite SSO or any other services? Also please let me know if there are any problems with other SPs (service providers) like Microsoft 365?

Best Regards.
Amin Khoshnood.

From noodi.net at gmail.com Wed Dec 19 04:52:28 2018
From: noodi.net at gmail.com (Amin Khoshnood)
Date: Wed, 19 Dec 2018 13:22:28 +0330
Subject: [keycloak-user] G Suite SSO incorrect redirect to admin.google.com
In-Reply-To:
References:
Message-ID:

I used the Keycloak docker image (4.7.0.Final) with MariaDB.

Server Version: 4.7.0.Final
Java Version: 1.8.0_191
Java Vendor: Oracle Corporation
Java Runtime: OpenJDK Runtime Environment
Java VM Version: 25.191-b12
Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre
Operating System: Linux 4.15.0-42-generic

MariaDB:
docker run -d --name=mariadb --network=host -e MYSQL_ROOT_PASSWORD=password -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password mariadb

Keycloak with MariaDB:
docker run -d --name=keycloak --network=host -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=XXXX -e DB_VENDOR=mariadb -e DB_ADDR=127.0.0.1 -e DB_PORT=3306 -e DB_DATABASE=keycloak -e DB_USER=keycloak -e DB_PASSWORD=password jboss/keycloak

On Wed, Dec 19, 2018 at 1:07 PM Amin Khoshnood wrote:
> Hello everybody,
> I configured Keycloak through this guide (https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063) and it imports users from FreeIPA (LDAP).
>
> Right now when I login to G Suite through Keycloak (SAML), Google redirects me to admin.google.com (with regular user account) and I get the error 'admin.google.com is for G Suite accounts only. Regular Gmail accounts cannot be used to sign in to admin.google.com. Learn more'.
>
> Google support team answered:
> "We have noticed that during these last few days a significant number of cases have been created about this same matter and overall integration with KeyCloack SSO. We understand how important this configuration is or you and believe me that we have been working as fast as we can."
>
> You can check these video casts about the problem:
>
> MacOS and Chrome: https://drive.google.com/file/d/16o6B0hzPtiMHBuG9CCBxe860o8JAE8w7/view?usp=sharing
> MacOS: https://drive.google.com/file/d/1Rk2KbV9iMsdg2UQox8p4XKz4soO7Gcuy/view?usp=sharing
> iPhone video: https://drive.google.com/file/d/12-6iWuL5xx3i0keFA5aPXpN5ghjH0uAn/view?usp=sharing
>
> Do you have the same issue with G Suite SSO or any other services?
>
> Also please let me know if there are any problems with other SPs (service providers) like Microsoft 365?
>
> Best Regards.
> Amin Khoshnood.

From david_christian.herrmann at daimler.com Wed Dec 19 05:57:08 2018
From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com)
Date: Wed, 19 Dec 2018 10:57:08 +0000
Subject: [keycloak-user] Cross Realm authorization
In-Reply-To: <60c6b91504684c73920c4432b85a1af7@DE36S004EXC0R.wp.corpintra.net>
References: <1545019731.12250.12.camel@acutus.pro> <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net> <1545095418.13723.1.camel@acutus.pro> <60c6b91504684c73920c4432b85a1af7@DE36S004EXC0R.wp.corpintra.net>
Message-ID: <7e3e119126e5493a93cb57cd51902e3d@DE36S004EXC0R.wp.corpintra.net>

Hi Dmitry,

I set up remote debugging for Keycloak and had a look at what happens in Keycloak 4.8.0 Final.

authenticateBearerToken(session, realm) (or, to be more precise, verifyIdentityToken(....)) returns null in my testing because:

- at https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java:1153 there is an exception in verifier(kid)
- this happens because in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/keys/DefaultKeyManager.java:106 the first part of the if-statement in method getKey(RealmModel realm, String kid, KeyUse use, String algorithm) does not become true
- I think this happens because here getKey(...) is called with session.getContext().getRealm() --> the realm from the session --> the realm where the requested resource is. But kid is taken from the token, which is created for the realm where the technical user is.
- the call to getKey() is in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/crypto/ServerAsymmetricSignatureVerifierContext.java:29
- kid is taken in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java:1145-1150

I hope this information is useful for you.

Mit freundlichen Grüßen / With kind regards

David Herrmann
RD/UIA
Team Rising Stars

Daimler AG
HPC G464
70546 Stuttgart
Mobile: +49 176 309 369 87

What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com

Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No.
19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of david_christian.herrmann at daimler.com
Sent: Wednesday, 19 December 2018 08:24
To: dt at acutus.pro; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Cross Realm authorization

Hi Dmitry,

in the meantime I tested with Keycloak 3.4.3 Final. Here I do not have the problem with the unauthorized.

Mit freundlichen Grüßen / With kind regards
David Herrmann

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

From adrianmatei at gmail.com Wed Dec 19 06:58:31 2018
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 19 Dec 2018 12:58:31 +0100
Subject: [keycloak-user] use JBoss/Javaadapter to verify both realm and client roles
Message-ID:

Hi everyone,

Is there a possibility to *declaratively* verify in the JBoss/JavaAdapter that the user (service account) has both REALM and client roles? In the documentation I found the following:

use-resource-role-mappings
If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings. This is *OPTIONAL*. The default value is *false*.

It sounds like it is one or the other, which is kind of limited....

Thanks and regards,
Adrian

From gareth.western+listman at gmail.com Wed Dec 19 08:02:28 2018
From: gareth.western+listman at gmail.com (Gareth Western)
Date: Wed, 19 Dec 2018 14:02:28 +0100
Subject: [keycloak-user] Disable HTTP2 in Keycloak 4.6 container?
Message-ID:

It looks like the WildFly server used for the Keycloak 4.6.0.Final image is configured to use HTTP2. Is there an easy way to disable this?
I think it might be the cause of some strange behaviour in Chrome, similar to what is described here: https://issues.jboss.org/browse/KEYCLOAK-2656. The related 'test http2' issue is pending for the Keycloak 5.x release, so I assume Keycloak 4.x does not officially support HTTP2. Is that correct?

Kind regards,
Gareth

From deruere.julien at gmail.com Wed Dec 19 09:43:20 2018
From: deruere.julien at gmail.com (Julien Deruere)
Date: Wed, 19 Dec 2018 09:43:20 -0500
Subject: [keycloak-user] Access permission as member of a specific group
Message-ID:

I would like to know how my resource server can know which resources I can access as a member of a specific group. For now I'm doing this:

    request.post(`${kcConfig['auth-server-url']}/realms/${kcConfig.realm}/protocol/openid-connect/token`)
        .send({
            grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket',
            audience: 'nimbee-gateway',
            response_mode: 'permissions'
        })
        .set('Authorization', request.headers.authorization)
        .set('Content-Type', 'application/x-www-form-urlencoded')
        .set('X-Client', 'keycloak-nodejs-connect');

Which gives me a list of all resources with the permissions I have, since I'm in multiple groups. But how can I get only the resources I can access for a specific group?

Thanks

From Sebastian.Loesch at governikus.de Wed Dec 19 10:43:46 2018
From: Sebastian.Loesch at governikus.de (Lösch, Sebastian)
Date: Wed, 19 Dec 2018 15:43:46 +0000
Subject: [keycloak-user] Map authenticator information to AccessToken
In-Reply-To: <1544563286.10225.1.camel@acutus.pro>
References: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local> <1544563286.10225.1.camel@acutus.pro>
Message-ID:

Thank you Dmitry. Your solution works great!

Best regards,
Sebastian

-----Original Message-----
From: Dmitry Telegin
Sent: Tuesday, 11 December 2018 22:21
To: Lösch, Sebastian; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Map authenticator information to AccessToken

Hello Sebastian,

Keycloak internally tracks all the attempted authenticators together with their execution statuses, but this data is exposed to authenticators only, and in your case it needs to be passed down to the mappers. This can be solved with a JavaScript authenticator + JavaScript mapper.

In your authenticator, retrieve the execution statuses:

    var statuses = authenticationSession.getExecutionStatus();

Then process it and attach the data to the user session:

    authenticationSession.setUserSessionNote(key, val);

After that, the data will become available to the mapper:

    var foo = userSession.notes["foo"];

The authenticator should be placed as the last one in the flow, and should be marked as REQUIRED.

Feel free to ask any further questions,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-12-11 at 20:10 +0000, Lösch, Sebastian wrote:
> Hello folks,
>
> we would like to use Keycloak to secure multiple applications using OIDC. Some applications have requirements on the authentication method the users are allowed to use for login. I know that it is possible to set the Authentication Flows for each OIDC client. That way it is possible to e.g. restrict the user login to X.509 certificate login for a certain application.
>
> For us it would be better to allow multiple authentication methods, e.g. X.509 certificate login and username/password login, and let the application decide what the user is allowed to do depending on the level of assurance, i.e. the authentication method used. Is it possible to write the authentication method to the AccessToken? Possibly by writing a custom IdentityProviderMapper?
>
> Best regards,
> Sebastian Lösch
>
> --
> Solution Engineering
> Governikus GmbH & Co. KG
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From or at myobligo.com Wed Dec 19 11:21:10 2018
From: or at myobligo.com (Or Harary)
Date: Wed, 19 Dec 2018 18:21:10 +0200
Subject: [keycloak-user] Hide realm name behind proxy in a single realm application
Message-ID:

Hey,

Can I somehow use keycloak for a single realm without using the realm name in the URL and set a proxy to pass requests to the single realm (proxy pass to /auth/realms//)?

I managed to set this for the login url (proxy pass "/login" to "/auth/realms//protocol/openid-connect/auth" for example), but I'm having trouble when I'm trying to do the "auth code flow" to a client with a consent screen, because keycloak redirects the browser, after the login, to a different url (the "action" attribute in the form) which is the full keycloak url that contains the /realms/ and this URL can't be changed somewhere.

I'm trying to achieve that because, as I see it, the consent screen can't be created in my application and be used with the keycloak API (like login with the direct grant API) and can only be customized with templates.

Thanks,
Or

From totheocean0402 at gmail.com Wed Dec 19 12:04:29 2018
From: totheocean0402 at gmail.com (Frank Franz)
Date: Wed, 19 Dec 2018 18:04:29 +0100
Subject: [keycloak-user] Realm.toRepresentation results in com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException
Message-ID:

Hello,

I'm using the java admin client to create a realm and some other settings. In this process I'd like to update the realm (set authentication bindings for registration flow and credential flow); therefore, from my actual knowledge, I have to transfer the realm to the realm representation.
Doing this by calling realm.toRepresentation() results in the following error:

javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "offlineSessionMaxLifespanEnabled" (class org.keycloak.representations.idm.RealmRepresentation), not marked as ignorable (101 known properties: "directGrantFlow", "otpPolicyDigits", "identityProviderMappers", "revokeRefreshToken", "identityProviders", "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "dockerAuthenticationFlow", "otpSupportedApplications", "adminEventsDetailsEnabled", "registrationFlow", "editUsernameAllowed", "clients", "users", "emailTheme", "realm", "actionTokenGeneratedByAdminLifespan", "authenticatorConfig", "components", "certificate", "updateProfileOnInitialSocialLogin", "otpPolicyType", "accessCodeLifespanUserAction", "protocolMappers", "id", "accountTheme", "maxDeltaTimeSeconds", "enabledEventTypes", "verifyEmail", "applications", "waitIncrementSeconds", "eventsListeners", "eventsExpiration", "defaultDefaultClientScopes", "defaultOptionalClientScopes", "passwordPolicy", "clientTemplates", "registrationAllowed", "userManagedAccessAllowed", "notBefore", "otpPolicyAlgorithm", "actionTokenGeneratedByUserLifespan", "permanentLockout", "socialProviders", "otpPolicyInitialCounter" [truncated]])

Can you please give me a hint on how to resolve this?

Thanks in advance.
Andreas

From ntle at castortech.com Wed Dec 19 15:02:52 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 19 Dec 2018 15:02:52 -0500
Subject: [keycloak-user] Keycloak adapter for single page app
Message-ID:

Hello,

I have a single page web app that mostly uses ajax to retrieve data from REST services; it also has some polling requests going every few seconds to check for changes on the server.
My take is that I should use the JS adapter to protect my app; however, we want to store authorization artifacts (permissions, resources, ...) on the KC server, and using the JS adapter forces us to use a public client, which disables authorization. Is there a way to use the JS adapter with authorization?

I use the KeycloakAdmin client to query the permissions from the KC server directly, btw.

Thai Le

From nikola.malenic at netsetglobal.rs Thu Dec 20 10:57:34 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Thu, 20 Dec 2018 16:57:34 +0100
Subject: [keycloak-user] Authorization of action in application (client of KC)
Message-ID: <01e201d4987c$b8cd83b0$2a688b10$@netsetglobal.rs>

I have a use case where I have to authorize an action in my application taken by the user. Here is how it should go:

The user is logged in at KC and using my application. Now, my application would need to authorize one user action by sending the user to KC, where he would enter his OTP, and then, my application would get some kind of proof that user authorized the action (I don't know what should that be, yet).

Do you have any idea how this could be achieved using KC? I guess action SPI would somehow be used.

Thank you in advance,

Nikola

From bhavana at browserstack.com Thu Dec 20 12:59:28 2018
From: bhavana at browserstack.com (Bhavana Motwani)
Date: Thu, 20 Dec 2018 23:29:28 +0530
Subject: [keycloak-user] Questions around keycloak IdP initiated flow
In-Reply-To:
References:
Message-ID:

Hi all

We are using keycloak 4.5.0 for SP-initiated and IdP-initiated auth flows. We are using Auth0 as the external IdP for test purposes. We have managed the SP-initiated flow successfully. But we are facing issues with IdP initiated flow. I was hoping you could help.

1. Will the external IdP need two separate clients to connect to our keycloak instance, one for SP-initiated and the other for IdP? PFA the metadata we generated for SP-initiated flow.
The SingleLogoutService.Location and AssertionConsumerService.Location are 'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint'

But, for IdP initiated flow, we are having to replace the above with 'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-stage/endpoint/clients/{client-name}'

This would result in 2 clients on the external IdP side. Is there a way to avoid this?

2. With the IdP initiated flow, we are also facing issues with backchannel logout. It gives a certificate issue. What certificate does keycloak expect? The SP client's or the external IdP's?

Any help will be appreciated! Thank you once again.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bs_oracle_shaktimaan.xml
Type: text/xml
Size: 2226 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181220/5e179a4c/attachment-0001.xml

From Tom.Billiet at technicolor.com Fri Dec 21 05:30:01 2018
From: Tom.Billiet at technicolor.com (Billiet Tom)
Date: Fri, 21 Dec 2018 10:30:01 +0000
Subject: [keycloak-user] Map authenticator information to AccessToken
In-Reply-To:
References: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local> <1544563286.10225.1.camel@acutus.pro>
Message-ID:

Also thanks, was looking for something similar.

We tend to write our custom code as java plugins though. For me I could only get it working by setting this authenticator as the FIRST in the flow, mark as "alternative" and then always call context.attempted() to make sure the "real" authenticator is still called.

Tom

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Lösch, Sebastian
Sent: Wednesday, December 19, 2018 4:44 PM
To: dt at acutus.pro
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Map authenticator information to AccessToken

** WARNING: This mail is from an external source **

Thank you Dmitry. Your solution works great!
Best regards,
Sebastian

-----Original Message-----
From: Dmitry Telegin
>
> Best regards,
> Sebastian Lösch
>
> --
> Solution Engineering
> Governikus GmbH & Co. KG
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Dec 21 08:19:24 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 21 Dec 2018 16:19:24 +0300
Subject: [keycloak-user] Authorization of action in application (client of KC)
In-Reply-To: <01e201d4987c$b8cd83b0$2a688b10$@netsetglobal.rs>
References: <01e201d4987c$b8cd83b0$2a688b10$@netsetglobal.rs>
Message-ID: <1545398364.2097.8.camel@acutus.pro>

Hello Nikola,

On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> I have a use case where I have to authorize an action in my application
> taken by the user. Here is how it should go:
>
> The user is logged in at KC and using my application. Now, my application
> would need to authorize one user action by sending the user to KC, where he
> would enter his OTP, and then, my application would get some kind of proof
> that user authorized the action (I don't know what should that be, yet).

Seems like what you want is "step-up authentication". It's been on the list since 2014, but AFAIK still no progress to the moment:
https://issues.jboss.org/browse/KEYCLOAK-847
https://issues.jboss.org/browse/KEYCLOAK-4182
http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html

I'm also adding Thomas Darimont to CC: as probably no one knows this topic better than he does.

> Do you have any idea how this could be achieved using KC? I guess action SPI
> would somehow be used.

If you're talking about Action Token SPI [1], I'm afraid this is not much relevant here.
Action tokens are issued by Keycloak and allow users to perform special actions like password reset. OTOH, your case is about conditionally executing a part of authentication flow on the client's request.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Thank you in advance,
>
> Nikola
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Dec 21 08:29:55 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 21 Dec 2018 16:29:55 +0300
Subject: [keycloak-user] Authorization of action in application (client of KC)
In-Reply-To: <1545398364.2097.8.camel@acutus.pro>
References: <01e201d4987c$b8cd83b0$2a688b10$@netsetglobal.rs> <1545398364.2097.8.camel@acutus.pro>
Message-ID: <1545398995.2097.10.camel@acutus.pro>

Sorry, forgot the link:

https://www.keycloak.org/docs/latest/server_development/index.html#_action_token_spi

Dmitry

On Fri, 2018-12-21 at 16:19 +0300, Dmitry Telegin wrote:
> Hello Nikola,
>
> On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> > I have a use case where I have to authorize an action in my
> > application
> > taken by the user. Here is how it should go:
> >
> > The user is logged in at KC and using my application. Now, my
> > application
> > would need to authorize one user action by sending the user to KC,
> > where he
> > would enter his OTP, and then, my application would get some kind
> > of proof
> > that user authorized the action (I don't know what should that be,
> > yet).
>
> Seems like what you want is "step-up authentication".
> It's been on
> the list since 2014, but AFAIK still no progress to the moment:
> https://issues.jboss.org/browse/KEYCLOAK-847
> https://issues.jboss.org/browse/KEYCLOAK-4182
> http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html
>
> I'm also adding Thomas Darimont to CC: as probably no one knows this
> topic better than he does.
>
> > Do you have any idea how this could be achieved using KC? I guess
> > action SPI
> > would somehow be used.
>
> If you're talking about Action Token SPI [1], I'm afraid this is not
> much relevant here. Action tokens are issued by Keycloak and allow
> users to perform special actions like password reset. OTOH, your case
> is about conditionally executing a part of authentication flow on the
> client's request.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> >
> > Thank you in advance,
> >
> > Nikola
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Dec 21 08:45:32 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 21 Dec 2018 16:45:32 +0300
Subject: [keycloak-user] Map authenticator information to AccessToken
In-Reply-To:
References: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local> <1544563286.10225.1.camel@acutus.pro>
Message-ID: <1545399932.2097.11.camel@acutus.pro>

Sebastian, Tom, you're welcome,

On Fri, 2018-12-21 at 10:30 +0000, Billiet Tom wrote:
> Also thanks, was looking for something similar.
>
> We tend to write our custom code as java plugins though.
> For me I could only get it working by setting this authenticator as the FIRST in the flow, mark as "alternative" and then always call context.attempted() to make sure the "real" authenticator is still called.

Just wondering: are you also trying to retrieve execution statuses for authenticators? I've just tried to make my authenticator the first one in the flow, and in this case authenticationSession.getExecutionStatus() returns an empty list, which IMHO makes sense.

Dmitry

>
> Tom
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Lösch, Sebastian
> Sent: Wednesday, December 19, 2018 4:44 PM
> To: dt at acutus.pro
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Map authenticator information to AccessToken
>
> ** WARNING: This mail is from an external source **
>
> Thank you Dmitry. Your solution works great!
>
> Best regards,
> Sebastian
>
> -----Original Message-----
> From: Dmitry Telegin
> > Possibly by writing a custom IdentityProviderMapper?
> >
> > Best regards,
> > Sebastian Lösch
> >
> > --
> > Solution Engineering
> > Governikus GmbH & Co. KG
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Tom.Billiet at technicolor.com Fri Dec 21 09:17:32 2018
From: Tom.Billiet at technicolor.com (Billiet Tom)
Date: Fri, 21 Dec 2018 14:17:32 +0000
Subject: [keycloak-user] Map authenticator information to AccessToken
In-Reply-To: <1545399932.2097.11.camel@acutus.pro>
References: <9b13849ca60347e697301d911bba9399@BOSKGEXC01.boskg.local> <1544563286.10225.1.camel@acutus.pro> <1545399932.2097.11.camel@acutus.pro>
Message-ID:

No. I'm using client authentication using a signed JWT token. That token is passed as an HTTP POST parameter. Obviously this token needs to be validated, and the default JWTClientAuthenticator does a perfect job. However, later on I want to be able in one of my mappers to read some (custom) fields in the JWT token after authentication is OK. For that I need to expose that token on the user session note in order to be able to use it in the mapper.

So that's the only thing my new authenticator does: read the HTTP POST parameter and set it on the user session note. Then leave the real authentication to the default authenticator.

Tom

-----Original Message-----
From: Dmitry Telegin
Sent: Friday, December 21, 2018 2:46 PM
To: Billiet Tom ; Lösch, Sebastian
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Map authenticator information to AccessToken

** WARNING: This mail is from an external source **

Sebastian, Tom, you're welcome,

On Fri, 2018-12-21 at 10:30 +0000, Billiet Tom wrote:
> Also thanks, was looking for something similar.
>
> We tend to write our custom code as java plugins though. For me I could only get it working by setting this authenticator as the FIRST in the flow, mark as "alternative" and then always call context.attempted() to make sure the "real" authenticator is still called.

Just wondering: are you also trying to retrieve execution statuses for authenticators? I've just tried to make my authenticator the first one in the flow, and in this case authenticationSession.getExecutionStatus() returns an empty list, which IMHO makes sense.

Dmitry

>
> Tom
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Lösch, Sebastian
> Sent: Wednesday, December 19, 2018 4:44 PM
> To: dt at acutus.pro
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Map authenticator information to AccessToken
>
> ** WARNING: This mail is from an external source **
>
> Thank you Dmitry. Your solution works great!
>
> Best regards,
> Sebastian
>
> -----Original Message-----
> From: Dmitry Telegin
> > > > Possibly by writing a custom IdentityProviderMapper?
> > > >
> > > > Best regards,
> > > > Sebastian Lösch
> > > >
> > > > --
> > > > Solution Engineering
> > > > Governikus GmbH & Co. KG
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From Felix.Knecht at hrm-systems.ch Fri Dec 21 09:38:24 2018
From: Felix.Knecht at hrm-systems.ch (Felix Knecht)
Date: Fri, 21 Dec 2018 14:38:24 +0000
Subject: [keycloak-user] Get the realms through the Client Admin Api
Message-ID:

I have almost exactly the same problem: I run the keycloak server in a wildfly 14 distribution. When I try to get a token from a call within a deployed webapp (same wildfly) I get the same NPE. When running exactly the same code from an external application all runs fine, no NPE.

I suppose running the code from within a war/ear file does not do exactly the same as running the code from a single class. It worked versions ago (keycloak 2.1). For now I don't have an idea what the difference is ...

> Trying this code I receive a null token:
>
> Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
> keycloak.tokenManager().getAccessTokenString();
>
> On 17 December 2018 at 17:23 Luca Stancapiano wrote:
> >
> > I'm trying a simple call via Rest to my keycloak 4.7.0.Final server distribution.
> > I created an admin user through the admin web console:
> >
> > user: admin
> > pass: admin
> >
> > The server works on the 8180 port and it starts through the command:
> >
> > ./standalone.sh -Djboss.socket.binding.port-offset=100
> >
> > I try to do a simple call using the admin client api imported through the dependency in the pom:
> >
> > <dependency>
> >     <groupId>org.keycloak</groupId>
> >     <artifactId>keycloak-admin-client</artifactId>
> >     <version>4.7.0.Final</version>
> >     <scope>test</scope>
> > </dependency>
> >
> > Here the java code:
> >
> > Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
> > keycloak.realm("master").clients().findAll();
> >
> > when the findAll method is executed I receive the Exception:
> >
> > javax.ws.rs.ProcessingException: java.lang.NullPointerException
> >     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:599)
> >     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
> >     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
> >     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
> >     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
> >     at com.sun.proxy.$Proxy29.findAll(Unknown Source)
> >     at it.vige.school.resttest.schoolmodule.test.PresenceTest.setPresence(PresenceTest.java:42)
> >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >     at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:532)
> >     at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:115)
> >     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:171)
> >     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> >     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:167)
> >     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:114)
> >     at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:59)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:108)
> >     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
> >     at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
> >     at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
> >     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
> >     at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
> >     at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
> >     at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
> >     at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
> >     at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
> >     at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
> >     at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
> >     at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:220)
> >     at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:188)
> >     at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:202)
> >     at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:181)
> >     at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
> >     at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invokeAllTests(JUnitPlatformProvider.java:142)
> >     at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invoke(JUnitPlatformProvider.java:117)
> >     at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
> >     at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
> >     at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
> >     at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
> > Caused by: java.lang.NullPointerException
> >     at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:53)
> >     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:586)
> >     ... 47 more
> >
> > What am I missing?

From geoff at opticks.io Fri Dec 21 09:52:22 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 21 Dec 2018 15:52:22 +0100
Subject: [keycloak-user] How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)
In-Reply-To: <1545018338.12250.10.camel@acutus.pro>
References: <1544747667.12484.1.camel@acutus.pro> <1545018338.12250.10.camel@acutus.pro>
Message-ID:

Hi. I was able to successfully maintain the template and edit the error code using your instructions (thanks again!) but unfortunately bumped into another snag.

Imagine the scenario where you want to log into Keycloak using your Google credentials. If you have multiple Google accounts, Google will ask you which one you want to use. If you accidentally choose the wrong one, my custom authenticator script will notice that there is no corresponding email address in Keycloak, deny login and give you the custom message. So far so good.

The problem arises when the user clicks the Google option again from the resulting custom error page but on the next attempt selects the correct Google account. The user should log in normally, but instead I'm getting an error message: "Unexpected error when authenticating with identity provider". It's like the session has somehow been poisoned, even though I added context.clearUser(); context.resetFlow(); to the script.

Here is the full script, in case anybody has any ideas on how to reset the flow successfully.
function myError(context) {
    // Re-render the login form with a custom error message instead of a bare 401 page
    return context.form().setError("You must have an existing account to log in via Google.", []).createLogin();
}

// Java classes the Nashorn script needs
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.type("javax.ws.rs.core.MediaType");

// Every user of the realm, fetched when the script body is evaluated (before authenticate runs)
users = session.users().getUsers(realm, false);
//LOG.info("users = " + users);

function authenticate(context) {
    // The brokered identity Keycloak stored in the authentication session after the IdP callback
    var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
    var biCtx = serializedCtx.deserialize(session, authenticationSession);
    var idpUsername = biCtx.username;
    LOG.info("username = " + idpUsername);
    LOG.info("alias = " + biCtx.idpConfig.alias);

    // Allow the login only if a local account already carries the e-mail the IdP reported
    for(var u in users) {
        //LOG.info("u = " + users[u].getEmail());
        if(idpUsername===users[u].getEmail()) {
            context.success();
            return;
        }
    }

    // Otherwise reset the flow state and fail with the custom login page
    var response2 = myError(context);
    context.clearUser();
    context.resetFlow();
    context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response2);
    return;
}

On Mon, 17 Dec 2018 at 04:45, Dmitry Telegin
wrote:
> Hi Geoffrey, you're welcome :)
>
> As for embedding custom error messages into existing templates, I suggest
> that you check out the following thread:
> http://lists.jboss.org/pipermail/keycloak-user/2018-December/016669.html
>
> Please let me know if it works for you.
>
> Cheers,
> Dmitry
>
> On Fri, 2018-12-14 at 11:49 +0100, Geoffrey Cleaves wrote:
> > Thanks Dmitry, I never in 1000 years would have figured this out.
> >
> > My goal with all of this is to only allow a user to log in with Google
> > (or other provider) if there is already an account created with the same
> > email address. My code below works, but instead of returning an entire
> > custom page on failure, it would be nice to use the existing template with
> > simply a different text. I hate to abuse your free time, but if you have
> > any tips for that I would be most appreciative.
> >
> > AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
> >
> > // take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.
> >
> > SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
> > AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
> > Response = Java.type("javax.ws.rs.core.Response");
> > MediaType = Java.type("javax.ws.rs.core.MediaType");
> > response = Response.status(401).entity("You must have an existing account to log in.").type(MediaType.TEXT_HTML_TYPE).build();
> > users = session.users().getUsers(realm, false);
> >
> > function authenticate(context) {
> >     var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
> >     var biCtx = serializedCtx.deserialize(session, authenticationSession);
> >     var idpUsername = biCtx.username;
> >     LOG.info("username = " + idpUsername);
> >     LOG.info("alias = " + biCtx.idpConfig.alias);
> >
> >     for(var u in users) {
> >         //LOG.info("u = " + users[u].getEmail());
> >         if(idpUsername===users[u].getEmail()) {
> >             context.success();
> >             return;
> >         }
> >     }
> >
> >     context.failure(AuthenticationFlowError.USER_DISABLED, response);
> >     return;
> > }
> >
> > On Fri, 14 Dec 2018 at 01:34, Dmitry Telegin
wrote: > > > Hello Geoffrey, > > > > > > I was right about to click Send when I finally noticed that statement > in parentheses :-D you were 100% right, what else can I say :) > > > > > > Here we go, try this snippet: > > > > > > SerializedBrokeredIdentityContext = > Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext"); > > > AbstractIdpAuthenticator = > Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator"); > > > > > > function authenticate(context) { > > > > > > var serializedCtx = > SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, > AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); > > > > > > var biCtx = serializedCtx.deserialize(session, > authenticationSession); > > > > > > LOG.info(biCtx.username); > > > LOG.info(biCtx.idpConfig.alias); > > > > > > context.success(); > > > > > > } > > > > > > Also take a look at > org.keycloak.broker.provider.BrokeredIdentityContext to figure out what > else you can obtain from that object. > > > > > > Good luck :) > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Thu, 2018-12-13 at 14:31 +0100, Geoffrey Cleaves wrote: > > > > Hello. I have a simple JS execution which denies access as the first > step > > > > of the first broker login flow. I would like to access some of the > > > > attributes that Keycloak writes out to the log when executing this > flow > > > > (see below) > > > > > > > > What objects or variables must my JS execution load in order to get > the > > > > identity_provider_identity attribute listed below? 
> > > > > > > > 20:29:56,588 WARN [org.keycloak.events] (default task-527) > > > > type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic, > > > > userId=null, ipAddress=90., error=user_not_found, > identity_provider=google, > > > > auth_method=openid-connect, redirect_uri= > http://localhost:8222?clientid=tic, > > > > > > identity_provider_identity=user at gmail.com, code_id=b07317fdb > > > > > > > > Thanks in advance! > > > > > > > > Geoff > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > -- > > > > Regards, > > Geoffrey Cleaves > > > > > > > > > > > -- Regards, Geoffrey Cleaves

From m.belmontet at systel-sa.com Fri Dec 21 09:57:34 2018
From: m.belmontet at systel-sa.com (BELMONTET Matthieu)
Date: Fri, 21 Dec 2018 14:57:34 +0000
Subject: [keycloak-user] Uma ticket
Message-ID:

Good morning everybody,

With the 4.x.x of Keycloak we can ask for a UMA ticket with a specific permission for a user. I'm really interested in this feature to set up role access to my application. I found the way to test it with REST calls. I wonder if you are working on the login page to implement this feature: "After the login form, the page can propose to select a role in the list and then generate the UMA ticket"? If it isn't planned, should I work only with my UMA ticket, which replaces the authentication token, or should I keep the authentication token too and send both in the header of my HTTP requests? If I keep both, should I refresh both? How do I access the UMA ticket API with the keycloak-angular library?
Thank you

BELMONTET Matthieu
______________________________________
Systel
Pôle concevoir
*: m.belmontet at systel-sa.com
______________________________________

From geoff at opticks.io Fri Dec 21 11:46:02 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 21 Dec 2018 17:46:02 +0100
Subject: [keycloak-user] Uma ticket
In-Reply-To: References: Message-ID:

UMA tickets are sent by the resource server to the client when the access token does not have the necessary permissions. The client uses the ticket to enrich the access token with permission information, which can then be sent back to the resource server in order to access the resource. UMA tickets do not replace tokens.

In Keycloak, users (and clients) have roles. When using UMA protection, you can use roles to determine what resources and scopes a user can access. For example, if the client tries to POST to /bank_accounts with an access token, your resource server could create a permission ticket requesting the create scope for the bank_account resource. The resource server responds with 401 and the permission ticket to the client. The client is smart enough to see the permission ticket and in turn sends the ticket (and auth token) to Keycloak. Keycloak can then look up the user's roles to determine if the user has the create scope for bank_accounts. Keycloak responds with an access token which includes the permissions, and with the new token the client once again tries to POST to /bank_accounts. The resource server confirms the permissions and creates a bank account.

You don't need to use roles to determine UMA permissions. You can use groups, attributes, whatever you want.

You don't actually need to use UMA permissions for the scenario described above. Access tokens usually have roles included in them. The resource server could examine the roles in the token to determine whether she can create a bank account or not.
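Editor's added example of the exchange Geoffrey describes above; it is written for this page and is neither code from his reply nor Keycloak's own. The client POSTs to /bank_accounts with its ordinary access token, the resource server answers 401 with a WWW-Authenticate: UMA realm="...", as_uri="...", ticket="..." challenge, the client sends that ticket to the realm token endpoint with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket and its access token as bearer, Keycloak evaluates its policies and returns an RPT in the access_token field (or 403 access_denied), and the client retries with the RPT. The Go block implements the client side of that dance; the two httptest servers are a constructed stand-in for Keycloak and the API so it runs offline (the token names tok-alice and tok-bob, the ticket value, and the rule that only alice, a teller, may create are invented). Real Keycloak returns signed JWTs, and a real resource server validates the RPT's permissions claim instead of consulting a map.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// A Keycloak-protected resource server denies with 401 and: WWW-Authenticate: UMA realm="...", as_uri="...", ticket="...".
var ticketRE = regexp.MustCompile(`^UMA .*\bticket="([^"]+)"`)

// ObtainRPT runs the UMA grant at the realm token endpoint: the client posts the ticket, proves who
// it is with its current access token, and gets an RPT (an access token that now carries permissions).
func ObtainRPT(c *http.Client, tokenEndpoint, accessToken, ticket string) (string, error) {
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:uma-ticket"}, "ticket": {ticket}}
	req, _ := http.NewRequest("POST", tokenEndpoint, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != 200 { // Keycloak answers 403 access_denied when policy refuses the scopes
		return "", fmt.Errorf("uma grant refused: %s", resp.Status)
	}
	var body struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.AccessToken == "" {
		return "", fmt.Errorf("no RPT in token response")
	}
	return body.AccessToken, nil
}

// CallWithUMA sends the request with the plain access token; on a UMA challenge it upgrades to an
// RPT and retries exactly once. The RPT supplements the session token rather than replacing it.
func CallWithUMA(c *http.Client, method, resource, tokenEndpoint, accessToken string) (int, error) {
	do := func(tok string) (int, http.Header, error) {
		req, _ := http.NewRequest(method, resource, nil)
		req.Header.Set("Authorization", "Bearer "+tok)
		resp, err := c.Do(req)
		if err != nil {
			return 0, nil, err
		}
		resp.Body.Close()
		return resp.StatusCode, resp.Header, nil
	}
	status, hdr, err := do(accessToken)
	if err != nil || status != 401 {
		return status, err
	}
	m := ticketRE.FindStringSubmatch(hdr.Get("WWW-Authenticate"))
	if m == nil {
		return 401, fmt.Errorf("401 without a UMA ticket: nothing to upgrade")
	}
	rpt, err := ObtainRPT(c, tokenEndpoint, accessToken, m[1])
	if err != nil {
		return 401, err
	}
	status, _, err = do(rpt)
	return status, err
}

// FakeServers is a constructed stand-in for Keycloak and the API so the exchange runs offline:
// "tok-alice" belongs to a teller who may create bank accounts, "tok-bob" does not.
func FakeServers() (api, as *httptest.Server) {
	rpts := map[string]bool{} // RPTs this fake issued; real Keycloak signs them as JWTs instead
	as = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if r.FormValue("grant_type") != "urn:ietf:params:oauth:grant-type:uma-ticket" ||
			r.FormValue("ticket") != "ticket-create-bank_account" || tok != "tok-alice" {
			http.Error(w, `{"error":"access_denied"}`, 403) // policy said no
			return
		}
		rpts["rpt-"+tok] = true
		json.NewEncoder(w).Encode(map[string]string{"access_token": "rpt-" + tok, "token_type": "bearer"})
	}))
	api = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if rpts[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")] {
			w.WriteHeader(201)
			return
		}
		w.Header().Set("WWW-Authenticate", `UMA realm="demo", as_uri="`+as.URL+`", ticket="ticket-create-bank_account"`)
		w.WriteHeader(401)
	}))
	return api, as
}

func main() {
	api, as := FakeServers()
	for _, tok := range []string{"tok-alice", "tok-bob"} {
		status, err := CallWithUMA(http.DefaultClient, "POST", api.URL+"/bank_accounts", as.URL+"/token", tok)
		fmt.Println(tok, status, err) // tok-alice 201 <nil>; tok-bob 401 uma grant refused: 403 Forbidden
	}
}
```

The retry is deliberately limited to one upgrade: a second 401 after presenting the RPT means the policy evaluation said no, and looping would only hammer the token endpoint. When the original access token expires, refresh it as usual and run the dance again; the RPT is tied to it, not a substitute for it.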
See https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter and https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_js_adapter for javascript and UMA tips.

On Fri, 21 Dec 2018 at 16:09, BELMONTET Matthieu wrote: > Good morning every body > > With the 4.x.x of keycloak we can ask for uma ticket with a specific > permission for an user. > > I'm really interested by this feature to set up a role access to my > application. > I found the way to test it with the REST calling. > I wonder if you work on the login page to implement this feature. "After > login form, the page can propose to select a role in the list and then > return generate the uma-ticket"? > If it isn't planned. Should I work only with my uma-ticket which replace > the authentication token or I should keep the authentication token too and > send both in the header of my http requests? > If I keep both, should I refresh both? > > How to access with keycloak -angular library to the uma ticket API? > > > Thank you > > BELMONTET Matthieu > ______________________________________ > Systel > Pôle concevoir > *: m.belmontet at systel-sa.com > ______________________________________ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Regards, Geoffrey Cleaves

From mandy.fung at tasktop.com Fri Dec 21 13:23:56 2018
From: mandy.fung at tasktop.com (Mandy Fung)
Date: Fri, 21 Dec 2018 10:23:56 -0800
Subject: [keycloak-user] 403 Forbidden error when trying to access realm admin console in 4.7.0
Message-ID:

Hello, We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer access the dedicated realm admin console (/auth/admin/{realm}/console) with the same realm-management roles that they had in 4.5.0.
We only want our admin users to manage users and groups and in 4.5.0 we were able to assign the following roles to our admin users such that only the "Manage > Groups" and "Manage > Users" tab show up in the realm admin console: 'manage-users', 'query-groups', 'query-users', and 'view-users'. However, with the new upgrade to 4.7.0 these admin users with the same realm-management roles assigned can no longer access the realm admin console and they see a 403 Forbidden error page. Has anyone run into this issue recently or if there are some new realm management roles added in 4.7.0 that we need to re-configure? Best regards, Mandy -- *Mandy Fung **|* Software Engineer 1 *| *Tasktop *email: *mandy.fung at tasktop.com From Kevin.Fox at pnnl.gov Fri Dec 21 14:42:13 2018 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Fri, 21 Dec 2018 19:42:13 +0000 Subject: [keycloak-user] kcinit status Message-ID: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov> Not much has happened with kcinit in a long time and it has a few outstanding bugs in the way of working for us. What is the status of the project? Thanks, Kevin From jpcampb2 at ncsu.edu Fri Dec 21 15:58:42 2018 From: jpcampb2 at ncsu.edu (James Campbell) Date: Fri, 21 Dec 2018 15:58:42 -0500 Subject: [keycloak-user] Google Identity and Google+ API Message-ID: Hi all-- I'm just getting started with keycloak, and have set up the google identity provider. I notice that the google identity provider uses the Google+ API for profile information, which seems unnecessary, but I do not see a way to turn it off (maybe limit the scopes requested)? Given the now-imminent deprecation of the Google+ APIs, is there a way to ensure I'm not using the Google+ API? 
James From jpcampb2 at ncsu.edu Fri Dec 21 22:01:30 2018 From: jpcampb2 at ncsu.edu (James Campbell) Date: Fri, 21 Dec 2018 22:01:30 -0500 Subject: [keycloak-user] Google Identity and Google+ API In-Reply-To: References: Message-ID: Having looked a bit more closely at this, it appears that currently the GoogleIdentityProvider (keycloak\services\src\main\java\org\keycloak\social\google\GoogleIdentityProvider.java) has the Google+ Profile URL hard-coded into it. There are at least four alternatives available, according to the Google OAuth2.0 Playground and documentation. Three provide very similar data, and rely on the same base authorization as the oauth2 series (i.e. they do not require specifically enabling the People API or Google+ API) - https://www.googleapis.com/userinfo/v2/me - https://www.googleapis.com/oauth2/v2/userinfo - https://www.googleapis.com/oauth2/v3/userinfo (also exists but does not seem as well documented) The fourth is an endpoint on the PeopleAPI that provides much fuller profile information: - https://people.googleapis.com/v1/people/me (which *would* require enabling the People API for the associated credentials) Given those alternatives, and the fact that Google documentation says they'll be shutting down the Google+ APIs as early as January 2019, it seems prudent to simply change to one of the oauth-only endpoints, such as https://www.googleapis.com/oauth2/v2/userinfo Would that simple change be sufficient, or would additional default mapping changes be required? James On Fri, Dec 21, 2018 at 3:58 PM James Campbell wrote: > Hi all-- > > I'm just getting started with keycloak, and have set up the google > identity provider. I notice that the google identity provider uses the > Google+ API for profile information, which seems unnecessary, but I do not > see a way to turn it off (maybe limit the scopes requested)? > > Given the now-imminent deprecation of the Google+ APIs, is there a way to > ensure I'm not using the Google+ API? 
> > James > -- James Campbell Government Researcher (919) 987-3378 Laboratory for Analytic Sciences From geoff at opticks.io Sat Dec 22 17:00:07 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Sat, 22 Dec 2018 23:00:07 +0100 Subject: [keycloak-user] 403 Forbidden error when trying to access realm admin console in 4.7.0 In-Reply-To: References: Message-ID: When I was messing with granular permissions recently I had to give the view-realm role in order to log into the Admin Console. On Fri, Dec 21, 2018, 19:29 Mandy Fung Hello, > > We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer access > the dedicated realm admin console (/auth/admin/{realm}/console) with the > same realm-management roles that they had in 4.5.0. > > We only want our admin users to manage users and groups and in 4.5.0 we > were able to assign the following roles to our admin users such that only > the "Manage > Groups" and "Manage > Users" tab show up in the realm admin > console: 'manage-users', 'query-groups', 'query-users', and 'view-users'. > > However, with the new upgrade to 4.7.0 these admin users with the same > realm-management roles assigned can no longer access the realm admin > console and they see a 403 Forbidden error page. > > Has anyone run into this issue recently or if there are some new realm > management roles added in 4.7.0 that we need to re-configure? 
> > Best regards, > Mandy > > -- > > > *Mandy Fung **|* Software Engineer 1 *| *Tasktop > > *email: *mandy.fung at tasktop.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sakodiya at grepruby.com Mon Dec 24 08:09:03 2018
From: sakodiya at grepruby.com (Shubham Akodiya)
Date: Mon, 24 Dec 2018 18:39:03 +0530
Subject: [keycloak-user] Keycloak logout API not working properly
Message-ID:

Hi, I'm using the logout API (https://localhost:8080/auth/realms/my-realm-name/protocol/openid-connect/logout) and sending all the required parameters, i.e. refresh_token, client_id and client_secret. The API works properly, but the user is still able to use the access_token to access the APIs. How do I revoke that access_token?

Thanks,
Shubham Akodiya

From mandy.fung at tasktop.com Mon Dec 24 11:14:11 2018
From: mandy.fung at tasktop.com (Mandy Fung)
Date: Mon, 24 Dec 2018 08:14:11 -0800
Subject: [keycloak-user] 403 Forbidden error when trying to access realm admin console in 4.7.0
In-Reply-To: References: Message-ID:

Thanks for the reply! This indeed allowed the user to access the realm console. However, this also exposed other configurations that we do not wish the admin users to see such as configuring the Realm Settings, Roles, User Federation, and Authentication. Is there another configuration that would allow the user to access the admin console and only expose the manage groups and users tab?

Thanks again,
Mandy

On Sat, Dec 22, 2018 at 2:00 PM Geoffrey Cleaves wrote: > When I was messing with granular permissions recently I had to give the > view-realm role in order to log into the Admin Console.
> > On Fri, Dec 21, 2018, 19:29 Mandy Fung >> Hello, >> >> We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer access >> the dedicated realm admin console (/auth/admin/{realm}/console) with the >> same realm-management roles that they had in 4.5.0. >> >> We only want our admin users to manage users and groups and in 4.5.0 we >> were able to assign the following roles to our admin users such that only >> the "Manage > Groups" and "Manage > Users" tab show up in the realm admin >> console: 'manage-users', 'query-groups', 'query-users', and 'view-users'. >> >> However, with the new upgrade to 4.7.0 these admin users with the same >> realm-management roles assigned can no longer access the realm admin >> console and they see a 403 Forbidden error page. >> >> Has anyone run into this issue recently or if there are some new realm >> management roles added in 4.7.0 that we need to re-configure? >> >> Best regards, >> Mandy >> >> -- >> >> >> *Mandy Fung **|* Software Engineer 1 *| *Tasktop >> >> *email: *mandy.fung at tasktop.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -- *Mandy Fung **|* Software Engineer 1 *| *Tasktop *email: *mandy.fung at tasktop.com From craig at baseventure.com Mon Dec 24 13:38:34 2018 From: craig at baseventure.com (Craig Setera) Date: Mon, 24 Dec 2018 12:38:34 -0600 Subject: [keycloak-user] Script authenticators via UI? Message-ID: I'm trying to (finally) wrap back around to handling our partner code. Based on conversation with Dmitry, I'm trying to add a new authenticator to our current flow, but I'm not seeing the script executor option in the UI. I have enabled the profile (and see that it is enabled in the logs). Is that something that I should expect to see via the UI or is this something I'm only going to be able to manage via API? 
(I expect to eventually configure this via API, but was trying to test things out first).

Thanks!
Craig

=================================
*Craig Setera*
*Chief Technology Officer*

From dt at acutus.pro Mon Dec 24 14:33:14 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 24 Dec 2018 22:33:14 +0300
Subject: [keycloak-user] Script authenticators via UI?
In-Reply-To: References: Message-ID: <1545679994.22937.1.camel@acutus.pro>

Hello Craig,

Just tried this with Keycloak 4.8.1:

bin/standalone.sh -Dkeycloak.profile.feature.scripts=enabled

and I was able to see Script in the executions dropdown list again (between OTP and OTP Form).

Cheers,
Dmitry

On Mon, 2018-12-24 at 12:38 -0600, Craig Setera wrote: > I'm trying to (finally) wrap back around to handling our partner code. > Based on conversation with Dmitry, I'm trying to add a new authenticator to > our current flow, but I'm not seeing the script executor option in the UI. > I have enabled the profile (and see that it is enabled in the logs). Is > that something that I should expect to see via the UI or is this something > I'm only going to be able to manage via API? (I expect to eventually > configure this via API, but was trying to test things out first). > > Thanks! > Craig > > ================================= > *Craig Setera* > > *Chief Technology Officer* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From craig at baseventure.com Mon Dec 24 15:49:28 2018
From: craig at baseventure.com (Craig Setera)
Date: Mon, 24 Dec 2018 14:49:28 -0600
Subject: [keycloak-user] Script authenticators via UI?
In-Reply-To: <1545679994.22937.1.camel@acutus.pro>
References: <1545679994.22937.1.camel@acutus.pro>
Message-ID:

I'm either doing something wrong or I'm just missing it. I'm running 4.8.1 (via Docker).
I've set the system property and I'm seeing this in the log: keycloak_1 | 18:27:56,908 INFO [org.keycloak.common.Profile] (ServerService Thread Pool -- 61) Preview feature enabled: scripts However, I can't seem to find Script in any of the drop-downs for the Authentication configuration. Any other ideas where I should be looking? Craig ================================= *Craig Setera* *Chief Technology Officer* On Mon, Dec 24, 2018 at 1:33 PM Dmitry Telegin
wrote: > Hello Craig, > > Just tried this with Keycloak 4.8.1: > > bin/standalone.sh -Dkeycloak.profile.feature.scripts=enabled > > and I was able to see Script in the executions dropdown list again > (between OTP and OTP Form). > > Cheers, > Dmitry > > On Mon, 2018-12-24 at 12:38 -0600, Craig Setera wrote: > > I'm trying to (finally) wrap back around to handling our partner code. > > Based on conversation with Dmitry, I'm trying to add a new authenticator > to > > our current flow, but I'm not seeing the script executor option in the > UI. > > I have enabled the profile (and see that it is enabled in the logs). Is > > that something that I should expect to see via the UI or is this > something > > I'm only going to be able to manage via API? (I expect to eventually > > configure this via API, but was trying to test things out first). > > > > Thanks! > > Craig > > > > ================================= > > *Craig Setera* > > > > *Chief Technology Officer* > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From geoff at opticks.io Tue Dec 25 09:39:24 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Tue, 25 Dec 2018 15:39:24 +0100 Subject: [keycloak-user] 403 Forbidden error when trying to access realm admin console in 4.7.0 In-Reply-To: References: Message-ID: I think you should open a bug report. I agree with you that it does not make sense to expose those other config settings (even if limited to read-only.) Post the ticket here and I'll vote for it. On Mon, 24 Dec 2018 at 17:14, Mandy Fung wrote: > Thanks for the reply! This indeed allowed the user to access the realm > console. However, this also exposed other configurations that we do not > wish the admin users to see such as configuring the Realm Settings, Roles, > User Federation, and Authentication. 
> > Is there another configuration that would allow the user to access the > admin console and only expose the manage groups and users tab? > > Thanks again, > Mandy > > On Sat, Dec 22, 2018 at 2:00 PM Geoffrey Cleaves wrote: > >> When I was messing with granular permissions recently I had to give the >> view-realm role in order to log into the Admin Console. >> >> On Fri, Dec 21, 2018, 19:29 Mandy Fung > >>> Hello, >>> >>> We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer >>> access >>> the dedicated realm admin console (/auth/admin/{realm}/console) with the >>> same realm-management roles that they had in 4.5.0. >>> >>> We only want our admin users to manage users and groups and in 4.5.0 we >>> were able to assign the following roles to our admin users such that only >>> the "Manage > Groups" and "Manage > Users" tab show up in the realm admin >>> console: 'manage-users', 'query-groups', 'query-users', and 'view-users'. >>> >>> However, with the new upgrade to 4.7.0 these admin users with the same >>> realm-management roles assigned can no longer access the realm admin >>> console and they see a 403 Forbidden error page. >>> >>> Has anyone run into this issue recently or if there are some new realm >>> management roles added in 4.7.0 that we need to re-configure? >>> >>> Best regards, >>> Mandy >>> >>> -- >>> >>> >>> *Mandy Fung **|* Software Engineer 1 *| *Tasktop >>> >>> *email: *mandy.fung at tasktop.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > > -- > > > *Mandy Fung **|* Software Engineer 1 *| *Tasktop > > *email: *mandy.fung at tasktop.com > -- Regards, Geoffrey Cleaves From geoff at opticks.io Tue Dec 25 09:43:38 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Tue, 25 Dec 2018 15:43:38 +0100 Subject: [keycloak-user] Script authenticators via UI? 
In-Reply-To: References: <1545679994.22937.1.camel@acutus.pro> Message-ID: It works for me with 4.8.1. This is what my docker run command looks like: docker run -d -p ${KC_IP}:8080:8080 --name keycloak -e "JAVA_TOOL_OPTIONS=-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.scripts=enabled" -e DB_VENDOR=postgres -e DB_ADDR=${PG_IP} -e DB_PORT=5432 -e DB_DATABASE=keycloak -e DB_USER=${DB_KC_USER} -e DB_PASSWORD=${DB_KC_PASS} -e KEYCLOAK_LOGLEVEL=DEBUG -e ROOT_LOGLEVEL=DEBUG -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:${LATEST_KC} On Mon, 24 Dec 2018 at 21:55, Craig Setera wrote: > I'm either doing something wrong or I'm just missing it. I'm running 4.8.1 > (via Docker). I've set the system property and I'm seeing this in the log: > > keycloak_1 | 18:27:56,908 INFO [org.keycloak.common.Profile] > (ServerService Thread Pool -- 61) Preview feature enabled: scripts > > However, I can't seem to find Script in any of the drop-downs for the > Authentication configuration. Any other ideas where I should be looking? > > Craig > > ================================= > *Craig Setera* > > *Chief Technology Officer* > > > On Mon, Dec 24, 2018 at 1:33 PM Dmitry Telegin
wrote: > > > Hello Craig, > > > > Just tried this with Keycloak 4.8.1: > > > > bin/standalone.sh -Dkeycloak.profile.feature.scripts=enabled > > > > and I was able to see Script in the executions dropdown list again > > (between OTP and OTP Form). > > > > Cheers, > > Dmitry > > > > On Mon, 2018-12-24 at 12:38 -0600, Craig Setera wrote: > > > I'm trying to (finally) wrap back around to handling our partner code. > > > Based on conversation with Dmitry, I'm trying to add a new > authenticator > > to > > > our current flow, but I'm not seeing the script executor option in the > > UI. > > > I have enabled the profile (and see that it is enabled in the logs). > Is > > > that something that I should expect to see via the UI or is this > > something > > > I'm only going to be able to manage via API? (I expect to eventually > > > configure this via API, but was trying to test things out first). > > > > > > Thanks! > > > Craig > > > > > > ================================= > > > *Craig Setera* > > > > > > *Chief Technology Officer* > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Regards, Geoffrey Cleaves From wolfbro92 at gmail.com Tue Dec 25 20:08:22 2018 From: wolfbro92 at gmail.com (Kunal Kumar) Date: Wed, 26 Dec 2018 09:08:22 +0800 Subject: [keycloak-user] How to redirect to a certain IP, and not localhost, while signing on to Keycloak Message-ID: Currently all my web apps are being redirected to a *http://localhost:8080/auth/realms/EBIDS/... .. *when logging in. But I want it to be redirected to a certain IP address for example :- *http://199.1.2.33:8080/auth/realms/EBIDS/.. ..*instead of localhost. 
What configuration changes do I have to make to accomplish this? Regards, Kunal From craig at baseventure.com Tue Dec 25 21:38:47 2018 From: craig at baseventure.com (Craig Setera) Date: Tue, 25 Dec 2018 20:38:47 -0600 Subject: [keycloak-user] Script authenticators via UI? In-Reply-To: References: <1545679994.22937.1.camel@acutus.pro> Message-ID: This is probably a dumb question, but where would I expect to see this? I've tried copying various authentication flows and trying to add executions to them, but no luck. Maybe I'm misunderstanding where I should see the option? ================================= *Craig Setera* *Chief Technology Officer* On Tue, Dec 25, 2018 at 8:43 AM Geoffrey Cleaves wrote: > It works for me with 4.8.1. This is what my docker run command looks like: > > docker run -d -p ${KC_IP}:8080:8080 --name keycloak -e "JAVA_TOOL_OPTIONS=-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.scripts=enabled" -e DB_VENDOR=postgres -e DB_ADDR=${PG_IP} -e DB_PORT=5432 -e DB_DATABASE=keycloak -e DB_USER=${DB_KC_USER} -e DB_PASSWORD=${DB_KC_PASS} -e KEYCLOAK_LOGLEVEL=DEBUG -e ROOT_LOGLEVEL=DEBUG -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:${LATEST_KC} > > > On Mon, 24 Dec 2018 at 21:55, Craig Setera wrote: > >> I'm either doing something wrong or I'm just missing it. I'm running >> 4.8.1 >> (via Docker). I've set the system property and I'm seeing this in the >> log: >> >> keycloak_1 | 18:27:56,908 INFO [org.keycloak.common.Profile] >> (ServerService Thread Pool -- 61) Preview feature enabled: scripts >> >> However, I can't seem to find Script in any of the drop-downs for the >> Authentication configuration. Any other ideas where I should be looking? >> >> Craig >> >> ================================= >> *Craig Setera* >> >> *Chief Technology Officer* >> >> >> On Mon, Dec 24, 2018 at 1:33 PM Dmitry Telegin
wrote: >> >> > Hello Craig, >> > >> > Just tried this with Keycloak 4.8.1: >> > >> > bin/standalone.sh -Dkeycloak.profile.feature.scripts=enabled >> > >> > and I was able to see Script in the executions dropdown list again >> > (between OTP and OTP Form). >> > >> > Cheers, >> > Dmitry >> > >> > On Mon, 2018-12-24 at 12:38 -0600, Craig Setera wrote: >> > > I'm trying to (finally) wrap back around to handling our partner code. >> > > Based on conversation with Dmitry, I'm trying to add a new >> authenticator >> > to >> > > our current flow, but I'm not seeing the script executor option in the >> > UI. >> > > I have enabled the profile (and see that it is enabled in the logs). >> Is >> > > that something that I should expect to see via the UI or is this >> > something >> > > I'm only going to be able to manage via API? (I expect to eventually >> > > configure this via API, but was trying to test things out first). >> > > >> > > Thanks! >> > > Craig >> > > >> > > ================================= >> > > *Craig Setera* >> > > >> > > *Chief Technology Officer* >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > > Regards, > Geoffrey Cleaves > > > > > > From wolfbro92 at gmail.com Tue Dec 25 23:46:54 2018 From: wolfbro92 at gmail.com (Kunal Kumar) Date: Wed, 26 Dec 2018 12:46:54 +0800 Subject: [keycloak-user] Keycloak authentication page has no background when loaded using mobile devices Message-ID: The Keycloak themed background image is missing when I try to enter the authentication page using any kind of mobile devices. Why is this? 
Regards, Kunal From bruno at maehdros.com Wed Dec 26 08:14:38 2018 From: bruno at maehdros.com (Bruno Mairlot) Date: Wed, 26 Dec 2018 14:14:38 +0100 Subject: [keycloak-user] Where do I find the secret to verify a token Message-ID: <7692c90c-bd21-72fe-9708-42d1242bb78d@maehdros.com> Dear List Members, I am working on implementing a Single Sign On with keycloak and I have implemented the Standard Flow, I can exchange the Authorization Grant to receive the tokens, but I cannot find a way to verify them. Each time I try to check the token, classical tools like jwt.io or https://www.jsonwebtoken.io/ say the signature is incorrect. I would like to know, which secret does Keycloak use to sign (with HS256) the tokens? And where can I find it? I tried the client secret, but it seems wrong to me. Many thanks for your help, Cheers, Bruno Mairlot From craig at baseventure.com Wed Dec 26 13:51:59 2018 From: craig at baseventure.com (Craig Setera) Date: Wed, 26 Dec 2018 12:51:59 -0600 Subject: [keycloak-user] Script authenticators via UI? In-Reply-To: References: <1545679994.22937.1.camel@acutus.pro> Message-ID: OK.... Now I feel really foolish. The option has been there all along... The browser was not showing it, nor was there an obvious scrollbar. However, the drop-down is scrollable and the option was hiding off the bottom of the viewport. Script has been there all along and I feel stupid now. Sorry about the false alarms. ================================= *Craig Setera* *Chief Technology Officer* On Wed, Dec 26, 2018 at 4:14 AM Geoffrey Cleaves wrote: > Choose the option to Add Execution and you should see this: > > [image: Screenshot 2018-12-26 at 11.13.40.png] > > On Wed, 26 Dec 2018 at 03:38, Craig Setera wrote: > >> This is probably a dumb question, but where would I expect to see this? >> I've tried copying various authentication flows and trying to add >> executions to them, but no luck. Maybe I'm misunderstanding where I should >> see the option? 
>> >> ================================= >> *Craig Setera* >> >> *Chief Technology Officer* >> >> >> >> >> On Tue, Dec 25, 2018 at 8:43 AM Geoffrey Cleaves >> wrote: >> >>> It works for me with 4.8.1. This is what my docker run command looks >>> like: >>> >>> docker run -d -p ${KC_IP}:8080:8080 --name keycloak -e "JAVA_TOOL_OPTIONS=-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.scripts=enabled" -e DB_VENDOR=postgres -e DB_ADDR=${PG_IP} -e DB_PORT=5432 -e DB_DATABASE=keycloak -e DB_USER=${DB_KC_USER} -e DB_PASSWORD=${DB_KC_PASS} -e KEYCLOAK_LOGLEVEL=DEBUG -e ROOT_LOGLEVEL=DEBUG -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:${LATEST_KC} >>> >>> >>> On Mon, 24 Dec 2018 at 21:55, Craig Setera >>> wrote: >>> >>>> I'm either doing something wrong or I'm just missing it. I'm running >>>> 4.8.1 >>>> (via Docker). I've set the system property and I'm seeing this in the >>>> log: >>>> >>>> keycloak_1 | 18:27:56,908 INFO >>>> [org.keycloak.common.Profile] >>>> (ServerService Thread Pool -- 61) Preview feature enabled: scripts >>>> >>>> However, I can't seem to find Script in any of the drop-downs for the >>>> Authentication configuration. Any other ideas where I should be >>>> looking? >>>> >>>> Craig >>>> >>>> ================================= >>>> *Craig Setera* >>>> >>>> *Chief Technology Officer* >>>> >>>> >>>> On Mon, Dec 24, 2018 at 1:33 PM Dmitry Telegin
wrote: >>>> >>>> > Hello Craig, >>>> > >>>> > Just tried this with Keycloak 4.8.1: >>>> > >>>> > bin/standalone.sh -Dkeycloak.profile.feature.scripts=enabled >>>> > >>>> > and I was able to see Script in the executions dropdown list again >>>> > (between OTP and OTP Form). >>>> > >>>> > Cheers, >>>> > Dmitry >>>> > >>>> > On Mon, 2018-12-24 at 12:38 -0600, Craig Setera wrote: >>>> > > I'm trying to (finally) wrap back around to handling our partner >>>> code. >>>> > > Based on conversation with Dmitry, I'm trying to add a new >>>> authenticator >>>> > to >>>> > > our current flow, but I'm not seeing the script executor option in >>>> the >>>> > UI. >>>> > > I have enabled the profile (and see that it is enabled in the >>>> logs). Is >>>> > > that something that I should expect to see via the UI or is this >>>> > something >>>> > > I'm only going to be able to manage via API? (I expect to >>>> eventually >>>> > > configure this via API, but was trying to test things out first). >>>> > > >>>> > > Thanks! >>>> > > Craig >>>> > > >>>> > > ================================= >>>> > > *Craig Setera* >>>> > > >>>> > > *Chief Technology Officer* >>>> > > _______________________________________________ >>>> > > keycloak-user mailing list >>>> > > keycloak-user at lists.jboss.org >>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> -- >>> >>> Regards, >>> Geoffrey Cleaves >>> >>> >>> >>> >>> >>> > > -- > > Regards, > Geoffrey Cleaves > > > > > > From craig at baseventure.com Wed Dec 26 19:53:51 2018 From: craig at baseventure.com (Craig Setera) Date: Wed, 26 Dec 2018 18:53:51 -0600 Subject: [keycloak-user] Any examples of creating script authenticator using kcadm? 
Message-ID: I'm trying to create a script-based authenticator (from bash) using kcadm and set it to REQUIRED. While I can create the execution, I can't seem to set up the script code or get it to change from DISABLED to REQUIRED. This is despite trying to replicate what I'm seeing in the browser developer tools via kcadm commands. Any examples would be most appreciated. Thanks, Craig ================================= *Craig Setera* *Chief Technology Officer* From wolfbro92 at gmail.com Thu Dec 27 04:51:51 2018 From: wolfbro92 at gmail.com (Kunal Kumar) Date: Thu, 27 Dec 2018 17:51:51 +0800 Subject: [keycloak-user] SSL connection to Keycloak Server Message-ID: Hi guys, I have 5 web apps that use Keycloak for authentication. But none of them are using SSL yet. How is the practice done? Do I need to set SSL on the Keycloak server for the Keycloak authentication page to have the secured lock symbol? Or is setting SSL on my web apps enough? I am not very clear about Keycloak and its SSL implementation, I hope someone can help explain it to me. Regards, Kunal From dt at acutus.pro Thu Dec 27 06:07:43 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 27 Dec 2018 14:07:43 +0300 Subject: [keycloak-user] Cross Realm authorization In-Reply-To: <7e3e119126e5493a93cb57cd51902e3d@DE36S004EXC0R.wp.corpintra.net> References: <1545019731.12250.12.camel@acutus.pro> <26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net> <18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net> <1545095418.13723.1.camel@acutus.pro> <60c6b91504684c73920c4432b85a1af7@DE36S004EXC0R.wp.corpintra.net> <7e3e119126e5493a93cb57cd51902e3d@DE36S004EXC0R.wp.corpintra.net> Message-ID: <1545908863.4245.1.camel@acutus.pro> Hello David, Thanks a lot for your extensive research! Indeed, in recent Keycloak the internal authentication logic has changed. Particularly, session.context.realm has to be set to user's realm in order for authentication to succeed. 
As a consequence, custom REST resources can no longer rely on session.getContext().getRealm() for realm resolution. I've updated BeerCloak in GitHub, so please test it and let me know of the results. As the next major update (hopefully January) I'm planning to make the code more aligned to what we have in Keycloak (particularly org.keycloak.services.resources.admin.AdminRoot) and maybe implement fine-grained permissions. Merry Christmas and a Happy New Year to you and all the Keycloakers :) Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-12-19 at 10:57 +0000, david_christian.herrmann at daimler.com wrote: > Hi Dmitry, > > I set up remote debugging for Keycloak and had a look at what happens in Keycloak 4.8.0 Final. > > authenticateBearerToken(session, realm) (or to be more precise verifyIdentityToken( ....)) returns null in my testing because: > > - at https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java :1153 there is an exception in verifier(kid) > > - this happens because in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/keys/DefaultKeyManager.java :106 the first part of the if-statement in method getKey(RealmModel realm, String kid, KeyUse use, String algorithm) does not become true > > - I think this happens because here getKey(...) is called with session.getContext().getRealm() --> The realm from the session --> The realm where the requested resource is. But kid is taken from the token which is created for the realm where the technical user is. > - Call to getKey() is in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/crypto/ServerAsymmetricSignatureVerifierContext.java :29 > 
- kid is taken in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java :1145-1150 > > I hope this information is useful for you. > > Mit freundlichen Grüßen / With kind regards > David Herrmann > RD/UIA > Team Rising Stars > Daimler AG > HPC G464 > 70546 Stuttgart > Mobile: +49 176 309 369 87 > > What3Words Address: > entfalten.jüngste.nehmen > choppy.impact.moisture > E-Mail: david_christian.herrmann at daimler.com > > > Daimler AG > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360 > Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff > Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), > Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of david_christian.herrmann at daimler.com > Sent: Wednesday, 19 December 2018 08:24 > > To: dt at acutus.pro; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Cross Realm authorization > > Hi Dmitry, > > in the meantime I tested with Keycloak 3.4.3 Final. Here I do not have the problem with the unauthorized. > > Mit freundlichen Grüßen / With kind regards > > David Herrmann > RD/UIA > Team Rising Stars > > > Daimler AG > HPC G464 > 70546 Stuttgart > Mobile: +49 176 309 369 87 > > What3Words Address: > entfalten.jüngste.nehmen > choppy.impact.moisture > E-Mail: david_christian.herrmann at daimler.com > > > Daimler AG > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 
19360 Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber > > -----Original Message----- > From: Herrmann, David Christian (059) > Sent: Tuesday, 18 December 2018 09:24 > > To: 'Dmitry Telegin'
; keycloak-user at lists.jboss.org > Subject: Re: Re: [keycloak-user] Cross Realm authorization > > Hi Dmitry, > > I used Keycloak 4.5.0.Final to test the implementation. > > Mit freundlichen Grüßen / With kind regards > > David Herrmann > RD/UIA > Team Rising Stars > > > Daimler AG > HPC G464 > 70546 Stuttgart > Mobile: +49 176 309 369 87 > > What3Words Address: > entfalten.jüngste.nehmen > choppy.impact.moisture > E-Mail: david_christian.herrmann at daimler.com > > > Daimler AG > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber > > > -----Original Message----- > > From: Dmitry Telegin [mailto:dt at acutus.pro] > Sent: Tuesday, 18 December 2018 02:10 > To: Herrmann, David Christian (059) ; keycloak-user at lists.jboss.org > Subject: Re: Re: [keycloak-user] Cross Realm authorization > > David, > > Which version of Keycloak are you using? > > The authorization subsystem undergoes changes from release to release, so I'm going to double check that BeerCloak works with the recent Keycloak versions and update it if necessary. > > Cheers, > Dmitry > > On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann at daimler.com wrote: > > Hi Dmitry, > > > > I implemented it based on beercloak. > > > > Here in AbstractAdminRessource.java: > > AuthenticationManager.AuthResult authResult = > > authManager.authenticateBearerToken(session, realm); > > > > if (authResult == null) { > > throw new NotAuthorizedException("Bearer"); } > > > > Still results in Unauthorized. > > > > I tried it with a user in the master realm that has "view-users" for the user realm and an admin user from the master realm. 
Both resulted in a 401 at the mentioned code point. > > > > The realm is set to master realm and the session seems to be injected ... Any ideas? > > > > Mit freundlichen Grüßen / With kind regards > > > > David Herrmann > > RD/UIA > > Team Rising Stars > > > > > > Daimler AG > > HPC G464 > > 70546 Stuttgart > > Mobile: +49 176 309 369 87 > > > > What3Words Address: > > entfalten.jüngste.nehmen > > choppy.impact.moisture > > E-Mail: david_christian.herrmann at daimler.com > > > > > > Daimler AG > > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; > > HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats > > / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board > > of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang > > Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta > > Seeger, Hubertus Troska, Bodo Uebber > > > > > > -----Original Message----- > > > From: keycloak-user-bounces at lists.jboss.org > > > > [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of > > > david_christian.herrmann at daimler.com > > Sent: Monday, 17 December 2018 08:29 > > > > To: dt at acutus.pro; keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Cross Realm authorization > > > > Hi Dmitry, > > > > thanks for your answer and the link to your project! I will try this out. > > > > Mit freundlichen Grüßen / With kind regards > > > > David Herrmann > > RD/UIA > > Team Rising Stars > > > > > > Daimler AG > > HPC G464 > > 70546 Stuttgart > > Mobile: +49 176 309 369 87 > > > > What3Words Address: > > entfalten.jüngste.nehmen > > choppy.impact.moisture > > E-Mail: david_christian.herrmann at daimler.com > > > > > > Daimler AG > > Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; > > HRB-Nr. / Commercial Register No. 
19360 Vorsitzender des Aufsichtsrats > > / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board > > of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang > > Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta > > Seeger, Hubertus Troska, Bodo Uebber > > > > > > -----Original Message----- > > > > From: Dmitry Telegin [mailto:dt at acutus.pro] > > Sent: Monday, 17 December 2018 05:09 > > To: Herrmann, David Christian (059) > > > ; keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Cross Realm authorization > > > > Hello David, > > > > Please take a look at how it is done in BeerCloak: > > https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources > > > > All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms. > > > > (Some musings: I dream of having AdminRealmResourceProvider with all > > that stuff OOTB; the idea has been around for years, but I'm afraid we > > won't have it in Keycloak anytime soon. Luckily, this can be done at a > > low price of introducing some boilerplate code into your project.) > > > > Good luck, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote: > > > Hello, > > > > > > we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using: > > > > > > AuthenticationManager.AuthResult authResult = > > > authManager.authenticateBearerToken(session); > > > > > > if (authResult == null) { > > > 
throw new NotAuthorizedException("Bearer token required"); } > > > > > > And > > > > > > > > > if(!auth.hasClientRole(client,"view-users")){ > > > throw new NotAuthorizedException("Necessary permission not > > > available"); } > > > > > > We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end-users. > > > > > > So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm. > > > > > > Here > > > > > > AuthenticationManager.AuthResult authResult = > > > authManager.authenticateBearerToken(session); > > > > > > if (authResult == null) { > > > throw new NotAuthorizedException("Bearer token required"); } > > > > > > Always results in unauthorized. > > > > > > Looking at the code and testing, I think cross realm authentication is not possible with authenticateBearerToken(). Correct? Do you have a suggestion on how to achieve our goal? > > > > > > Mit freundlichen Grüßen / With kind regards > > > > > > > > > > > > David Herrmann > > > > > > RD/UIA > > > Team Rising Stars > > > [Computer-generated alternative text: RDIU] > > > > > > Daimler AG > > > HPC G464 > > > 70546 Stuttgart > > > Mobile: +49 176 309 369 87 > > > > > > What3Words Address: > > > ellbogen.sprüche.anfänge > > > > > > > E-Mail: david_christian.herrmann at daimler.com > > > > > > > > > Daimler AG > > > Sitz und Registergericht / Domicile and Court of Registry: > > > Stuttgart; HRB-Nr. / Commercial Register No. 
19360 Vorsitzender des > > > Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff > > > Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / > > > Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, > > > Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber > > > > > > > > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. > > > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. 
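The root cause David traced above (the kid is looked up in session.getContext().getRealm(), which is the realm hosting the resource, while the token was signed by the master realm) is what AdminRoot avoids by resolving the realm from the token's issuer and setting it on the context before verification. The following is an added example of that pattern for a custom RealmResourceProvider; it is not BeerCloak's or Keycloak's own code. It is written against the Keycloak 4.x API as I know it: AppAuthManager.extractAuthorizationHeaderToken, JWSInput, AdminAuth, Config.getAdminRealm(), Constants.REALM_MANAGEMENT_CLIENT_ID and the "<realm>-realm" naming of the per-realm admin client in master are assumptions to check against the version in use.

```java
// Added example (not BeerCloak's or Keycloak's code): authenticate a bearer token against
// the realm that issued it, so master-realm users can call a custom endpoint in another realm.
// Class names and signatures assumed from Keycloak 4.x (see org.keycloak.services.resources.admin.AdminRoot).
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.HttpHeaders;

import org.keycloak.Config;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.admin.AdminAuth;

public class CrossRealmAuth {

    private final KeycloakSession session;
    private final RealmModel targetRealm;   // realm in which the custom REST resource lives

    public CrossRealmAuth(KeycloakSession session, RealmModel targetRealm) {
        this.session = session;
        this.targetRealm = targetRealm;
    }

    public AdminAuth authenticate(HttpHeaders headers) {
        String tokenString = AppAuthManager.extractAuthorizationHeaderToken(headers);
        if (tokenString == null) throw new NotAuthorizedException("Bearer");

        // Decode (do NOT trust) the claims only to learn which realm issued the token.
        AccessToken unverified;
        try {
            unverified = new JWSInput(tokenString).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer token format error");
        }
        String issuer = unverified.getIssuer();
        if (issuer == null) throw new NotAuthorizedException("Bearer token has no issuer");
        String issuerRealmName = issuer.substring(issuer.lastIndexOf('/') + 1);

        // Allow-list the issuing realm: only the target realm itself or the admin (master) realm.
        // Without this an attacker could point the lookup at any realm whose keys they control.
        if (!issuerRealmName.equals(targetRealm.getName()) && !issuerRealmName.equals(Config.getAdminRealm())) {
            throw new NotAuthorizedException("Unknown realm in token");
        }
        RealmModel issuerRealm = session.realms().getRealmByName(issuerRealmName);
        if (issuerRealm == null) throw new NotAuthorizedException("Unknown realm in token");

        // Signature verification resolves the kid via session.getContext().getRealm(), so the
        // context realm must be the issuing realm while the token is verified; restore it after.
        RealmModel previous = session.getContext().getRealm();
        AuthenticationManager.AuthResult result;
        try {
            session.getContext().setRealm(issuerRealm);
            result = new AppAuthManager().authenticateBearerToken(session, issuerRealm);
        } finally {
            session.getContext().setRealm(previous);
        }
        if (result == null) throw new NotAuthorizedException("Bearer");

        ClientModel client = issuerRealm.getClientByClientId(unverified.getIssuedFor());
        if (client == null) throw new NotAuthorizedException("Unknown client in token");
        return new AdminAuth(issuerRealm, result.getToken(), result.getUser(), client);
    }

    // A master-realm user carries permissions for realm X as roles of the "X-realm" client in master;
    // a user of realm X carries them as roles of that realm's "realm-management" client.
    public void requireRole(AdminAuth auth, String role) {
        ClientModel permissionsClient;
        if (auth.getRealm().getName().equals(Config.getAdminRealm())) {
            permissionsClient = auth.getRealm().getClientByClientId(targetRealm.getName() + "-realm");
        } else {
            permissionsClient = auth.getRealm().getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        }
        if (permissionsClient == null || !auth.hasAppRole(permissionsClient, role)) {
            throw new ForbiddenException("Missing role " + role);
        }
    }
}
```

In the resource method, call `authenticate(headers)` first and then `requireRole(auth, "view-users")`; the role check goes against the client that actually holds the master user's permissions for the target realm, which is why the plain `hasClientRole(client, "view-users")` check on the target realm's own client always failed for master-realm users.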
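Bruno's question earlier in this digest (which secret verifies a Keycloak token, and why the client secret does not work) is best answered with code rather than an online debugger. This added example, not from Keycloak or from any poster, verifies a token with the JDK alone: RS256 access tokens against the realm public key shown in the Admin console under the realm's Keys tab (which is the Base64 X.509 SubjectPublicKeyInfo encoding of the key), and HS256 tokens, which is how Keycloak signs refresh tokens, against the realm's hmac-generated secret. That the component_config 'secret' value is base64url-encoded, and the regex-based claim extraction (a real JSON parser belongs in production code), are assumptions of the example. The client secret is the signing key for neither.

```java
// Added example, not Keycloak code: offline verification of Keycloak-issued JWTs with the JDK only.
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KeycloakJwtVerifier {

    private static final Base64.Decoder B64URL = Base64.getUrlDecoder();   // accepts unpadded input

    /** Thrown for any token that must not be accepted; the message says why. */
    public static class InvalidTokenException extends Exception {
        public InvalidTokenException(String msg) { super(msg); }
    }

    /** RS256 access token; realmPublicKeyBase64 is the "Public key" value from the realm Keys tab. */
    public static String verifyRs256(String token, String realmPublicKeyBase64, String expectedIssuer)
            throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(realmPublicKeyBase64)));
        return verify(token, "RS256", expectedIssuer, key, null);
    }

    /** HS256 token; hmacSecret is the raw key (assumed: base64url-decoded component_config 'secret'). */
    public static String verifyHs256(String token, byte[] hmacSecret, String expectedIssuer) throws Exception {
        return verify(token, "HS256", expectedIssuer, null, hmacSecret);
    }

    private static String verify(String token, String expectedAlg, String expectedIssuer,
                                 PublicKey rsaKey, byte[] hmacSecret) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new InvalidTokenException("not a JWS compact serialization");

        // Pin the algorithm to what the caller expects. Honouring the header's alg lets an attacker
        // downgrade to "none" or have an HMAC checked with the RSA public key as the secret.
        String header = new String(B64URL.decode(parts[0]), StandardCharsets.UTF_8);
        if (!expectedAlg.equals(claim(header, "alg"))) throw new InvalidTokenException("unexpected alg");

        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] signature = B64URL.decode(parts[2]);
        boolean ok;
        if (rsaKey != null) {
            Signature s = Signature.getInstance("SHA256withRSA");   // RS256 = RSASSA-PKCS1-v1_5 with SHA-256
            s.initVerify(rsaKey);
            s.update(signingInput);
            ok = s.verify(signature);
        } else {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacSecret, "HmacSHA256"));
            ok = MessageDigest.isEqual(mac.doFinal(signingInput), signature);   // constant-time compare
        }
        if (!ok) throw new InvalidTokenException("signature does not verify");

        // Only after the signature holds are the claims worth reading.
        String payload = new String(B64URL.decode(parts[1]), StandardCharsets.UTF_8);
        if (!expectedIssuer.equals(claim(payload, "iss"))) throw new InvalidTokenException("wrong issuer");
        String exp = claim(payload, "exp");
        if (exp == null || Long.parseLong(exp) <= System.currentTimeMillis() / 1000) {
            throw new InvalidTokenException("token expired");
        }
        return payload;
    }

    // Minimal string/integer claim extraction. Keycloak headers mix "alg":"RS256" and "typ" : "JWT"
    // spacing, so whitespace around the colon is allowed. Use a JSON parser in real code.
    private static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))")
                .matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeycloakJwtVerifier <access_token> <realm public key, Base64> <issuer URL>
        // The issuer is the realm URL, e.g. https://sso.example.com/auth/realms/demo (hypothetical).
        System.out.println(verifyRs256(args[0], args[1], args[2]));
    }
}
```

Two points worth taking away: pin the expected algorithm on the verifier side instead of reading it from the token, and treat the HMAC secret as server-internal. Keycloak keeps it out of the admin UI for a reason; anything holding it can mint refresh tokens, so a relying party should verify RS256 access tokens with the public key and leave refresh tokens to the server.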
From totheocean0402 at gmail.com Thu Dec 27 06:40:42 2018 From: totheocean0402 at gmail.com (Andreas Lau) Date: Thu, 27 Dec 2018 12:40:42 +0100 Subject: [keycloak-user] Realm.toRepresentation results in com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException In-Reply-To: References: Message-ID: Sorry for bouncing this up again. But I'm a bit stuck on the problem. Can anyone help me out? Is this the right list for this? Thanks On Wed, 19 Dec 2018, 18:04 Frank Franz wrote: > Hello, > I'm using the java admin client to create a realm and some other settings. > In this process I'd like to update the realm (set authentication bindings for > registration flow and credential flow); therefore, to my current knowledge, I > have to transfer the realm to the realm representation. > > Doing this calling realm.toRepresentation() results in the following > error: > javax.ws.rs.client.ResponseProcessingException: javax.ws.rs. > ProcessingException: com.fasterxml.jackson.databind.exc. > UnrecognizedPropertyException: Unrecognized field " > offlineSessionMaxLifespanEnabled" (class org.keycloak.representations.idm. 
> RealmRepresentation), not marked as ignorable (101 known properties: " > directGrantFlow", "otpPolicyDigits", "identityProviderMappers", " > revokeRefreshToken", "identityProviders", "userFederationMappers", " > rememberMe", "duplicateEmailsAllowed", "dockerAuthenticationFlow", " > otpSupportedApplications", "adminEventsDetailsEnabled", "registrationFlow", > "editUsernameAllowed", "clients", "users", "emailTheme", "realm", " > actionTokenGeneratedByAdminLifespan", "authenticatorConfig", > "components", "certificate", "updateProfileOnInitialSocialLogin", " > otpPolicyType", "accessCodeLifespanUserAction", "protocolMappers", "id", " > accountTheme", "maxDeltaTimeSeconds", "enabledEventTypes", "verifyEmail", > "applications", "waitIncrementSeconds", "eventsListeners", " > eventsExpiration", "defaultDefaultClientScopes", " > defaultOptionalClientScopes", "passwordPolicy", "clientTemplates", " > registrationAllowed", "userManagedAccessAllowed", "notBefore", " > otpPolicyAlgorithm", "actionTokenGeneratedByUserLifespan", " > permanentLockout", "socialProviders", "otpPolicyInitialCounter" > [truncated]]) > > Can you please give me a hint on how to resolve this? > Thanks in advance. > Andreas From mandy.fung at tasktop.com Thu Dec 27 12:08:08 2018 From: mandy.fung at tasktop.com (Mandy Fung) Date: Thu, 27 Dec 2018 09:08:08 -0800 Subject: [keycloak-user] 403 Forbidden error when trying to access realm admin console in 4.7.0 In-Reply-To: References: Message-ID: Thanks, I have created a new bug report in Jira: https://issues.jboss.org/browse/KEYCLOAK-9177 On Tue, Dec 25, 2018 at 6:39 AM Geoffrey Cleaves wrote: > I think you should open a bug report. I agree with you that it does not > make sense to expose those other config settings (even if limited to > read-only.) Post the ticket here and I'll vote for it. > > On Mon, 24 Dec 2018 at 17:14, Mandy Fung wrote: > >> Thanks for the reply! This indeed allowed the user to access the realm >> console. 
However, this also exposed other configurations that we do not >> wish the admin users to see such as configuring the Realm Settings, Roles, >> User Federation, and Authentication. >> >> Is there another configuration that would allow the user to access the >> admin console and only expose the manage groups and users tab? >> >> Thanks again, >> Mandy >> >> On Sat, Dec 22, 2018 at 2:00 PM Geoffrey Cleaves >> wrote: >> >>> When I was messing with granular permissions recently I had to give the >>> view-realm role in order to log into the Admin Console. >>> >>> On Fri, Dec 21, 2018, 19:29 Mandy Fung >> >>>> Hello, >>>> >>>> We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer >>>> access >>>> the dedicated realm admin console (/auth/admin/{realm}/console) with the >>>> same realm-management roles that they had in 4.5.0. >>>> >>>> We only want our admin users to manage users and groups and in 4.5.0 we >>>> were able to assign the following roles to our admin users such that >>>> only >>>> the "Manage > Groups" and "Manage > Users" tab show up in the realm >>>> admin >>>> console: 'manage-users', 'query-groups', 'query-users', and >>>> 'view-users'. >>>> >>>> However, with the new upgrade to 4.7.0 these admin users with the same >>>> realm-management roles assigned can no longer access the realm admin >>>> console and they see a 403 Forbidden error page. >>>> >>>> Has anyone run into this issue recently or if there are some new realm >>>> management roles added in 4.7.0 that we need to re-configure? 
>>>> >>>> Best regards, >>>> Mandy >>>> >>>> -- >>>> >>>> >>>> *Mandy Fung **|* Software Engineer 1 *| *Tasktop >>>> >>>> *email: *mandy.fung at tasktop.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> >> -- >> >> >> *Mandy Fung **|* Software Engineer 1 *| *Tasktop >> >> *email: *mandy.fung at tasktop.com >> > > > -- > > Regards, > Geoffrey Cleaves > > > > > > -- *Mandy Fung **|* Software Engineer 1 *| *Tasktop *email: *mandy.fung at tasktop.com From dt at acutus.pro Thu Dec 27 14:01:54 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 27 Dec 2018 22:01:54 +0300 Subject: [keycloak-user] Where do I find the secret to verify a token In-Reply-To: <7692c90c-bd21-72fe-9708-42d1242bb78d@maehdros.com> References: <7692c90c-bd21-72fe-9708-42d1242bb78d@maehdros.com> Message-ID: <1545937314.4245.5.camel@acutus.pro> Hello Bruno, For RSA (asymmetric), you can retrieve public key from the Admin console (realm > Keys > RSA > Public key). It's only the pubkey that is needed for RSA signature verification. For symmetric algorithms, namely AES and HMAC, you should use the direct SQL query: SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE provider_id = 'hmac-generated' AND CC.name = 'secret'; (similarly for 'aes-generated') However, seems like none of the online JWT debuggers, neither https://jsonwebtoken.io nor https://jwt.io, understand Keycloak's symmetric keys. The former simply fails every time, and the latter, instead of verifying the signature, simply regenerates it with the key supplied. I was only able to verify RSA signature using https://jwt.io and RSA pubkey retrieved from Keycloak. The only pitfall is that you need to enclose the pubkey in -----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY-----. 
As the online services do not seem very reliable, I'd suggest that you try using one of the many libraries to verify the token yourself. Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-12-26 at 14:14 +0100, Bruno Mairlot wrote: > Dear List Members, > > I am working on implementing a Single Sign On with keycloak and I have > implemented the Standard Flow, I can exchange the Authorization Grant to > receive the tokens, but I cannot find a way to verify them. > > Each time I try to check the token, classical tools like jwt.io or > https://www.jsonwebtoken.io/ say the signature is incorrect. > > I would like to know, which secret does Keycloak use to sign (with > HS256) the tokens? And where can I find it? > > I tried the client secret, but it seems wrong to me. > > Many thanks for your help, > > Cheers, > > Bruno Mairlot > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jernej.porenta at 3fs.si Thu Dec 27 15:04:46 2018 From: jernej.porenta at 3fs.si (Jernej Porenta) Date: Thu, 27 Dec 2018 21:04:46 +0100 Subject: [keycloak-user] first broker login for existing users only Message-ID: <5C5FF2CE-633C-4E7F-98B9-FE885FCB5B8D@3fs.si> Hey, Is there a way to achieve IdP account linking through the "First broker login" flow for existing users only? I am trying to disable user registration through identity provider without success. The idea is: - pre-create users in keycloak - allow user login only for pre-created users - allow users to link the account to identity provider through login page (not account portal) If default First Login flow in IdP config is set to "First broker login", users are still created. If I modify the "First broker login", I can only get the "invalid_user_credentials". 
Thank you in advance. br, Jernej From swarren at sumglobal.com Thu Dec 27 18:51:28 2018 From: swarren at sumglobal.com (Warren, Scott) Date: Thu, 27 Dec 2018 18:51:28 -0500 Subject: [keycloak-user] Fwd: Multi-tiered Permissions In-Reply-To: References: Message-ID: Hi, I need some input on the best way to solve authorization for a retail chain scenario. Here's the scenario: A retailer has 10,000 stores and 30,000 users While each user has a primary store, they can work in other stores in their region At his/her primary store UserA (clerk) has the following scopes: POS, DailyCloseout For secondary stores, UserA has only the POS scope While there are many more scopes, and user roles, the problem to solve is this multi-tiered permissions structure. UserA's permissions depend on the store context. I've set up stores as resources (of type "store"), each resource has a storeNbr attribute I've set up scopes of POS, DailyCloseout, SalesReports, etc. I'm struggling with a clean way to tie a user to his/her "storeX" : [ "scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute, and after mapping it, got it working with a javascript policy but that's a maintenance nightmare at best. I can set up roles with names like .. It's better than the user attribute route, but still feels like a hack. I'm guessing I could write a Drools policy that could, using the identity from the context, read from a database that contains this structure. BUT this provider is in tech preview / not supported, so I'm not excited about this route. Lastly, I guess I could write a custom policy provider. These last two require me to maintain a separate database (and app to maintain it), so I'm not thrilled with either of them. 
So, what have I missed? Is there an elegant way to solve this? Thanks for your help! Scott -- Scott G. Warren SUM Global Technology swarren at sumglobal.com 678.469.3455 From tlann at technoeclectic.com Thu Dec 27 20:17:37 2018 From: tlann at technoeclectic.com (Thomas) Date: Thu, 27 Dec 2018 17:17:37 -0800 Subject: [keycloak-user] Imported users disappear from a realm Message-ID: I've set up Keycloak to import users from an OpenLDAP server. As a test run, I went with the docker container that uses Postgres to see if I could get it running. It connects and authenticates correctly. Once I hit synchronize all users, it reports back Success x imported users, 0 changed users. After going into Manage=>Users and clicking on View all Users, it doesn't show any users. Upon import, I can see the users in the keycloak database in the user_entity table. Once I go to the Manage user page and click view users, the users disappear from the database. I turned the log level up to debug and I keep getting the below db messages which include deletions. I'm not sure if this is suspect. Is there some other area I should be looking at? 
00:40:16,155 DEBUG [org.hibernate.loader.Loader] (default task-5) Result set contains (possibly empty) collection: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#f39de748-ffae-4cef-acb4-16430b0242f8] 00:40:16,155 DEBUG [org.hibernate.engine.loading.internal.CollectionLoadContext] (default task-5) 1 collections were found in result set for role: org.keycloak.models.jpa.entities.UserEntity.requiredActions 00:40:16,155 DEBUG [org.hibernate.engine.loading.internal.CollectionLoadContext] (default task-5) Collection fully initialized: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#f39de748-ffae-4cef-acb4-16430b0242f8] 00:40:16,155 DEBUG [org.hibernate.engine.loading.internal.CollectionLoadContext] (default task-5) 1 collections initialized for role: org.keycloak.models.jpa.entities.UserEntity.requiredActions 00:40:16,155 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterStatement 00:40:16,155 DEBUG [org.hibernate.loader.Loader] (default task-5) Done loading collection 00:40:16,155 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Processing flush-time cascades 00:40:16,155 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Dirty checking collections 00:40:16,155 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection dereferenced: [org.keycloak.models.jpa.entities.UserEntity.attributes#f39de748-ffae-4cef-acb4-16430b0242f8] 00:40:16,155 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection dereferenced: [org.keycloak.models.jpa.entities.UserEntity.credentials#f39de748-ffae-4cef-acb4-16430b0242f8] 00:40:16,155 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection dereferenced: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#f39de748-ffae-4cef-acb4-16430b0242f8] 00:40:16,155 DEBUG 
[org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Flushed: 0 insertions, 0 updates, 6 deletions to 6 objects 00:40:16,155 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Flushed: 0 (re)creations, 0 updates, 3 removals to 3 collections 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) Listing entities: 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserAttributeEntity{name=createTimestamp, id=66998c7b-4415-441f-bc12-27c6c6316367, user=org.keycloak.models.jpa.entities.UserEntity#f39de748-ffae-4cef-acb4-16430b0242f8, value=20181219164526Z} 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserAttributeEntity{name=LDAP_ID, id=e2f78054-39b6-46f4-ba54-0681e12470b8, user=org.keycloak.models.jpa.entities.UserEntity#f39de748-ffae-4cef-acb4-16430b0242f8, value=Jim.doe at smon.gumu} 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserAttributeEntity{name=LDAP_ENTRY_DN, id=de2ff539-7065-4617-a0b6-25cc7fddc253, user=org.keycloak.models.jpa.entities.UserEntity#f39de748-ffae-4cef-acb4-16430b0242f8, value=mail=Jim.doe at smon.gumu,ou=SMON Users,dc=smon,dc=gumu} 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=Jim doe, realmId=smon, credentials=[], createdTimestamp=1545956741828, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=Jim.doe at smon.gumu, emailVerified=false, firstName=Jim doe, requiredActions=[], federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=[org.keycloak.models.jpa.entities.UserAttributeEntity#66998c7b-4415-441f-bc12-27c6c6316367, org.keycloak.models.jpa.entities.UserAttributeEntity#b9291898-4f07-4d50-b46d-abf18ab5c906, 
org.keycloak.models.jpa.entities.UserAttributeEntity#db6e9e7b-58sam-403d-b434-187f0b996ff2, org.keycloak.models.jpa.entities.UserAttributeEntity#e2f78054-39b6-46f4-ba54-0681e12470b8, org.keycloak.models.jpa.entities.UserAttributeEntity#de2ff539-7065-4617-a0b6-25cc7fddc253], id=f39de748-ffae-4cef-acb4-16430b0242f8, email=Jim.doe at smon.gumu, username=Jim doe} 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserAttributeEntity{name=destination, id=b9291898-4f07-4d50-b46d-abf18ab5c906, user=org.keycloak.models.jpa.entities.UserEntity#f39de748-ffae-4cef-acb4-16430b0242f8, value=Jim.doe} 00:40:16,155 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserAttributeEntity{name=modifyTimestamp, id=db6e9e7b-58sam-403d-b434-187f0b996ff2, user=org.keycloak.models.jpa.entities.UserEntity#f39de748-ffae-4cef-acb4-16430b0242f8, value=20181219164526Z} 00:40:16,155 DEBUG [org.hibernate.SQL] (default task-5) delete from USER_ATTRIBUTE where ID=? 00:40:16,155 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) Skipping aggressive release due to manual disabling 00:40:16,155 DEBUG [org.hibernate.SQL] (default task-5) delete from USER_ATTRIBUTE where ID=? 00:40:16,156 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) Skipping aggressive release due to manual disabling 00:40:16,156 DEBUG [org.hibernate.SQL] (default task-5) delete from USER_ATTRIBUTE where ID=? 00:40:16,156 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) Skipping aggressive release due to manual disabling 00:40:16,156 DEBUG [org.hibernate.SQL] (default task-5) delete from USER_ATTRIBUTE where ID=? 
00:40:16,156 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) Skipping aggressive release due to manual disabling 00:40:16,156 DEBUG [org.hibernate.SQL] (default task-5) delete from USER_ATTRIBUTE where ID=? 00:40:16,156 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) Skipping aggressive release due to manual disabling 00:40:16,156 DEBUG [org.hibernate.SQL] (default task-5) delete from USER_ENTITY where ID=? 00:40:16,157 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) Skipping aggressive release due to manual disabling 00:40:16,157 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterStatement 00:40:16,158 WARN [org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction] (default task-5) Not present cache item for key LoginFailureKey [ realmId=smon. userId=f39de748-ffae-4cef-acb4-16430b0242f8 ] 00:40:16,158 DEBUG [org.hibernate.SQL] (default task-5) delete from OFFLINE_CLIENT_SESSION where USER_SESSION_ID in ( select persistent1_.USER_SESSION_ID from OFFLINE_USER_SESSION persistent1_ where persistent1_.USER_ID=? ) 00:40:16,173 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterStatement 00:40:16,173 DEBUG [org.hibernate.SQL] (default task-5) delete from OFFLINE_USER_SESSION where USER_ID=? 
00:40:16,173 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterStatement 00:40:16,174 DEBUG [org.hibernate.query.criteria.internal.CriteriaQueryImpl] (default task-5) Rendered criteria query -> select generatedAlias0.id from PolicyEntity as generatedAlias0 inner join generatedAlias0.config as generatedAlias1 inner join generatedAlias0.config as generatedAlias2 where ( lower(generatedAlias0.type) like :param0 ) and ( key(generatedAlias1) in (:param1) ) and ( generatedAlias2 like :param2 ) and ( generatedAlias0.owner is null ) order by generatedAlias0.name asc 00:40:16,174 DEBUG [org.hibernate.SQL] (default task-5) select policyenti0_.ID as col_0_0_ from RESOURCE_SERVER_POLICY policyenti0_ inner join POLICY_CONFIG config1_ on policyenti0_.ID=config1_.POLICY_ID inner join POLICY_CONFIG config2_ on policyenti0_.ID=config2_.POLICY_ID where ( lower(policyenti0_.TYPE) like ? ) and ( config1_.NAME in ( ? ) ) and ( config2_.VALUE like ? 
) and ( policyenti0_.OWNER is null ) order by policyenti0_.NAME asc 00:40:16,174 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterStatement 00:40:16,174 DEBUG [org.keycloak.storage.UserStorageManager] (default task-5) Removed invalid user 'john doe' 00:40:16,174 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-5) JtaTransactionWrapper commit 00:40:16,175 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterTransaction 00:40:16,175 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-5) KeycloakDS: returnConnection(37fd7111, false) [0/20] 00:40:16,175 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-5) JtaTransactionWrapper end 00:40:16,175 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-5) JtaTransactionWrapper resuming suspended 00:40:16,175 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-5) HHH000420: Closing un-released batch 00:40:16,176 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-5) JtaTransactionWrapper commit 00:40:16,176 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Processing flush-time cascades 00:40:16,176 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Dirty checking collections 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#d8beb059-6ba9-4614-8da7-30f6f39762e4], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#d8beb059-6ba9-4614-8da7-30f6f39762e4] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#d8beb059-6ba9-4614-8da7-30f6f39762e4], 
was: [org.keycloak.models.jpa.entities.UserEntity.credentials#d8beb059-6ba9-4614-8da7-30f6f39762e4] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#d8beb059-6ba9-4614-8da7-30f6f39762e4], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#d8beb059-6ba9-4614-8da7-30f6f39762e4] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#2f5f5f07-4582-4c3d-969b-b360b8409df4], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#2f5f5f07-4582-4c3d-969b-b360b8409df4] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#2f5f5f07-4582-4c3d-969b-b360b8409df4], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#2f5f5f07-4582-4c3d-969b-b360b8409df4] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#2f5f5f07-4582-4c3d-969b-b360b8409df4], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#2f5f5f07-4582-4c3d-969b-b360b8409df4] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#32ca6509-77bd-446c-9072-2bc2827b8ab9], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#32ca6509-77bd-446c-9072-2bc2827b8ab9] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#32ca6509-77bd-446c-9072-2bc2827b8ab9], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#32ca6509-77bd-446c-9072-2bc2827b8ab9] (uninitialized) 
00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#32ca6509-77bd-446c-9072-2bc2827b8ab9], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#32ca6509-77bd-446c-9072-2bc2827b8ab9] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#1663aa5f-05ac-46cb-9a04-b6f7125883aa], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#1663aa5f-05ac-46cb-9a04-b6f7125883aa] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#1663aa5f-05ac-46cb-9a04-b6f7125883aa], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#1663aa5f-05ac-46cb-9a04-b6f7125883aa] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#1663aa5f-05ac-46cb-9a04-b6f7125883aa], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#1663aa5f-05ac-46cb-9a04-b6f7125883aa] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#79ee8cb3-0242-42d2-94b9-dc88be59c9ee], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#79ee8cb3-0242-42d2-94b9-dc88be59c9ee] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#79ee8cb3-0242-42d2-94b9-dc88be59c9ee], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#79ee8cb3-0242-42d2-94b9-dc88be59c9ee] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: 
[org.keycloak.models.jpa.entities.UserEntity.requiredActions#79ee8cb3-0242-42d2-94b9-dc88be59c9ee], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#79ee8cb3-0242-42d2-94b9-dc88be59c9ee] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#6d4d83c1-374b-496c-8f11-a0a658cbd03a], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#6d4d83c1-374b-496c-8f11-a0a658cbd03a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#6d4d83c1-374b-496c-8f11-a0a658cbd03a], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#6d4d83c1-374b-496c-8f11-a0a658cbd03a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#6d4d83c1-374b-496c-8f11-a0a658cbd03a], was: 
[org.keycloak.models.jpa.entities.UserEntity.requiredActions#6d4d83c1-374b-496c-8f11-a0a658cbd03a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#639abed4-9b33-428f-b35f-f2a021ae58b8], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#639abed4-9b33-428f-b35f-f2a021ae58b8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#639abed4-9b33-428f-b35f-f2a021ae58b8], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#639abed4-9b33-428f-b35f-f2a021ae58b8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#639abed4-9b33-428f-b35f-f2a021ae58b8], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#639abed4-9b33-428f-b35f-f2a021ae58b8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#52b308d5-e81c-4f0e-8393-eca4ff366a1f], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#52b308d5-e81c-4f0e-8393-eca4ff366a1f] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#52b308d5-e81c-4f0e-8393-eca4ff366a1f], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#52b308d5-e81c-4f0e-8393-eca4ff366a1f] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#52b308d5-e81c-4f0e-8393-eca4ff366a1f], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#52b308d5-e81c-4f0e-8393-eca4ff366a1f] (uninitialized) 00:40:16,176 
DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#1132cb63-97ea-4de7-8107-5b2554bee89d], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#1132cb63-97ea-4de7-8107-5b2554bee89d] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#1132cb63-97ea-4de7-8107-5b2554bee89d], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#1132cb63-97ea-4de7-8107-5b2554bee89d] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#1132cb63-97ea-4de7-8107-5b2554bee89d], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#1132cb63-97ea-4de7-8107-5b2554bee89d] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#d9ff7c8d-c36b-4ac4-95f3-65924213fded], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#d9ff7c8d-c36b-4ac4-95f3-65924213fded] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#d9ff7c8d-c36b-4ac4-95f3-65924213fded], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#d9ff7c8d-c36b-4ac4-95f3-65924213fded] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#d9ff7c8d-c36b-4ac4-95f3-65924213fded], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#d9ff7c8d-c36b-4ac4-95f3-65924213fded] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: 
[org.keycloak.models.jpa.entities.UserEntity.attributes#821b6c14-1da4-4377-8e18-fsam0633d25cc], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#821b6c14-1da4-4377-8e18-fsam0633d25cc] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#821b6c14-1da4-4377-8e18-fsam0633d25cc], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#821b6c14-1da4-4377-8e18-fsam0633d25cc] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#821b6c14-1da4-4377-8e18-fsam0633d25cc], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#821b6c14-1da4-4377-8e18-fsam0633d25cc] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#a727fdb1-731d-4cd4-949f-8dfe5cfb7f69], was: 
[org.keycloak.models.jpa.entities.UserEntity.attributes#a727fdb1-731d-4cd4-949f-8dfe5cfb7f69] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#a727fdb1-731d-4cd4-949f-8dfe5cfb7f69], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#a727fdb1-731d-4cd4-949f-8dfe5cfb7f69] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#a727fdb1-731d-4cd4-949f-8dfe5cfb7f69], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#a727fdb1-731d-4cd4-949f-8dfe5cfb7f69] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#d5f88dba-9263-4508-8f78-982075c90ba8], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#d5f88dba-9263-4508-8f78-982075c90ba8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#d5f88dba-9263-4508-8f78-982075c90ba8], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#d5f88dba-9263-4508-8f78-982075c90ba8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#d5f88dba-9263-4508-8f78-982075c90ba8], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#d5f88dba-9263-4508-8f78-982075c90ba8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#012dc197-3c0d-465e-83de-247966sam229a], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#012dc197-3c0d-465e-83de-247966sam229a] (uninitialized) 00:40:16,176 
DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#012dc197-3c0d-465e-83de-247966sam229a], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#012dc197-3c0d-465e-83de-247966sam229a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#012dc197-3c0d-465e-83de-247966sam229a], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#012dc197-3c0d-465e-83de-247966sam229a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#b14111f5-b1b0-483c-9318-f4d2ee802f8a], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#b14111f5-b1b0-483c-9318-f4d2ee802f8a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.credentials#b14111f5-b1b0-483c-9318-f4d2ee802f8a], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#b14111f5-b1b0-483c-9318-f4d2ee802f8a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#b14111f5-b1b0-483c-9318-f4d2ee802f8a], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#b14111f5-b1b0-483c-9318-f4d2ee802f8a] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.attributes#f39de748-ffae-4cef-acb4-16430b0242f8], was: [org.keycloak.models.jpa.entities.UserEntity.attributes#f39de748-ffae-4cef-acb4-16430b0242f8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: 
[org.keycloak.models.jpa.entities.UserEntity.credentials#f39de748-ffae-4cef-acb4-16430b0242f8], was: [org.keycloak.models.jpa.entities.UserEntity.credentials#f39de748-ffae-4cef-acb4-16430b0242f8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.engine.internal.Collections] (default task-5) Collection found: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#f39de748-ffae-4cef-acb4-16430b0242f8], was: [org.keycloak.models.jpa.entities.UserEntity.requiredActions#f39de748-ffae-4cef-acb4-16430b0242f8] (uninitialized) 00:40:16,176 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Flushed: 0 insertions, 0 updates, 0 deletions to 18 objects 00:40:16,176 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-5) Flushed: 0 (re)creations, 0 updates, 0 removals to 54 collections 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) Listing entities: 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=SAM Gert, realmId=smon, credentials=, createdTimestamp=1545956740581, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=sam.gert at smon.gumu, emailVerified=false, firstName=SAM Gert, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=2f5f5f07-4582-4c3d-969b-b360b8409df4, email=sam.gert at smon.gumu, username=sam gert} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=JEFF BLATT, realmId=smon, credentials=, createdTimestamp=1545956741094, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=jeff.blatt at smon.gumu, emailVerified=false, firstName=JEFF BLATT, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=6d4d83c1-374b-496c-8f11-a0a658cbd03a, email=jeff.blatt at smon.gumu, username=jeff blatt} 00:40:16,177 
DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=SAM Small, realmId=smon, credentials=, createdTimestamp=1545956740708, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=sam.small at smon.gumu, emailVerified=false, firstName=SAM Small, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=32ca6509-77bd-446c-9072-2bc2827b8ab9, email=sam.small at smon.gumu, username=sam small} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Kerp, realmId=smon, credentials=, createdTimestamp=1545956741357, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.kerp at smon.gumu, emailVerified=false, firstName=john Kerp, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=1132cb63-97ea-4de7-8107-5b2554bee89d, email=john.kerp at smon.gumu, username=john kerp} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Gert 3, realmId=smon, credentials=, createdTimestamp=1545956741550, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.gert-3 at smon.gumu, emailVerified=false, firstName=john Gert 3, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=8dacc80d-41ee-42ae-bd2b-dce07a1c1b7d, email=john.gert-3 at smon.gumu, username=john Gert 3} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Gert, realmId=smon, credentials=, createdTimestamp=1545956741718, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.gert at smon.gumu, emailVerified=false, firstName=john Gert, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, 
id=d5f88dba-9263-4508-8f78-982075c90ba8, email=john.gert at smon.gumu, username=john gert} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Small, realmId=smon, credentials=, createdTimestamp=1545956741748, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.small at smon.gumu, emailVerified=false, firstName=john Small, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=012dc197-3c0d-465e-83de-247966sam229a, email=john.small at smon.gumu, username=john small} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=SAM Black, realmId=smon, credentials=, createdTimestamp=1545956740785, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=sam.black at smon.gumu, emailVerified=false, firstName=SAM Black, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=1663aa5f-05ac-46cb-9a04-b6f7125883aa, email=sam.black at smon.gumu, username=sam black} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Gert 4, realmId=smon, credentials=, createdTimestamp=1545956741622, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.Gert-4 at smon.gumu, emailVerified=false, firstName=john Gert 4, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=a727fdb1-731d-4cd4-949f-8dfe5cfb7f69, email=john.Gert-4 at smon.gumu, username=john Gert 4} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=SAM Blue, realmId=smon, credentials=, createdTimestamp=1545956740297, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=sam.blue at smon.gumu, emailVerified=false, firstName=SAM 
Blue, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=d8beb059-6ba9-4614-8da7-30f6f39762e4, email=sam.blue at smon.gumu, username=sam blue} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Black, realmId=smon, credentials=, createdTimestamp=1545956741777, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.black at smon.gumu, emailVerified=false, firstName=john Black, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=b14111f5-b1b0-483c-9318-f4d2ee802f8a, email=john.black at smon.gumu, username=john black} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=Amy Black, realmId=smon, credentials=, createdTimestamp=1545956740919, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=amy.black at smon.gumu, emailVerified=false, firstName=Amy Black, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=a3dedabc-0bb7-42ca-8f6d-d4e9fdb51a1b, email=amy.black at smon.gumu, username=amy black} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Gert 1, realmId=smon, credentials=, createdTimestamp=1545956741421, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.Gert-1 at smon.gumu, emailVerified=false, firstName=john Gert 1, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=d9ff7c8d-c36b-4ac4-95f3-65924213fded, email=john.Gert-1 at smon.gumu, username=john Gert 1} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=JEFF Hue, realmId=smon, credentials=, createdTimestamp=1545956741292, serviceAccountClientLink=null, enabled=true, 
notBefore=0, emailConstraint=jeff.hue at smon.gumu, emailVerified=false, firstName=JEFF Hue, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=52b308d5-e81c-4f0e-8393-eca4ff366a1f, email=jeff.hue at smon.gumu, username=jeff hue} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=Jeff Black, realmId=smon, credentials=, createdTimestamp=1545956741221, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=jeff.black at smon.gumu, emailVerified=false, firstName=Jeff Black, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=639abed4-9b33-428f-b35f-f2a021ae58b8, email=jeff.black at smon.gumu, username=jeff black} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Gert 2, realmId=smon, credentials=, createdTimestamp=1545956741528, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.Gert-2 at smon.gumu, emailVerified=false, firstName=john Gert 2, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=821b6c14-1da4-4377-8e18-fsam0633d25cc, email=john.Gert-2 at smon.gumu, username=john Gert 2} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=SAM Mick, realmId=smon, credentials=, createdTimestamp=1545956740862, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=sam.mick at smon.gumu, emailVerified=false, firstName=SAM Mick, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=79ee8cb3-0242-42d2-94b9-dc88be59c9ee, email=sam.mick at smon.gumu, username=sam mick} 00:40:16,177 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-5) org.keycloak.models.jpa.entities.UserEntity{lastName=john Mice, realmId=smon, 
credentials=, createdTimestamp=1545956741828, serviceAccountClientLink=null, enabled=true, notBefore=0, emailConstraint=john.mice at smon.gumu, emailVerified=false, firstName=john Mice, requiredActions=, federationLink=889b8dbf-e7f2-4a70-87bf-8084eb025811, attributes=, id=f39de748-ffae-4cef-acb4-16430b0242f8, email=john.mice at smon.gumu, username=john mice} 00:40:16,177 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterStatement 00:40:16,186 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-5) Initiating JDBC connection release from samterTransaction 00:40:16,186 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-5) KeycloakDS: returnConnection(32eef326, false) [0/20] 00:40:16,186 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-5) JtaTransactionWrapper end 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext, Method : proceed 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) WriterInterceptor: org.jboss.resteasy.security.doseta.DigitalSigningInterceptor 00:40:16,210 DEBUG [org.jboss.resteasy.security.doseta.i18n] (default task-5) Interceptor : org.jboss.resteasy.security.doseta.DigitalSigningInterceptor, Method : aroundWriteTo 00:40:16,210 DEBUG 
[org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext, Method : proceed 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider 00:40:16,210 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-5) Provider : org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider, Method : writeTo 00:40:18,110 DEBUG [org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator] (ConnectionValidator) Notifying pools, interval: 30000 00:40:18,110 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for connection within frequency 00:40:18,111 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Returning for connection within frequency 00:40:18,112 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for connection within frequency 00:40:18,252 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper 00:40:18,252 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? 
false 00:40:18,252 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
00:40:18,252 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
00:40:18,252 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$964/1929658402

From geoff at opticks.io Fri Dec 28 04:43:37 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 28 Dec 2018 10:43:37 +0100
Subject: [keycloak-user] first broker login for existing users only
In-Reply-To: <5C5FF2CE-633C-4E7F-98B9-FE885FCB5B8D@3fs.si>
References: <5C5FF2CE-633C-4E7F-98B9-FE885FCB5B8D@3fs.si>
Message-ID:

See this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016723.html

On Thu, 27 Dec 2018 at 21:08, Jernej Porenta wrote:

> Hey,
>
> Is there a way to achieve IdP account linking through "First broker login"
> flow for existing users only?
>
> I am trying to disable user registration through identity provider without
> success.
>
> The idea is:
> - pre-create users in keycloak
> - allow user login only for pre-created users
> - allow users to link the account to identity provider through login page
> (not account portal)
>
> If default First Login flow in IdP config is set to "First broker login",
> users are still created. If I modify the "First broker login", I can only
> get the "invalid_user_credentials".
>
> Thank you in advance.
>
> br, Jernej
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Regards,
Geoffrey Cleaves

From pavel.masloff at gmail.com Fri Dec 28 05:22:11 2018
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Fri, 28 Dec 2018 11:22:11 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
Message-ID:

Hi, guys.
Haven't been here for quite a while :)

I'm using the Springboot Keycloak adapter (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST API via bearer token [1]. And it works! Cool.

Now, I would like to get the access token in my @RestController, or even better some information about the user. Is it possible?

Thanks in advance.

Regards,
Pavel Maslov, MS

[1] https://github.com/maslick/barkoder

From niko at n-k.de Fri Dec 28 05:37:58 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 28 Dec 2018 11:37:58 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To:
References:
Message-ID: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de>

Hi Pavel,

that's quite easy (as most things with Spring Boot).

You can get the AccessToken object through the HttpServletRequest, KeycloakPrincipal and KeycloakSecurityContext.
In my projects, I do some bean definitions like here: https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java
Then, you can just inject the AccessToken or KeycloakSecurityContext where you want, like this: https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java

Instead of the AccessToken, you can also get the IdentityToken, of course.

HTH,
- Niko

> On 28.12.2018 at 11:22, Pavel Maslov wrote:
>
> Hi, guys. Haven't been here for quite a while :)
>
>
> I'm using the Springboot Keycloak adapter
> (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST
> API via bearer token [1]. And it works! Cool.
>
> Now, I would like to get the access token in my @RestController, or even
> better some information about the user. Is it possible?
>
> Thanks in advance.
>
> Regards,
> Pavel Maslov, MS
>
> [1] https://github.com/maslick/barkoder
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pavel.masloff at gmail.com Fri Dec 28 05:46:04 2018
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Fri, 28 Dec 2018 11:46:04 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de>
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de>
Message-ID:

Hey Niko,

Excellent, this is exactly what I was looking for!
In your example does the *accessToken* injected field return a token for each and every user respectively (not the same)?
Thank you very "many" (much) :))

Regards,
Pavel Maslov, MS

On Fri, Dec 28, 2018 at 11:38 AM Niko Köbler wrote:

> Hi Pavel,
>
> that's quite easy (as most things with Spring Boot).
>
> You can get the AccessToken object through the HttpServletRequest,
> KeycloakPrincipal and KeycloakSecurityContext.
> In my projects, I do some bean definitions like here:
> https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java
> Then, you can just inject the AccessToken or KeycloakSecurityContext where
> you want, like this:
> https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java
>
> Instead of the AccessToken, you can also get the IdentityToken, of course.
>
> HTH,
> - Niko
>
>
> > On 28.12.2018 at 11:22, Pavel Maslov wrote:
> >
> > Hi, guys. Haven't been here for quite a while :)
> >
> >
> > I'm using the Springboot Keycloak adapter
> > (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST
> > API via bearer token [1]. And it works! Cool.
> >
> > Now, I would like to get the access token in my @RestController, or even
> > better some information about the user.
> > Is it possible?
> >
> > Thanks in advance.
> >
> > Regards,
> > Pavel Maslov, MS
> >
> > [1] https://github.com/maslick/barkoder
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From niko at n-k.de Fri Dec 28 06:16:22 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 28 Dec 2018 12:16:22 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To:
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de>
Message-ID:

As you can see, the bean definition is Request-scoped.
This leads to a new bean instance for every request, and thus for each and every user :)

> On 28.12.2018 at 11:46, Pavel Maslov wrote:
>
> Hey Niko,
>
> Excellent, this is exactly what I was looking for!
> In your example does the accessToken injected field return a token for each and every user respectively (not the same)?
> Thank you very "many" (much) :))
>
> Regards,
> Pavel Maslov, MS
>
>
> On Fri, Dec 28, 2018 at 11:38 AM Niko Köbler wrote:
> Hi Pavel,
>
> that's quite easy (as most things with Spring Boot).
>
> You can get the AccessToken object through the HttpServletRequest, KeycloakPrincipal and KeycloakSecurityContext.
> In my projects, I do some bean definitions like here: https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java
> Then, you can just inject the AccessToken or KeycloakSecurityContext where you want, like this: https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java
>
> Instead of the AccessToken, you can also get the IdentityToken, of course.
>
> HTH,
> - Niko
>
>
> > On 28.12.2018 at 11:22, Pavel Maslov wrote:
> >
> > Hi, guys.
> > Haven't been here for quite a while :)
> >
> >
> > I'm using the Springboot Keycloak adapter
> > (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST
> > API via bearer token [1]. And it works! Cool.
> >
> > Now, I would like to get the access token in my @RestController, or even
> > better some information about the user. Is it possible?
> >
> > Thanks in advance.
> >
> > Regards,
> > Pavel Maslov, MS
> >
> > [1] https://github.com/maslick/barkoder
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From pavel.masloff at gmail.com Fri Dec 28 06:17:29 2018
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Fri, 28 Dec 2018 12:17:29 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To:
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de>
Message-ID:

Awesome, thanks a million!

Regards,
Pavel Maslov, MS

On Fri, Dec 28, 2018 at 12:16 PM Niko Köbler wrote:

> As you can see, the bean definition is Request-scoped.
> This leads to a new bean instance for every request, and thus for each and
> every user :)
>
>
> > On 28.12.2018 at 11:46, Pavel Maslov wrote:
>
> Hey Niko,
>
> Excellent, this is exactly what I was looking for!
> In your example does the *accessToken* injected field return a token for
> each and every user respectively (not the same)?
> Thank you very "many" (much) :))
>
> Regards,
> Pavel Maslov, MS
>
>
> On Fri, Dec 28, 2018 at 11:38 AM Niko Köbler wrote:
>
>> Hi Pavel,
>>
>> that's quite easy (as most things with Spring Boot).
>>
>> You can get the AccessToken object through the HttpServletRequest,
>> KeycloakPrincipal and KeycloakSecurityContext.
>> In my projects, I do some bean definitions like here:
>> https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java
>> Then, you can just inject the AccessToken or KeycloakSecurityContext
>> where you want, like this:
>> https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java
>>
>> Instead of the AccessToken, you can also get the IdentityToken, of course.
>>
>> HTH,
>> - Niko
>>
>>
>> > On 28.12.2018 at 11:22, Pavel Maslov wrote:
>> >
>> > Hi, guys. Haven't been here for quite a while :)
>> >
>> >
>> > I'm using the Springboot Keycloak adapter
>> > (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my
>> REST
>> > API via bearer token [1]. And it works! Cool.
>> >
>> > Now, I would like to get the access token in my @RestController, or even
>> > better some information about the user. Is it possible?
>> >
>> > Thanks in advance.
>> >
>> > Regards,
>> > Pavel Maslov, MS
>> >
>> > [1] https://github.com/maslick/barkoder
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>

From psilva at redhat.com Fri Dec 28 08:20:20 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Dec 2018 11:20:20 -0200
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To:
References:
Message-ID:

Hi,

What if you push user's primary store as a claim to your policies and use this information to decide the scopes he/she has access to?

It could also be useful to avoid creating a resource for each store, so you could use a single resource and corresponding permission that matches the store the user is accessing and his primary store (both sent as claims to your policies).

Regards.
Pedro Igor

On Thu, Dec 27, 2018 at 9:55 PM Warren, Scott wrote:

> Hi,
>
> I need some input on the best way to solve authorization for a retail chain
> scenario. Here's the scenario:
> A retailer has 10,000 stores and 30,000 users
> While each user has a primary store, they can work in other stores in their
> region
>
> At his/her primary store UserA (clerk) has the following scopes: POS,
> DailyCloseout
> For secondary stores, a UserA has only the POS scope
>
> While there are many more scopes, and user roles, the problem to solve is
> this multi-tiered permissions structure. UserA's permissions depend on the
> store context.
>
> I've set up stores as resources (of type "store"), each resource has a
> storeNbr attribute
> I've set up scopes of POS, DailyCloseout, SalesReports, etc.
>
> I'm struggling with a clean way to tie a user to his/her "storeX" : [
> "scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute,
> and after mapping it, got it working with a javascript policy
> but that's a maintenance nightmare at best.
>
> I can set up roles with names like .. It's better than
> the user attribute route, but still feels like a hack.
>
> I'm guessing I could write a Drools policy that could, using the identity
> from the context, read from a database that contains this structure. BUT
> this provider is in tech preview / not supported, so I'm not excited about
> this route.
> Lastly, I guess I could write a custom policy provider.
> These last two require me to maintain a separate database (and app to
> maintain it), so I'm not thrilled with either of them.
>
> So, what have I missed? Is there an elegant way to solve this?
>
> Thanks for your help!
> Scott
>
>
>
>
> --
>
> Scott G. Warren
>
> SUM Global Technology
>
> swarren at sumglobal.com
>
> 678.469.3455
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From swarren at sumglobal.com Fri Dec 28 09:54:14 2018
From: swarren at sumglobal.com (Warren, Scott)
Date: Fri, 28 Dec 2018 09:54:14 -0500
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To:
References:
Message-ID:

I like the idea of only creating one store resource!

I see the benefit of pushing the current store as a claim. Is there a way for a policy to get the request URI to extract the store number (GET /stores/{storeNbr}/sales)? That seems ideal (provided the storeNbr is in the URI). I've got the user's primaryStoreNbr as an identityAttribute, so that's no problem.

Unfortunately, this doesn't solve my real problem, which is storing the user-to-store-to-scope relationships somehow in Keycloak. While I can do some common permission consolidation using groups, I've got to have the following for each of my 30K users so that my policies have the information they need to make decisions:

{
  "user" : "userA",                <-- identityAttribute
  "primaryStoreNbr" : "2001",      <-- identityAttribute
  "storePermissions" : [
    { "storeNbr" : "2001", "scopes" : [ "POS", "DailyCloseout", "SalesReports" ] },
    { "storeNbr" : "2002", "scopes" : [ "POS", "DailyCloseout" ] },
    { "storeNbr" : "2003", "scopes" : [ "POS" ] },
    { "storeNbr" : "2004", "scopes" : [ "POS" ] }
  ]
}

So, do I need to maintain a separate database for (and app to maintain) this data? If I'm forced into that :( I can use the identity to do an external DB lookup for the user permission information. Can I do this with a Drools rule, or would it be better just to create a custom provider?
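Pedro's suggestion above (one "store" resource, with the user's primary store and the store being accessed both handed to the policy as claims) can be written as a Keycloak JavaScript policy. What follows is an added example for this thread, not code posted by Pedro or Scott and not part of the Keycloak project. It assumes a token attribute named primaryStoreNbr, a pushed claim named storeNbr (for instance from the policy enforcer's claim-information-point reading the store number out of the URI), and the scope names used in the thread; it implements Pedro's simplification rather than Scott's per-store list: POS is allowed at every store, everything else only at the primary store. Inside Keycloak only the body of evaluate() is the policy script; the wrapper function and the fakeEvaluation() double exist so the logic can be run and checked under node.

```javascript
// Added example (not from the thread, not Keycloak's own code): a Keycloak
// JavaScript policy for the single "store" resource model. The policy reads
// the caller's primary store from the token, the store being accessed from a
// pushed claim, works out which scopes that store allows, and grants only if
// every requested scope is among them.
//
// Assumed, not stated on the page: the token carries a "primaryStoreNbr"
// attribute, the enforcer pushes the store from the URI as claim "storeNbr",
// and the scope names are POS, DailyCloseout and SalesReports.

// Everyone may use POS at any store; only the primary store unlocks the rest.
var BASE_SCOPES = ['POS'];
var PRIMARY_SCOPES = ['POS', 'DailyCloseout', 'SalesReports'];

// Scopes the caller may use at storeNbr, given their primary store.
function allowedScopes(primaryStoreNbr, storeNbr) {
  return storeNbr === primaryStoreNbr ? PRIMARY_SCOPES : BASE_SCOPES;
}

// Policy body. In Keycloak the engine binds $evaluation and evaluates the
// body alone (ES5 syntax for Nashorn); the function wrapper is only here so
// the logic can be exercised outside Keycloak.
function evaluate($evaluation) {
  var context = $evaluation.getContext();
  var identity = context.getIdentity();

  // Attributes.getValue() returns null when the attribute is absent.
  var primary = identity.getAttributes().getValue('primaryStoreNbr');
  var store = context.getAttributes().getValue('storeNbr');
  if (primary === null || store === null) {
    $evaluation.deny();          // fail closed on a missing claim or attribute
    return;
  }

  var allowed = allowedScopes(primary.asString(0), store.asString(0));

  // Scopes requested for this permission. In Keycloak getScopes() is a Java
  // Collection<Scope>; toArray() works under Nashorn and on the double below.
  var requested = $evaluation.getPermission().getScopes().toArray();
  for (var i = 0; i < requested.length; i++) {
    if (allowed.indexOf(requested[i].getName()) === -1) {
      $evaluation.deny();        // one disallowed scope denies the whole request
      return;
    }
  }
  $evaluation.grant();
}

// Constructed stand-in for the slice of $evaluation the policy touches, so
// the policy can be run here; it is not the Keycloak runtime.
function fakeEvaluation(identityAttrs, contextAttrs, scopeNames) {
  function attributes(map) {
    return {
      getValue: function (name) {
        if (!Object.prototype.hasOwnProperty.call(map, name)) { return null; }
        return { asString: function () { return map[name]; } };
      }
    };
  }
  var result = { decision: null };
  return {
    result: result,
    getContext: function () {
      return {
        getIdentity: function () {
          return { getAttributes: function () { return attributes(identityAttrs); } };
        },
        getAttributes: function () { return attributes(contextAttrs); }
      };
    },
    getPermission: function () {
      return {
        getScopes: function () {
          return {
            toArray: function () {
              return scopeNames.map(function (n) { return { getName: function () { return n; } }; });
            }
          };
        }
      };
    },
    grant: function () { result.decision = 'GRANT'; },
    deny: function () { result.decision = 'DENY'; }
  };
}

// Runs the policy for one constructed request and returns 'GRANT' or 'DENY'.
// Pass undefined for a missing attribute or claim.
function decide(primaryStoreNbr, storeNbr, scopeNames) {
  var identityAttrs = {};
  var contextAttrs = {};
  if (primaryStoreNbr !== undefined) { identityAttrs.primaryStoreNbr = primaryStoreNbr; }
  if (storeNbr !== undefined) { contextAttrs.storeNbr = storeNbr; }
  var ev = fakeEvaluation(identityAttrs, contextAttrs, scopeNames);
  evaluate(ev);
  return ev.result.decision;
}
```

The policy answers grant or deny for the permission it is attached to, so a request that mixes an allowed scope with a disallowed one is denied outright; if clients need to learn which subset they hold, attach one scope-based permission per scope instead. The fail-closed branch matters in practice: a missing storeNbr claim usually means the enforcer is not configured to push it, and denying there keeps a misconfiguration from turning into a grant.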
From swarren at sumglobal.com Fri Dec 28 11:53:21 2018
From: swarren at sumglobal.com (Warren, Scott)
Date: Fri, 28 Dec 2018 11:53:21 -0500
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To:
References:
Message-ID:

Jumped the gun on that last response:
1. I can configure the policy enforcer with claim-information-point to extract information from the request
2. Assuming I'm correct in that this information is not easily stored in Keycloak, I need to set up an external Claim Information Point (CIP) either as an HTTP service or by implementing the CIP SPI.

This seems like the most elegant path, though I really didn't want to create a separate app and DB to maintain this data.

Any thoughts?

From psilva at redhat.com Fri Dec 28 13:18:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Dec 2018 16:18:11 -0200
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To:
References:
Message-ID:

If you use CIP to push the URI [1]. From your example, I understand that by default users have access to POS. For the primary store, they can do more. By pushing the URL (or only the store id), you should be able to differentiate the scopes that should be granted to primary vs secondary stores.

[1] https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/src/main/resources/application.properties#L13

On Fri, Dec 28, 2018 at 2:57 PM Warren, Scott wrote:

> Jumped the gun on that last response:
> 1. I can configure the policy enforcer with claim-information-point to
> extract information from the request
> 2. Assuming I'm correct in that this information is not easily stored in
> Keycloak, I need to set up an external Claim Information Point (CIP) either
> as an HTTP service or by implementing the CIP SPI.
>
> This seems like the most elegant path, though I really didn't want to
> create a separate app and DB to maintain this data.
>
> Any thoughts?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From craig at baseventure.com Fri Dec 28 15:36:05 2018
From: craig at baseventure.com (Craig Setera)
Date: Fri, 28 Dec 2018 14:36:05 -0600
Subject: [keycloak-user] Re : Setting authentication execution requirement via kcadm.sh?
In-Reply-To:
References:
Message-ID:

I spent way more time on this than I'd like to admit, but finally came up with a "general" solution.

#
# Set the requirement value for a particular flow's
# execution
#
# Expected parameters:
#   $1 - The authentication flow alias
#   $2 - The execution identifier
#   $3 - The required value
#
function setAuthFlowExecutionRequirement {
  echo "Setting execution with id $2 in flow $1 to $3..."
  # GET returns the array of executions; select the one whose id matches
  # exactly, set its requirement, and PUT that single object back.
  ${KCADM} get "authentication/flows/$1/executions" -r "${REALM_NAME}" | \
    jq --arg exec_id "$2" --arg requirement "$3" \
       'map(select(.id == $exec_id)) | .[0] | .requirement |= $requirement' | \
    ${KCADM} update "authentication/flows/$1/executions" -r "${REALM_NAME}" -n -f -
}

After a lot of poking around, there were a couple of things that led to this difficulty:

- The administration service explicitly ignores the incoming requirement on the create/POST and always sets the requirement to DISABLED. I'm not really sure why that might be the case, but it significantly complicates things.
- The only place I could find that I could change it was via the authentication/flows/$flow_id/executions endpoint. That endpoint expects a single JSON object containing the fields, including the execution ID.
- However, a GET of the same endpoint returns an array of execution objects which cannot be used immediately to call the update.

Thus, this solution depends on "jq" for a bit of help to take the array of execution definitions, capture the specific object definition associated with the execution ID, and update the requirement field of that object before using it for the update/PUT.

Hopefully this may be useful to others.

Craig

=================================
*Craig Setera*
*Chief Technology Officer*

On Mon, Oct 15, 2018 at 10:02 AM triton oidc wrote:

> Hi Craig,
>
> I'm not an expert, but here is what I did to set my execution value to
> REQUIRED:
> create a json with
> {"id":[ID_OF_YOUR_EXECUTION],"requirement":"REQUIRED"}
> put it in a file my_file.json
>
> you can have the id of your execution using this command
> ./kcadm.sh get authentication/flows/[your_flow]/executions --format csv -r
> $keycloak_new_realm --fields id | tr -d '\n'
>
> and you can import the file using this command:
> ./kcadm.sh update authentication/flows/[your_flow]/executions -r
> $keycloak_new_realm -f my_file.json
>
> There is probably a better way but I didn't find it
>
> hope it helps
>
> Amaury
>
> On Mon, Oct 15, 2018 at 1:07 PM wrote:
>
>> Send keycloak-user mailing list submissions to
>> keycloak-user at lists.jboss.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> or, via email, send a message with subject or body 'help' to
>> keycloak-user-request at lists.jboss.org
>>
>> You can reach the person managing the list at
>> keycloak-user-owner at lists.jboss.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of keycloak-user digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Setting authentication execution requirement via kcadm.sh?
>>       (Craig Setera)
>>    2. org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not
>>       update user roles (Philippe Gauthier)
>>    3. Re: Unrecognized field "authenticationFlowBindingOverrides"
>>       (Fabio Ebner)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 15 Oct 2018 07:21:30 -0500
>> From: Craig Setera
>> Subject: [keycloak-user] Setting authentication execution requirement
>>         via kcadm.sh?
>> To: keycloak-user at lists.jboss.org
>> Message-ID:
>>         <CAPVdwjq1oyjCom4_A0TBJ8m3KBCgit5nOqMCGqKP4t2RU6zb5Q at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> I'm trying to figure out if it is possible to set the "requirement" level
>> of an execution that is created for an authentication flow via the kcadm
>> tool. I have a shell script that I'm using to set up the Keycloak
>> configuration that looks like the following:
>>
>> echo "Creating new authentication flow..."
>> AUTO_LINK_FLOW_ID=`${KCADM} create authentication/flows --id -r ${REALM_NAME} \
>>   -s alias="FirstBrokerLoginAutoLink" -s providerId="basic-flow" -s topLevel=true`
>>
>> echo "Adding unique authenticator..."
>> ${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
>>   -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10
>>
>> echo "Adding auto link authenticator..."
>> ${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution -r ${REALM_NAME} \
>>   -s provider=idp-auto-link -s requirement=ALTERNATIVE -s priority=20
>>
>> With this script, I'm seeing the flow and executions created, but the
>> requirement seems to be ignored. In this case, the executions are always
>> set to DISABLED. I've tried to follow that up with an update call that
>> looks like this:
>>
>> echo "Adding unique authenticator..."
>> EXECUTION_ID=`${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
>>   -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10`
>> ${KCADM} update authentication/flows/FirstBrokerLoginAutoLink/executions -r ${REALM_NAME} \
>>   -s id=${EXECUTION_ID} -s requirement=ALTERNATIVE
>>
>> However, that is failing with the following error:
>>
>> HTTP request error: Can not deserialize instance of
>> com.fasterxml.jackson.databind.node.ObjectNode out of START_ARRAY token
>> at [Source: [B at 527ee8a7; line: 1, column: 1]
>>
>> Can anyone offer any suggestions on how to get this authentication flow
>> properly configured so that the executions are set to ALTERNATIVE?
>>
>> Thanks!
>> Craig
>>
>> =================================
>> *Craig Setera*
>>
>> *Chief Technology Officer*
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 15 Oct 2018 12:45:04 +0000
>> From: Philippe Gauthier
>> Subject: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
>> To: "keycloak-user at lists.jboss.org"
>> Cc: Étienne Sadio
>> Message-ID:
>>         <YTOPR0101MB141798E50DFEF73BB8C32857B1FD0 at YTOPR0101MB1417.CANPRD01.PROD.OUTLOOK.COM>
>>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi
>>
>> I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot
>> find any answers for his question.
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
>>
>> This post was about the ClaimToRoleMapper class of the OIDC broker component.
>> This class searches for a claim, checks its value and grants a role if the
>> value is equal to the value specified in the configuration.
>>
>> If the user from the IdP is not known by Keycloak, it will be created by
>> the First Broker Login Flow and the role will be granted.
>>
>> If the user is already known by Keycloak, he has the role specified by
>> the mapper and he doesn't have the claim anymore, the role will be revoked.
>>
>> But. If the user is known by Keycloak, he doesn't have the role specified
>> by the mapper and he has the claim, Keycloak does not grant him the role.
>>
>> It is clear why it does this in the code but it is not clear why this
>> has been done that way:
>>
>> Here is the code.
>>
>> @Override
>> public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
>>                           IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     if (hasClaimValue(mapperModel, context)) {
>>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>         user.grantRole(role);
>>     }
>> }
>>
>> @Override
>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
>>                                IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     if (!hasClaimValue(mapperModel, context)) {
>>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>         user.deleteRoleMapping(role);
>>     }
>>     /* Maybe we should add an else here that does what the importNewUser does. */
>> }
>>
>> Thank you
>>
>> Philippe Gauthier.
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 15 Oct 2018 09:53:48 -0300
>> From: Fabio Ebner
>> Subject: Re: [keycloak-user] Unrecognized field "authenticationFlowBindingOverrides"
>> To: Marek Posolda
>> Cc: keycloak-user at lists.jboss.org
>> Message-ID: <CAFxMZba+qwDnfkrggWXn6U+iY_hZYpMJ0CzMYvrtYgMmL3rQ9g at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Marek, thanks. I was using an old version in my pom, but after I put the correct 4.5.0.Final, when I try to start my project it throws an exception:
>>
>>     Caused by: java.lang.NoClassDefFoundError: org/springframework/boot/web/server/WebServerFactoryCustomizer
>>
>> Looking on Google, it says that class is only in Spring Boot > 2, so I updated my project to Spring Boot 2.0.5.Final. Now my project starts, but when I try to access any URL I get the error, in a loop:
>>
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>
>>     2018-10-15 09:50:12.363 ERROR 20936 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost] : Exception Processing /favicon.ico
>>
>>     java.lang.StackOverflowError: null
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45)
>>     ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     .....
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>
>>     2018-10-15 09:50:12.387 ERROR 20936 --- [nio-8081-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] threw exception
>>
>>     java.lang.StackOverflowError: null
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     ......
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>
>>     2018-10-15 09:50:12.399 ERROR 20936 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost] : Exception Processing ErrorPage[errorCode=0, location=/error]
>>
>>     javax.servlet.ServletException: Filter execution threw an exception
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:316) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:395) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:254) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:349) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_162]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_162]
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162]
>>     Caused by: java.lang.StackOverflowError: null
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     ....
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>
>>     2018-10-15 09:50:12.425 ERROR 20936 --- [nio-8081-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] threw exception
>>
>>     java.lang.StackOverflowError: null
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     ....
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>
>>     2018-10-15 09:50:12.437 ERROR 20936 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost] : Exception Processing ErrorPage[errorCode=0, location=/error]
>>
>>     javax.servlet.ServletException: Filter execution threw an exception
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:316) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:395) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:254) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:349) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:175) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_162]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_162]
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar:8.5.34]
>>     at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162]
>>     Caused by: java.lang.StackOverflowError: null
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>>     ....
>>
>> Em seg, 15 de out de 2018 às 04:19, Marek Posolda escreveu:
>>
>> > I think the field "authenticationFlowBindingOverrides" was added in some Keycloak 4.X version. I suggest updating the Keycloak dependency versions in your pom from 3.4.3.Final to the same version as your Keycloak server.
>> >
>> > Marek
>> >
>> > On 13/10/18 04:18, Fabio Ebner wrote:
>> > > When I try to get my client with this code:
>> > >
>> > >     ClientRepresentation app1Client = realmResource.clients().findByClientId("central-api").get(0);
>> > >
>> > > that error is returned:
>> > >
>> > >     javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "authenticationFlowBindingOverrides" (class org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (38 known properties: "enabled", "clientAuthenticatorType", "redirectUris", "clientId", "authorizationServicesEnabled", "name", "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout", "publicClient", "attributes", "protocol", "webOrigins", "protocolMappers", "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed", "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl", "secret", "useTemplateMappers", "notBefore", "useTemplateScope", "standardFlowEnabled", "description", "directAccessGrantsEnabled", "useTemplateConfig", "serviceAccountsEnabled", "consentRequired", "access", "bearerOnly", "registrationAccessToken", "defaultRoles", "authorizationSettings"])
>> > >
>> > > this is my pom.
>> > >
>> > >     <dependency>
>> > >         <groupId>org.keycloak</groupId>
>> > >         <artifactId>keycloak-spring-security-adapter</artifactId>
>> > >         <version>3.4.3.Final</version>
>> > >     </dependency>
>> > >     <dependency>
>> > >         <groupId>org.keycloak</groupId>
>> > >         <artifactId>keycloak-spring-boot-starter</artifactId>
>> > >         <version>3.4.3.Final</version>
>> > >     </dependency>
>> > >     <dependency>
>> > >         <groupId>org.keycloak</groupId>
>> > >         <artifactId>keycloak-admin-client</artifactId>
>> > >         <version>3.4.3.Final</version>
>> > >     </dependency>
>> > >     <dependency>
>> > >         <groupId>javax.ws.rs</groupId>
>> > >         <artifactId>javax.ws.rs-api</artifactId>
>> > >         <version>2.1</version>
>> > >     </dependency>
>> > >     <dependency>
>> > >         <groupId>org.jboss.resteasy</groupId>
>> > >         <artifactId>resteasy-client</artifactId>
>> > >         <version>3.1.3.Final</version>
>> > >     </dependency>
>> > >     <dependency>
>> > >         <groupId>org.jboss.resteasy</groupId>
>> > >         <artifactId>resteasy-jackson2-provider</artifactId>
>> > >         <version>3.1.3.Final</version>
>> > >     </dependency>
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>>
>> ------------------------------
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> End of keycloak-user Digest, Vol 58, Issue 37
>> *********************************************
>

From swarren at sumglobal.com Fri Dec 28 19:01:39 2018
From: swarren at sumglobal.com (Warren, Scott)
Date: Fri, 28 Dec 2018 19:01:39 -0500
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To: References: Message-ID:

Yeah, I made my original example very simple as I was trying to point out the multi-tiered permission issue rather than getting bogged down in the myriad of scopes. Users can have 1-to-many scopes across several stores. It's not as simple as "if primary store grant this scope set, else grant that scope set". Life would be a lot easier if it was :)

It sounds like a CIP service accessing an external DB is the 'correct' answer for this scenario. I see no other clean way to tie users->stores->scopes.

Thanks for your help!
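The kcadm script Craig Setera quoted in the digest above fails on the update step, and the error text points at the client side: kcadm's `update` with `-s key=value` first GETs the resource so it can merge the new fields into it, and `authentication/flows/{alias}/executions` answers that GET with a JSON array, which Jackson cannot turn into a single `ObjectNode`. The PUT on that same path wants exactly one execution object. The script below is an added example, not Craig's script or Keycloak project code: it creates the execution with `-i` so only the new id is printed, sends the update as a complete JSON body via `-f -` (so no GET-and-merge happens), then reads the flow back and checks that the requirement really is `ALTERNATIVE`. It assumes `KCADM` points at `kcadm.sh` and that `kcadm.sh config credentials` has already been run; the flow alias and realm default to the names in the quoted script, and the sample JSON used to test the parser is constructed here, not captured from a server.

```shell
#!/bin/sh
# Added example: set a Keycloak flow execution to ALTERNATIVE with kcadm.sh.
# Assumptions (not stated on the page): KCADM is kcadm.sh with an open
# session; FLOW_ALIAS/REALM_NAME follow the quoted script; the parser below
# expects kcadm's pretty-printed output (one key per line, "}" closes an object).
KCADM=${KCADM:-kcadm.sh}
REALM_NAME=${REALM_NAME:-master}
FLOW_ALIAS=${FLOW_ALIAS:-FirstBrokerLoginAutoLink}

# Body for PUT .../flows/{alias}/executions: one execution object, not an array.
execution_update_body() {
    printf '{"id":"%s","requirement":"%s"}' "$1" "$2"
}

# Print the requirement of execution id $1 from the JSON array on stdin
# (as printed by "kcadm.sh get authentication/flows/<alias>/executions").
# Prints nothing when the id is not present.
execution_requirement() {
    awk -v want="$1" '
        /"id"[[:space:]]*:/          { gsub(/[",]/, "", $NF); id = $NF }
        /"requirement"[[:space:]]*:/ { gsub(/[",]/, "", $NF); req = $NF }
        /^[[:space:]]*}/             { if (id == want) print req; id = ""; req = "" }
    '
}

# Create the execution, set it to ALTERNATIVE, and verify the change.
set_execution_alternative() {
    # -i prints only the id of the created execution.
    exec_id=$("$KCADM" create "authentication/flows/$FLOW_ALIAS/executions/execution" \
        -r "$REALM_NAME" -i -s provider=idp-create-user-if-unique) || return 1
    # -f - sends the body as-is, so kcadm does not GET the (array) resource first.
    execution_update_body "$exec_id" ALTERNATIVE \
        | "$KCADM" update "authentication/flows/$FLOW_ALIAS/executions" \
            -r "$REALM_NAME" -f - || return 1
    # Never trust a 204: read the flow back and check the requirement.
    actual=$("$KCADM" get "authentication/flows/$FLOW_ALIAS/executions" -r "$REALM_NAME" \
        | execution_requirement "$exec_id")
    [ "$actual" = ALTERNATIVE ]
}

# Constructed sample of the GET output, used to exercise the parser offline.
SAMPLE_EXECUTIONS='[ {
  "id" : "0b1c2d3e-1111-2222-3333-444455556666",
  "requirement" : "REQUIRED",
  "displayName" : "Review Profile",
  "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
  "configurable" : true,
  "providerId" : "idp-review-profile",
  "level" : 0,
  "index" : 0
}, {
  "id" : "7a8b9c0d-aaaa-bbbb-cccc-ddddeeeeffff",
  "requirement" : "ALTERNATIVE",
  "displayName" : "Create User If Unique",
  "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
  "configurable" : true,
  "providerId" : "idp-create-user-if-unique",
  "level" : 0,
  "index" : 1
} ]'

# Only touch a server when explicitly asked: "sh this.sh run".
if [ "${1:-}" = run ]; then
    set_execution_alternative && echo "execution $exec_id is ALTERNATIVE"
fi
```

If you prefer to stay with `-s`, kcadm's `-n` (no merge) switch has the same effect of skipping the GET, but the `-f -` form makes the request body explicit in the script, which is easier to review. The read-back step matters because the server returns 204 for the PUT whether or not the execution you named exists in that flow.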
From wolfbro92 at gmail.com Fri Dec 28 22:43:13 2018
From: wolfbro92 at gmail.com (Kunal Kumar)
Date: Sat, 29 Dec 2018 11:43:13 +0800
Subject: [keycloak-user] Adding new security-realm using CLI
Message-ID:

I intend to use SSL for my Keycloak Server, so I am following the documentation from Keycloak for it. At one point they mention having to add a new security-realm using the CLI, but I have no idea how to use the CLI to input this:

    /core-service=management/security-realm=UndertowRealm:add()

It keeps saying it is not a recognized command. Any ideas?

Regards,
Kunal

From luca.stancapiano at vige.it Sat Dec 29 06:08:56 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Sat, 29 Dec 2018 12:08:56 +0100 (CET)
Subject: [keycloak-user] Registration page and comboboxes
Message-ID: <2137152622.449907.1546081736355@pim.register.it>

I have a registration page in a Keycloak theme where the user has to choose from a list in a combobox. This list is dynamic, meaning it could be changed by an administrator at any time. What is the best way to manage this list with Keycloak? Can I use the administrative console to update this data? If so, on which component?

From pavel.masloff at gmail.com Sat Dec 29 08:20:27 2018
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sat, 29 Dec 2018 14:20:27 +0100
Subject: [keycloak-user] refresh token expiration time
Message-ID:

Hi,

Am I right in presuming that the refresh token expiration time is controlled by the SSO Session Idle property in the web UI?

Thanks.
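The line Kunal Kumar asks about above is a WildFly management-CLI command, not a shell command: a bash prompt will always report it as unrecognised, and so will `jboss-cli.sh` started without `--connect`. The script below is an added example, not from Kunal's post or from the Keycloak project: it writes the command into a CLI script file and feeds that file to `jboss-cli.sh --connect`. The two follow-on commands (the `server-identity=ssl` and the `https-listener` write-attribute) are the ones the Keycloak server installation guide lists after the `:add()` step and are assumed here, as are `KEYCLOAK_HOME`, standalone mode and a running server; the realm name, keystore file and password are parameters.

```shell
#!/bin/sh
# Added example: add the UndertowRealm security-realm through jboss-cli.sh.
# Assumptions (not on the page): KEYCLOAK_HOME is a WildFly-based Keycloak
# running in standalone mode; the ssl/https-listener commands follow the
# Keycloak server installation guide and are passed in as parameters.
KEYCLOAK_HOME=${KEYCLOAK_HOME:-/opt/keycloak}

# Print the CLI script: $1 realm name, $2 keystore file name (relative to
# standalone/configuration), $3 keystore password.
make_ssl_cli_script() {
    printf '%s\n' \
        "/core-service=management/security-realm=$1:add()" \
        "/core-service=management/security-realm=$1/server-identity=ssl:add(keystore-path=$2, keystore-relative-to=jboss.server.config.dir, keystore-password=$3)" \
        "/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=$1)"
}

# Count the management commands in a CLI script read from stdin.
cli_command_count() {
    grep -c '^/'
}

# Write the script owner-only (it carries the keystore password), run it
# inside the management CLI, and remove it afterwards.
apply_ssl_realm() {
    script=$(mktemp) || return 1
    chmod 600 "$script"
    make_ssl_cli_script "$1" "$2" "$3" > "$script"
    "$KEYCLOAK_HOME/bin/jboss-cli.sh" --connect --file="$script"
    status=$?
    rm -f "$script"
    return $status
}

# Only touch a server when run as "KEYSTORE_PASSWORD=... sh this.sh run";
# the password comes from the environment so it stays out of shell history.
if [ "${1:-}" = run ]; then
    apply_ssl_realm UndertowRealm keycloak.jks "${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD}"
fi
```

To check the result afterwards, run `/subsystem=undertow/server=default-server/https-listener=https:read-attribute(name=security-realm)` inside the same CLI; it should print the realm name. The `:add()` will fail if the realm already exists, so re-running the script on an already-configured server is not idempotent.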
Regards,
Pavel Maslov, MS

From Kevin.Fox at pnnl.gov Mon Dec 31 15:30:23 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Mon, 31 Dec 2018 20:30:23 +0000
Subject: [keycloak-user] kcinit status
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C26D459@EX10MBOX03.pnnl.gov>

Ping

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Fox, Kevin M [Kevin.Fox at pnnl.gov]
Sent: Friday, December 21, 2018 11:42 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] kcinit status

Not much has happened with kcinit in a long time and it has a few outstanding bugs in the way of working for us. What is the status of the project?

Thanks,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user